CS 4273/6273: Introduction to Computer Forensics, Dr. Dave Dampier, August 23, 2004 (PowerPoint presentation transcript)
1
CS 4273/6273 Introduction to Computer Forensics
Dr. Dave Dampier
August 23, 2004
Mississippi State University, Dept. of Computer Science and Engineering
2
What is Forensics?
  • Forensics is the application of scientific
    techniques of investigation to the problem of
    finding, preserving and exploiting evidence to
    establish an evidentiary basis for arguing about
    facts in court cases

3
What is Computer Forensics?
  • Computer forensics is forensics applied to
    information stored or transported on computers.
  • It involves the preservation, identification,
    extraction, documentation, and interpretation of
    computer media for evidentiary and/or root cause
    analysis.
  • Procedures are followed, but flexibility is
    expected and encouraged, because the unusual will
    be encountered.

4
What is Computer Crime?
  • Two categories of computer crime
    • Computer used to conduct the crime
      • Child pornography/exploitation
      • Threatening letters
      • Fraud
      • Embezzlement
      • Theft of intellectual property
    • Computer is the target of the crime
      • Incident response
      • Security breach

5
What is evidence?
  • Bytes
  • Files
    • Present
    • Deleted
    • Encrypted
  • Fragments of files
    • Words
    • Sentences
    • Paragraphs

6
Where do we find it?
  • Storage media
    • Hard disks
    • Floppy disks
    • CDs, Zip disks, tapes, etc.
  • RAM
  • Log files

7
What do we do with it?
  • Acquire the evidence without altering or damaging
    the original.
  • Authenticate that your recovered evidence is the
    same as the originally seized data.
  • Analyze the data without modifying it.

8
Acquire the evidence
  • How do we seize the computer?
  • How do we handle computer evidence?
  • What is chain of custody?
  • Evidence collection
  • Evidence Identification
  • Transportation
  • Storage
  • Documenting the Investigation

9
Authenticate the Evidence
  • Prove that the evidence is indeed what the
    criminal left behind.
  • Readable text or pictures don't magically appear
    at random.
  • Calculate a hash value for the data
    • CRC
    • MD5
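
An added example (my code, not part of the original slides) showing the authentication step above in Python: one pass over the seized media computes the CRC and MD5 the slide names, plus SHA-256, which practitioners now record alongside MD5 because MD5 is no longer collision resistant. The same pass over the working image must give identical values before any analysis starts; the demo also shows that a single changed byte in the image is caught. The file names, sizes and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20   # read 1 MiB at a time so an image of any size fits in memory


def digest_stream(chunks):
    """CRC-32, MD5 and SHA-256 over an iterable of byte chunks, in one pass."""
    crc = 0
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha256.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def fingerprint(path):
    """Digests of a file: the seized media, or a bit-for-bit image of it."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(CHUNK), b""))


def acquire(source, image):
    """Bit-for-bit copy of `source` into `image` (the job dd does), then verify."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return verify(source, image)


def verify(source, image):
    """Return (source digests, image digests, names of the digests that differ)."""
    a, b = fingerprint(source), fingerprint(image)
    return a, b, [name for name in a if a[name] != b[name]]


def demo():
    """Constructed walk-through: image a 9000-byte sample 'device', verify the
    image, then change one byte of the image and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 35 + b"\x00" * 40)   # constructed contents
        _, _, diff_before = acquire(source, image)
        with open(image, "r+b") as f:          # simulate an accidental write
            f.seek(4242)
            f.write(b"\xff")
        _, _, diff_after = verify(source, image)
        return diff_before, diff_after


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition, digests that differ:", before)
    print("after one byte changed, digests that differ:", after)
```

Recording all three values in the case notes gives a reviewer a check that survives the weakening of any one algorithm; an empty list from `verify` is the condition for starting analysis.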

10
Analysis
  • Always work from an image of the evidence and
    never from the original.
  • Prevent damage to the evidence.
  • Make two backups of the evidence in most cases.
  • Analyze everything; you may need clues from
    something seemingly unrelated.

11
Analysis (cont.)
  • Existing files
    • Mislabelled
  • Deleted files
    • Show up in a directory listing with ? in place of
      the first letter
    • Dave.txt appears as ?ave.txt
  • Free space
  • Slack space
  • Swap space
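
An added example, not from the slides, of why a deleted file shows up as ?ave.txt: on the FAT file systems these slides assume, deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5; the rest of the name, the starting cluster and the size stay on disk, which is what an unerase tool reads. The parser below builds a constructed three-entry directory, decodes it, and lists deleted entries the way the slide shows (in upper-case 8.3 form, since that is what the on-disk entry holds). The entry layout follows the published FAT specification; the names, sizes and cluster numbers are made up.

```python
import struct

DELETED_MARKER = 0xE5    # first byte of a deleted entry (the rest is left intact)
END_OF_DIR = 0x00        # first byte 0x00: this and all later entries are unused
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20


def make_entry(name, ext, size, first_cluster, deleted=False, attr=ATTR_ARCHIVE):
    """Build a 32-byte FAT 8.3 directory entry (constructed test data)."""
    entry = bytearray(32)
    entry[0:8] = name.upper().ljust(8).encode("ascii")
    entry[8:11] = ext.upper().ljust(3).encode("ascii")
    entry[11] = attr
    # bytes 12..25 hold NT flags, timestamps and the high cluster word; zero here
    struct.pack_into("<H", entry, 26, first_cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", entry, 28, size)                     # file size in bytes
    if deleted:
        entry[0] = DELETED_MARKER   # all a delete does to the entry itself
    return bytes(entry)


def parse_directory(data):
    """Decode every in-use entry of a raw directory, deleted ones included."""
    entries = []
    for off in range(0, len(data) - len(data) % 32, 32):
        e = data[off:off + 32]
        if e[0] == END_OF_DIR:
            break
        deleted = e[0] == DELETED_MARKER
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            name = "?" + name[1:]   # the first letter is gone, so the listing shows ?
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "directory": bool(e[11] & ATTR_DIRECTORY),
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


def recoverable(entries):
    """Deleted entries that still record a first cluster and a size: the starting
    point an unerase tool uses (the data survives until those clusters are reused)."""
    return [e for e in entries if e["deleted"] and e["first_cluster"] and e["size"]]


# Constructed sample directory: a deleted DAVE.TXT, a live file and a subdirectory
SAMPLE_DIR = (
    make_entry("DAVE", "TXT", 1000, 5, deleted=True)
    + make_entry("NOTES", "DOC", 24576, 7)
    + make_entry("PHOTOS", "", 0, 12, attr=ATTR_DIRECTORY)
    + bytes(32)                                  # end-of-directory marker
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "<deleted>" if e["deleted"] else ("<dir>" if e["directory"] else "")
        print(f"{e['name']:<14} {e['size']:>8} cluster {e['first_cluster']:<5} {flag}")
```

The same decoding run over a directory region of a disk image is how the deleted-file list on the slide is produced; whether the recorded clusters still hold the file's bytes is a separate check, since a later write can reuse them.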

12
Storage Media Basics
  • Sector: 512 bytes
  • Cluster (block): 2 or more sectors (up to 64)


13
Slack Space
  • RAM slack: that portion of a sector that is not
    overwritten in memory.
  • Disk slack: those sectors of the cluster that are
    not needed to store the file.

[Figure: a cluster drawn as a row of sectors, with EOF marking the end of
the file data; the rest of the EOF sector is labelled RAM Slack and the
unused sectors after it are labelled Disk Slack]
14
Slack Space
  • File slack: the last cluster of a file isn't filled
    up completely, so data from the last use of that
    cluster isn't overwritten.
  • File Slack = Disk Slack + RAM Slack

[Figure: the same cluster diagram, with EOF, RAM Slack and Disk Slack
together labelled File Slack]
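
An added example (not from the slides) that carries the two slack-space slides through in Python: given a file size and the slides' 512-byte sector, it computes RAM slack, disk slack and their sum, file slack; it then simulates a write into a cluster that previously held other data, to show which of the old bytes survive in each region and why an examiner looks there. The 8-sector (4096-byte) cluster, the old cluster contents and the stand-in for memory contents are assumptions made for the demo.

```python
SECTOR_SIZE = 512            # from the slides
SECTORS_PER_CLUSTER = 8      # assumption for the demo: 4096-byte clusters


def slack_layout(file_size, sector=SECTOR_SIZE, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Byte counts of the regions the slides name, for a file of `file_size` bytes."""
    cluster = sector * sectors_per_cluster
    if file_size == 0:
        return {"clusters": 0, "allocated": 0, "ram_slack": 0,
                "disk_slack": 0, "file_slack": 0}
    clusters = (file_size + cluster - 1) // cluster          # ceiling division
    allocated = clusters * cluster
    in_last_cluster = file_size - (clusters - 1) * cluster   # data bytes in last cluster
    # RAM slack: the tail of the last sector written, padded from memory by the OS
    ram_slack = (sector - in_last_cluster % sector) % sector
    # Disk slack: whole sectors of the last cluster that the write never touched
    disk_slack = allocated - file_size - ram_slack
    return {"clusters": clusters, "allocated": allocated, "ram_slack": ram_slack,
            "disk_slack": disk_slack, "file_slack": ram_slack + disk_slack}


def write_into_cluster(old_cluster, data, ram_fill, sector=SECTOR_SIZE):
    """Simulate writing `data` into a cluster that still holds `old_cluster`.
    Whole sectors are written; the last partial sector is padded from `ram_fill`
    (a non-empty stand-in for the write buffer); later sectors are left untouched."""
    if len(data) > len(old_cluster):
        raise ValueError("data does not fit in one cluster")
    written = min(-(-len(data) // sector) * sector, len(old_cluster))
    pad = (ram_fill * (written // len(ram_fill) + 1))[:written - len(data)]
    new = bytearray(old_cluster)
    new[:written] = data + pad
    return bytes(new)


def recover_slack(cluster, file_size, sector=SECTOR_SIZE):
    """Split the bytes past EOF into (ram_slack_bytes, disk_slack_bytes)."""
    layout = slack_layout(file_size, sector, len(cluster) // sector)
    ram_end = file_size + layout["ram_slack"]
    return cluster[file_size:ram_end], cluster[ram_end:]


# Constructed demo data: a cluster that used to hold some earlier file ...
OLD_CLUSTER = bytes(range(256)) * (SECTOR_SIZE * SECTORS_PER_CLUSTER // 256)
# ... a new 1000-byte file written over it, and a stand-in for memory contents
NEW_FILE = b"A" * 1000
MEMORY = b"<memory contents>"

if __name__ == "__main__":
    print(slack_layout(len(NEW_FILE)))
    cluster = write_into_cluster(OLD_CLUSTER, NEW_FILE, MEMORY)
    ram, disk = recover_slack(cluster, len(NEW_FILE))
    print("RAM slack :", len(ram), "bytes, e.g.", ram[:16])
    print("disk slack:", len(disk), "bytes, old data intact:", disk == OLD_CLUSTER[1024:])
```

For the 1000-byte file the last sector holds 488 bytes of data and 24 bytes of RAM slack, and the six sectors after it, 3072 bytes, are disk slack still carrying the previous occupant's data; a copy made file by file would lose both regions, which is why the slides insist on a bit-for-bit image.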
15
Free Space
  • That portion of the media that is not currently
    in use.
  • Could have been used before, but not overwritten.
  • Especially true today with very large disks.
  • Can we really erase a hard drive?
  • Even if formatted, the data is not lost.

16
Encryption and Forensics
  • Encryption used to protect data in two ways
    • Maintain privacy
      • Use of ciphers
      • Files might need to be decrypted
      • Decryption program generally stored fairly close
        to the file to be decrypted.
      • Probably password protected.
    • Prove integrity
      • Hashing

17
Data Hiding
  • Obfuscating data
    • Encrypted
    • Compressed
  • Hiding data
    • In plain sight: innocent-looking data has an
      alternate meaning
    • Within the file system

18
Data Hiding in File System
  • In a file
    • Steganography
    • Invisible names
    • Misleading names
    • Obscurity
    • No names
  • Not in a file
    • Slack, swap, free space
  • Removable media

19
Hostile Code
  • Presume that any unknown code is hostile.
  • Guilty until proven innocent.
  • Any code used by an unauthorized person to gain
    advantage or power over someone else should be
    considered hostile:
    • Remote access
    • Data gathering
    • Sabotage
    • Denial-of-service
    • Eluding detection
    • Resource theft
    • Circumvention of access control mechanisms
    • Social status
    • Self-fulfillment

20
Tools
  • Password crackers
  • Hard drive tools
    • Fdisk on Linux
  • Viewers
    • QVP
    • Diskview
    • Thumbsplus
  • Unerase tools
  • CD-R utilities
  • Text search tools
  • Drive imaging
    • Safeback
    • Linux dd
  • Disk wiping
  • Forensic toolkits
  • Forensic computers

21
Forensic Programs
  • Forensic Toolkit
  • The Coroners Toolkit
  • ForensiX
  • New Technologies Inc. (NTI)
  • Encase
  • ILook
  • Maresware

22
Criminal Justice Fundamentals
  • How a case usually plays out
    • Law enforcement notified of crime
    • Evidence is gathered (may require search
      warrants)
    • Suspects are developed
    • Interviews or interrogations are conducted
    • Suspect is charged
    • Case w/evidence is turned over to prosecutor

23
Questions?