Title: Topics in Digital Forensics
1. Topics in Digital Forensics
- Golden G. Richard III, Ph.D.
- Professor
- Dept. of Computer Science
- GIAC-certified Digital Forensics Investigator
- Co-founder, Digital Forensics Solutions, LLC
- golden_at_cs.uno.edu
- http://www.cs.uno.edu/golden
2. Digital Forensics
- Definition: Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.
- Devices include computers, PDAs, cellular phones, videogame consoles, copy machines, printers, ...
3. Examples of Digital Evidence
- Threatening emails
- Documents (e.g., in places they shouldn't be)
- Suicide notes
- Bomb-making diagrams
- Malicious Software
  - Viruses
  - Worms
- Child pornography (contraband)
- Evidence that network connections were made between machines
- Cell phone SMS messages
4. Facts (or: Why Digital Forensics?)
- Deleted files aren't securely deleted
  - Recover the deleted file, and when it was deleted!
- Renaming files to avoid detection is pointless
- Formatting disks doesn't delete much data
- Web-based email can be (partially) recovered even w/o access to the web email account
- Files transferred over a network can be reassembled and used as evidence
5. Facts (2)
- Uninstalling applications is much more difficult than it might appear
- Volatile data hangs around for a long time
  - Remnants from previously executed applications
  - Even rebooting may not erase volatile data!
- Using encryption properly is difficult, because data isn't useful unless decrypted
- Anti-forensics (privacy-enhancing) software is mostly broken
- Big magnets (generally) don't work
- Media mutilation (except in the extreme) doesn't work
- Basic enabler: Data is very hard to kill
6. Legal Issues
- Investigative needs vs. the right to privacy
- Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
- Self-incrimination protection (e.g., Fifth Amendment)
- Wiretap laws
- Chain of custody
- Admissibility of evidence in court: Daubert
  - Essentially:
    - Has the theory or technique in question been tested?
    - Is the error rate known?
    - Widespread acceptance within a relevant scientific community?
- Patriot Act
  - Greatly expands governmental powers in terms of searching, wiretaps
7. Privacy
- The existence of sophisticated digital forensics techniques is a great enabler for fascism
  - Child pornographers must break rocks vs.
  - Innocent citizens must have privacy
- Actively fight laws that don't appropriately balance privacy with the need for investigation
- Secure file deletion software (mostly) works
  - Overwriting files with zeros is good enough unless a tunneling electron microscope is available
- Volatile computing may help
8. CD-based Volatile Linux Distributions
9. CD (2)
10. Privacy Through Media Mutilation
(Slide images: media mutilation methods, or a degausser, or forensically-secure file deletion software (but make sure it works!))
11. Digital Forensics Process
- Legal: Balance of need to investigate vs. privacy
- Identification of potential digital evidence
  - Where might the evidence be?
  - Which devices did the suspect use?
- Preservation and copying of evidence
  - On the crime scene
  - First, stabilize evidence: prevent loss and contamination
  - If possible, make identical copies of evidence for examination
- Careful examination of evidence
- Presentation
  - "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore HITLIST.DOC"
  - "The suspect attempted to hide the Microsoft Word document HITLIST.DOC but I was able to recover it without tampering with the file contents."
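The two "Presentation" lines above turn on what a deleted FAT directory entry still holds. As an added example (not the speaker's code), the parser below walks a constructed FAT directory, flags entries the driver marked deleted, and shows which metadata (remaining name bytes, size, first cluster) a recovery like the HITLIST.DOC one rests on; the sample directory and its file names are constructed.

```python
"""Parse FAT 8.3 directory entries and flag deleted files.
On FAT, deleting a file only overwrites the first byte of its 32-byte directory
entry with 0xE5; the rest of the name, the size and the first cluster stay on
disk, which is why "deleted" files are recoverable.  Added example, not the
speaker's code; the sample directory below is constructed."""
import struct

# name(8) ext(3) attr(1) misc(8) clusHI(2) wtime(2) wdate(2) clusLO(2) size(4)
ENTRY_FMT = "<8s3sB8sHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)            # 32 bytes
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name, ext, cluster, size, deleted=False, attr=0x20):
    """Constructed 8.3 entry; deleted=True mimics what the driver does on delete."""
    raw = bytearray(struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                                attr, b"\x00" * 8, cluster >> 16, 0, 0, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED                           # only the first name byte is clobbered
    return bytes(raw)

def parse_directory(data):
    """Walk entries to the end-of-directory marker, decoding live and deleted ones."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break                                  # nothing was ever allocated past here
        name, ext, attr, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:
            continue                               # VFAT long-name fragment, not a file
        deleted = raw[0] == DELETED
        # The first character is gone; show '?' (it may survive in a long-name entry).
        base = ("?" + name[1:].decode("ascii", "replace")) if deleted else name.decode("ascii", "replace")
        fname = base.rstrip()
        if ext.strip():
            fname += "." + ext.decode("ascii", "replace").rstrip()
        entries.append({"offset": off, "name": fname, "deleted": deleted,
                        "cluster": (hi << 16) | lo, "size": size})
    return entries

def build_sample_directory():
    """Constructed directory: live file, deleted file, LFN fragment, extensionless file."""
    lfn = bytearray(32); lfn[0] = 0x41; lfn[11] = ATTR_LFN
    return (make_entry("NOTES", "TXT", 3, 1200) + make_entry("HITLIST", "DOC", 7, 24576, deleted=True)
            + bytes(lfn) + make_entry("README", "", 12, 300) + b"\x00" * 32)

if __name__ == "__main__":
    for e in parse_directory(build_sample_directory()):
        print(("DELETED " if e["deleted"] else "        ") + e["name"], e["cluster"], e["size"])
```

Restoring the first name byte is all that "undeletes" the entry; whether the clusters still hold the original contents is a separate check the report must make.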
12. Traditional Digital Forensics
- Document the scene (photos)
- Pull the plug
- Image (make copies of) hard drives, floppies, USB keys, etc.
- Use forensics software to analyze copies of drives
- Investigator typically uses a single computer to perform investigation in the lab
- Present results to client, to officer-in-charge, court
13. On the Scene: Preservation
(Slide image labels: tick tick tick; Just pull the plug? Move the mouse for a quick peek?; Tripwires; Volatile computing; Living room)
14. Careful Documentation is Crucial
15. Preservation: Imaging
- When making copies of media to be investigated, prevent accidental modification or destruction of evidence!
- Write blocker
(Slide image: Drivelock write blocker)
16. Computers: Where's the Evidence?
- Undeleted files; expect some names to be incorrect
- Deleted files
- Windows registry
- Print spool files
- Hibernation files
- Temp files (all those .TMP files!)
- Slack space
- Swap files
- Browser caches
- Alternate partitions
- On a variety of removable media (floppies, ZIP, Jaz, tapes, ...)
17. More Sources
- Wireless telephones
  - Numbers called
  - Incoming calls
  - Voice mail access numbers
  - Debit/credit card numbers
  - Email addresses
  - Call forwarding numbers
- PDAs/Smart Phones
  - Above, plus contacts, maps, pictures, passwords, documents, ...
18. More Sources (2)
- Landline Telephones/Answering machines
  - Incoming/outgoing messages
  - Numbers called
  - Incoming call info
  - Access codes for voice mail systems
  - Contact lists
- Copiers
  - Especially digital copiers, which may store entire copy jobs
19. More Sources (3)
- Digital Voice Recorders
  - Filesystem on device is easily investigated
- Video game systems
  - Basically computer systems, especially XBox
- GPS devices
  - Routes, way-points
- Digital cameras
  - Photos (obvious) but also video, arbitrary files on storage cards (SD, memory stick, CF, ...)
20. Typical Traditional Forensics: Point and Click
- Visual, point and click approach to digital forensics investigation
- Software application organizes evidence and helps investigator preview and analyze
- One investigative machine per investigation
- Lots of hourglass time
- Limited features
- Good for low hanging fruit
- Disturbing: if the point and click interface doesn't show it, it's not evidence (!!)
24. But Evidence is Also...
- In RAM
- In the network
- On mission-critical machines
  - Can't turn off without severe disruption
  - Can't turn them ALL off just to see!
- On huge storage devices
  - 1TB server: image the entire machine and drag it back to the lab to see if it's interesting?
  - 10TB?
25. RAM Carving
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0
Are you enjoying Mardi Gras this year? I hear the crowds are smaller, but that the general spirit is high
Remnants of transmitted chat messages, emails, etc. persist in memory even if they were never saved on your hard drive
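The fragment on this slide is an MSN Messenger message (MIME-style headers, blank line, text) left behind in RAM. As an added example (not the speaker's code), the carver below searches a memory image for that header pattern and pulls out each message body with its offset; the memory image, including its message texts, is constructed sample data.

```python
"""Carve MSN Messenger chat remnants from a raw memory image.
The fragment on the slide is an MSNP instant message: MIME-style headers
(Content-Type, X-MMS-IM-Format), a blank line, then the text.  This scans a
memory dump for that pattern and pulls the text out.  Added example, not the
speaker's code; the memory image below is constructed."""
import re

# Anchor on the distinctive X-MMS-IM-Format header.  The body is taken as one
# run of printable bytes, so it stops at the first NUL/control byte after the
# text (a multi-line message would be cut at its first line break).
MSN_MESSAGE = re.compile(
    rb"Content-Type: text/plain;[^\r\n]*\r\n"
    rb"X-MMS-IM-Format: (?P<fmt>[^\r\n]*)\r\n"
    rb"\r\n"
    rb"(?P<body>[\x20-\x7e\x80-\xff]{1,512})"
)

def carve_msn_messages(image):
    """Return every message found, with its byte offset in the image."""
    hits = []
    for m in MSN_MESSAGE.finditer(image):
        hits.append({
            "offset": m.start(),
            "format": m.group("fmt").decode("ascii", "replace"),  # font/colour attributes
            "body": m.group("body").decode("utf-8", "replace").strip(),
        })
    return hits

def build_sample_image():
    """Constructed 'RAM': binary filler, two messages, a header cut off mid-way."""
    msg1 = (b"Content-Type: text/plain; charset=UTF-8\r\n"
            b"X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0\r\n\r\n"
            b"Are you enjoying Mardi Gras this year?")
    msg2 = (b"Content-Type: text/plain; charset=UTF-8\r\n"
            b"X-MMS-IM-Format: FN=Arial; EF=B; CO=0; CS=0; PF=22\r\n\r\n"
            b"I hear the crowds are smaller")
    truncated = b"Content-Type: text/plain; charset=UTF-8\r\nX-MMS-IM-Form"  # page reused
    filler = bytes(range(256)) * 4                  # 1024 bytes of non-text noise
    return filler + msg1 + b"\x00" * 64 + truncated + b"\x00" * 16 + msg2 + b"\x00" * 8

if __name__ == "__main__":
    for hit in carve_msn_messages(build_sample_image()):
        print(f"{hit['offset']:#010x}  {hit['body']}")
```

Point it at a real capture with `carve_msn_messages(open("mem.raw", "rb").read())`; a partial header that a page boundary cut short, like the one in the sample, is skipped rather than producing a garbled hit.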
26. Live Forensics: Defeating Encryption
(Slide image labels: Process info; Mem dump; Plaintext)
From E. Casey, "Practical Approaches to Recovering Digital Evidence"
27. Is someone sniffing your network?
(Slide image: promiscuous mode detector for network interfaces)
28. Wireshark (aka Ethereal)
(Screenshot labels: Packet listing; Detailed packet data at various protocol levels; Raw data)
29. Wireshark: Following a TCP Stream
30. Wireshark: FTP Control Stream
31. Wireshark: FTP Data Stream
32. Wireshark: FTP Data Stream
33. Wireshark: Extracted FTP Data Stream
34. Next Generation Needs
- Better auditing
- Better collaboration
- Better software design for tools
- Faster
- Live forensics
- Network forensics
- Better handling of digital media
  - Are there any photos like THESE?
- More automation of investigative process
  - What sort of users used this machine?
  - What were their typical activities?
  - Are these machines related in any way?
- On-the-spot forensics: Triage
- Better detection of malicious software
  - Viruses
  - Worms
  - Spyware
35. Better Auditing
- Want: Digital Evidence Bags
  - See P. Turner, "Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags)," DFRWS 2005
  - See Common Digital Evidence Storage Format (CDESF) working group, http://www.dfrws.org/CDESF/
36. Bluepipe: On the Spot Digital Forensics
(Slide figure: Bluepipe Patterns)
Y. Gao, G. G. Richard III, V. Roussev, "Bluepipe: An Architecture for On-the-Spot Digital Forensics," International Journal of Digital Evidence (IJDE), 3(1), 2004.
37. Distributed Digital Forensics
(Slide figure: drive sizes 300GB, 300GB, 750GB, 750GB)
V. Roussev, G. G. Richard III, "Breaking the Performance Wall: The Case for Distributed Digital Forensics," Proceedings of the 2004 Digital Forensics Research Workshop (DFRWS 2004), Baltimore, MD.
38. Faster
39. DDF Typical Results
- Live string search
  - Vassil Roussev
- Regular expression search
  - va-zia-zaa-zga-zra-za
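Slides 37 to 39 show string and regular expression searches over large images being spread across workers. As an added example (not the DDF system from the slides), the code below splits a constructed image into chunks, searches them in parallel with a pattern modelled on the "Vassil Roussev" search above, and handles the case that makes naive chunking wrong: a hit that straddles a chunk boundary. `MAX_MATCH`, the chunk sizes and the hit offsets are assumptions chosen for the demonstration.

```python
"""Chunked, parallel regular-expression search over a disk image.
Distributed forensics splits a huge image across many workers.  The tricky
part is a hit that straddles a chunk boundary: each worker gets an overlap
region past its chunk and keeps only hits that START inside its own chunk,
so every hit is reported exactly once.  Added example, not the DDF system
from the slide; the image and offsets below are constructed."""
import re
from concurrent.futures import ThreadPoolExecutor

MAX_MATCH = 64                   # assumption: no hit is longer than this many bytes
PATTERN = rb"V[a-z]+ R[a-z]+"    # mirrors the slide's search for "Vassil Roussev"

def search_chunk(job):
    """Worker: search one chunk plus its overlap, reporting absolute offsets."""
    data, base, chunk_size, pattern = job
    return [(base + m.start(), m.group(0))
            for m in re.finditer(pattern, data)
            if m.start() < chunk_size]          # starts in the overlap -> next worker's hit

def parallel_search(image, pattern, chunk_size, workers=4, executor_cls=ThreadPoolExecutor):
    """Sorted (offset, match) pairs.  Threads keep this portable; pass
    ProcessPoolExecutor (or spread chunks over machines, as DDF does) for real speedup."""
    jobs = [(image[base:base + chunk_size + MAX_MATCH], base, chunk_size, pattern)
            for base in range(0, len(image), chunk_size)]
    with executor_cls(max_workers=workers) as pool:
        return sorted(hit for hits in pool.map(search_chunk, jobs) for hit in hits)

def sequential_search(image, pattern):
    """Reference result: one pass over the whole image."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, image)]

def build_sample_image():
    """Constructed 3000-byte image with the name at four offsets; with chunk_size=1000
    the hit at 993 straddles a boundary and the one at 2000 starts exactly on one."""
    img = bytearray(3000)
    for off in (200, 993, 1050, 2000):
        img[off:off + 14] = b"Vassil Roussev"
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for offset, text in parallel_search(image, PATTERN, chunk_size=1000):
        print(f"{offset:8d}  {text.decode()}")
```

Without the overlap the hit at 993 would be lost, and without the start-offset filter the hits at 1050 and 2000 would be reported twice (or once truncated); the sequential pass is there to check the parallel result against.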
40. Faster: Use Graphics Card for Forensics Analysis!
- 8800GTX / G80 GPU
- 768MB device memory
- 16 multiprocessors, 128 processors, 1.35GHz each
- Hardware thread management, can schedule millions of threads
- Separate device memory, DMA access to host memory
41. GPU Horsepower
1.35GHz × 128 × 2 instructions per cycle = 345GFLOPS
42. G80 High-level Architecture
Shared instruction unit is the reason that SIMD programs are needed for max speedup
43. GPU Carving: 20GB / Dell XPS
44. GPU Carving: 100GB / Dell XPS
45. Other Uses of GPUs in Forensics
- Increasing nastiness of malware
  - Can prevent proper live forensics analysis
- GPU Persistence of Memory
  - Independent Agent
  - CoPilot-like
  - Memory capture
  - Memory analysis
- GPU as suicide bomber to stop propagation of malware?
46. University of New Orleans
- Information Assurance (Computer Security) concentrations at all levels in Computer Science
  - B.S.
  - M.S.
  - Ph.D.
- Best computer security curriculum in the state
- Only digital forensics curriculum in the state
- Arguably, the best digital forensics curriculum in the South
- Scholarships available
- (Work with nice people like me!)
47. Free Ride Scholarships
- Information Assurance Concentration
  - B.S., M.S., Ph.D.
- University of New Orleans is a Center of Academic Excellence in Information Assurance
  - NSA
  - DHS
- Scholarship benefits
  - Full tuition
  - Books, supplies, laboratory materials
  - Stipend: 10,000 per year for undergraduates, 15,000 per year for graduate students
- Eligibility
  - Undergraduate with at least two years of classwork or an M.S./Ph.D. student
  - GPA > 3.0
  - U.S. citizen
- One year of federal employment per year of support
- High permanent job placement rate
48. Random Bedside Reading
- http://www.dfrws.org (Digital Forensics Research Workshop)
- http://www.ijde.org/ (International Journal of Digital Evidence)
- F. Adelstein, "Live Forensics: Diagnosing Your System Without Killing It First," Communications of the ACM, February 2006.
- M. A. Caloyannides, Privacy Protection and Computer Forensics, Second Edition, 2004.
- B. Carrier, File System Forensic Analysis, Addison-Wesley, 2005.
- B. Carrier, "Risks of Live Digital Forensics Analysis," Communications of the ACM, February 2006.
- E. Casey, Digital Evidence and Computer Crime, Academic Press, 2004.
- J. Chow, B. Pfaff, T. Garfinkel, M. Rosenblum, "Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation," 14th USENIX Security Symposium, 2005.
- M. Geiger, "Evaluating Commercial Counter-Forensic Tools," 5th Annual Digital Forensic Research Workshop (DFRWS 2005), New Orleans, 2005.
- G. G. Richard III, V. Roussev, "Next Generation Digital Forensics," Communications of the ACM, February 2006.
- G. G. Richard III, V. Roussev, "Digital Forensics Tools: The Next Generation," invited chapter in Digital Crime and Forensic Science in Cyberspace, IDEA Group Publishing, 2005.
- A. Schuster, "Searching for Processes and Threads in Microsoft Windows Memory Dumps," 6th Annual Digital Forensic Research Workshop (DFRWS 2006), West Lafayette, IN, 2006.
- S. Sparks, J. Butler, "Raising the Bar for Windows Rootkit Detection," Phrack Issue 63.
- G. Hoglund, J. Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2005.
49. Presentation available
- http://www.cs.uno.edu/golden/teach.html
- golden_at_cs.uno.edu
- Security Lab (NSSAL): Math 322
- Weekly security research meeting (open to all)
  - Schedule for summer announced soon