Topics in Digital Forensics - PowerPoint PPT Presentation

Description: Topics in Digital Forensics. Golden G. Richard III, Ph.D., Professor, Dept. of Computer Science, GIAC-certified Digital Forensics Investigator, Co-founder, Digital ... (PowerPoint PPT presentation, 50 slides)

Transcript and Presenter's Notes
1
Topics in Digital Forensics
  • Golden G. Richard III, Ph.D.
  • Professor
  • Dept. of Computer Science
  • GIAC-certified Digital Forensics Investigator
  • Co-founder, Digital Forensics Solutions, LLC
  • golden@cs.uno.edu
  • http://www.cs.uno.edu/golden

2
Digital Forensics
  • Definition: Tools and techniques to recover,
    preserve, and examine digital evidence on or
    transmitted by digital devices.
  • Devices include computers, PDAs, cellular phones,
    videogame consoles, copy machines, printers, ...

3
Examples of Digital Evidence
  • Threatening emails
  • Documents (e.g., in places they shouldn't be)
  • Suicide notes
  • Bomb-making diagrams
  • Malicious software
    • Viruses
    • Worms
  • Child pornography (contraband)
  • Evidence that network connections were made
    between machines
  • Cell phone SMS messages

4
Facts (or Why Digital Forensics?)
  • Deleted files aren't securely deleted
    • Recover a deleted file, and when it was deleted!
  • Renaming files to avoid detection is pointless
  • Formatting disks doesn't delete much data
  • Web-based email can be (partially) recovered even
    w/o access to the web email account
  • Files transferred over a network can be
    reassembled and used as evidence
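As an added illustration of why a deleted file is still recoverable (example code written for this transcript, not the presenter's), the block below parses FAT short-name directory entries from a constructed 96-byte directory fragment. FAT marks a deleted entry by overwriting the first byte of the name with 0xE5 and leaves the rest of the entry, including the starting cluster and the file size, in place; the file's data clusters are untouched until something reuses them, which is exactly what a recovery tool reads back. The entries, file names and cluster numbers are constructed sample values.

```python
import struct
from dataclasses import dataclass

DELETED_MARKER = 0xE5    # first name byte of a deleted short-name entry
END_OF_DIRECTORY = 0x00  # first name byte 0x00: no entries follow
ATTR_LONG_NAME = 0x0F    # VFAT long-name slot, not a file entry


@dataclass
class DirEntry:
    name: str           # 8.3 name; '?' stands for the byte lost to deletion
    deleted: bool
    attr: int
    first_cluster: int  # where the file's data starts (FAT32 also uses the high word)
    size: int           # bytes, still present after deletion


def parse_dir_entries(raw: bytes):
    """Walk 32-byte short-name entries and return them, deleted ones included."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        first = e[0]
        if first == END_OF_DIRECTORY:
            break
        attr = e[11]
        if attr == ATTR_LONG_NAME:
            continue  # long-name slots are skipped in this example
        deleted = first == DELETED_MARKER
        name_raw = (b"?" + e[1:8]) if deleted else e[0:8]
        base = name_raw.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        cluster_hi = struct.unpack_from("<H", e, 20)[0]  # zero on FAT12/16
        cluster_lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append(DirEntry(name, deleted, attr, (cluster_hi << 16) | cluster_lo, size))
    return entries


def deleted_entries(raw: bytes):
    """Only the entries a normal directory listing no longer shows."""
    return [e for e in parse_dir_entries(raw) if e.deleted]


def make_entry(name8, ext3, attr, cluster, size, deleted=False):
    """Build a constructed 32-byte entry for the demo (not read from a real volume)."""
    e = bytearray(32)
    e[0:8] = name8.ljust(8).encode("ascii")
    e[8:11] = ext3.ljust(3).encode("ascii")
    if deleted:
        e[0] = DELETED_MARKER  # this is all that 'delete' does to the entry
    e[11] = attr
    struct.pack_into("<H", e, 20, (cluster >> 16) & 0xFFFF)
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


# Constructed directory fragment: one live file, one deleted file, end marker.
SAMPLE_DIRECTORY = (
    make_entry("README", "TXT", 0x20, 3, 1200)
    + make_entry("HITLIST", "DOC", 0x20, 7, 24576, deleted=True)
    + bytes(32)
)

if __name__ == "__main__":
    for entry in parse_dir_entries(SAMPLE_DIRECTORY):
        state = "DELETED" if entry.deleted else "live"
        print(f"{entry.name:<14} {state:<8} cluster={entry.first_cluster} size={entry.size}")
```

Only the first character of the name is lost; the starting cluster and size survive, so the data can be read straight from the clusters as long as nothing has overwritten them.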

5
Facts (2)
  • Uninstalling applications is much more difficult
    than it might appear
  • Volatile data hangs around for a long time
    • Remnants from previously executed applications
    • Even rebooting may not erase volatile data!
  • Using encryption properly is difficult, because
    data isn't useful unless decrypted
  • Anti-forensics (privacy-enhancing) software is
    mostly broken
  • Big magnets (generally) don't work
  • Media mutilation (except in the extreme) doesn't
    work
  • Basic enabler: Data is very hard to kill

6
Legal Issues
  • Investigative needs vs. the right to privacy
  • Search warrant laws, e.g., Fourth Amendment to
    the U.S. Constitution
  • Self-incrimination protection (e.g., Fifth
    Amendment)
  • Wiretap laws
  • Chain of custody
  • Admissibility of evidence in court: Daubert
    • Essentially:
      • Has the theory or technique in question been tested?
      • Is the error rate known?
      • Widespread acceptance within a relevant
        scientific community?
  • Patriot Act
    • Greatly expands governmental powers in terms of
      searching, wiretaps

7
Privacy
  • The existence of sophisticated digital forensics
    techniques is a great enabler for fascism
    • Child pornographers must break rocks vs.
    • Innocent citizens must have privacy
  • Actively fight laws that don't appropriately
    balance privacy with the need for investigation
  • Secure file deletion software (mostly) works
    • Overwriting files with zeros is good enough
      unless a tunneling electron microscope is
      available
  • Volatile computing may help

8
CD-based Volatile Linux Distributions
9
CD (2)
10
Privacy Through Media Mutilation
(image slide: physical destruction of the media, or a degausser, or forensically-secure file deletion software (but make sure it works!))
11
Digital Forensics Process
  • Legal: balance the need to investigate vs. privacy
  • Identification of potential digital evidence
    • Where might the evidence be?
    • Which devices did the suspect use?
  • Preservation and copying of evidence
    • On the crime scene
    • First, stabilize evidence: prevent loss and
      contamination
    • If possible, make identical copies of evidence
      for examination
  • Careful examination of evidence
  • Presentation
    • "The FAT was fubared, but using a hex editor I
      changed the first byte of directory entry 13 from
      0xEF to 0x08 to restore HITLIST.DOC"
    • "The suspect attempted to hide the Microsoft Word
      document HITLIST.DOC but I was able to recover
      it without tampering with the file contents."

12
Traditional Digital Forensics
  • Document the scene (photos)
  • Pull the plug
  • Image (make copies) of hard drives, floppies,
    USB keys, etc.
  • Use forensics software to analyze copies of
    drives
  • Investigator typically uses a single computer to
    perform investigation in the lab
  • Present results to client, to officer-in-charge,
    court

13
On the Scene: Preservation
(image slide: "tick tick tick"; Just pull the plug? Move the mouse for a quick peek? Tripwires; volatile computing; living room)
14
Careful Documentation is Crucial
15
Preservation: Imaging
  • When making copies of media to be investigated,
    prevent accidental modification or destruction of
    evidence!
  • Write blocker

Drivelock write blocker
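To show what "identical copies" means in practice (example code added to this transcript, not the presenter's tooling), the block below images a constructed in-memory "drive" block by block, hashing the bytes as they are read, then re-hashes source and image independently and accepts the image only when all digests agree; it also emits a minimal acquisition record for the chain-of-custody log. The case, item and examiner fields are placeholders. In a real acquisition a hardware write blocker sits between the source and the imaging host; the code can only detect a change to the source, not prevent one.

```python
import hashlib
import io
import json

BLOCK = 1 << 20  # 1 MiB per read; a real imager reads sector-aligned blocks


def _digests():
    # SHA-256 is the digest that matters; MD5 is kept only because older reports list it.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def _finish(hashes):
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire_image(src, dst):
    """Bit-for-bit copy of src into dst. The bytes are hashed as they are read, so the
    acquisition hash describes exactly what was copied. Returns (bytes copied, digests)."""
    src.seek(0)
    hashes, total = _digests(), 0
    while True:
        buf = src.read(BLOCK)
        if not buf:
            break
        dst.write(buf)
        total += len(buf)
        for h in hashes.values():
            h.update(buf)
    dst.flush()
    return total, _finish(hashes)


def hash_file(fp):
    """Independent re-read of a file-like object, used for verification."""
    fp.seek(0)
    hashes = _digests()
    while True:
        buf = fp.read(BLOCK)
        if not buf:
            break
        for h in hashes.values():
            h.update(buf)
    return _finish(hashes)


def hash_bytes(data):
    return hash_file(io.BytesIO(data))


def verify_image(src, img, acquisition_digests):
    """Re-hash source and image separately and require all three digest sets to agree.
    A mismatch means the image cannot be used as evidence (or the source changed during
    acquisition, which a working write blocker rules out)."""
    src_d, img_d = hash_file(src), hash_file(img)
    return src_d == img_d == acquisition_digests, src_d, img_d


def custody_record(case_id, item_id, size, digests, examiner, acquired_at):
    """Constructed acquisition record for the chain-of-custody log (JSON, sorted keys)."""
    return json.dumps({
        "case": case_id, "item": item_id, "bytes": size,
        "md5": digests["md5"], "sha256": digests["sha256"],
        "examiner": examiner, "acquired": acquired_at, "write_blocker": "hardware",
    }, sort_keys=True)


# Constructed stand-in for a small suspect drive: a deterministic byte pattern.
SAMPLE_DRIVE = bytes((i * 7 + 3) & 0xFF for i in range(2 * BLOCK + 123))


def demo(tamper=False):
    """Image SAMPLE_DRIVE, optionally corrupt one byte of the image, then verify."""
    src, img = io.BytesIO(SAMPLE_DRIVE), io.BytesIO()
    size, digests = acquire_image(src, img)
    if tamper:
        img.seek(4096)
        img.write(b"\x00")  # a single changed byte is enough to fail verification
    ok, _, _ = verify_image(src, img, digests)
    return size, digests["sha256"], ok


if __name__ == "__main__":
    size, sha, ok = demo()
    print(custody_record("CASE-0001", "item-01", size, hash_bytes(SAMPLE_DRIVE),
                         "examiner (placeholder)", "2006-01-01T00:00:00Z"))
    print("verified:", ok, " tampered copy verified:", demo(tamper=True)[2])
```

Keeping the acquisition hash separate from the verification hashes matters: the first proves what was read, the second pair proves the stored image still equals it, and a disagreement between them tells you which step went wrong.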
16
Computers: Where's the Evidence?
  • Undeleted files (expect some names to be
    incorrect)
  • Deleted files
  • Windows registry
  • Print spool files
  • Hibernation files
  • Temp files (all those .TMP files!)
  • Slack space
  • Swap files
  • Browser caches
  • Alternate partitions
  • On a variety of removable media (floppies, ZIP,
    Jaz, tapes, ...)

17
More Sources
  • Wireless telephones
    • Numbers called
    • Incoming calls
    • Voice mail access numbers
    • Debit/credit card numbers
    • Email addresses
    • Call forwarding numbers
  • PDAs/Smart Phones
    • Above, plus contacts, maps, pictures, passwords,
      documents, ...

18
More Sources (2)
  • Landline Telephones/Answering machines
    • Incoming/outgoing messages
    • Numbers called
    • Incoming call info
    • Access codes for voice mail systems
    • Contact lists
  • Copiers
    • Especially digital copiers, which may store
      entire copy jobs

19
More Sources (3)
  • Digital Voice Recorders
    • Filesystem on device is easily investigated
  • Video game systems
    • Basically computer systems, especially XBox
  • GPS devices
    • Routes, way-points
  • Digital cameras
    • Photos (obvious) but also video, arbitrary files
      on storage cards (SD, memory stick, CF, ...)

20
Typical Traditional Forensics: Point and Click
  • Visual, point-and-click approach to digital
    forensics investigation
  • Software application organizes evidence and helps
    investigator preview and analyze
  • One investigative machine per investigation
  • Lots of hourglass time
  • Limited features
  • Good for low-hanging fruit
  • Disturbing: point-and-click interface doesn't
    show it → it's not evidence (!!)

21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
But Evidence is Also...
  • In RAM
  • In the network
  • On mission-critical machines
    • Can't turn off without severe disruption
    • Can't turn them ALL off just to see!
  • On huge storage devices
    • 1TB server: image the entire machine and drag it
      back to the lab to see if it's interesting?
    • 10TB?

25
RAM Carving
(memory dump excerpt shown on the slide, a chat message remnant:)
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0

Are you enjoying Mardi Gras this year? I hear the crowds are smaller, but that the general spirit is high

Remnants of transmitted chat messages, emails,
etc. persist in memory even if they were never
saved on your hard drive
26
Live Forensics: Defeating Encryption
(figure: process info → memory dump → plaintext; from E. Casey, "Practical Approaches to Recovering Digital Evidence")
27
Is someone sniffing your network?
(screenshot: promiscuous mode detector for network interfaces)
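As an added defensive check for the question this slide poses (example code written for this transcript, not the detector pictured on the slide): on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and bit 0x100 (IFF_PROMISC from linux/if.h) is set while the interface is in promiscuous mode; `ip link show` prints the same state as PROMISC inside the angle brackets. The block parses both forms, using a constructed `ip link` listing with constructed interface names and MAC addresses as sample input; `scan_sysfs` does the live read and returns an empty result on a host without sysfs.

```python
import os

IFF_PROMISC = 0x100  # linux/if.h; /sys/class/net/<iface>/flags exposes the same bit set


def promisc_from_sysfs_flags(text):
    """text is the content of /sys/class/net/<iface>/flags, e.g. '0x1003\\n'."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output):
    """Parse `ip link show` output into {ifname: True/False}."""
    result = {}
    for line in output.splitlines():
        if not line or line[0].isspace():
            continue  # continuation lines (link/ether ...) are indented
        # "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
        parts = line.split(": ", 2)
        if len(parts) < 3:
            continue
        name = parts[1].split("@")[0]  # "eth0@if5" -> "eth0"
        rest = parts[2]
        lt, gt = rest.find("<"), rest.find(">")
        flags = rest[lt + 1:gt].split(",") if 0 <= lt < gt else []
        result[name] = "PROMISC" in flags
    return result


def scan_sysfs(root="/sys/class/net"):
    """Live check on a Linux host: read the flags file of every interface."""
    found = {}
    if not os.path.isdir(root):
        return found
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as f:
                found[name] = promisc_from_sysfs_flags(f.read())
        except OSError:
            pass  # interface vanished or is not readable; skip it
    return found


# Constructed `ip link show` output: eth0 is in promiscuous mode, eth1 is not.
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("from ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("from sysfs:  ", scan_sysfs())
```

Two caveats a practitioner would want: the check reports only what the local kernel believes, so a sniffer on a mirrored switch port or a separate tap never shows up here, and a rootkit of the kind the reading list on slide 48 describes can hide the flag from userland. Treat a PROMISC result as a lead to confirm against the host's expected role (an IDS sensor or packet-capture box is supposed to look like this), not as proof on its own.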
28
Wireshark (aka Ethereal)
(screenshot: packet listing; detailed packet data at various protocol levels; raw data)
29
Wireshark: Following a TCP Stream
30
Wireshark: FTP Control Stream
31
Wireshark: FTP Data Stream
32
Wireshark: FTP Data Stream
33
Wireshark: Extracted FTP Data Stream
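The following, added here as an example of what "Follow TCP Stream" and the FTP extraction on these slides amount to (example code, not Wireshark's implementation), reassembles one direction of a TCP conversation from captured segments by sequence number, coping with reordering, duplicate and partially overlapping retransmissions, then splits the client side of an FTP control connection into commands and pairs the RETR with the bytes carried on the data connection. The capture, addresses, credentials and file contents are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str       # "ip:port" of the sender
    dst: str
    seq: int       # TCP sequence number of payload[0]
    payload: bytes


def reassemble(segments, src, dst):
    """Rebuild one direction of a TCP conversation from captured segments, which may be
    out of order, duplicated, or partially overlapping (retransmissions).
    Raises on a hole: silently skipping it would misrepresent the evidence."""
    flow = sorted((s for s in segments if s.src == src and s.dst == dst), key=lambda s: s.seq)
    stream, next_seq = bytearray(), None
    for s in flow:
        if next_seq is None:
            next_seq = s.seq                    # first payload byte seen in this direction
        if s.seq + len(s.payload) <= next_seq:
            continue                            # pure retransmission, nothing new
        if s.seq > next_seq:
            raise ValueError(f"missing {s.seq - next_seq} bytes before seq {s.seq}")
        fresh = s.payload[next_seq - s.seq:]    # drop the part we already have
        stream += fresh
        next_seq += len(fresh)
    return bytes(stream)


def follow_stream(segments, a, b):
    """Both directions, like Wireshark's Follow TCP Stream: (a->b bytes, b->a bytes)."""
    return reassemble(segments, a, b), reassemble(segments, b, a)


def ftp_commands(control_stream):
    """Split the client side of an FTP control connection into (verb, argument) pairs."""
    cmds = []
    for line in control_stream.split(b"\r\n"):
        if line:
            verb, _, arg = line.partition(b" ")
            cmds.append((verb.decode("ascii", "replace"), arg.decode("ascii", "replace")))
    return cmds


def make_flow(src, dst, isn, messages):
    """Constructed helper: assign consecutive sequence numbers to a list of messages."""
    segs, seq = [], isn
    for m in messages:
        segs.append(Segment(src, dst, seq, m))
        seq += len(m)
    return segs


# Constructed capture; addresses and credentials are sample values, not from any real session.
CLIENT, SERVER = "10.0.0.5:40112", "10.0.0.9:21"
DATA_CLIENT, DATA_SERVER = "10.0.0.5:40113", "10.0.0.9:20"

c2s = make_flow(CLIENT, SERVER, 1000, [b"USER alice\r\n", b"PASS correct-horse\r\n",
                                       b"RETR notes.txt\r\n", b"QUIT\r\n"])
s2c = make_flow(SERVER, CLIENT, 5000, [b"220 ftp.example.test ready\r\n",
                                       b"331 Password required\r\n", b"230 Login ok\r\n",
                                       b"150 Opening data connection\r\n",
                                       b"226 Transfer complete\r\n"])
# Interleaved as captured: RETR arrived before PASS, and PASS was retransmitted.
CONTROL_CAPTURE = [s2c[0], c2s[0], s2c[1], c2s[2], c2s[1], c2s[1], s2c[2], s2c[3], c2s[3], s2c[4]]

FILE_LINES = [b"Meeting notes (constructed sample)\n",
              b"1. Image the drive behind a write blocker\n",
              b"2. Hash before and after\n"]
d = make_flow(DATA_SERVER, DATA_CLIENT, 9000, FILE_LINES)
# Captured in reverse, with the middle line present only inside an overlapping retransmission.
overlap = Segment(DATA_SERVER, DATA_CLIENT, d[1].seq - 4, d[0].payload[-4:] + d[1].payload)
DATA_CAPTURE = [d[2], overlap, d[0]]


def retrieved_files(control_capture, data_capture):
    """Pair each RETR on the control channel with the bytes carried on the data channel."""
    client_side, _ = follow_stream(control_capture, CLIENT, SERVER)
    names = [arg for verb, arg in ftp_commands(client_side) if verb == "RETR"]
    data = reassemble(data_capture, DATA_SERVER, DATA_CLIENT)
    return {name: data for name in names}  # one transfer in this capture


if __name__ == "__main__":
    client_side, server_side = follow_stream(CONTROL_CAPTURE, CLIENT, SERVER)
    print(client_side.decode(), server_side.decode(), sep="")
    for name, content in retrieved_files(CONTROL_CAPTURE, DATA_CAPTURE).items():
        print(f"--- {name} ({len(content)} bytes) ---\n{content.decode()}")
```

Because the control connection is reassembled exactly as Wireshark displays it, the USER and PASS lines come back in the clear: FTP sends credentials unencrypted, which is why a network capture recovers them for an investigator and equally for anyone else sniffing the segment. That is the practical argument for not letting plain FTP carry anything sensitive.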
34
Next Generation Needs
  • Better auditing
  • Better collaboration
  • Better software design for tools
  • Faster
  • Live forensics
  • Network forensics
  • Better handling of digital media
    • Are there any photos like THESE?
  • More automation of the investigative process
    • What sort of users used this machine?
    • What were their typical activities?
    • Are these machines related in any way?
  • On-the-spot forensics: Triage
  • Better detection of malicious software
    • Viruses
    • Worms
    • Spyware

35
Better Auditing
  • Want: Digital Evidence Bags
    • See P. Turner, "Unification of Digital Evidence
      from Disparate Sources (Digital Evidence Bags),"
      DFRWS 2005
    • See the Common Digital Evidence Storage Format
      (CDESF) working group, http://www.dfrws.org/CDESF/

36
Bluepipe: On-the-Spot Digital Forensics
(figure: Bluepipe patterns)
Y. Gao, G. G. Richard III, V. Roussev, "Bluepipe:
An Architecture for On-the-Spot Digital
Forensics," International Journal of Digital
Evidence (IJDE), 3(1), 2004.
37
Distributed Digital Forensics
(figure: target drives of 300GB, 300GB, 750GB and 750GB)
V. Roussev, G. G. Richard III, "Breaking the
Performance Wall: The Case for Distributed
Digital Forensics," Proceedings of the 2004
Digital Forensics Research Workshop (DFRWS 2004),
Baltimore, MD.
38
Faster
39
DDF Typical Results
  • Live string search
    • "Vassil Roussev"
  • Regular expression search
    • v[a-z]i[a-z]a[a-z]g[a-z]r[a-z]a
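Added example (not the presenter's code, nor the DDF or Bluepipe implementations) covering the RAM Carving slide above and the search benchmark on this one: it carves printable strings from a constructed memory dump the way strings(1) does, runs a live literal search for "Vassil Roussev" and a regular-expression search, and then repeats the searches chunk by chunk with overlapping chunk boundaries, which is how a distributed search splits an image across workers without losing matches that straddle a chunk edge. The dump, the chat remnant and the planted strings are constructed. The regex follows the slide's pattern with each gap read as `[a-z]*`; that reading is an assumption, since quantifiers did not survive the transcript.

```python
import re


def noise(n, seed):
    """Constructed non-text filler: consecutive bytes differ by 131 mod 256, so two adjacent
    bytes are never both printable and string carving cannot misread filler as text."""
    return bytes(((i * 131 + seed) & 0xFF) for i in range(n))


# Constructed memory dump content: an IM chat remnant plus a few planted strings.
CHAT_REMNANT = (b"Content-Type: text/plain; charset=UTF-8\r\n"
                b"X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0\r\n\r\n"
                b"Are you enjoying Mardi Gras this year? I hear the crowds are smaller, "
                b"but that the general spirit is high")


def build_dump():
    """Return (dump bytes, dict of planted offsets) so results can be checked exactly."""
    parts = [(noise(1000, 100), None), (CHAT_REMNANT, "chat"), (noise(500, 150), None),
             (b"Vassil Roussev", "name1"), (noise(300, 5), None),
             (b"get vxixagra now", "spam"), (noise(200, 200), None),
             (b"Vassil Roussev", "name2"), (noise(64, 9), None)]
    dump, planted, offset = bytearray(), {}, 0
    for data, label in parts:
        if label:
            planted[label] = offset
        dump += data
        offset += len(data)
    return bytes(dump), planted


def carve_strings(image, min_len=6):
    """(offset, text) for every run of at least min_len printable ASCII bytes, as strings(1) does."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def search(image, pattern, flags=re.IGNORECASE):
    """Live search of the whole image for a bytes regex; returns (offset, matched bytes)."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, image, flags)]


def search_literal(image, needle):
    return search(image, re.escape(needle), 0)


def search_chunked(image, pattern, chunk_size, max_match_len, flags=re.IGNORECASE):
    """Distributed-search model: each worker scans one chunk plus max_match_len - 1 bytes of
    the next one, so a match that straddles a boundary is still seen whole. A match is
    credited only to the chunk in which it starts, so the overlap never double-counts."""
    pat = re.compile(pattern, flags)
    hits = []
    for start in range(0, len(image), chunk_size):
        end = min(len(image), start + chunk_size + max_match_len - 1)
        for m in pat.finditer(image, start, end):
            if m.start() < start + chunk_size:
                hits.append((m.start(), m.group()))
    return hits


# The slide's pattern with each gap read as [a-z]* (assumed; quantifiers are lost in the transcript).
SPAM_PATTERN = rb"v[a-z]*i[a-z]*a[a-z]*g[a-z]*r[a-z]*a"


if __name__ == "__main__":
    dump, planted = build_dump()
    for offset, text in carve_strings(dump):
        print(f"{offset:08x}  {text}")
    print("literal:", search_literal(dump, b"Vassil Roussev"))
    print("regex:  ", search(dump, SPAM_PATTERN))
    print("chunked:", search_chunked(dump, rb"Vassil Roussev", 57, 14))
```

The chat remnant is recovered as three separate strings because the header's CR/LF bytes are not printable; a carver that wants the whole message back has to join runs across short non-printable gaps, which is a tuning decision rather than a correctness one. The chunked search with a chunk size of 57 deliberately puts a chunk boundary inside the first "Vassil Roussev" and still finds both occurrences.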

40
Faster: Use Graphics Card for Forensics Analysis!
  • 8800GTX / G80 GPU
  • 768MB device memory
  • 16 multiprocessors, 128 processors, 1.35GHz each
  • Hardware thread management, can schedule millions of threads
  • Separate device memory, DMA access to host memory
41
GPU Horsepower
1.35GHz × 128 × 2 instructions per cycle = 345GFLOPS
42
G80 High-level Architecture
Shared instruction unit is the reason that SIMD
programs are needed for max speedup
43
GPU Carving: 20GB / Dell XPS
44
GPU Carving: 100GB / Dell XPS
45
Other Uses of GPUs in Forensics
  • Increasing nastiness of malware
    • Can prevent proper live forensics analysis
  • GPU "Persistence of Memory"
    • Independent agent
    • CoPilot-like
    • Memory capture
    • Memory analysis
  • GPU as "suicide bomber" to stop propagation of
    malware?

46
University of New Orleans
  • Information Assurance (Computer Security)
    concentrations at all levels in Computer Science
    • B.S.
    • M.S.
    • Ph.D.
  • Best computer security curriculum in the state
  • Only digital forensics curriculum in the state
  • Arguably, the best digital forensics curriculum
    in the South
  • Scholarships available
  • (+ Work with nice people like me!)

47
Free Ride Scholarships
  • Information Assurance Concentration
    • B.S., M.S., Ph.D.
  • University of New Orleans is a Center of
    Academic Excellence in Information Assurance
    • NSA
    • DHS
  • Scholarship benefits
    • Full tuition
    • Books, supplies, laboratory materials
    • Stipend: $10,000 per year for undergraduates,
      $15,000 per year for graduate students
  • Eligibility
    • Undergraduate with at least two years of
      classwork or an M.S./Ph.D. student
    • GPA > 3.0
    • U.S. citizen
    • One year of federal employment per year of
      support
  • High permanent job placement rate

48
Random Bedside Reading
  • http://www.dfrws.org (Digital Forensics Research
    Workshop)
  • http://www.ijde.org/ (International Journal of
    Digital Evidence)
  • F. Adelstein, "Live Forensics: Diagnosing Your
    System Without Killing it First," Communications
    of the ACM, February 2006.
  • M. A. Caloyannides, Privacy Protection and
    Computer Forensics, Second Edition, 2004.
  • B. Carrier, File System Forensic Analysis,
    Addison-Wesley, 2005.
  • B. Carrier, "Risks of Live Digital Forensics
    Analysis," Communications of the ACM, February
    2006.
  • E. Casey, Digital Evidence and Computer Crime,
    Academic Press, 2004.
  • J. Chow, B. Pfaff, T. Garfinkel, M. Rosenblum,
    "Shredding Your Garbage: Reducing Data Lifetime
    Through Secure Deallocation," 14th USENIX
    Security Symposium, 2005.
  • M. Geiger, "Evaluating Commercial
    Counter-Forensic Tools," 5th Annual Digital
    Forensic Research Workshop (DFRWS 2005), New
    Orleans, 2005.
  • G. G. Richard III, V. Roussev, "Next Generation
    Digital Forensics," Communications of the ACM,
    February 2006.
  • G. G. Richard III, V. Roussev, "Digital Forensics
    Tools: The Next Generation," invited chapter in
    Digital Crime and Forensic Science in Cyberspace,
    IDEA Group Publishing, 2005.
  • A. Schuster, "Searching for Processes and Threads
    in Microsoft Windows Memory Dumps," 6th Annual
    Digital Forensic Research Workshop (DFRWS 2006),
    West Lafayette, IN, 2006.
  • S. Sparks, J. Butler, "Raising the Bar for
    Windows Rootkit Detection," Phrack Issue 63.
  • G. Hoglund, J. Butler, Rootkits: Subverting the
    Windows Kernel, Addison-Wesley, 2005.

49
Presentation available at:
  • http://www.cs.uno.edu/golden/teach.html
  • golden@cs.uno.edu
  • Security Lab (NSSAL): Math 322
  • Weekly security research meeting (open to all)
    • Schedule for summer announced soon