2. Digital Forensics
• Also known as Computer Forensics
• A system in your enterprise has been compromised
• You want to track down suspicious activity
• Where do you begin?
3. Digital Forensics
• Defined: Pertains to legal evidence found in computers and digital storage media.
• Goal: To explain the current state of a "digital artifact."
• A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
4. Digital Forensics
• Can be as simple as retrieving a single piece of data
• Can be as complex as piecing together a trail of many digital artifacts
5. Why Use Digital Forensics?
• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
6. Why Use Digital Forensics?
• To recover data in the event of a hardware or software failure.
• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
7. Why Use Digital Forensics?
• To gather evidence against an employee whom an organization wishes to terminate.
• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
8. Chain of Custody
• "Chain of Custody" is a fancy way of saying "the ability to demonstrate who has had access to the digital information being used as evidence."
• Special measures must be taken when conducting a forensic investigation if the results are to be used in a court of law.
9. Chain of Custody
• One of the most important measures is to ensure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court.
10. 5 Steps in Performing Digital Forensics
• Preparation (of the investigator, not the data)
• Collection (of the data)
• Examination
• Analysis
• Reporting
12. Preparation
• The investigator must be properly trained to perform the specific kind of investigation that is at hand.
• Tools that are used to generate reports for court should be validated. Many tools are available for each step of the process; choose the proper tool based on the case.
13. Collecting Digital Evidence
• Digital evidence can be collected from many obvious sources, such as:
• Computers
• Cell phones
• Digital cameras
• Hard drives
• CD-ROM
• USB storage flash drives
14. Can You Think of Non-Obvious Sources?
• Non-obvious sources could include:
• Settings of digital thermometers
• Black boxes inside automobiles
• RFID tags
• Web pages (which must be preserved as they are subject to change)
15. !!BE CAREFUL!!
• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures have been taken.
16. Create Proof of Non-Alteration
• For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
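The hash-then-verify practice on this slide, as an added example (not code from the original slides): the evidence file, the manifest and the working directory are all constructed inside the script so it runs offline, and the "alteration" is a deliberate one-byte overwrite to show that the recorded digest catches it.

```python
"""Record a cryptographic hash of an evidence file and verify it later.

Added example, not part of the original slides. The evidence file, the
manifest file and the working directory are constructed here so the script
runs offline; in a real case the digest would also be copied into the
investigator's notebook so the manifest cannot be altered alongside the
evidence.
"""
import hashlib
import hmac
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    # Read-only open: verification must never write to the evidence.
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_path, manifest_path, algorithm="sha256"):
    """Append a 'digest  filename' line in the format sha256sum -c accepts."""
    digest = hash_file(evidence_path, algorithm)
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(f"{digest}  {os.path.basename(evidence_path)}\n")
    return digest


def verify_manifest(manifest_path, evidence_dir, algorithm="sha256"):
    """Re-hash each listed file; return {filename: True if unchanged}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            line = line.rstrip("\n")
            if not line:
                continue
            recorded, name = line.split("  ", 1)
            current = hash_file(os.path.join(evidence_dir, name), algorithm)
            results[name] = hmac.compare_digest(recorded, current)
    return results


def demo():
    """Hash a constructed evidence file, then show a one-byte change is caught."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    evidence = os.path.join(workdir, "image001.dd")
    manifest = os.path.join(workdir, "hashes.sha256")
    with open(evidence, "wb") as f:  # constructed sample, not real evidence
        f.write(b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096)

    recorded = write_manifest(evidence, manifest)
    intact_before = verify_manifest(manifest, workdir)["image001.dd"]

    # Simulate accidental alteration: overwrite a single byte.
    with open(evidence, "r+b") as f:
        f.seek(4100)
        f.write(b"X")
    intact_after = verify_manifest(manifest, workdir)["image001.dd"]
    return recorded, intact_before, intact_after


if __name__ == "__main__":
    digest, before, after = demo()
    print(f"recorded sha256: {digest}")
    print(f"unchanged before alteration: {before}; after alteration: {after}")
```

The manifest uses the two-space `digest  filename` layout so the same file can be checked with `sha256sum -c hashes.sha256` on any Linux box. The digest proves integrity only if the recorded copy is kept somewhere the evidence handler cannot edit, which is why the slide says to write it in the notebook as well.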
17. Important Data Handling Practices
• Handle the original evidence as little as possible to avoid changing the data.
• Establish and maintain the chain of custody.
• Document everything that has been done.
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
18. The Personal Interview
• Some of the most valuable information obtained in the course of a forensic examination will come from the computer user:
• System configuration
• Applications
• Encryption keys
19. Who Performs the Analysis
• Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.
• One should not examine digital information unless one has the legal authority to do so.
20. Live vs. Dead Analysis
• Traditionally computer forensic investigations were performed on data at rest---for example, the content of hard drives. This can be thought of as a dead analysis.
21. Live vs. Dead Analysis
• Investigators were told to shut down computer systems when they were impounded, for fear that digital time-bombs might cause data to be erased.
22. Live vs. Dead Analysis
• In recent years there has increasingly been an emphasis on performing analysis on live systems
• Why? -- Some attacks leave no trace on the hard drive
• Why? -- Cryptographic storage, with keys only stored in memory!
23. Live Analysis -- Imaging Electronic Media
• The process of creating an exact duplicate of the original evidentiary media is often called Imaging
• A standalone hard-drive duplicator or software imaging tools ensure the entire hard drive is completely duplicated.
24. Live Analysis -- Imaging Electronic Media
• During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
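A software imager that follows the two slides above, as an added example (not code from the original slides): the source is opened strictly read-only, every sector is copied to a raw dd-style image, unreadable sectors are zero-filled and logged, and the hash of what was read is compared with the hash of what was written. `FlakySource` is a constructed stand-in for a drive with one bad sector so the script runs offline; on a real system the source would be the raw device opened with `os.open(dev, os.O_RDONLY)` behind a hardware write blocker.

```python
"""Software imaging of a drive with read-only access, bad-sector handling
and acquisition hashes.

Added example, not part of the original slides. FlakySource is a constructed
stand-in for a drive with one unreadable sector so the script runs offline;
on a real system the source would be the raw device opened with
os.open(dev, os.O_RDONLY). A hardware write blocker enforces read-only access
in front of the drive regardless of software; the read-only handling here
only mimics that on the software side.
"""
import hashlib
import os
import stat
import tempfile

SECTOR = 512


class FlakySource:
    """Constructed source: sector-addressable data with one sector that fails."""

    def __init__(self, data, bad_sector):
        self.data = data
        self.bad_sector = bad_sector

    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, index):
        if index == self.bad_sector:
            raise OSError(5, "Input/output error")  # EIO, as a failing drive reports
        start = index * SECTOR
        return self.data[start:start + SECTOR]


def image_source(source, image_path):
    """Copy every sector into a raw image.

    Unreadable sectors are zero-filled so later offsets stay aligned
    (dd's conv=noerror,sync) and logged for the report. Returns
    (hash_of_data_read, hash_of_image_file, bad_sector_log).
    """
    read_hash = hashlib.sha256()
    bad = []
    # O_EXCL: never silently overwrite an existing image file.
    fd = os.open(image_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        for i in range(source.sector_count()):
            try:
                block = source.read_sector(i)
            except OSError as e:
                block = b""
                bad.append((i, e.strerror))
            block = block.ljust(SECTOR, b"\x00")  # pad short/failed reads
            read_hash.update(block)
            out.write(block)
    # Image is complete: make it read-only so the copy is not altered by accident.
    os.chmod(image_path, stat.S_IRUSR)

    # Hash the written file independently; a mismatch means a write problem.
    image_hash = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            image_hash.update(chunk)
    return read_hash.hexdigest(), image_hash.hexdigest(), bad


def demo():
    """Image a constructed 2308-byte source whose sector 3 is unreadable."""
    data = bytes(range(256)) * 9 + b"tail"   # 5 sectors, last one short
    source = FlakySource(data, bad_sector=3)
    image_path = os.path.join(tempfile.mkdtemp(prefix="acq-"), "drive.dd")
    read_hash, image_hash, bad = image_source(source, image_path)
    with open(image_path, "rb") as f:
        image = f.read()
    return {
        "hashes_match": read_hash == image_hash,
        "bad_sectors": bad,
        "image_size": len(image),
        "bad_sector_zeroed": image[3 * SECTOR:4 * SECTOR] == b"\x00" * SECTOR,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practitioner points the code makes concrete: with a failing drive the acquisition hash covers the zero-filled image, not the original medium, so the bad-sector log must travel with the hash in the report; and the image is made read-only the moment it is complete, so later examination happens on working copies of a copy, never on the evidence.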
25. Collecting Volatile Data
• If the machine is still active, record any intelligence that can be gained by examining the applications currently open.
• Information stored solely in RAM is lost if it is not recovered before powering down.
26. A Great Tool Which YOU Can Impress People With
• Knoppix
• A Linux distribution which runs directly from a CD
• Does not alter data on the hard disk (local partitions are mounted read-only by default)
• Great for grabbing copies of files from a hard disk!
• Can also be loaded from a USB flash drive
27. Knoppix
• Tools bundled with such a live system can also scan RAM and Windows Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can yield the login/password for recently accessed local email applications, including MS Outlook.
30. Freezing Memory
• RAM can be analyzed for prior content after power loss
• Cooling the memory modules to about -60 degrees Celsius slows the decay of the stored charge, so the memory's state survives longer without power
• How practical is this?
31. Analysis
• All digital evidence must be analyzed to determine the type of information that is stored upon it. Common tool suites:
• FTK
• EnCase
• The Sleuth Kit
32. Analysis of Data
• Comprised of:
• Manual review of material on the media
• Reviewing the Windows registry for suspect information
• Discovering and cracking passwords
• Keyword searches for topics related to the crime
• Extracting e-mail and images for review.
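The keyword-search and e-mail-extraction items above, as an added example (not code from the original slides): the search runs over the raw image bytes rather than a mounted filesystem, so it also reaches deleted files and unallocated space, and it checks both ASCII and UTF-16LE because Windows stores much of its text in the latter. The 8 KiB image and every address and name in it are constructed for the example.

```python
"""Keyword search and e-mail address extraction over a raw disk image.

Added example, not part of the original slides. Searching the image bytes
directly, rather than files in a mounted filesystem, also reaches deleted
files and unallocated space. The image below is constructed inline: a live
message header, a deleted message whose bytes were never overwritten, and a
UTF-16LE string of the kind Windows stores. All addresses and names are
invented. Offsets are absolute byte offsets; offset // 512 gives the sector.
"""
import re

SECTOR = 512
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def plant(img, offset, data):
    img[offset:offset + len(data)] = data


def build_sample_image():
    """Constructed 8 KiB image: zero-filled space with three planted artifacts."""
    img = bytearray(16 * SECTOR)
    plant(img, 1024, b"From: jdoe@example.com\r\nSubject: Flight to SFO\r\n")
    plant(img, 5000, b"... meet at rock creek park tomorrow -- dad@example.org")
    plant(img, 7000, "Rock Creek Park".encode("utf-16-le"))
    return bytes(img)


def keyword_search(image, keywords):
    """Case-insensitive search in ASCII and UTF-16LE; returns (keyword, encoding, offset)."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            # re.IGNORECASE on bytes folds ASCII letters, which also covers
            # the letter bytes of UTF-16LE text (letter, 0x00, letter, 0x00 ...).
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            hits.extend((kw, enc, m.start()) for m in pattern.finditer(image))
    return sorted(hits, key=lambda h: h[2])


def extract_emails(image):
    """Return {address: [offsets]} for every e-mail-shaped string in the image."""
    found = {}
    for m in EMAIL_RE.finditer(image):
        found.setdefault(m.group().decode("ascii"), []).append(m.start())
    return found


def demo():
    image = build_sample_image()
    return keyword_search(image, ["rock creek", "flight"]), extract_emails(image)


if __name__ == "__main__":
    hits, emails = demo()
    for kw, enc, off in hits:
        print(f"{kw!r} ({enc}) at offset {off}, sector {off // SECTOR}")
    for addr, offs in emails.items():
        print(f"{addr} at {offs}")
```

The offsets are what tie a hit back to the media: sector `offset // 512` can be checked against the filesystem to decide whether the string sits in a live file, in the slack of a file, or in unallocated space (as the second planted message does). A plain ASCII search would have missed the UTF-16LE hit entirely.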
33. Reporting
• Written
• Oral Testimony
• Both
• Subject matter area specialists
34. Examples of Digital Forensics Cases
• Chandra Levy
• Washington D.C. intern for Representative Gary Condit
• Vanished April 30, 2001
35. Examples of Digital Forensics Cases
• She had used the web and e-mail to make travel arrangements and communicate with her parents.
• Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.
36. Examples of Digital Forensics Cases
• BTK Killer
• Convicted of a string of serial killings that occurred over a period of sixteen years
• Towards the end of this period, the killer sent letters to the police on a floppy disk.
37. Examples of Digital Forensics Cases
• Metadata is defined as "data about data"
• Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"
• This evidence helped lead to Dennis Rader's arrest.