Computer Forensics

:
Technology, Policy and Countermeasures
Simson L. Garfinkel, Ph.D.
Naval Postgraduate School
May 1, 2007
Computers, Freedom & Privacy 2007
1
A bit about me
Tech Journalist: 1985--2002
Entrepreneur: 1995--2002
Vineyard.NET
Sandstorm Enterprises, Inc.
MIT EECS: 2003--2005
Harvard Center for Research on
Computation and Society: 2005-2007
Naval Postgraduate School: 2007-
“Used Hard Drives
Reveal Secrets.”
2
Forensics: Dual Meaning
fo·ren·sics n. (used with a sing. verb)
1. The art or study of formal debate; argumentation.
2. The use of science and technology to investigate and establish facts in
criminal or civil courts of law.
(American Heritage Dictionary, 4
th
Edition)
3
Computer Forensics:
Multiple Meanings
1. “Involves the preservation, identification, extraction, documentation, and
interpretation of computer data.”
(Computer Forensics: Incident Response Essentials, Warren Kruse and Jay Heiser.)
2. “The scientific examination, analysis, and/or evaluation of digital evidence
in legal matters.”
(Scientific Working Group on Digital Evidence, http://www.swgde.org)
So what’s digital evidence?
4
Computer Forensics is like a magic camera
Tools can go “back in time...”
-
View previous versions of files
-
Recover “deleted” files
-
Find out what was typed
-
Discover visited websites
Why does this work?
-
Computers keep extensive logs
-
Most data is not encrypted
-
free() doesn’t erase memory
-
DELETE doesn’t erase files
-
FORMAT doesn’t wipe disks
5
Digital Evidence is evidence found in digital
systems.
Brian Carrier’s PhD has several definitions for digital evidence:

“Information stored or transmitted in binary form that may be relied upon
in court” [Int02]

“Information of probative value that is stored or transmitted in binary
form” [Sci05]

“Information and data of investigative value that is stored on or
transmitted by a computer” [Ass05]

“Any data stored or transmitted using a computer that support or refute a
theory of how an offense occurred or that address critical elements of the
offense such as intent or alibi” [Cas04]
All of these definitions assume a legal process.
Forensics can be used for much more.
6
Computer Forensics are typically used
after a crime is suspected
Computer break-ins:
• Determine how a computer was compromised.
• Determine extent of damage
Make a claim about the computer’s owner:
• Possession of contraband information
• Copyright infringement
• Theft of intellectual property
• Confirm/disprove an alibi
7
Forensics can also be used for auditing
Evaluate the privacy properties of a system
Understand what’s actually going over a network
Audit application performance & security
Spot-check regulatory compliance:
• Data disposal policies
• Data flow across boundaries
Audit internal information flows
8
1. The Forensic Process
2. Legal Standards
3. Specific Forensic Techniques
• Disk Forensics
• Network Forensics
• Document Forensics
• Memory Forensics
• Cell Phone Forensics
• Software Forensics
4. Anti-Forensics
5. Civil and Criminal Applications
This tutorial looks at the range of forensic
techniques currently in use
many of these sources, their credibility was difficult to assess and was often left to the foreign
government services to judge. Intelligence Community HUMINT efforts against a closed society
like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's
dependence on having an official U.S. presence in-country to mount clandestine HUMINT
collection efforts.
(U) When UN inspectors departed Iraq, the placement of HUMINT agents and the
development of unilateral sources inside Iraq were not top priorities for the Intelligence
Community. The Intelligence Community did not have a single HUMINT source collecting
against Iraq's weapons of mass destruction programs in Iraq after 1998. The Intelligence
Community appears to have decided that the difficulty and risks inherent in developing sources
or inserting operations officers into Iraq outweighed the potential benefits. The Committee
found no evidence that a lack of resources significantly prevented the Intelligence Community
from developing sources or inserting operations officers into Iraq.
When Committee staff asked why the CIA had not considered
placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons
of mass destruction programs, a CIA officer said, "because it's very hard to sustain . . . it takes a
rare officer who can go in . . . and survive scrutiny | ^ | [ m | | | for a long time." The
Committee agrees that such operations are difficult and dangerous, but they should be within the
norm of the CIA's activities and capabilities. Senior CIA officials have repeatedly told the
Committee that a significant increase in funding and personnel will be required to enable to the
CIA to penetrate difficult HUMINT targets similar to prewar Iraq. The Committee believes,
however, that if an officer willing and able to take such an assignment really is "rare" at the CIA,
the problem is less a question of resources than a need for dramatic changes in a risk averse
corporate culture.
(U) Problems with the Intelligence Community's HUMINT efforts were also evident in
the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger.
The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA
employee traveling to Niger. The Committee believes, however, that it is unfortunate,
considering the significant resources available to the CIA, that this was the only option available.
Given the nature of rapidly evolving global threats such as terrorism and the proliferation of
weapons and weapons technology, the Intelligence Community must develop means to quickly
respond to fleeting collection opportunities outside the Community's established operating areas.
The Committee also found other problems with the Intelligence Community's follow-up on the
- 2 5 -
printf(“%d, %f”, i, f);
i++; f+=3.0;
g = fmod(f,i);
9
The Forensic Process
10
Computer Forensics turns computer systems into
courtroom testimony.
Five basic steps:
1.Preparation
2.Collection
3.Examination
4.Analysis
5.Reporting
Source:
Electronic Crime Scene Investigation Guide,
National Institute of Justice
11
Step 1: Preparation
Identify potential sources of evidence
Computer system components:
• Hard drives
• Memory / flash / configuration
• Physical configuration
Web Pages on other computers
Files
Communication networks
Each source may need its own personnel, tools, training & procedures.
One of the most difficult tasks is determining what to include & exclude.
many of these sources, their credibility was difficult to assess and was often left to the foreign
government services to judge. Intelligence Community HUMINT efforts against a closed society
like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's
dependence on having an official U.S. presence in-country to mount clandestine HUMINT
collection efforts.
(U) When UN inspectors departed Iraq, the placement of HUMINT agents and the
development of unilateral sources inside Iraq were not top priorities for the Intelligence
Community. The Intelligence Community did not have a single HUMINT source collecting
against Iraq's weapons of mass destruction programs in Iraq after 1998. The Intelligence
Community appears to have decided that the difficulty and risks inherent in developing sources
or inserting operations officers into Iraq outweighed the potential benefits. The Committee
found no evidence that a lack of resources significantly prevented the Intelligence Community
from developing sources or inserting operations officers into Iraq.
When Committee staff asked why the CIA had not considered
placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons
of mass destruction programs, a CIA officer said, "because it's very hard to sustain . . . it takes a
rare officer who can go in . . . and survive scrutiny | ^ | [ m | | | for a long time." The
Committee agrees that such operations are difficult and dangerous, but they should be within the
norm of the CIA's activities and capabilities. Senior CIA officials have repeatedly told the
Committee that a significant increase in funding and personnel will be required to enable to the
CIA to penetrate difficult HUMINT targets similar to prewar Iraq. The Committee believes,
however, that if an officer willing and able to take such an assignment really is "rare" at the CIA,
the problem is less a question of resources than a need for dramatic changes in a risk averse
corporate culture.
(U) Problems with the Intelligence Community's HUMINT efforts were also evident in
the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger.
The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA
employee traveling to Niger. The Committee believes, however, that it is unfortunate,
considering the significant resources available to the CIA, that this was the only option available.
Given the nature of rapidly evolving global threats such as terrorism and the proliferation of
weapons and weapons technology, the Intelligence Community must develop means to quickly
respond to fleeting collection opportunities outside the Community's established operating areas.
The Committee also found other problems with the Intelligence Community's follow-up on the
- 2 5 -
12
If the activity is ongoing, your choices include:
• Passive Monitoring
• Experimental Probing
If the activity is over, choices include:
• Make a copy
• Seizure
Issues to consider:
• What tools are used? Are they validated?
• Is the copy accurate? Is it complete?
• How can you prove that the copy wasn’t modified at a later time?
Step 2:
Collect and Preserve the evidence
13
Step 3: Examination.
Make evidence “visible” and eliminated excess.
Disk Analysis:
• Examine partitions and file systems
• Resident files & delete files
• “Slack space” at end of files
• Unallocated space between files
File based evidence:
• Document text
• Deleted text
• Metadata (creation date; author fields; etc.)
Network Evidence:
• Device configuration
• Categorize packets; discard what isn’t needed
14
Step 4: Analyze to determine
“significance and probative value”
Build a hypothesis about what happened.
Look for evidence to prove or disprove hypothesis.
Examples:
• Hypothesis: Suspect is arrested on suspicion of child pornography
• Evidence: Known child pornography on suspect’s hard drive
• Hypothesis: Suspect broke into a telephone company computer and stole
confidential documents.
• Evidence: Hacker tools; confidential information from telco.
15
BUT:
Investigators rarely look for count-evidence
Build a hypothesis about what happened.
Look for evidence to prove or disprove hypothesis.
Examples:
• Hypothesis: Suspect is arrested on suspicion of child pornography
• Evidence: Known child pornography on suspect’s hard drive
• Counter Evidence: Root kit allowing remote access
• Hypothesis: Suspect broke into a telephone company computer and stole
confidential documents.
• Evidence: Hacker tools; confidential information from telco.
• Counter Evidence: Documents publicly available
16
There are many kinds of testimony:
• Written reports
• Depositions
• Courtroom testimony
Testimony needs to include several key points:
• The tools used and procedures that were followed
• What was found
• Examiner’s interpretation of what it means
Step 5:
Reporting and Testimony
17
Preservation
Survey
Documentation
Search
Event
Reconstruction
The Digital Crime Scene Investigation model
has five similar steps.
18
This isn’t really what happens in reality.
Instead, investigations are guided by “hypotheses.”
Goal of most investigations is to explain evidence that is observed.
• Investigations asked to answer questions about previous states or events.
• Investigator encounters the machine.
• Investigator uses tools to extract and preserve information from machine
“Because the observation of the data is indirect, a hypothesis must be
formed that the actual data is equal to the observed data”
“Hypotheses also need to be formulated about the data abstractions
that exist and the previous states and events that occurred.”
• The investigator searches for data that supports or refutes the hypotheses.
• Information may be used for confirming/eliminating a hypotheses even if
the information itself is inadmissible in court.
A Hypothesis-Based Approach to Digital Forensic Investigations,
Brian D. Carrier, PhD Thesis, June 2006
19
Legal Standards
US Federal Rules of Evidence
Daubert
20
US Federal Rules of Evidence article VIII
regulates the testimony of “experts”
Rule 702. Testimony by Experts
Rule 703. Bases of Opinion Testimony by Experts
Rule 704. Opinion on Ultimate Issue
Rule 705. Disclosure of Facts or Data Underlying Expert Opinion
Rule 706. Court Appointed Experts
These rules apply in the Federal Court; many states follow the rules as well
• http://www.law.cornell.edu/rules/fre/
21
Rule 702. Testimony by Experts
“If scientific, technical, or other specialized knowledge will assist the trier of fact
to understand the evidence or to determine a fact in issue, a witness qualified
as an expert by knowledge, skill, experience, training, or education, may testify
thereto in the form of an opinion or otherwise, if
(1) the testimony is based upon sufficient facts or data,
(2) the testimony is the product of reliable principles and methods, and
(3) the witness has applied the principles and methods reliably to the facts
of the case.”
22
Rule 703. Bases of Opinion Testimony by Experts
“The facts or data in the particular case upon which an expert bases an opinion
or inference may be those perceived by or made known to the expert at or
before the hearing.
If of a type reasonably relied upon by experts in the particular field in forming
opinions or inferences upon the subject, the facts or data need not be
admissible in evidence in order for the opinion or inference to be admitted.
Facts or data that are otherwise inadmissible shall not be disclosed to the jury
by the proponent of the opinion or inference unless the court determines that
their probative value in assisting the jury to evaluate the expert's opinion
substantially outweighs their prejudicial effect.”
23
Rule 704. Opinion on Ultimate Issue
(a) Except as provided in subdivision (b), testimony in the form of an opinion or
inference otherwise admissible is not objectionable because it embraces an
ultimate issue to be decided by the trier of fact.
(b) No expert witness testifying with respect to the mental state or condition of
a defendant in a criminal case may state an opinion or inference as to whether
the defendant did or did not have the mental state or condition constituting an
element of the crime charged or of a defense thereto. Such ultimate issues are
matters for the trier of fact alone.
24
The “Daubert Standard” is supposed to keep
“junk science” out of the courts.
Daubert turns federal judges “gatekeepers.”
Daubert v. Merrell Dow Pharmaceuticals, 509 US 579 (1993)
• Evidence must be “relevant”
• Evidence must be “reliable” (ie, scientific)
• Subject to peer review (has been published)
• Generally accepted by the relevant professional community
• Standards for the technique’s operation
• Known error rate
Surprisingly, digital evidence may not meet this standard.
[Carrier 2006, pp. 1-4]
25
The “CSI Effect” causes victims and juries
to have unrealistic expectations.
Prosecutors & Jurors:
-
Think it’s impossible to delete
anything.
-
Expect highly produced
presentations.
-
Have no tolerance for
ambiguity.
-
26

The Forensic Process

Legal Standards
3. Specific Forensic Techniques
• Disk Forensics
• Network Forensics
• Document Forensics
• Memory Forensics
• Cell Phone Forensics
• Software Forensics
4. Anti-Forensics
5. Civil and Criminal Applications
This tutorial looks at the range of forensic
techniques currently in use
many of these sources, their credibility was difficult to assess and was often left to the foreign
government services to judge. Intelligence Community HUMINT efforts against a closed society
like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's
dependence on having an official U.S. presence in-country to mount clandestine HUMINT
collection efforts.
(U) When UN inspectors departed Iraq, the placement of HUMINT agents and the
development of unilateral sources inside Iraq were not top priorities for the Intelligence
Community. The Intelligence Community did not have a single HUMINT source collecting
against Iraq's weapons of mass destruction programs in Iraq after 1998. The Intelligence
Community appears to have decided that the difficulty and risks inherent in developing sources
or inserting operations officers into Iraq outweighed the potential benefits. The Committee
found no evidence that a lack of resources significantly prevented the Intelligence Community
from developing sources or inserting operations officers into Iraq.
When Committee staff asked why the CIA had not considered
placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons
of mass destruction programs, a CIA officer said, "because it's very hard to sustain . . . it takes a
rare officer who can go in . . . and survive scrutiny | ^ | [ m | | | for a long time." The
Committee agrees that such operations are difficult and dangerous, but they should be within the
norm of the CIA's activities and capabilities. Senior CIA officials have repeatedly told the
Committee that a significant increase in funding and personnel will be required to enable to the
CIA to penetrate difficult HUMINT targets similar to prewar Iraq. The Committee believes,
however, that if an officer willing and able to take such an assignment really is "rare" at the CIA,
the problem is less a question of resources than a need for dramatic changes in a risk averse
corporate culture.
(U) Problems with the Intelligence Community's HUMINT efforts were also evident in
the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger.
The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA
employee traveling to Niger. The Committee believes, however, that it is unfortunate,
considering the significant resources available to the CIA, that this was the only option available.
Given the nature of rapidly evolving global threats such as terrorism and the proliferation of
weapons and weapons technology, the Intelligence Community must develop means to quickly
respond to fleeting collection opportunities outside the Community's established operating areas.
The Committee also found other problems with the Intelligence Community's follow-up on the
- 2 5 -
printf(“%d, %f”, i, f);
i++; f+=3.0;
g = fmod(f,i);
27
! " #
Disk Forensics
28
Hard drive forensics:
Typical tasks
Recover:
• Deleted files
• Child pornography
Recreate:
• Timelines - when did the computer do what?
• Flow of information
• Evidence of Inappropriate use
Gather Intelligence:
• Names of associates
• Meeting places
29
Hard drive forensics:
Tools of the trade
Local acquisition:
• Write-Blockers prevent modification
• Create an “image file”
Mirror Disks:
• Work with a “mirror” of original disk
Network acquisition
• “Encase Enterprise” allows remote forensics on live system
GUI-Based Programs:
• Forensic Tool Kit
• Encase (Guidance Software)
• Forensic Toolkit (Accessdata)
30
The important thing about disk imaging:
get the data off the suspect drive, onto your drive.
Imaging options:
-
dd if=/dev/hda of=diskfile.img
-
aimage /dev/hda diskfile.img
-
LinEn
Most tools will:
-
copy the raw device to a file
-
Compute MD5 & SHA1
Some tools will:
-
Compress image
-
Capture metadata like s/n
-
Record investigative notes
31
Once data is imaged,
the investigator has many options:
Typical “first steps” include:
• Inventory all files (resident & deleted) on disk
• Show files modified during a certain time period
• Search disk for files with “known bads” (hacker tools, child porn)
• Scan for key words
32
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
33
“Deleted files” are left on the disk because “delete”
doesn’t overwrite the actual files.
Desktop Folder
file1.jpg
file2.jpg
file3.jpg
“Free Blocks”
33
Directory FILE1 FILE2 FILE3
Deleted
Word file
FILE4 FILE5
Deleted
Word file
FILE4 JPEG3
As a result, a typical disk has many kinds of files
and data segments on it:
34
Formatting a disk just writes a new root directory.
35
Directory FILE1 FILE2 FILE3
Deleted
Word file
FILE4 FILE5
Deleted
Word file
FILE4 JPEG3
Formatting a disk just writes a new root directory.
36
Example: Disk #70: IBM-DALA-3540/81B70E32
Purchased for $5 from a Mass retail store on eBay
Copied the data off: 541MB
Initial analysis:
• Total disk sectors: 1,057,392
• Total non-zero sectors: 989,514
• Total files: 3
The files:
drwxrwxrwx 0 root 0 Dec 31 1979 ./
-r-xr-xr-x 0 root 222390 May 11 1998 IO.SYS
-r-xr-xr-x 0 root 9 May 11 1998 MSDOS.SYS
-rwxrwxrwx 0 root 93880 May 11 1998 COMMAND.COM
37
Image this disk to a file,
then use the Unix “strings” command:
% strings 70.img | more
Insert diskette for drive
and press any key when ready
Your program caused a divide overflow error.
If the problem persists, contact your program vendor.
Windows has disabled direct disk access to protect your lo
To override this protection, see the LOCK /? command for m
The system has been halted. Press Ctrl+Alt+Del to restart
You started your computer with a version of MS-DOS incompatible
version of Windows. Insert a Startup diskette matching this
OEMString = "NCR 14 inch Analog Color Display Enchanced SV
Graphics Mode: 640 x 480 at 72Hz vertical refresh.
XResolution = 640
YResolution = 480
38
% strings cont...
ling the Trial Edition
----------------------------
IBM AntiVirus Trial Edition is a full-function but time-li
evaluation version of the IBM AntiVirus Desktop Edition pr
may have received the Trial Edition on a promotional CD-RO
single-file installation program oveœr a network. The Tria
is available in seven national languages, and each languag
provided on a separate CC-ROM or as a separa
EAS.STCm
EET.STC
ELR.STCq
ELS.STC
39
% strings 70.img cont...
MAB-DEDUCTIBLE
MAB-MOOP
MAB-MOOP-DED
METHIMAZOLE
INSULIN (HUMAN)
COUMARIN ANTICOAGULANTS
CARBAMATE DERIVATIVES
AMANTADINE
MANNITOL
MAPROTILINE
CARBAMAZEPINE
CHLORPHENESIN CARBAMATE
ETHINAMATE
FORMALDEHYDE
MAFENIDE ACETATE
40
Roughly 1/3 of the discarded hard drives have
significant amounts of confidential data.
From sampling 150 hard drives
collected between 1998 and
2002, we found:
-
Thousands of credit cards
-
Financial records
-
Medical information
-
Trade secrets
-
Highly personal information
[Garfinkel & Shelat 03]
41
Network Forensics
packets
flows
logfiles
42
Capture and Analysis of:
• packets in flight
• packets after the fact
• just packet headers
• network flows
• log files
“Network Forensics”
has many different meanings.
Internet
storage
43
Internet
storage
Packets can be analyzed in flight or after capture.
44
IP options (optional)
4
0 8 16 24 32
IHL ToS total length
identification flags fragment offset
TTL protocol header checksum
source IP address
destination IP address
IP Header
20 bytes
data
Default
tcpdump
capture
size
68 bytes
source port destination port
sequence number
Acknowledgement number
off res ECN Control Window
Checksum Urgent pointer
TCP options and padding
TCP Header
20 bytes
Average
packet
size
500 bytes
Systems can capture the entire packet
or just the packet header
45
!
... 525 complete packets
Complete packets allows for reconstruction.
46
!
... 525 packet headers
10:52:16.294858 IP 192.168.1.102.58754 > www2.cnn.com.http: S
10:52:16.370616 IP www2.cnn.com.http > 192.168.1.102.58754: S
10:52:16.370700 IP 192.168.1.102.58754 > www2.cnn.com.http: .
10:52:16.371114 IP 192.168.1.102.58754 > www2.cnn.com.http: P
10:52:16.455120 IP www2.cnn.com.http > 192.168.1.102.58754: .
10:52:19.956986 IP i7.cnn.net.http > 192.168.1.102.58755: .
10:52:19.961475 IP i7.cnn.net.http > 192.168.1.102.58755: .
10:52:19.981228 IP cnn1.dyn.cnn.com.http > 192.168.1.102.58766:
10:52:19.983731 IP cl4.cnn.com.http > 192.168.1.102.58761: P
With just headers, you can only get source,
destination, size, timestamps, ports, etc.
47
10:52:16.294858 IP 192.168.1.102.58754 > www2.cnn.com.http: S
10:52:16.370616 IP www2.cnn.com.http > 192.168.1.102.58754: S
10:52:16.370700 IP 192.168.1.102.58754 > www2.cnn.com.http: .
10:52:16.371114 IP 192.168.1.102.58754 > www2.cnn.com.http: P
10:52:16.455120 IP www2.cnn.com.http > 192.168.1.102.58754: .
10:52:19.956986 IP i7.cnn.net.http > 192.168.1.102.58755: .
10:52:19.961475 IP i7.cnn.net.http > 192.168.1.102.58755: .
10:52:19.981228 IP cnn1.dyn.cnn.com.http > 192.168.1.102.58766:
10:52:19.983731 IP cl4.cnn.com.http > 192.168.1.102.58761: P
Count Source > Destination
46 i7.cnn.net.http > 192.168.1.102.58755
34 192.168.1.102.58755 > i7.cnn.net.http
26 69.22.138.51.http > 192.168.1.102.58776
24 www2.cnn.com.http > 192.168.1.102.58754
21 192.168.1.102.58776 > 69.22.138.51.http
19 192.168.1.102.58765 > i7.cnn.net.http
17 64.236.29.63.http > 192.168.1.102.58758
17 192.168.1.102.58754 > www2.cnn.com.http
16 i7.cnn.net.http > 192.168.1.102.58765
14 192.168.1.102.58759 > 64.236.29.63.http
13 72.32.153.176.http > 192.168.1.102.58769
13 192.168.1.102.58769 > 72.32.153.176.http
13 192.168.1.102.58758 > 64.236.29.63.http
12 64.236.29.63.http > 192.168.1.102.58759
10 64.236.29.63.http > 192.168.1.102.58778
10 64.236.29.63.http > 192.168.1.102.58757
Packet headers can be used to reconstruct “flows”
48
Internet
V210
Many switches and routers will report “netfow”
data directly.
Each Cisco NetFlow record contains:
• Total bytes & packets
• S&D IP addresses
• S&D ports (UDP or TCP)
• flags
• start & end time
• min & max packet size
• VLANs & ifaces
• Vendor proprietary data
49
Each computer and router generates log files.
Here’s what’s on my MacBook:
Date & Time of:
-
OS installation
-
Calendar syncs
-
Wake from sleep & time slept
-
Every program that crashed
-
Every file installed
-
Every log-in and log-out
Other information:
-
Daily amount of free space
-
Every 802.11 network found
-
Every associated network
-
50
Internet
Logfile
Repository
Log files are kept on each host;
they can be aggregated into a central location
A central repository makes the logs more
resistant to attack.
51
Some vendors call this “deep packet inspection”
or “deep packet analysis.”
Primary use is to discover inappropriate data transfer
or service use:
• Use of outside chat or web mail services.
• Leaking protected health Information.
• Restrict information
Also good for debugging networks:
• Duplicate requests
• Incomplete transactions
• Discovery of vulnerabilities
without scanning
• Cleartext usernames & passwords
storage
52
Network Traffic Monitor
Packets from network
Packet
Database
Continuously
cycling record of
the last few days,
weeks or months
archive
rules
Long term archive
Analysis
Engine
User input
Conclusion
Database
! Connections
! Data objects
Visualization
Engine
Reporting
Engine
Reports
Network Forensics Architecture
53
Packet monitoring is similar to wiretapping.
Passive Monitoring Options:
-
Use an ethernet “hub” with a
packet sniffer.
-
Set up a switched monitoring port.
-
Full-duplex networks may require
two monitoring ports.
Active Monitoring Options:
-
Monitor with a proxy or router.
-
Monitor packets at endpoints
Critical uses:
-
Attack assessment
-
Policy enforcement
“A DVR for an Internet connection.”
54
Internet Wiretapping History
1983 — Netwatch – Graphical display of Internet Traffic
1990 — First reports of hostile packet sniffers
1995 — Ardita (Harvard FAS monitored by FBI)
1997 — FBI / DOJ / Carnivore
1999 — Emergence of commercial tools
2003 — Cisco Systems adds “Lawful Intercept Controls” to switches to
allow eavesdropping on VoIP conversations “without detection”
2007 — FBI reportedly adopts large-scale Internet surveillance techniques.
55
1996: Julio Caesar Ardita used
Harvard FAS as a jump-off point
From Harvard, Ardita penetrated military and
commercial systems throughout the world.
FBI installed TCP/IP stream reassembler with
keyword trigger developed by US Army
Details at:
http://www.simson.net/ref/1996/ardita.pdf
56
1997:
US Department of Justice develops “Omnivore”
Hodge-podge of technologies:
• Monitoring of IP and
❚❚❚❚❚❚❚❚ protocols
• Intercepts stored on ZIP disks
• Solaris X.86
• Triggers on:
• SMTP username
• RADIUS
$2,315,000 development cost
http://www.epic.org/privacy/carnivore/omnivoreproposal.html
57
1998: Omnivore renamed “Carnivore”
(“gets at the meat”)
Targeting Techniques:
• email usernames, RADIUS username
• IP address, DHCP mac address
Analysis:
• Logins & Logouts
• Email “pen register” (SMTP & RFC822)
• telnet
Apparently designed for medium-sized dial-up ISPs.
Renamed Digital Collection System 2000 (DSC2000)
Reportedly abandoned in favor of commercial and open source tools
58
Is it reasonable to capture all the packets?
In 1991, Los Alamos captured all
information in and out of the lab’s
T1 on DAT tape:
• 8 gigabytes/day (50%)
Disks have gotten bigger faster
than network connections have
gotten faster.
This is an engineering problem.
Connection
GB/Day
(50% )
T1 8 GB
10 Mbit 54 GB
T3 170 GB
OC3 512 GB
OC12 2,000 GB
59
Network Forensic issues:
Scaling issues:
• Amount of data
• Quality of data (lost packets)
Analysis issues:
• String search
• Correlation
Ultimate goal of work:
• Reconstruction
• Exploration
Vendor:
• Open Source
• Commercial
60
Full-content “deep analysis” solutions:
Open Source
• Wireshark
• Snort
• Squil
Commercial in-memory:
• NFR
• Intrusic
• McAfee
• NetWitness
Commercial archiving systems:
• CA eTrust Network Forensics
• Chronicle Solutions
• NIKSUN NetDetector
• Sandstorm NetIntercept
• Network Intelligence
!
... 525 complete packets
61
Flow-based systems:
“blind” to data
Advantages:
• More economical
• Finds rogue servers and consultants
Can’t discover:
• Missing encryption
• Inappropriate encryption
• Protocols on wrong ports
Internet
V210
62
Flow-based vendors
Arbor Networks
GraniteEdge Networks
Lanscope
Mazu Networks
Q1 Labs
...and many more
Internet
V210
63
Log files: options
Open Source Options:
• syslog
Commercial Options:
• LogLogic
• Netforensics
• Q1 Labs
• Many other options...
Internet
Logfile
Repository
64
ANAL YSÌ S OF DÌ VERSÌ T Y
Ì N T HE ATTORNEY WORKFORCE
KPMG CONSUL T Ì NG JUNE 14, 2002 PAGE ES-2


The Department suIIers Irom an inadequate human resources management infrastructure.
There is widespread perception. especially among minorities. that HR practices lack
transparency. This results in attorneys perceiving that practices are unIair. The Department does
not emphasize career development. and tools Ior perIormance appraisal are deIicient. As a
result. attorneys cite poor 'people management¨ by supervisors.

Section Chiefs are an extremely critical element oI the Department`s diversity climate. They
have signiIicant authority in recruitment. hiring. promotion. perIormance appraisal. case
assignment. and career development. The Section ChieI workIorce is not diverse and turnover is
low. This pattern. combined with the generally low attention that these managers pay to staII
career development. leads minorities to perceive a lack oI advancement opportunities.

The Department`s attorney workIorce is more diverse than the U.S. legal workforce: 38°
Iemale. compared to 30° in the U.S. legal labor pool. and 15° minority. compared to 12° in
the labor pool. The Department`s attorney workIorce is about as diverse as the federal
government legal workforce. whose attorneys are 38° Iemale and 16° minority.

Hiring is serving to make the Department even more diverse: hires in 2001 were 40° Iemale
and 21° minority. In particular. the Attorney General`s Honors Program is an important
tool Ior increasing diversity. Honors Program hires in 2001 were 63° Iemale. compared to 45°
oI the law school graduating class. and 30° minority. compared to 21° oI the class oI 2001.

Minorities are significantly under-represented in management ranks. They comprise only
7° oI (career) SES attorneys and 11° oI supervisory Assistant U.S. Attorneys. Women
constitute 31° oI SESs and 37° oI supervisory AUSAs. Among GS-15 attorneys in the
Litigating Divisions. minorities comprise 11° oI non-supervisors and 6° oI supervisors. and
women comprise 37° oI non-supervisors and 33° oI supervisors.

Minorities are substantially more likely to leave the Department than whites. In 2001. the
attrition rate was 49° higher among minorities than whites. There was no diIIerence in recent
attrition between men and women.

There are also statistically significant race and/or gender effects on a number oI HR outcomes.
including starting grade. current grade. promotions. and compensation. For example. the average
minority GS attorney is currently 0.4 steps lower than the average white. and the average woman
is 0.3 steps lower than the average man. controlling Ior seniority. grade. and component.

Based on these Iindings. we recommend that the Department take the Iollowing actions:

Exercise AG- and DAG-level leadership to stress the importance oI diversity and their
commitment to it. Publicly commit the Department to parity both in diversity outcomes (e.g..
comparable representation at all levels) and in attitudes (e.g.. iob satisIaction) among all
demographic groups. IdentiIy levers Ior change. Iocusing on AAGs (who are diverse) and
Section ChieIs. Implement training oI leaders to identiIy their role in shaping work climate
issues and in eIIectuating change.


Document Forensics
65
Uses for Document Forensics
Which computer generated this document?
Who edited this document?
What was changed? When?
Is this document “authentic?”
66
Approaches for Data and Document Analysis:
Look for hidden data:
• Deleted information; previous versions
• GIDs embedded in Microsoft Word document
Look for characteristic data:
• Indicates authorship
• Indicates program used to create document.
Look for inconsistent data:
• Indicates possible tampering.
67
Privacy and Security violations result when
improperly sanitized documents are released.
Adobe PDF files:
• The New York Times published a PDF file containing the names of Iranians
who helped with the 1953 coup. (2000) (http://cryptome.org/cia-iran.htm)
• US DoJ published a PDF file “diversity report” with embarrassing
redacted information. (2003) (http://www.thememoryhole.org/feds/doj-
attorney-diversity.htm)
• Multinational Force-Iraq report (2005)
Microsoft Word Files:
• SCO Word file revealed its anti-Linux legal strategy. (2004)
• Intelligence report by Blair Government was found to be plagiarized from a
postgraduate student at the Monterey Institute of International Studies
based on transaction log (2003) (http://www.computerbytesman.com/
privacy/blair.htm)
ANAL YSÌ S OF DÌ VERSÌ T Y
Ì N T HE ATTORNEY WORKFORCE
KPMG CONSUL T Ì NG JUNE 14, 2002 PAGE ES-2


The Department suIIers Irom an inadequate human resources management infrastructure.
There is widespread perception. especially among minorities. that HR practices lack
transparency. This results in attorneys perceiving that practices are unIair. The Department does
not emphasize career development. and tools Ior perIormance appraisal are deIicient. As a
result. attorneys cite poor 'people management¨ by supervisors.

Section Chiefs are an extremely critical element oI the Department`s diversity climate. They
have signiIicant authority in recruitment. hiring. promotion. perIormance appraisal. case
assignment. and career development. The Section ChieI workIorce is not diverse and turnover is
low. This pattern. combined with the generally low attention that these managers pay to staII
career development. leads minorities to perceive a lack oI advancement opportunities.

The Department`s attorney workIorce is more diverse than the U.S. legal workforce: 38°
Iemale. compared to 30° in the U.S. legal labor pool. and 15° minority. compared to 12° in
the labor pool. The Department`s attorney workIorce is about as diverse as the federal
government legal workforce. whose attorneys are 38°Iemale and 16° minority.

Hiring is serving to make the Department even more diverse: hires in 2001 were 40°Iemale
and 21° minority. In particular. the Attorney General`s Honors Programis an important
tool Ior increasing diversity. Honors Program hires in 2001 were 63°Iemale. compared to 45°
oI the law school graduating class. and 30° minority. compared to 21° oI the class oI 2001.

Minorities are significantly under-represented in management ranks. They comprise only
7°oI (career) SES attorneys and 11°oI supervisory Assistant U.S. Attorneys. Women
constitute 31°oI SESs and 37°oI supervisory AUSAs. Among GS-15 attorneys in the
Litigating Divisions. minorities comprise 11° oI non-supervisors and 6° oI supervisors. and
women comprise 37°oI non-supervisors and 33°oI supervisors.

Minorities are substantially more likely to leave the Department than whites. In 2001. the
attrition rate was 49°higher among minorities than whites. There was no diIIerence in recent
attrition between men and women.

There are also statistically significant race and/or gender effects on a number oI HR outcomes.
including starting grade. current grade. promotions. and compensation. For example. the average
minority GS attorney is currently 0.4 steps lower than the average white. and the average woman
is 0.3 steps lower than the average man. controlling Ior seniority. grade. and component.

Based on these Iindings. we recommend that the Department take the Iollowing actions:

Exercise AG- and DAG-level leadership to stress the importance oI diversity and their
commitment to it. Publicly commit the Department to parity both in diversity outcomes (e.g..
comparable representation at all levels) and in attitudes (e.g.. iob satisIaction) among all
demographic groups. IdentiIy levers Ior change. Iocusing on AAGs (who are diverse) and
Section ChieIs. Implement training oI leaders to identiIy their role in shaping work climate
issues and in eIIectuating change.


68
Why is data left in documents?
1. Confusion between “covering data” and removing it.
2. Failure to implement “complete delete.”
3. Information that is written but never read.
69
ANAL YSÌ S OF DÌ VERSÌ T Y
Ì N T HE ATTORNEY WORKFORCE
KPMG CONSUL T Ì NG JUNE 14, 2002 PAGE ES-2


The Department suIIers Irom an inadequate human resources management infrastructure.
There is widespread perception. especially among minorities. that HR practices lack
transparency. This results in attorneys perceiving that practices are unIair. The Department does
not emphasize career development. and tools Ior perIormance appraisal are deIicient. As a
result. attorneys cite poor 'people management¨ by supervisors.

Section Chiefs are an extremely critical element oI the Department`s diversity climate. They
have signiIicant authority in recruitment. hiring. promotion. perIormance appraisal. case
assignment. and career development. The Section ChieI workIorce is not diverse and turnover is
low. This pattern. combined with the generally low attention that these managers pay to staII
career development. leads minorities to perceive a lack oI advancement opportunities.

The Department`s attorney workIorce is more diverse than the U.S. legal workforce: 38°
Iemale. compared to 30° in the U.S. legal labor pool. and 15° minority. compared to 12° in
the labor pool. The Department`s attorney workIorce is about as diverse as the federal
government legal workforce. whose attorneys are 38° Iemale and 16° minority.

Hiring is serving to make the Department even more diverse: hires in 2001 were 40° Iemale
and 21° minority. In particular. the Attorney General`s Honors Program is an important
tool Ior increasing diversity. Honors Program hires in 2001 were 63° Iemale. compared to 45°
oI the law school graduating class. and 30° minority. compared to 21° oI the class oI 2001.

Minorities are significantly under-represented in management ranks. They comprise only
7° oI (career) SES attorneys and 11° oI supervisory Assistant U.S. Attorneys. Women
constitute 31° oI SESs and 37° oI supervisory AUSAs. Among GS-15 attorneys in the
Litigating Divisions. minorities comprise 11° oI non-supervisors and 6° oI supervisors. and
women comprise 37° oI non-supervisors and 33° oI supervisors.

Minorities are substantially more likely to leave the Department than whites. In 2001. the
attrition rate was 49° higher among minorities than whites. There was no diIIerence in recent
attrition between men and women.

There are also statistically significant race and/or gender effects on a number oI HR outcomes.
including starting grade. current grade. promotions. and compensation. For example. the average
minority GS attorney is currently 0.4 steps lower than the average white. and the average woman
is 0.3 steps lower than the average man. controlling Ior seniority. grade. and component.

Based on these Iindings. we recommend that the Department take the Iollowing actions:

Exercise AG- and DAG-level leadership to stress the importance oI diversity and their
commitment to it. Publicly commit the Department to parity both in diversity outcomes (e.g..
comparable representation at all levels) and in attitudes (e.g.. iob satisIaction) among all
demographic groups. IdentiIy levers Ior change. Iocusing on AAGs (who are diverse) and
Section ChieIs. Implement training oI leaders to identiIy their role in shaping work climate
issues and in eIIectuating change.


Most Acrobat leakage is a result of Microsoft Word.
70
Microsoft Word encourages people to use the
highlight feature to eradicate data.
71
Microsoft Word encourages people to use the
highlight feature to eradicate data.
71
Microsoft Word encourages people to use the
highlight feature to eradicate data.
71
Microsoft Word encourages people to use the
highlight feature to eradicate data.
71
When Microsoft Word generates the PDF file,
“Secret Data” is covered with the black box
72
Tools for recovering hidden data in Acrobat files:
Adobe Illustrator
• Move the boxes
• Turn the boxes yellow
Adobe Acrobat Reader
• Select and copy the text
73
Adobe’s Illustrator can read and edit PDF files.
74
Select each “block box.”
75
Change the color of the box to yellow.
76
Behold the
“redacted” data.
77
MSAT
C
D
H
S
A
T
S
A
T
S
A
T
S
A
T
S
A
T
DIR JPEG
JPEG
TEXT 1
TEXT 2
Dir: 5
SSAT: 10
MSAT: 15
"Slot 5"
TEXT 1: 20
TEXT 2: 35
JPEG: 55
"20"
"30"
TEXT 1
"55"
Data can be left in a Word document in unallocated
sectors.
Microsoft Word implements a
“file system” inside every file.
78
Tools for recovering hidden Word data:
Unix strings(1) command reveals:
• Deleted text
• Names and/or usernames of author and editors
• Paths where document was saved
• GUID of system on which it was saved
Note: Text may be UTF16 (remove NULLs or use more intelligent
processing)
Other tools:
• Antiword (http://www.winfield.demon.nl/)
• catdoc
• wvText
• MITRE’s Heuristic Office File Format Analysis toolkit (HOFFA)
79
Tools for finding Microsoft Word files
Use Google!
• inurl:www.number-10.gov.uk filetype:doc confidential
80
Case study of inconsistent data:
State of Utah vs. Carl Payne
81
State of Utah vs. Carl Payne
State’s Claims:
• Victim ISP suffered devastating attack on November 6th, 1996.
• All files erased
• All router configurations cleared.
• Carl Payne, one of the company’s founders, had a falling out with the
company and was terminated on October 30th, 1996.
• Payne had the necessary knowledge to carry out the attack.
• Payne created a “back door” on his last week of employment.
• Payne’s accounts were used for the attack.
82
State of Utah vs. Carl Payne
State’s Evidence:
• 140 pages of printouts made by a local expert on the day of the attack.
• Testimony of the expert.
• Testimony of the Fibernet employees
Payne’s Defense:
• “I didn’t do it.”
• All of Payne’s account passwords had been changed when he was
terminated.
• Alibi defense: was having breakfast with a friend when attack took place.
83
/etc/shadow
(printed November 6, 1996)
84
Solaris /etc/shadow:
setup:ANImj3G8/T3m2:64455:::::::
Field 1: Username
Field 2: Encrypted Password
Field 3: Password Aging
• Number of days since January 1, 1970
Source: Solaris Documentation
85
Decoding “6645”
mysql> select from_days(to_days'1970-01-01')+6445);
+---------------------------------------+
| from_days(to_days('1970-01-01')+6445) |
+---------------------------------------+
| 1987-08-25 |
+---------------------------------------+
1 row in set (0.00 sec)
mysql>
• August 25, 1987
86
/etc/shadow
(Printed November 6, 1996 by prosecution expert witness)
9818 = November 18, 1996
6445 = August 25, 1987
9807 = November 7, 1996
9800 = October 31, 1996
87
Lessons of Utah vs. Payne
Not all “Evidence” is equal (Chain-of-custody is vital)
Evidence may not prove what you think it proves
Computer evidence lends itself to forgery
Most data isn’t tampered...
• ... but most data isn’t used for evidence.
• If data is going to be used for evidence, there is an incentive to tamper
with it.
88
Memory Forensics
What was really happening on
the subject’s computer?
89
EAX
EBX
ECX
EDX
ESI
EDI
Architectural Registers
R001
R002
R003
R004
...
Rnnn
Active Register File
L1 Cache L2 Cache
Main
Memory
Disks
Computer systems arrange memory in a hierarchy.
90
There are many ways to get access to the memory.
Unix/Linux: /dev/mem
Windows: Device Drivers
Hardware memory imagers
Firewire
• Firewire designed as a
replacement for hard drives.
• ATA drives support DMA
• So Firewire supports DMA
91
EAX
EBX
ECX
EDX
ESI
EDI
Architectural Registers
R001
R002
R003
R004
...
Rnnn
Active Register File
L1 Cache L2 Cache
Main
Memory
Disks
DMA
Controller
OHCI
1394
Controller
iPod
or
PC
It’s pretty easy to attack a system with an iPod
92
Many different kinds of information can be retrieved
from a computer’s memory.
Reading:
• Current contents of the screen
• Cryptographic Keys
• Passwords (BIOS & programs)
• Programs
• All data
Writing:
• Patch programs on the fly
• Change security levels
DMA bypasses the operating
system and the CPU.
93
Cell Phone Forensics
Who did you call?
Where have you been?
94
Cell Phone Forensics: What can be done
PHONE: Recovery of personal information (even after deletion)
• SMS messages
• Phone log
• Phone book
PHONE: Recovery of service information
• Cell sites passed, used
CELL SITES: Recovery of phone information
• Phones in the area
95
Cell phone forensics: Precautions
Turning on the phone can damage data!
• But sometimes you can’t access the data any other way
96
Paraben’s tools for cell phone forensics
Paraben “Device Seizure” to image the phone’s content.
• Acquires phone flash and some of GSM SIM card
• Understands some of the phone’s internal databases
• Views some of the photos, messages, etc.
• Only covers specific phones
“Device Seizure Toolbox” has lots of different cables.
“StrongHold Box” prevents phone from calling home.
Project-a-Phone captures screens
http://www.paraben-forensics.com/
97
Cell Phone Forensics: References & Resources
Guidelines on Cell Phone Forensics (NIST SP 800-101)
• August 2006
• http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf
Cell Phone Forensic Tools: An Overview and Analysis (NISTIR 7250)
• http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
PDA Forensic Tools: An Overview and Analysis (NISTIR 7100)
• http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
98
Software Forensics
Who authored a program?
Are two programs similar?
How old is a program?
if(dirlist.size()==0){
if(argc!=2){
fprintf(stderr,"Please specify a directory or just two AFF files.\n\n");
usage();
}
/* Must be copying from file1 to file2. Make sure file2 does not exist */
if(access(argv[1],R_OK)==0){
errx(1,"File exists: %s\n",argv[1]);
}
vector<string> outfiles;
outfiles.push_back(argv[1]);
return afcopy(argv[0],outfiles);
}
99
Anti-Forensics: Techniques,
Detection and Countermeasures
100
What is Anti-Forensics?
Computer Forensics: “Scientific Knowledge for collecting, analyzing, and
presenting evidence to the courts” (USCERT 2005)
Anti-Forensics: tools and techniques that frustrate forensic tools, investigations
and investigators
Goals of Anti-Forensics:

Avoiding detection

Disrupting information collection

Increasing the examiner’s time

Casting doubt on a forensic report or testimony (Liu and Brown, 2006)

Forcing a tool to reveal its presence

Subverting the tool — using it to attack the examiner or organization

Leaving no evidence that the AF tool has been run
101
Physical destruction makes forensic recovery
impossible.
102
One traditional Anti-Forensic technique
is to overwrite or otherwise destroy data.
Overwriting: Eliminate data or metadata (e.g. disk sanitizers, Microsoft Word
metadata “washers,” timestamp eliminators.)
Disk Sanitizers; Free Space Sanitizers; File Shredders

Microsoft Remove Hidden Data Tool; cipher.exe; ccleaner
Metadata Erasers

Example: timestomp
Hard problem: What should be overwritten?
103
Anti-Forensic tools can hide data with
cryptography or steganography.
Cryptographic File Systems (EFS, TrueCrypt)
Encrypted Network Protocols (SSL, SSH, Onion Routing*)
Program Packers (PECompact, Burneye) & Rootkits
Steganography
Data Hiding in File System Structures
• Slacker — Hides data in slack space
• FragFS — Hides in NTFS Master File Table
• RuneFS — Stores data in “bad blocks”
• KY FS — Stores data in directories
• Data Mule FS — Stores in inode reserved space
• Host Protected Areas & Device Configuration Overlay
*Onion routing also protects from traffic analysis
104
Anti-Forensics 3: Minimizing the Footprint
Overwriting and Data Hiding are easy to detect.

Tools leave tell-tale signs; examiners know what to look for.

Statistical properties are different after data is overwritten or hidden.
AF tools that minimize footprint avoiding leaving traces for later analysis.

Memory injection and syscall proxying

Live CDs, Bootable USB Tokens

Virtual Machines

Anonymous Identities and Storage
(don’t worry; we have slides for each of these)
105
Memory Injection and Userland Execve:
Running a program without loading the code.
Memory Injection loads code without having the code on the disk.

Buffer overflow exploits — run code supplied as (oversized) input
Userland Execve
— Runs program without using execve()
— Bypasses logging and access control
— Works with code from disk or read from network
106
Syscall proxying:
Running a program without the code!
Syscall Proxying

Program runs on one computer, syscalls executed on another.

Program not available for analysis

May generate a lot of network traffic

Developed by Core Security; used in Impact
Client
stub
Client
runtime
Client Application
server
stub
server
runtime
Server Application
Network
Client Kernel Server Kernel
107
Live CDs, Bootable USB Tokens, Virtual Machines:
Running code without leaving a trace.
Most forensic information is left in the file system of the running computer.
These approaches keep the attacker’s file system segregated:
— In RAM (CDs & Bootable USB Tokens)
— In the Virtual Machine file (where it can be securely deleted)
108
Anonymous Identities and Storage:
The attacker’s data may be anywhere.
Attackers have long made use of anonymous e-mail accounts.
Today these accounts are far more powerful.

Yahoo and GMail both have 2GB of storage

APIs allow this storage to be used as if it were a file system
Amazon’s Elastic Compute Cloud (EC2) and Simple Storage Service (S3)
provide high-capability, little-patrolled services to anyone with a credit card

EC2: 10 ¢/CPU hour (Xen-based virtual machines)

S3: 10 ¢/GB-Month
With BGP, it’s possible to have “anonymous IP addresses.”
1. Announce BGP route
2. Conduct attack
3. Withdraw BGP address
Being used by spammers today
(http://www.nanog.org/mtg-0602/pdf/feamster.pdf)
109
Attacking the Investigator:
AF techniques that exploit CFT bugs.
Craft packets to exploit buffer-overflow bugs in network monitoring programs
like tcpdump, snort and ethereal.
Create files that cause EnCase to crash.
Successful attacks provide:
➡ Ability to run code on the forensic appliance
➡ Erase collected evidence
➡ Break the investigative software
➡ Leak information about the analyst or the investigation
➡ Implicate the investigator
110
Attacking the Investigator:
Denial-of-Service Attacks against the CFT
Any CFT resource whose use is determined by input can be overwhelmed.

Create millions of files or identities

Overwhelm the logging facility

Compression bombs — 42.zip
The clever adversary will combine this chaff with real data, e.g.:
100
TB
215
TB
Real
Data
54
TB
500
TB
C B A D
Chaff
111
Anti-Forensic Tools can detect
Computer Forensic Tools: cat-and-mouse.
SMART (Self-Monitoring, Analysis and Reporting Technology) drives report:
• Total number of power cycles
• Total time hard drive has been on
Network Forensics can be detected with:

Hosts in “promiscuous” mode responding differently
— to PINGs.
— to malformed packets
— to ARPs

Hosts responding to traffic not intended to them (MAC vs. IP address)

Reverse DNS queries for packets sent to unused IP addresses
to: 192.168.1.250
from: 64.3.20.100
who is
64.3.20.100?
192.168.1.10
Attacker
112
Countermeasures for Anti-Forensics
Improve the tools — many CFTs are poorly written.
Save data where the attacker can’t get at it:
— Log hosts
— CD-Rs
Develop new tools:
— Defeat encrypted file systems with keyloggers.
— Augment network sniffers with traffic analysis
113
Find out more at the Forensics Wiki:
http://www.forensicswiki.org/
114
In Conclusion:
Many forensic techniques in use today can be circumvented
Circumvention tools are widely available
Common approaches:
• Overwriting data
• Encrypting data
• Anonymous identities & resources
• Exploit bugs in computer forensic tools to hide
New approaches:
• Minimizing or eliminating memory footprints
• Virtual machines
• Direct attacks against computer forensic tools
http://www.simson.net/ref/2007/slides-ICIW.pdf
115
Research directions in Computer Forensics
Environmental Data Survey Projects
• Phone systems
• Hard drives & data storage devices
• Network hosts and traffic
Theory and Algorithm Development:
• Brian Carrier 2006 PhD
• Cross-Drive Analysis
• Carving Fragmented Objects with Validation
Tool Development
• Easy-to-use tools
• Batch tools
• Data correlation
116
Forensics, Conclusion
Forensic analysis is a growth area.
Being a practitioner is hard:
• Many skills
• Many tools
• In-depth knowledge of many different systems
What is the forensics research agenda?
117
Other Resources
http://www.forensicswiki.org/
http://www/forensicwiki.com/
http://staff.washington.edu/dittrich/forensics.html
http://faculty.ncwc.edu/toconnor/426/426links.htm
118

A bit about me

Tech Journalist: 1985--2002 Entrepreneur: 1995--2002 Vineyard.NET Sandstorm Enterprises, Inc. MIT EECS: 2003--2005 Harvard Center for Research on Computation and Society: 2005-2007 Naval Postgraduate School: 2007-

“Used Hard Drives Reveal Secrets.”

2

Forensics: Dual Meaning
fo·ren·sics n. (used with a sing. verb) 1. 2. The art or study of formal debate; argumentation. The use of science and technology to investigate and establish facts in criminal or civil courts of law.
(American Heritage Dictionary, 4th Edition)

3

org) So what’s digital evidence? 4 . identification.” (Computer Forensics: Incident Response Essentials. Warren Kruse and Jay Heiser. http://www. and/or evaluation of digital evidence in legal matters.swgde.” (Scientific Working Group on Digital Evidence.) 2. documentation. “The scientific examination.Computer Forensics: Multiple Meanings 1. extraction. analysis. and interpretation of computer data. “Involves the preservation.

FORMAT doesn’t wipe disks 5 .Discover visited websites Why does this work? .Recover “deleted” files .Computer Forensics is like a magic camera Tools can go “back in time.DELETE doesn’t erase files .Computers keep extensive logs .” .Find out what was typed ..Most data is not encrypted ..View previous versions of files .free() doesn’t erase memory .

Digital Evidence is evidence found in digital systems. Brian Carrier’s PhD has several definitions for digital evidence: • “Information stored or transmitted in binary form that may be relied upon in court” [Int02] form” [Sci05] • “Information of probative value that is stored or transmitted in binary • “Information and data of investigative value that is stored on or transmitted by a computer” [Ass05] • “Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi” [Cas04] All of these definitions assume a legal process. 6 . Forensics can be used for much more.

Computer Forensics are typically used after a crime is suspected Computer break-ins: • Determine how a computer was compromised. • Determine extent of damage Make a claim about the computer’s owner: • Possession of contraband information • Copyright infringement • Theft of intellectual property • Confirm/disprove an alibi 7 .

Forensics can also be used for auditing Evaluate the privacy properties of a system Understand what’s actually going over a network Audit application performance & security Spot-check regulatory compliance: • Data disposal policies • Data flow across boundaries Audit internal information flows 8 .

the Intelligence Community must develop means to quickly respond to fleeting collection opportunities outside the Community's established operating areas. their credibility was difficult to assess and was often left to the foreign government services to judge. however. many of these sources. that if an officer willing and able to take such an assignment really is "rare" at the CIA. Intelligence Community HUMINT efforts against a closed society like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's dependence on having an official U. it takes a rare officer who can go in . a CIA officer said.This tutorial looks at the range of forensic techniques currently in use 1. . When Committee staff asked why the CIA had not considered placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons of mass destruction programs. that this was the only option available. "because it's very hard to sustain . Specific Forensic Techniques • Disk Forensics • Network Forensics • Document Forensics • Memory Forensics • Cell Phone Forensics • Software Forensics 4. i++. (U) When UN inspectors departed Iraq. and survive scrutiny | ^ | [ m | | | for a long time.0. however. The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA employee traveling to Niger. The Committee believes. %f”. the problem is less a question of resources than a need for dramatic changes in a risk averse corporate culture. The Committee also found other problems with the Intelligence Community's follow-up on the -25- 9 . Anti-Forensics 5. Senior CIA officials have repeatedly told the Committee that a significant increase in funding and personnel will be required to enable to the CIA to penetrate difficult HUMINT targets similar to prewar Iraq. that it is unfortunate. f+=3. . (U) Problems with the Intelligence Community's HUMINT efforts were also evident in the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger. The Committee found no evidence that a lack of resources significantly prevented the Intelligence Community from developing sources or inserting operations officers into Iraq. g = fmod(f.i). f). The Intelligence Community did not have a single HUMINT source collecting against Iraq's weapons of mass destruction programs in Iraq after 1998. presence in-country to mount clandestine HUMINT collection efforts. but they should be within the norm of the CIA's activities and capabilities. i." The Committee agrees that such operations are difficult and dangerous.S. . The Forensic Process 2. The Committee believes. Given the nature of rapidly evolving global threats such as terrorism and the proliferation of weapons and weapons technology. . The Intelligence Community appears to have decided that the difficulty and risks inherent in developing sources or inserting operations officers into Iraq outweighed the potential benefits. Legal Standards 3. the placement of HUMINT agents and the development of unilateral sources inside Iraq were not top priorities for the Intelligence Community. considering the significant resources available to the CIA. Civil and Criminal Applications printf(“%d.

The Forensic Process 10 .

Computer Forensics turns computer systems into courtroom testimony. Five basic steps: 1.Examination 4. National Institute of Justice 11 .Preparation 2.Analysis 5.Collection 3.Reporting Source: Electronic Crime Scene Investigation Guide.

tools.Step 1: Preparation Identify potential sources of evidence Computer system components: • Hard drives • Memory / flash / configuration • Physical configuration Web Pages on other computers Files Communication networks many of these sources. the placement of HUMINT agents and the development of unilateral sources inside Iraq were not top priorities for the Intelligence Community. "because it's very hard to sustain . Senior CIA officials have repeatedly told the Committee that a significant increase in funding and personnel will be required to enable to the CIA to penetrate difficult HUMINT targets similar to prewar Iraq. the Intelligence Community must develop means to quickly respond to fleeting collection opportunities outside the Community's established operating areas. The Intelligence Community did not have a single HUMINT source collecting against Iraq's weapons of mass destruction programs in Iraq after 1998. that this was the only option available. a CIA officer said. Intelligence Community HUMINT efforts against a closed society like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's dependence on having an official U. but they should be within the norm of the CIA's activities and capabilities. 12 . The Committee believes. presence in-country to mount clandestine HUMINT collection efforts. When Committee staff asked why the CIA had not considered placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons of mass destruction programs. . Given the nature of rapidly evolving global threats such as terrorism and the proliferation of weapons and weapons technology. and survive scrutiny | ^ | [ m | | | for a long time. . The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA employee traveling to Niger. One of the most difficult tasks is determining what to include & exclude. the problem is less a question of resources than a need for dramatic changes in a risk averse corporate culture." The Committee agrees that such operations are difficult and dangerous. considering the significant resources available to the CIA.S. their credibility was difficult to assess and was often left to the foreign government services to judge. training & procedures. that it is unfortunate. that if an officer willing and able to take such an assignment really is "rare" at the CIA. . (U) When UN inspectors departed Iraq. The Committee also found other problems with the Intelligence Community's follow-up on the -25- Each source may need its own personnel. however. The Intelligence Community appears to have decided that the difficulty and risks inherent in developing sources or inserting operations officers into Iraq outweighed the potential benefits. The Committee believes. . (U) Problems with the Intelligence Community's HUMINT efforts were also evident in the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger. The Committee found no evidence that a lack of resources significantly prevented the Intelligence Community from developing sources or inserting operations officers into Iraq. however. it takes a rare officer who can go in .

your choices include: • Passive Monitoring • Experimental Probing If the activity is over. choices include: • Make a copy • Seizure Issues to consider: • What tools are used? Are they validated? • Is the copy accurate? Is it complete? • How can you prove that the copy wasn’t modified at a later time? 13 .Step 2: Collect and Preserve the evidence If the activity is ongoing.

discard what isn’t needed 14 . author fields. Make evidence “visible” and eliminated excess.Step 3: Examination. Disk Analysis: • Examine partitions and file systems • Resident files & delete files • “Slack space” at end of files • Unallocated space between files File based evidence: • Document text • Deleted text • Metadata (creation date. etc.) Network Evidence: • Device configuration • Categorize packets.

Examples: • Hypothesis: Suspect is arrested on suspicion of child pornography • Evidence: Known child pornography on suspect’s hard drive • Hypothesis: Suspect broke into a telephone company computer and stole confidential documents. 15 . • Evidence: Hacker tools.Step 4: Analyze to determine “significance and probative value” Build a hypothesis about what happened. Look for evidence to prove or disprove hypothesis. confidential information from telco.

Look for evidence to prove or disprove hypothesis. • Counter Evidence: Documents publicly available 16 . Examples: • Hypothesis: Suspect is arrested on suspicion of child pornography • Evidence: Known child pornography on suspect’s hard drive • Counter Evidence: Root kit allowing remote access • Hypothesis: Suspect broke into a telephone company computer and stole confidential documents. • Evidence: Hacker tools. confidential information from telco.BUT: Investigators rarely look for count-evidence Build a hypothesis about what happened.

Step 5: Reporting and Testimony There are many kinds of testimony: • Written reports • Depositions • Courtroom testimony Testimony needs to include several key points: • The tools used and procedures that were followed • What was found • Examiner’s interpretation of what it means 17 .

The Digital Crime Scene Investigation model has five similar steps. Preservation Survey Documentation Search Event Reconstruction 18 .

• Investigator encounters the machine. • Information may be used for confirming/eliminating a hypotheses even if the information itself is inadmissible in court. Instead.” Goal of most investigations is to explain evidence that is observed.” • The investigator searches for data that supports or refutes the hypotheses. investigations are guided by “hypotheses. PhD Thesis.This isn’t really what happens in reality. a hypothesis must be formed that the actual data is equal to the observed data” “Hypotheses also need to be formulated about the data abstractions that exist and the previous states and events that occurred. June 2006 19 . Carrier. Brian D. • Investigator uses tools to extract and preserve information from machine “Because the observation of the data is indirect. A Hypothesis-Based Approach to Digital Forensic Investigations. • Investigations asked to answer questions about previous states or events.

Legal Standards US Federal Rules of Evidence Daubert 20 .

Testimony by Experts Rule 703.US Federal Rules of Evidence article VIII regulates the testimony of “experts” Rule 702. Court Appointed Experts These rules apply in the Federal Court.edu/rules/fre/ 21 .cornell. many states follow the rules as well • http://www.law. Opinion on Ultimate Issue Rule 705. Disclosure of Facts or Data Underlying Expert Opinion Rule 706. Bases of Opinion Testimony by Experts Rule 704.

experience. and (3) the witness has applied the principles and methods reliably to the facts of the case. if (1) the testimony is based upon sufficient facts or data. training. Testimony by Experts “If scientific. or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue. or education. may testify thereto in the form of an opinion or otherwise. (2) the testimony is the product of reliable principles and methods.” 22 . technical. skill.Rule 702. a witness qualified as an expert by knowledge.

” 23 . Facts or data that are otherwise inadmissible shall not be disclosed to the jury by the proponent of the opinion or inference unless the court determines that their probative value in assisting the jury to evaluate the expert's opinion substantially outweighs their prejudicial effect. Bases of Opinion Testimony by Experts “The facts or data in the particular case upon which an expert bases an opinion or inference may be those perceived by or made known to the expert at or before the hearing. If of a type reasonably relied upon by experts in the particular field in forming opinions or inferences upon the subject.Rule 703. the facts or data need not be admissible in evidence in order for the opinion or inference to be admitted.

24 . Opinion on Ultimate Issue (a) Except as provided in subdivision (b). testimony in the form of an opinion or inference otherwise admissible is not objectionable because it embraces an ultimate issue to be decided by the trier of fact. (b) No expert witness testifying with respect to the mental state or condition of a defendant in a criminal case may state an opinion or inference as to whether the defendant did or did not have the mental state or condition constituting an element of the crime charged or of a defense thereto.Rule 704. Such ultimate issues are matters for the trier of fact alone.

The “Daubert Standard” is supposed to keep “junk science” out of the courts. scientific) • Subject to peer review (has been published) • Generally accepted by the relevant professional community • Standards for the technique’s operation • Known error rate Surprisingly. Merrell Dow Pharmaceuticals.” Daubert v. 1-4] 25 . Daubert turns federal judges “gatekeepers. pp. digital evidence may not meet this standard. [Carrier 2006. 509 US 579 (1993) • Evidence must be “relevant” • Evidence must be “reliable” (ie.

Have no tolerance for ambiguity. .Think it’s impossible to delete anything.The “CSI Effect” causes victims and juries to have unrealistic expectations. - 26 .Expect highly produced presentations. . Prosecutors & Jurors: .

the placement of HUMINT agents and the development of unilateral sources inside Iraq were not top priorities for the Intelligence Community. considering the significant resources available to the CIA. Specific Forensic Techniques • Disk Forensics • Network Forensics • Document Forensics • Memory Forensics • Cell Phone Forensics • Software Forensics 4. that if an officer willing and able to take such an assignment really is "rare" at the CIA. . Given the nature of rapidly evolving global threats such as terrorism and the proliferation of weapons and weapons technology. f+=3. many of these sources." The Committee agrees that such operations are difficult and dangerous. that it is unfortunate. a CIA officer said. The Committee believes. presence in-country to mount clandestine HUMINT collection efforts. the problem is less a question of resources than a need for dramatic changes in a risk averse corporate culture. Senior CIA officials have repeatedly told the Committee that a significant increase in funding and personnel will be required to enable to the CIA to penetrate difficult HUMINT targets similar to prewar Iraq. %f”. . (U) When UN inspectors departed Iraq. The Committee believes. it takes a rare officer who can go in . but they should be within the norm of the CIA's activities and capabilities. (U) Problems with the Intelligence Community's HUMINT efforts were also evident in the Intelligence Community's handling of Iraq's alleged efforts to acquire uranium from Niger. i. g = fmod(f. The Committee also found other problems with the Intelligence Community's follow-up on the -25- 27 .This tutorial looks at the range of forensic techniques currently in use ✓ The Forensic Process ✓ Legal Standards 3.i). that this was the only option available.S. however. . and survive scrutiny | ^ | [ m | | | for a long time. the Intelligence Community must develop means to quickly respond to fleeting collection opportunities outside the Community's established operating areas.0. Civil and Criminal Applications printf(“%d. The Intelligence Community did not have a single HUMINT source collecting against Iraq's weapons of mass destruction programs in Iraq after 1998. Anti-Forensics 5. Intelligence Community HUMINT efforts against a closed society like Iraq prior to Operation Iraqi Freedom were hobbled by the Intelligence Community's dependence on having an official U. The Committee found no evidence that a lack of resources significantly prevented the Intelligence Community from developing sources or inserting operations officers into Iraq. . The Committee does not fault the CIA for exploiting the access enjoyed by the spouse of a CIA employee traveling to Niger. When Committee staff asked why the CIA had not considered placing a CIA officer in Iraq years before Operation Iraqi Freedom to investigate Iraq's weapons of mass destruction programs. "because it's very hard to sustain . The Intelligence Community appears to have decided that the difficulty and risks inherent in developing sources or inserting operations officers into Iraq outweighed the potential benefits. f). their credibility was difficult to assess and was often left to the foreign government services to judge. however. i++.

! " # Disk Forensics 28 .

when did the computer do what? • Flow of information • Evidence of Inappropriate use Gather Intelligence: • Names of associates • Meeting places 29 .Hard drive forensics: Typical tasks Recover: • Deleted files • Child pornography Recreate: • Timelines .

Hard drive forensics: Tools of the trade Local acquisition: • Write-Blockers prevent modification • Create an “image file” Mirror Disks: • Work with a “mirror” of original disk Network acquisition • “Encase Enterprise” allows remote forensics on live system GUI-Based Programs: • Forensic Tool Kit • Encase (Guidance Software) • Forensic Toolkit (Accessdata) 30 .

dd if=/dev/hda of=diskfile.copy the raw device to a file . Imaging options: .LinEn Most tools will: .img .Capture metadata like s/n .Record investigative notes 31 .The important thing about disk imaging: get the data off the suspect drive. onto your drive.aimage /dev/hda diskfile.Compute MD5 & SHA1 Some tools will: .Compress image .img .

Once data is imaged. child porn) • Scan for key words 32 . the investigator has many options: Typical “first steps” include: • Inventory all files (resident & deleted) on disk • Show files modified during a certain time period • Search disk for files with “known bads” (hacker tools.

jpg file2.jpg 33 .jpg file3.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files. Desktop Folder file1.

jpg file2.jpg file3.jpg 33 . Desktop Folder file1.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.

jpg file2.jpg file3.jpg 33 . Desktop Folder file1.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.

Desktop Folder file1.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.jpg file3.jpg file2.jpg 33 .

jpg 33 . Desktop Folder file1.jpg file2.jpg file3.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.

jpg 33 . Desktop Folder file1.jpg file3.jpg file2.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.

“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files. Desktop Folder file1.jpg 33 .jpg file3.jpg file2.

jpg file3.jpg 33 . Desktop Folder file1.“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.jpg file2.

“Deleted files” are left on the disk because “delete” doesn’t overwrite the actual files.jpg file2.jpg “Free Blocks” 33 . Desktop Folder file1.jpg file3.

a typical disk has many kinds of files and data segments on it: Directory FILE1 FILE2 Deleted Word file FILE3 FILE4 FILE5 FILE4 Deleted Word file JPEG3 34 .As a result.

Formatting a disk just writes a new root directory. 35 .

Formatting a disk just writes a new root directory.

Directory

FILE1

FILE2

Deleted Word file

FILE3

FILE4

FILE5

FILE4

Deleted Word file

JPEG3

36

Example: Disk #70: IBM-DALA-3540/81B70E32

Purchased for $5 from a Mass retail store on eBay Copied the data off: 541MB Initial analysis: • Total disk sectors: 1,057,392 • Total non-zero sectors: 989,514 • Total files: 3 The files:
drwxrwxrwx 0 root -r-xr-xr-x 0 root -rwxrwxrwx 0 root 0 Dec 31 1979 ./ 9 May 11 1998 MSDOS.SYS 93880 May 11 1998 COMMAND.COM -r-xr-xr-x 0 root 222390 May 11 1998 IO.SYS

37

Image this disk to a file, then use the Unix “strings” command:
% strings 70.img | more Insert diskette for drive and press any key when ready Your program caused a divide overflow error. If the problem persists, contact your program vendor. Windows has disabled direct disk access to protect your lo To override this protection, see the LOCK /? command for m The system has been halted. Press Ctrl+Alt+Del to restart You started your computer with a version of MS-DOS incompatible version of Windows. Insert a Startup diskette matching this OEMString = "NCR 14 inch Analog Color Display Enchanced SV Graphics Mode: 640 x 480 at 72Hz vertical refresh. XResolution = 640 YResolution = 480

38

% strings cont.STCm EET. and each languag provided on a separate CC-ROM or as a separa EAS.STC 39 .. ling the Trial Edition ---------------------------IBM AntiVirus Trial Edition is a full-function but time-li evaluation version of the IBM AntiVirus Desktop Edition pr may have received the Trial Edition on a promotional CD-RO single-file installation program oveœr a network..STC ELR. The Tria is available in seven national languages.STCq ELS.

.img cont. MAB-DEDUCTIBLE MAB-MOOP MAB-MOOP-DED METHIMAZOLE INSULIN (HUMAN) COUMARIN ANTICOAGULANTS CARBAMATE DERIVATIVES AMANTADINE MANNITOL MAPROTILINE CARBAMAZEPINE CHLORPHENESIN CARBAMATE ETHINAMATE FORMALDEHYDE MAFENIDE ACETATE 40 ..% strings 70.

Roughly 1/3 of the discarded hard drives have significant amounts of confidential data. we found: . From sampling 150 hard drives collected between 1998 and 2002.Trade secrets .Financial records .Highly personal information [Garfinkel & Shelat 03] 41 .Thousands of credit cards .Medical information .

Network Forensics packets flows logfiles 42 .

“Network Forensics” has many different meanings. Capture and Analysis of: • packets in flight • packets after the fact • just packet headers • network flows • log files storage Internet 43 .

Internet storage 44 .Packets can be analyzed in flight or after capture.

Systems can capture the entire packet or just the packet header 0 4 IHL 8 ToS flags 16 24 total length fragment offset header checksum 32 identification TTL protocol IP Header 20 bytes source IP address destination IP address IP options (optional) source port destination port Default tcpdump capture size 68 bytes TCP Header 20 bytes sequence number Acknowledgement number off res ECN Control Window Urgent pointer Checksum TCP options and padding data Average packet size 500 bytes 45 .

! 525 complete packets 46 .. .Complete packets allows for reconstruction..

http: P www2.58754 > www2. size.http > 192.cnn.370616 10:52:16.370700 10:52:16.983731 IP IP IP IP IP IP IP IP IP 192.cnn.371114 10:52:16.58755: .com. timestamps.com.981228 10:52:19.1. ! 525 packet headers 10:52:16.102.com.http > 192. ports.http > 192.961475 10:52:19.102.http > 192. etc.168. cnn1.102.1.cnn.With just headers.net.102.1.cnn.294858 10:52:16.http: S www2.58766: cl4.455120 10:52:19.102.58761: P 47 .58754: . 192.dyn.956986 10:52:19.102.1.102.. .cnn.58754 > www2.net. destination.168.168.cnn.1.com.com.168.1.168.cnn.com.http: . i7.102. you can only get source.cnn.cnn.1.58754: S 192.http > 192.1.58755: .168.102..168.1.168. i7.http > 192.com.168.58754 > www2.

http > 192.58755: .102.1.58754: S 192.1.102.1.168.102.168.com.http 192.102.cnn.58766: cl4.58761: P Count Source 46 i7.102.102.168.236.236.com.net.168.net.58769 72.http i7.22.236.http: P www2.102.cnn.58755 26 69.Packet headers can be used to reconstruct “flows” 10:52:16.1.http 192.58759 192.58778 192.58755 i7.58754 > www2.1.63.1.102.http: .1.102.29.http 192.cnn.29.168.168.168.981228 10:52:19. i7.net.168.1.cnn.63.http 192.168.com.58754 69.168.58754: .294858 10:52:16.956986 10:52:19.1.cnn.236.22.138.http > 192.102.1.dyn.370616 10:52:16.1.58776 19 192.http > > > > > > > > > > > > > > > > > Destination 192.63.176.168.168.29.1.102.http 10 64.176. 192.http 64.102.1.1.168.168.102.29.102.58769 13 192. i7.58776 192.58757 48 .com.http 192.58765 17 64.168. cnn1.63.168.102.102.http 10 64.370700 10:52:16.102.cnn.1.168.168.51.net.102.1.168.102.63.58754 16 i7.138.58765 64.153.http > 192.168.com.168.cnn.29.102.http > 192.http 13 192.32.com.58754 > www2.cnn.http 14 192.1.com.961475 10:52:19.236.102.168.1.371114 10:52:16.http 21 192.net.455120 10:52:19.http > 192.63.cnn.1.cnn.168.102.58755: .cnn.1.cnn.58758 12 64.cnn.32.58754 > www2.http > 192.102.1.29.1.http 24 www2.58758 www2.168.http 17 192.236.168.1.http: S www2.http 34 192.983731 IP IP IP IP IP IP IP IP IP 192.102.153.com.com.1.51.58759 13 72.1.net.cnn.102.cnn.

Internet Each Cisco NetFlow record contains: • Total bytes & packets • S&D IP addresses • S&D ports (UDP or TCP) • flags • start & end time • min & max packet size • VLANs & ifaces • Vendor proprietary data V210 49 .Many switches and routers will report “netfow” data directly.

Daily amount of free space .Calendar syncs . Here’s what’s on my MacBook: Date & Time of: .11 network found .Every log-in and log-out Other information: .OS installation .Every 802.Each computer and router generates log files.Every associated network - 50 .Every file installed .Wake from sleep & time slept .Every program that crashed .

Log files are kept on each host. Internet Logfile Repository 51 . they can be aggregated into a central location A central repository makes the logs more resistant to attack.

• Restrict information Also good for debugging networks: • Duplicate requests • Incomplete transactions • Discovery of vulnerabilities without scanning storage • Cleartext usernames & passwords 52 . • Leaking protected health Information.” Primary use is to discover inappropriate data transfer or service use: • Use of outside chat or web mail services.Some vendors call this “deep packet inspection” or “deep packet analysis.

weeks or months Long term archive Reports 53 .Network Forensics Architecture User input Network Traffic Monitor Packets from network Analysis Engine Visualization Engine Conclusion Database Reporting Engine Packet Database ! Connections ! Data objects archive rules Continuously cycling record of the last few days.

” 54 . Passive Monitoring Options: . .Attack assessment . . .Set up a switched monitoring port. Active Monitoring Options: .Monitor packets at endpoints Critical uses: .Policy enforcement “A DVR for an Internet connection.Packet monitoring is similar to wiretapping.Full-duplex networks may require two monitoring ports.Use an ethernet “hub” with a packet sniffer.Monitor with a proxy or router.

Internet Wiretapping History 1983 — Netwatch – Graphical display of Internet Traffic 1990 — First reports of hostile packet sniffers 1995 — Ardita (Harvard FAS monitored by FBI) 1997 — FBI / DOJ / Carnivore 1999 — Emergence of commercial tools 2003 — Cisco Systems adds “Lawful Intercept Controls” to switches to allow eavesdropping on VoIP conversations “without detection” 2007 — FBI reportedly adopts large-scale Internet surveillance techniques. 55 .

Ardita penetrated military and commercial systems throughout the world.simson.1996: Julio Caesar Ardita used Harvard FAS as a jump-off point From Harvard.net/ref/1996/ardita. FBI installed TCP/IP stream reassembler with keyword trigger developed by US Army Details at: http://www.pdf 56 .

epic.315.org/privacy/carnivore/omnivoreproposal.86 • Triggers on: • SMTP username • RADIUS $2.html 57 .1997: US Department of Justice develops “Omnivore” Hodge-podge of technologies: • Monitoring of IP and ❚❚❚❚❚❚❚❚ protocols • Intercepts stored on ZIP disks • Solaris X.000 development cost http://www.

RADIUS username • IP address.1998: Omnivore renamed “Carnivore” (“gets at the meat”) Targeting Techniques: • email usernames. Renamed Digital Collection System 2000 (DSC2000) Reportedly abandoned in favor of commercial and open source tools 58 . DHCP mac address Analysis: • Logins & Logouts • Email “pen register” (SMTP & RFC822) • telnet Apparently designed for medium-sized dial-up ISPs.

Is it reasonable to capture all the packets? In 1991. Los Alamos captured all information in and out of the lab’s T1 on DAT tape: • 8 gigabytes/day (50%) Disks have gotten bigger faster than network connections have gotten faster. Connection T1 10 Mbit T3 OC3 OC12 GB/Day (50% ) 8 GB 54 GB 170 GB 512 GB 2. This is an engineering problem.000 GB 59 .

Network Forensic issues: Scaling issues: • Amount of data • Quality of data (lost packets) Analysis issues: • String search • Correlation Ultimate goal of work: • Reconstruction • Exploration Vendor: • Open Source • Commercial 60 .

Full-content “deep analysis” solutions: Open Source • Wireshark • Snort • Squil Commercial in-memory: • NFR • Intrusic • McAfee • NetWitness Commercial archiving systems: • CA eTrust Network Forensics • Chronicle Solutions • NIKSUN NetDetector • Sandstorm NetIntercept • Network Intelligence . ! 525 complete packets 61 ...

Flow-based systems: “blind” to data Advantages: • More economical • Finds rogue servers and consultants Can’t discover: • Missing encryption • Inappropriate encryption • Protocols on wrong ports Internet V210 62 .

..Flow-based vendors Arbor Networks GraniteEdge Networks Lanscope Mazu Networks Q1 Labs .and many more Internet V210 63 .

Internet Logfile Repository 64 ..Log files: options Open Source Options: • syslog Commercial Options: • LogLogic • Netforensics • Q1 Labs • Many other options..

1+8!/+!>>X.&($'3!&$(4$&)1/+5!$.!+/)!31<$(.' ! "#$!%$&'()*$+)!.")"&-!$..$+!"-!$#!"+>.!&$(4$1<1+8!)#')!&('4)14$.!)#$!%$&'()*$+)B.!)#$!1*&/()'+4$!/./(*'+4$!'&&('1.1.!'+3!NH!/..! 6/20!!"#1.141$+)0!!>.!)#'+!2#1)$.-&$(<1.$U!'+3! C$4)1/+!D#1$./(.!1+!'))/(+$7.$!'))/(+$7..'!..!.7&.0!!W/*$+! 4/+.!'($!-"0#"1"/$#)56!(#%&.!&'))$(+5!4/*A1+$3!21)#!)#$!8$+$('667!6/2!'))$+)1/+!)#')!)#$.-&$(<1.!T$0805! 4/*&'('A6$!($&($./"-&!?@C!$#%!=?@C5&7&5!5&$%&.!)/!&$(4$1<$!'!6'4.!0&#%&.$!/+67! SH!/.!.1.&-&#)&%!"#!+$#$0&+&#)!.%=.5!)#')!9:!&('4)14$.!+$.$!)#$!.5!2$!($4/**$+3!)#')!)#$!%$&'()*$+)!)'.-!B./(!1+4($'.!41)$!&//(!?&$/&6$!*'+'8$*$+)@!A7!.!/.1)7!/-)4/*$.!Q(/8('*!#1($.-&E!!#1($.!6'4.&56!).-&$(<1.$(..'65!4'.$#.E! ! G4&.$! '.5!'+3!FIH!*1+/(1)75!4/*&'($3!)/!MKH!/.!'($!FGH!.-&$(<1.(..&!%"7&.$'' &"'.!1+!MIIK!2$($!OIH!..!'+3!FFH!/./66/21+8!'4)1/+..!T4'($$(U!CVC!'))/(+$7.")"/$5!&5&+&#)!/.!+/!31.1)70!!9/+/(.)1)-)$!FKH!/.18+1.(/)(.!.)$&.0! ! "#$!%$&'()*$+)B.!&'7!)/!.!1+!MIIK!2$($!NFH!.' 3!5.!I0F!./(.7!)#$1(!(/6$!1+!.$!FSH!/.$!*'+'8$(.!'A/-)!$-!%"7&.'1(0!!"#$!%$&'()*$+)!3/$.0! ! 2&/)".&!5".!4-(($+)67!I0O!..#'&1+8!2/(.!6/2$(!)#'+!)#$!'<$('8$!2#1)$5!'+3!)#$!'<$('8$!2/*'+! 1.14'+)!'-)#/(1)7!1+!($4(-1)*$+)5!#1(1+85!&(/*/)1/+5!&$(.(/*!'+!"#$%&'($)&!*(+$#!../(.!O[H!#18#$(!'*/+8!*1+/(1)1$.!'+3!FSH!/.5!'+3!4/*&$+./&5!2#/./(4$!1.(-"..1+8!31<$(.$*'6$5!4/*&'($3!)/!OLH! /.!MIIK0! ! R1+/(1)1$...'.$!KKH!/.!'))/(+$7!2/(.!4/*&(1.0.!..&!%"7&.!31<$(.<<./(.0!!>*/+8!XCYKL!'))/(+$7.&!)*&!=&>$.!.!6$'3$(.!)#$!6'2!.!+/+Y./(7!>...')1.!9:!/-)4/*$.)'()1+8!8('3$5!4-(($+)!8('3$5!&(/*/)1/+.0!!P*&6$*$+)!)('1+1+8!/.$*'6$!'+3!KNH!*1+/(1)70! ! <".$3!/+!)#$.U!'+3!1+!'))1)-3$..!'($!-+.-&$(<1.$'0 (-1)(-2.)$#)! ).-6)5!'))/(+$7.&!-(E-)$#)"$556!+.0!!"#$($!2'.18+*$+)5!'+3!4'($$(!3$<$6/&*$+)0!!"#$!C$4)1/+!D#1$.!+/+Y.1.$!'+3!)-(+/<$(!1.! +/)!$*&#'..'4)1/+U!'*/+8!'66! 3$*/8('&#14!8(/-&.7"#0!).5!*1+/(1)1$.! )('+.#&6!@&#&.0!!P3$+)1.)($.$+)')1/+!')!'66!6$<$6.!31<$(.-0!!"#$7!4/*&(1.-&$(<1.)14'667!-"0#"1"/$#)!.5!'+3! 2/*$+!4/*&(1.$($+4$!1+!($4$+)! '))(1)1/+!A$)2$$+!*$+!'+3!2/*$+0! ! "#$($!'($!'6.!+.)'.&-.$*'6$! '+3!MKH!*1+/(1)70!!P+!&'()14-6'(5!)*&!?)).! 4'($$(!3$<$6/&*$+)5!6$'3./&-!+$#$0&+&#)!"#1.$+1/(1)75!8('3$5!'+3!4/*&/+$+)0! ! ^'.$5! 0./(*'+4$!'&&('1.)'+)!J0C0!>))/(+$7.&>.!($.!213$.4#//6!8('3-')1+8!46'.1=$!4'($$(!3$<$6/&*$+)5!'+3!)//6...!'3<'+4$*$+)!/&&/()-+1)1$.$-).!"!#$%&%'()'*&+.#+&#)!5&0$5!:..!461*')$! 1.-*">!)/!.!)/!13$+)1.$/&!$#%F../!.#!3*"&1-!$./&E!!FGH! .!&11&/)-!/+!'!+-*A$(!/./(!./.'6!'($!3$.1+31+8.1/+..&0!! "#$($!1.0! ! D"#.'89:'.)+&#)!)*$#!:*")&-0!!P+!MIIK5!)#$! '))(1)1/+!(')$!2'.&'($+470!!"#1.'' ! 1345'2("%6#.&+&56!/./(4$!1.-&!)*$#!)*&!8929!5&0$5!:.!5&$7&!)*&!=&>$.!'+3!KKH!/..!.5!.1)7!461*')$0!!"#$7! #'<$!.&!$#!&4).7!6$<$(./(!4#'+8$5!.)+&#)!&7&#!+./(4$!1../(!&$(.-&!$-!)*&!1&%&.$4)-')1+8!4#'+8$0! ! ! Document Forensics 65 .$!.-&$(<1.)$&.-$.!'! ($./4-..!2/(.!'))/(+$7!2/(.!T$0805!_/A!.!/.!CVC.C../(7!>JC>..!6/2$(!)#'+!)#$!'<$('8$!*'+5!4/+)(/661+8!.')1/+0!!\/(!$]'*&6$5!)#$!'<$('8$! *1+/(1)7!XC!'))/(+$7!1.#.$5A-!<.-%&.-6).!*1+/(1)1$..$*'6$5!4/*&'($3!)/!FIH!1+!)#$!J0C0!6$8'6!6'A/(!&//65!'+3!KLH!*1+/(1)75!4/*&'($3!)/!KMH!1+! )#$!6'A/(!&//60!!"#$!%$&'()*$+)B../(.&$41'667!'*/+8!*1+/(1)1$.!'+3!1+!$.!1+!)#$! Z1)18')1+8!%1<1.!..!)#$!46'.&"5' 76".1)7!'+3!)#$1(! 4/**1)*$+)!)/!1)0!!Q-A61467!4/**1)!)#$!%$&'()*$+)!)/!&'(1)7!A/)#!1+!31<$(.5! 1+46-31+8!."#0!"-!-&.)')1.-..!T2#/!'($!31<$(.

Uses for Document Forensics Which computer generated this document? Who edited this document? What was changed? When? Is this document “authentic?” 66 .

67 .Approaches for Data and Document Analysis: Look for hidden data: • Deleted information. Look for inconsistent data: • Indicates possible tampering. previous versions • GIDs embedded in Microsoft Word document Look for characteristic data: • Indicates authorship • Indicates program used to create document.

$! '.&56!).)+&#)!&7&#!+.-&!$-!)*&!1&%&./..' 3!5...!($.org/cia-iran.$U!'+3! C$4)1/+!D#1$./(4$!1.!'($!-+.&!)*&!=&>$.!..$#.-&$(<1.'!.0!!P*&6$*$+)!)('1+1+8!/.!'($!-"0#"1"/$#)56!(#%&.$!'+3!)-(+/<$(!1.!)#$!46'..!6/2$(!)#'+!)#$!'<$('8$!2#1)$5!'+3!)#$!'<$('8$!2/*'+! 1.$*'6$5!4/*&'($3!)/!FIH!1+!)#$!J0C0!6$8'6!6'A/(!&//65!'+3!KLH!*1+/(1)75!4/*&'($3!)/!KMH!1+! )#$!6'A/(!&//60!!"#$!%$&'()*$+)B.!6'4.!6$'3$(.!5&$7&!)*&!=&>$.!'+3!NH!/./(./(*'+4$!'&&('1.1)7!461*')$0!!"#$7! #'<$!.&!$#!&4).7!6$<$(.&!5".$!*'+'8$(.&$41'667!'*/+8!*1+/(1)1$.htm) 68 .$-).#!3*"&1-!$../(7!>.-&!)*$#!)*&!8929!5&0$5!:./(.-0!!"#$7!4/*&(1.1+31+8.! 6/20!!"#1.'' ! 1345'2("%6#.&>.'1(0!!"#$!%$&'()*$+)!3/$.'65!4'.0.$5A-!<.)$&./(!&$(.!T2#/!'($!31<$(.!)/!13$+)1. (2003) (http://www.!T4'($$(U!CVC!'))/(+$7.!1+!'))/(+$7.0!!"#$($!2'.!&'7!)/!.U!'+3!1+!'))1)-3$.18+1.5! 1+46-31+8!.-&$(<1.$3!/+!)#$.1/+.C./(4$!1.!CVC..")"&-!$.!0&#%&.141$+)0!!>.7&.!+/!31.-%&.1.5!'+3!4/*&$+./(!1+4($'.!+/)!31<$(.!4-(($+)67!I0O!.! 4'($$(!3$<$6/&*$+)5!6$'3.!'+3!FFH!/..$!/+67! SH!/.')1./(..!T$0805! 4/*&'('A6$!($&($.!'))/(+$7!2/(./(4$!1.!)#$!1*&/()'+4$!/.$!)#$!../4-.-.7"#0!)..$+)')1/+!')!'66!6$<$6.$5! 0.$!.18+*$+)5!'+3!4'($$(!3$<$6/&*$+)0!!"#$!C$4)1/+!D#1$.-&$(<1.#'&1+8!2/(.0!!P3$+)1.0! ! 2&/)".&'($+470!!"#1..!&11&/)-!/+!'!+-*A$(!/.1+8!/+!>>X. (2004) ! ! ! "#$!%$&'()*$+)!.0!!W/*$+! 4/+.!)#'+!2#1)$.-&$(<1.$'' &"'.)$&.$($+4$!1+!($4$+)! '))(1)1/+!A$)2$$+!*$+!'+3!2/*$+0! ! "#$($!'($!'6. Adobe PDF files: • The New York Times published a PDF file containing the names of Iranians who helped with the 1953 coup.!9:!/-)4/*$.com/ privacy/blair.org/feds/dojattorney-diversity.!.&!%"7&.)'+)!J0C0!>))/(+$7.&-.5!2$!($4/**$+3!)#')!)#$!%$&'()*$+)!)'.!/.!MIIK0! ! R1+/(1)1$. (2000) (http://cryptome./(.-$.thememoryhole.!'+3!FSH!/.0! ! "#$!%$&'()*$+)B./!.!.!'+3!KKH!/.!)#$!6'2!...$*'6$! '+3!MKH!*1+/(1)70!!P+!&'()14-6'(5!)*&!?))."#0!"-!-&./(7!>JC>.!1+!MIIK!2$($!OIH!..&!%"7&.!+/+Y..)')1.$!FSH!/.!1+!MIIK!2$($!NFH!.#.7!)#$1(!(/6$!1+!.(/*!'+!"#$%&'($)&!*(+$#!./(.'.(-".&+&56!/..0! ! D"#.)($.1)70!!9/+/(.#+&#)!5&0$5!:.-6)./66/21+8!'4)1/+.1+8!31<$(..&($'3!&$(4$&)1/+5!$.!'! ($.-&E!!#1($.&"5' 76".!.!I0F!./(!.')1/+0!!\/(!$]'*&6$5!)#$!'<$('8$! *1+/(1)7!XC!'))/(+$7!1.computerbytesman.!461*')$! 1.<<.1)7!'+3!)#$1(! 4/**1)*$+)!)/!1)0!!Q-A61467!4/**1)!)#$!%$&'()*$+)!)/!&'(1)7!A/)#!1+!31<$(.$!KKH!/.1)7!/-)4/*$../"-&!?@C!$#%!=?@C5&7&5!5&$%&.!+$./&E!!FGH! .!41)$!&//(!?&$/&6$!*'+'8$*$+)@!A7!.$*'6$5!4/*&'($3!)/!OLH! /.1..!O[H!#18#$(!'*/+8!*1+/(1)1$.!2/(.-&$(<1..$+!"-!$#!"+>.$+1/(1)75!8('3$5!'+3!4/*&/+$+)0! ! ^'.0!!>*/+8!XCYKL!'))/(+$7.!'))/(+$7!2/(.)+&#)!)*$#!:*")&-0!!P+!MIIK5!)#$! '))(1)1/+!(')$!2'.!6/2$(!)#'+!)#$!'<$('8$!*'+5!4/+)(/661+8!..!31<$(.'6!'($!3$.&!-(E-)$#)"$556!+.!.!/.5!'+3!FIH!*1+/(1)75!4/*&'($3!)/!MKH!/.'4)1/+U!'*/+8!'66! 3$*/8('&#14!8(/-&..!)/!&$(4$1<$!'!6'4.5!.!213$.)'()1+8!8('3$5!4-(($+)!8('3$5!&(/*/)1/+.$'0 (-1)(-2.)'.htm) !"!#$%&%'()'*&+..14'+)!'-)#/(1)7!1+!($4(-1)*$+)5!#1(1+85!&(/*/)1/+5!&$(.! )('+../(*'+4$!'&&('1.5!'+3! 2/*$+!4/*&(1.!.&0!! "#$($!1.!'A/-)!$-!%"7&.!'3<'+4$*$+)!/&&/()-+1)1$.)14'667!-"0#"1"/$#)!.-*">!)/!.1=$!4'($$(!3$<$6/&*$+)5!'+3!)//6.!1+!)#$! Z1)18')1+8!%1<1.!'($!FGH!.E! ! G4&..'89:'.!+.1.!'+3!1+!$.)1)-)$!FKH!/.")"/$5!&5&+&#)!/.$4)-')1+8!4#'+8$0! • Intelligence report by Blair Government was found to be plagiarized from a postgraduate student at the Monterey Institute of International Studies based on transaction log (2003) (http://www.(/)(.!T$0805!_/A!..!31<$(.!*1+/(1)1$.$!'))/(+$7.)$#)! ).$/&!$#%F.-&$(<1..%=.!4/*&(1.5!)#')!9:!&('4)14$..$(.!&'))$(+5!4/*A1+$3!21)#!)#$!8$+$('667!6/2!'))$+)1/+!)#')!)#$.&-&#)&%!"#!+$#$0&+&#)!.(.$*'6$!'+3!KNH!*1+/(1)70! ! <"./&-!+$#$0&+&#)!"#1.!+/+Y.!Q(/8('*!#1($.! +/)!$*&#'./(!4#'+8$5!..-6)5!'))/(+$7.!.-&$(<1.htm) • Multinational Force-Iraq report (2005) Microsoft Word Files: • SCO Word file revealed its anti-Linux legal strategy.5!*1+/(1)1$.4#//6!8('3-')1+8!46'.!&$(4$1<1+8!)#')!&('4)14$.Privacy and Security violations result when improperly sanitized documents are released.#&6!@&#&.!)#$!%$&'()*$+)B../&5!2#/..' • US DoJ published a PDF file “diversity report” with embarrassing redacted information.-!B.

Why is data left in documents? 1. Information that is written but never read.” 3. 69 . Failure to implement “complete delete. 2. Confusion between “covering data” and removing it.

U!'+3!1+!'))1)-3$.0!!W/*$+! 4/+.$!)#$!.!'))/(+$7!2/(.!5&$7&!)*&!=&>$.!31<$(.141$+)0!!>.0.&-.!.-*">!)/!.1)7!'+3!)#$1(! 4/**1)*$+)!)/!1)0!!Q-A61467!4/**1)!)#$!%$&'()*$+)!)/!&'(1)7!A/)#!1+!31<$(.! +/)!$*&#'.0! ! "#$!%$&'()*$+)B.!9:!/-)4/*$.!+/+Y.!.5!)#')!9:!&('4)14$.-0!!"#$7!4/*&(1.!.$!FSH!/.!'))/(+$7!2/(.&"5' 76".!0&#%&.1...0! ! D"#.$!/+67! SH!/..!T4'($$(U!CVC!'))/(+$7.&!$#!&4).!6'4.!)/!13$+)1.'!.14'+)!'-)#/(1)7!1+!($4(-1)*$+)5!#1(1+85!&(/*/)1/+5!&$(..!T2#/!'($!31<$(.5!*1+/(1)1$.0!!P3$+)1.(/)(.')1./4-.$U!'+3! C$4)1/+!D#1$.$3!/+!)#$.!'($!-+.5!'+3!4/*&$+.!.'4)1/+U!'*/+8!'66! 3$*/8('&#14!8(/-&.!1+!'))/(+$7.!..4#//6!8('3-')1+8!46'.!1+!MIIK!2$($!OIH!.'' ! 1345'2("%6#.!6$'3$(.!4-(($+)67!I0O!.$5A-!<.(/*!'+!"#$%&'($)&!*(+$#!.0! ! 2&/)"..5!'+3!FIH!*1+/(1)75!4/*&'($3!)/!MKH!/.")"/$5!&5&+&#)!/.$*'6$5!4/*&'($3!)/!OLH! /. !"!#$%&%'()'*&+.!6/2$(!)#'+!)#$!'<$('8$!*'+5!4/+)(/661+8!.&!%"7&..&+&56!/.#+&#)!5&0$5!:.!'+3!FSH!/.-6)5!'))/(+$7.-%&..7!6$<$(.1+8!/+!>>X.#!3*"&1-!$.!CVC.1.#.!2/(.$+)')1/+!')!'66!6$<$6.&$41'667!'*/+8!*1+/(1)1$.-.C.-&$(<1.$'' &"'.<<.1+31+8.!1+!)#$! Z1)18')1+8!%1<1.0!!"#$($!2'.! )('+.Most Acrobat leakage is a result of Microsoft Word.!'+3!NH!/.&!%"7&./(..!.-!B.!+/!31./(*'+4$!'&&('1./(..' 3!5.$!.7&.!'A/-)!$-!%"7&.1=$!4'($$(!3$<$6/&*$+)5!'+3!)//6.!+/+Y.-$./"-&!?@C!$#%!=?@C5&7&5!5&$%&./(!&$(.1)7!/-)4/*$./(*'+4$!'&&('1.")"&-!$..!'! ($.-&E!!#1($./66/21+8!'4)1/+./!..../(4$!1..-&$(<1.5!'+3! 2/*$+!4/*&(1./(.0!!>*/+8!XCYKL!'))/(+$7.&>./.)+&#)!)*$#!:*")&-0!!P+!MIIK5!)#$! '))(1)1/+!(')$!2'.1)70!!9/+/(.!'+3!KKH!/.$!'+3!)-(+/<$(!1.!)#$!46'.18+*$+)5!'+3!4'($$(!3$<$6/&*$+)0!!"#$!C$4)1/+!D#1$.$4)-')1+8!4#'+8$0! ! ! 70 .!/.! 6/20!!"#1.!'3<'+4$*$+)!/&&/()-+1)1$.1/+.'6!'($!3$.!)#$!1*&/()'+4$!/..$($+4$!1+!($4$+)! '))(1)1/+!A$)2$$+!*$+!'+3!2/*$+0! ! "#$($!'($!'6..E! ! G4&.$*'6$! '+3!MKH!*1+/(1)70!!P+!&'()14-6'(5!)*&!?)).!T$0805!_/A!.-&$(<1.$!*'+'8$(.!O[H!#18#$(!'*/+8!*1+/(1)1$.7!)#$1(!(/6$!1+!.)14'667!-"0#"1"/$#)!.1)7!461*')$0!!"#$7! #'<$!../&5!2#/.!+/)!31<$(.$!'))/(+$7.&56!).)')1.!+.!T$0805! 4/*&'('A6$!($&($.&0!! "#$($!1./(7!>JC>..&!5".18+1.$#.$!KKH!/.!'+3!FFH!/./(!4#'+8$5!.!4/*&(1.!)/!&$(4$1<$!'!6'4.&($'3!&$(4$&)1/+5!$..'89:'..-&$(<1.&!)*&!=&>$.!6/2$(!)#'+!)#$!'<$('8$!2#1)$5!'+3!)#$!'<$('8$!2/*'+! 1.$5! 0.$*'6$!'+3!KNH!*1+/(1)70! ! <"..!'($!FGH!..0!!P*&6$*$+)!)('1+1+8!/.'./&-!+$#$0&+&#)!"#1..!&'))$(+5!4/*A1+$3!21)#!)#$!8$+$('667!6/2!'))$+)1/+!)#')!)#$.!.$-).)1)-)$!FKH!/.$/&!$#%F.$'0 (-1)(-2.)+&#)!&7&#!+.)($.!41)$!&//(!?&$/&6$!*'+'8$*$+)@!A7!.)'()1+8!8('3$5!4-(($+)!8('3$5!&(/*/)1/+.(-".5! 1+46-31+8!..&'($+470!!"#1./(.'65!4'../(!1+4($'.1.' ! "#$!%$&'()*$+)!.)$&./(4$!1.!)#$!6'2!.')1/+0!!\/(!$]'*&6$5!)#$!'<$('8$! *1+/(1)7!XC!'))/(+$7!1."#0!"-!-&..!213$.&-&#)&%!"#!+$#$0&+&#)!.5!2$!($4/**$+3!)#')!)#$!%$&'()*$+)!)'.)$#)! ).!/..-&$(<1.!&11&/)-!/+!'!+-*A$(!/.-&$(<1.)'.'1(0!!"#$!%$&'()*$+)!3/$.!MIIK0! ! R1+/(1)1$.-&!$-!)*&!1&%&.$(.!($.(./(4$!1.$+!"-!$#!"+>.)$&./(!.!*1+/(1)1$.1+8!31<$(..!461*')$! 1..!&'7!)/!..!Q(/8('*!#1($./(7!>.!1+!MIIK!2$($!NFH!.!&$(4$1<1+8!)#')!&('4)14$.!31<$(.! 4'($$(!3$<$6/&*$+)5!6$'3.7"#0!).$*'6$5!4/*&'($3!)/!FIH!1+!)#$!J0C0!6$8'6!6'A/(!&//65!'+3!KLH!*1+/(1)75!4/*&'($3!)/!KMH!1+! )#$!6'A/(!&//60!!"#$!%$&'()*$+)B../(.$! '.!+$.!)#$!%$&'()*$+)B./&E!!FGH! .#&6!@&#&.-&$(<1.$+1/(1)75!8('3$5!'+3!4/*&/+$+)0! ! ^'.)'+)!J0C0!>))/(+$7.!)#'+!2#1)$.%=.&!-(E-)$#)"$556!+.5!.!'($!-"0#"1"/$#)56!(#%&.-&!)*$#!)*&!8929!5&0$5!:.!'+3!1+!$.#'&1+8!2/(.!I0F!.-6).

Microsoft Word encourages people to use the highlight feature to eradicate data. 71 .

71 .Microsoft Word encourages people to use the highlight feature to eradicate data.

Microsoft Word encourages people to use the highlight feature to eradicate data. 71 .

71 .Microsoft Word encourages people to use the highlight feature to eradicate data.

When Microsoft Word generates the PDF file. “Secret Data” is covered with the black box 72 .

Tools for recovering hidden data in Acrobat files: Adobe Illustrator • Move the boxes • Turn the boxes yellow Adobe Acrobat Reader • Select and copy the text 73 .

Adobe’s Illustrator can read and edit PDF files. 74 .

Select each “block box.” 75 .

76 .Change the color of the box to yellow.

Behold the “redacted” data. 77 .

"Slot 5" CDH SAT SAT SAT SAT JPEG MSAT SAT DIR "20" Dir: 5 SSAT: 10 MSAT: 15 TEXT 1: 20 TEXT 2: 35 JPEG: 55 "55" TEXT 1 "30" TEXT 1 TEXT 2 JPEG 78 . Microsoft Word implements a “file system” inside every file.Data can be left in a Word document in unallocated sectors.

Tools for recovering hidden Word data: Unix strings(1) command reveals: • Deleted text • Names and/or usernames of author and editors • Paths where document was saved • GUID of system on which it was saved Note: Text may be UTF16 (remove NULLs or use more intelligent processing) Other tools: • Antiword (http://www.winfield.nl/) • catdoc • wvText • MITRE’s Heuristic Office File Format Analysis toolkit (HOFFA) 79 .demon.

Tools for finding Microsoft Word files Use Google! • inurl:www.gov.number-10.uk filetype:doc confidential 80 .

Case study of inconsistent data: State of Utah vs. Carl Payne 81 .

• Payne created a “back door” on his last week of employment. had a falling out with the company and was terminated on October 30th. 82 . Carl Payne State’s Claims: • Victim ISP suffered devastating attack on November 6th. one of the company’s founders. 1996.State of Utah vs. • All files erased • All router configurations cleared. • Payne had the necessary knowledge to carry out the attack. • Carl Payne. 1996. • Payne’s accounts were used for the attack.

• Alibi defense: was having breakfast with a friend when attack took place.State of Utah vs. 83 . • Testimony of the expert.” • All of Payne’s account passwords had been changed when he was terminated. • Testimony of the Fibernet employees Payne’s Defense: • “I didn’t do it. Carl Payne State’s Evidence: • 140 pages of printouts made by a local expert on the day of the attack.

/etc/shadow (printed November 6. 1996) 84 .

1970 Source: Solaris Documentation 85 .Solaris /etc/shadow: setup:ANImj3G8/T3m2:64455::::::: Field 1: Username Field 2: Encrypted Password Field 3: Password Aging • Number of days since January 1.

00 sec) mysql> 86 .Decoding “6645” • August 25. 1987 mysql> select from_days(to_days'1970-01-01')+6445). +---------------------------------------+ | from_days(to_days('1970-01-01')+6445) | +---------------------------------------+ | 1987-08-25 | +---------------------------------------+ 1 row in set (0.

1996 87 . 1996 by prosecution expert witness) 9818 = November 18. 1987 9807 = November 7. 1996 6445 = August 25./etc/shadow (Printed November 6. 1996 9800 = October 31.

Lessons of Utah vs. Payne
Not all “Evidence” is equal (Chain-of-custody is vital) Evidence may not prove what you think it proves Computer evidence lends itself to forgery Most data isn’t tampered... • ... but most data isn’t used for evidence. • If data is going to be used for evidence, there is an incentive to tamper with it.

88

Memory Forensics

What was really happening on the subject’s computer?

89

Computer systems arrange memory in a hierarchy.
Architectural Registers EAX EBX ECX EDX ESI EDI Main Memory

Active Register File R001 R002 R003 R004 ... Rnnn

L1 Cache

L2 Cache

Disks

90

There are many ways to get access to the memory. • ATA drives support DMA • So Firewire supports DMA 91 . Unix/Linux: /dev/mem Windows: Device Drivers Hardware memory imagers Firewire • Firewire designed as a replacement for hard drives.

. Rnnn L1 Cache L2 Cache Disks OHCI 1394 Controller DMA Controller iPod or PC 92 ..It’s pretty easy to attack a system with an iPod Architectural Registers EAX EBX ECX EDX ESI EDI Main Memory Active Register File R001 R002 R003 R004 .

Many different kinds of information can be retrieved from a computer’s memory. 93 . Reading: • Current contents of the screen • Cryptographic Keys • Passwords (BIOS & programs) • Programs • All data Writing: • Patch programs on the fly • Change security levels DMA bypasses the operating system and the CPU.

Cell Phone Forensics Who did you call? Where have you been? 94 .

used CELL SITES: Recovery of phone information • Phones in the area 95 .Cell Phone Forensics: What can be done PHONE: Recovery of personal information (even after deletion) • SMS messages • Phone log • Phone book PHONE: Recovery of service information • Cell sites passed.

Cell phone forensics: Precautions
Turning on the phone can damage data! • But sometimes you can’t access the data any other way

96

Paraben’s tools for cell phone forensics
Paraben “Device Seizure” to image the phone’s content. • Acquires phone flash and some of GSM SIM card • Understands some of the phone’s internal databases • Views some of the photos, messages, etc. • Only covers specific phones “Device Seizure Toolbox” has lots of different cables. “StrongHold Box” prevents phone from calling home. Project-a-Phone captures screens http://www.paraben-forensics.com/

97

Cell Phone Forensics: References & Resources
Guidelines on Cell Phone Forensics (NIST SP 800-101) • August 2006 • http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf Cell Phone Forensic Tools: An Overview and Analysis (NISTIR 7250) • http://csrc.nist.gov/publications/nistir/nistir-7250.pdf PDA Forensic Tools: An Overview and Analysis (NISTIR 7100) • http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf

98

} Software Forensics Who authored a program? Are two programs similar? How old is a program? 99 .R_OK)==0){ errx(1."File exists: %s\n".if(dirlist.argv[1]).push_back(argv[1]).outfiles). } /* Must be copying from file1 to file2.size()==0){ if(argc!=2){ fprintf(stderr.\n\n")."Please specify a directory or just two AFF files. return afcopy(argv[0]. usage(). } vector<string> outfiles. outfiles. Make sure file2 does not exist */ if(access(argv[1].

Detection and Countermeasures 100 .Anti-Forensics: Techniques.

investigations and investigators Goals of Anti-Forensics: • • • • Avoiding detection Disrupting information collection Increasing the examiner’s time Casting doubt on a forensic report or testimony (Liu and Brown. 2006) • Forcing a tool to reveal its presence • Subverting the tool — using it to attack the examiner or organization • Leaving no evidence that the AF tool has been run 101 .What is Anti-Forensics? Computer Forensics: “Scientific Knowledge for collecting. analyzing. and presenting evidence to the courts” (USCERT 2005) Anti-Forensics: tools and techniques that frustrate forensic tools.

Physical destruction makes forensic recovery impossible. 102 .

g. File Shredders • Microsoft Remove Hidden Data Tool. cipher.One traditional Anti-Forensic technique is to overwrite or otherwise destroy data.) Disk Sanitizers. ccleaner Metadata Erasers • Example: timestomp Hard problem: What should be overwritten? 103 . disk sanitizers. Overwriting: Eliminate data or metadata (e. Free Space Sanitizers. Microsoft Word metadata “washers.exe.” timestamp eliminators.

Burneye) & Rootkits Steganography Data Hiding in File System Structures • • • • • • Slacker — Hides data in slack space FragFS — Hides in NTFS Master File Table RuneFS — Stores data in “bad blocks” KY FS — Stores data in directories Data Mule FS — Stores in inode reserved space Host Protected Areas & Device Configuration Overlay *Onion routing also protects from traffic analysis 104 . Onion Routing*) Program Packers (PECompact. SSH.Anti-Forensic tools can hide data with cryptography or steganography. TrueCrypt) Encrypted Network Protocols (SSL. Cryptographic File Systems (EFS.

• Tools leave tell-tale signs. • Memory injection and syscall proxying • Live CDs. • Statistical properties are different after data is overwritten or hidden. Bootable USB Tokens • Virtual Machines • Anonymous Identities and Storage (don’t worry. examiners know what to look for. we have slides for each of these) 105 .Anti-Forensics 3: Minimizing the Footprint Overwriting and Data Hiding are easy to detect. AF tools that minimize footprint avoiding leaving traces for later analysis.

Memory Injection loads code without having the code on the disk. • Buffer overflow exploits — run code supplied as (oversized) input Userland Execve — Runs program without using execve() — Bypasses logging and access control — Works with code from disk or read from network 106 .Memory Injection and Userland Execve: Running a program without loading the code.

Syscall proxying: Running a program without the code! Syscall Proxying • Program runs on one computer. used in Impact Client Application Server Application Client stub server stub Client runtime Network server runtime Client Kernel Server Kernel 107 . syscalls executed on another. • Program not available for analysis • May generate a lot of network traffic • Developed by Core Security.

Live CDs. Bootable USB Tokens. Most forensic information is left in the file system of the running computer. These approaches keep the attacker’s file system segregated: — In RAM (CDs & Bootable USB Tokens) — In the Virtual Machine file (where it can be securely deleted) 108 . Virtual Machines: Running code without leaving a trace.

Anonymous Identities and Storage: The attacker’s data may be anywhere. Today these accounts are far more powerful. Withdraw BGP address Being used by spammers today (http://www. little-patrolled services to anyone with a credit card • EC2: 10 ¢/CPU hour (Xen-based virtual machines) • S3: 10 ¢/GB-Month With BGP.nanog.pdf) 109 .” 1. • Yahoo and GMail both have 2GB of storage • APIs allow this storage to be used as if it were a file system Amazon’s Elastic Compute Cloud (EC2) and Simple Storage Service (S3) provide high-capability.org/mtg-0602/pdf/feamster. it’s possible to have “anonymous IP addresses. Conduct attack 3. Announce BGP route 2. Attackers have long made use of anonymous e-mail accounts.

Create files that cause EnCase to crash.Attacking the Investigator: AF techniques that exploit CFT bugs. snort and ethereal. Craft packets to exploit buffer-overflow bugs in network monitoring programs like tcpdump. Successful attacks provide: ➡ Ability to run code on the forensic appliance ➡ Erase collected evidence ➡ Break the investigative software ➡ Leak information about the analyst or the investigation ➡ Implicate the investigator 110 .

zip The clever adversary will combine this chaff with real data.Attacking the Investigator: Denial-of-Service Attacks against the CFT Any CFT resource whose use is determined by input can be overwhelmed. e.: 100 215 TB TB Real Data 54 TB 500 TB Chaff A B C D 111 . • Create millions of files or identities • Overwhelm the logging facility • Compression bombs — 42.g.

1. Analysis and Reporting Technology) drives report: • Total number of power cycles • Total time hard drive has been on Network Forensics can be detected with: • Hosts in “promiscuous” mode responding differently — to PINGs.Anti-Forensic Tools can detect Computer Forensic Tools: cat-and-mouse.168.1.168. IP address) • Reverse DNS queries for packets sent to unused IP addresses to: 192.100? 192.20.20.3. SMART (Self-Monitoring. — to malformed packets — to ARPs • Hosts responding to traffic not intended to them (MAC vs.3.250 from: 64.100 Attacker who is 64.10 112 .

— Augment network sniffers with traffic analysis 113 .Countermeasures for Anti-Forensics Improve the tools — many CFTs are poorly written. Save data where the attacker can’t get at it: — Log hosts — CD-Rs Develop new tools: — Defeat encrypted file systems with keyloggers.

forensicswiki.org/ Find out more at the Forensics Wiki: 114 .http://www.

In Conclusion: Many forensic techniques in use today can be circumvented Circumvention tools are widely available Common approaches: • • • • Overwriting data Encrypting data Anonymous identities & resources Exploit bugs in computer forensic tools to hide New approaches: • Minimizing or eliminating memory footprints • Virtual machines • Direct attacks against computer forensic tools http://www.pdf 115 .simson.net/ref/2007/slides-ICIW.

Research directions in Computer Forensics Environmental Data Survey Projects • Phone systems • Hard drives & data storage devices • Network hosts and traffic Theory and Algorithm Development: • Brian Carrier 2006 PhD • Cross-Drive Analysis • Carving Fragmented Objects with Validation Tool Development • Easy-to-use tools • Batch tools • Data correlation 116 .

Being a practitioner is hard: • Many skills • Many tools • In-depth knowledge of many different systems What is the forensics research agenda? 117 .Forensics. Conclusion Forensic analysis is a growth area.

html http://faculty.washington.Other Resources http://www.htm 118 .edu/toconnor/426/426links.org/ http://www/forensicwiki.forensicswiki.ncwc.edu/dittrich/forensics.com/ http://staff.

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.