Forensics
Roadmap
Incidents & Crimes and Responding to them
Vulnerabilities, Threats, Incidents/Crimes
Types of incidents/crime
Roadmap
Forensic Investigations
Objectives of investigations
The process
How to handle evidence
Components of computers
Central Processing Unit (CPU)
Basic Input and Output System (BIOS)
Memory
Peripherals (disks, printers, scanners, etc.)
Boot Sequence
What happens when you turn the computer on?
CPU reset: when turned on, the CPU is reset and the BIOS is activated
Power-On Self Test (POST) performed by BIOS:
Boot Sequence
Disk boot: loading of the operating system from disk into memory. The bootstrap is in Read-Only Memory.
IMPORTANT POINTS
The CMOS chip contains important evidence on the configuration. If the battery powering the CMOS is down, important evidence may be lost (Moussaoui case, 2003).
If the computer is rebooted, the data on the hard disk may be altered (for example the time stamps on files).
Hence the importance of booting from a floppy and accessing the CMOS setup during boot-up.
Disk Storage
Data is stored on the disk over concentric circles called tracks (heads). When the disks are stacked, the set of tracks with identical radius is collectively called a cylinder. The disk is also divided into wedge-shaped areas called sectors.
Disk capacity is given by the product of the number of cylinders, tracks, and sectors (and the bytes per sector). Each sector usually stores 512 bytes.
Disk Storage
Zoned Bit Recording (ZBR) is used by disk manufacturers to ensure that all tracks are the same size. Otherwise the inner tracks will hold less data than the outer tracks.
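As an added illustration of the capacity formula above (not code from the course slides), the Python below computes the capacity of a disk from a constructed cylinder/head/sector geometry and maps a sector's linear (LBA) number to its cylinder/head/sector address and back, which is how a sector, the boot sector included, is located on such a disk. The geometry values are made up; sectors per track are taken as constant, ignoring ZBR.

```python
# Added example, not from the course slides: CHS disk geometry arithmetic.
# Capacity = cylinders x heads (tracks per cylinder) x sectors per track x bytes per sector.
# lba_to_chs / chs_to_lba give the classic BIOS mapping used to locate one sector.
from dataclasses import dataclass

SECTOR_BYTES = 512  # the "usual" sector size from the slides


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int    # tracks per cylinder, one per platter surface
    sectors: int  # sectors per track, assumed constant (ZBR ignored)

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors

    def capacity_bytes(self) -> int:
        return self.total_sectors() * SECTOR_BYTES

    def lba_to_chs(self, lba: int) -> tuple[int, int, int]:
        # Cylinders and heads count from 0, sectors from 1 (BIOS convention).
        if not 0 <= lba < self.total_sectors():
            raise ValueError(f"LBA {lba} is outside the disk")
        cylinder, rem = divmod(lba, self.heads * self.sectors)
        head, sector0 = divmod(rem, self.sectors)
        return cylinder, head, sector0 + 1

    def chs_to_lba(self, cylinder: int, head: int, sector: int) -> int:
        if not (0 <= cylinder < self.cylinders and 0 <= head < self.heads
                and 1 <= sector <= self.sectors):
            raise ValueError("CHS address is outside the disk")
        return (cylinder * self.heads + head) * self.sectors + (sector - 1)

    def byte_offset(self, cylinder: int, head: int, sector: int) -> int:
        # Where a hex editor would have to seek to show this sector.
        return self.chs_to_lba(cylinder, head, sector) * SECTOR_BYTES


if __name__ == "__main__":
    g = Geometry(cylinders=1024, heads=16, sectors=63)  # constructed geometry
    print(g.capacity_bytes())        # 528482304 bytes
    print(g.lba_to_chs(1000))        # (0, 15, 56)
    print(g.byte_offset(0, 0, 1))    # 0: the boot sector is the first on the disk
```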
Disk Storage
The tracks on disks may be one of:
Boot track (containing partition and boot information)
Tracks containing files
Slack space (unused parts of blocks/clusters)
Unused partition (if the disk is partitioned)
Unallocated blocks (usually containing data that has been deleted)
(When the program execution is complete, the allocated memory reverts to the operating system. Such unallocated memory is not physically erased, just the pointers to it are deleted.)
Data Representation
While all data is ultimately represented in binary form (ones and zeroes), editors that display data in hexadecimal or ASCII format are valuable in forensics. They allow you to see features that are otherwise not visible.
Popular tools for viewing such files include WinHex (www.winhex.com), Hex Workshop (www.hexworkshop.com), and Norton Disk Edit (www.symantec.com).
Data Representation: Important point
One should be careful in using such editors, since data can be destroyed inadvertently.
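To make the slack-space point from the earlier slide and the hex/ASCII view concrete, here is an added example (not part of the slides and not any of the tools named above) that constructs a small cluster-based volume in memory, writes a short file over the clusters of an older, "deleted" one, and dumps the resulting file slack in the offset/hex/ASCII layout such editors show. The cluster size and the file contents are constructed; nothing on a real disk is opened.

```python
# Added example, not from the slides or any of the tools named above: file slack
# in a cluster-based volume, shown in the hex/ASCII layout those editors use.
# The volume is constructed in memory (never opened for writing on a real disk).
CLUSTER = 512      # constructed: one 512-byte sector per cluster
N_CLUSTERS = 4


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart}  {asc}")
    return "\n".join(lines)


def build_volume() -> bytes:
    vol = bytearray(CLUSTER * N_CLUSTERS)
    # 1. An older file once occupied clusters 1-2 and was then "deleted":
    #    only its pointers went away, the bytes stayed on disk.
    old = (b"OLD SECRET MEMO: transfer approved 2003 " * 30)[:CLUSTER * 2]
    vol[CLUSTER:CLUSTER * 3] = old
    # 2. A new, shorter file is written into cluster 1; the rest of that
    #    cluster is not wiped, so the old bytes survive as file slack.
    new = b"hello world\n"
    vol[CLUSTER:CLUSTER + len(new)] = new
    return bytes(vol)


def file_slack(vol: bytes, start_cluster: int, file_size: int) -> tuple[int, bytes]:
    """Return (offset, bytes) of the unused tail of the file's last cluster."""
    clusters_used = -(-file_size // CLUSTER)            # ceiling division
    end_of_data = start_cluster * CLUSTER + file_size
    end_of_alloc = (start_cluster + clusters_used) * CLUSTER
    return end_of_data, vol[end_of_data:end_of_alloc]


if __name__ == "__main__":
    vol = build_volume()
    off, slack = file_slack(vol, start_cluster=1, file_size=12)
    print(f"{len(slack)} bytes of slack at offset {off:#x}")
    print(hexdump(slack[:48], base=off))     # the deleted memo is still readable
```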
Computer Networks
How are internet communications organised?
How do the internet protocols work?
What are some of the vulnerabilities caused by the internet protocols?
Networking
The Internet Model:
Application Layer (http, telnet, email client, ...)
Transport Layer: responsible for ensuring data delivery (port-to-port). Protocols: TCP and UDP. Envelope name: segment.
Network Layer:
Physical Layer:
Protocol Layering
[Figure: protocol layering and routing between Host A and Host B via a Router. Application Layer: Message; Transport Layer: Packet; Network Layer: Datagram; Link Layer: Frame; Physical Network.]
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)
Protocols
[Figure: protocol example from the source slides; labels: 8:50, Index.html]
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)
TCP: Some Protocol Vulnerabilities
UDP: Some Protocol Vulnerabilities
Digital Evidence
Sources of evidence on the internet?
Evidence can reside on the computers, network equipment (routers, for example), and on servers.
Various tools are available to extract evidence from these sources.
Evidence on Workstations, Servers: Locations (continued)
Evidence on Workstations, Servers, Network: Important Points
Types of Evidence
Physical evidence (computers, network equipment, storage devices, ...)
Testimonial evidence
Circumstantial evidence
______________________
Admissible evidence (evidence that a court accepts as legitimate)
Hearsay evidence
Hearsay Evidence: Exception
A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with Rule 902(11), Rule 902(12), or a statute permitting certification, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.
Source: Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/rules.htm
Characteristics of Evidence
2. Notification of incident
1. Whom to notify,
2. what to document,
3. choice of language
3. Protection of evidence
1. Audit records
2. Time-tagged actions taken in the investigation
3. Details of all external conversations
4. Collecting evidence
4. Containment
1. Decision whether to shut down the system
2. How to shut down the system without losing or corrupting the evidence
5. Eradication
Evidence Collection Principles
Maintain chain of custody of the evidence
Maintaining Chain of Custody
Memory:
In MS-Windows 2000, setting up the Registry to enable capturing memory.dmp manually
Using Dumpchk.exe to generate memory dump
Objectives of the Investigative Process
Acceptance: Process has wide acceptance
Reliability: Methods used can be trusted to support findings
Repeatability: Process can be replicated
Integrity: Trust that the evidence has not been altered
Cause & Effect: Logical relationship between suspects, events, evidence
Documentation: Recording of evidence
Computer Forensics
How to handle evidence?
What to search/seize?
What kind of evidence to gather?
How?
Documenting the evidence gathered
How to maintain the authenticity of evidence?
Incident Handling
How to handle incidents?
MEDIUM
Property destruction, illegal download of music/files or unauthorised software, unauthorised use of system for personal data, acts by disgruntled employees, illegal hardware access/trespass, theft (minor)
Application detected incidents
Abnormal behavior of an application
Inappropriate use of application (e.g., unauthorised access)
Unauthorised change of data (e.g., defacement of web pages, alteration of data, ...)
Whether to report incidents?
Policies
Who can add or delete users?
Who can access machines remotely?
Who has root level access to what resources (SetUID and sudo privileges)?
Control over pirated software
Who can use security related software (network scanning/snorting, password cracking, etc.)?
Policy on internet usage
System backups
Systems backups help investigation by providing benchmarks so that changes can be studied.
Unix:
dump: dump selected parts of an object file
cpio: copy files in and out of cpio archives
tar: create tape archives and add or extract files
dd: convert and copy a file
System backups
Windows:
Programs | Accessories | System Tools | Backup
NTBACKUP: part of the NT Resource Kit
Backup: from disk to disk
What to search/seize?
Public investigations (criminal, usually by law enforcement agencies) vs. corporate investigations.
Public investigations, with search warrants, can seize all computers & peripherals, but the Fourth Amendment provides protection.
Corporate investigators may not have the authority to seize computers, but may only be allowed to make bit-stream copies of drives.
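As an added example (not from the slides) tying together the bit-stream copy just mentioned, the dd-style block copy from the backup slide, the Integrity objective of the investigative process and the chain-of-custody principle, the Python below copies a constructed drive image block by block, hashes source and copy, records each handling step in a custody log, and shows that a single altered byte in the image is detected on re-verification. The case id, custodian name, paths and drive contents are constructed placeholders; the image is read whole for hashing, which is fine at this size.

```python
# Added example, not from the slides: bit-stream copy of a drive image block by block (as
# dd bs=512 would), hashed and logged step by step in a chain-of-custody list; the case id,
# custodian, paths and drive contents are constructed placeholders.
import hashlib, os, tempfile
from datetime import datetime, timezone

BLOCK = 512  # sector-sized blocks, as dd bs=512 would copy

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # whole-file read: fine for a small image

def bitstream_copy(src: str, dst: str) -> int:
    """Copy every byte of src, block by block, without parsing any filesystem."""
    total = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while block := fin.read(BLOCK):
            fout.write(block)
            total += len(block)
    return total

def log_custody(log: list, case_id: str, item: str, action: str, by: str, digest: str) -> None:
    log.append({"case": case_id, "item": item, "action": action, "by": by,
                "sha256": digest, "utc": datetime.now(timezone.utc).isoformat()})

def acquire(drive: str, image: str, log: list, case_id="CASE-0000", by="examiner") -> bool:
    log_custody(log, case_id, drive, "seized and hashed", by, sha256_file(drive))
    bitstream_copy(drive, image)
    log_custody(log, case_id, image, "bit-stream copy made and hashed", by, sha256_file(image))
    return log[-1]["sha256"] == log[0]["sha256"]   # copy is byte-identical to the source

def verify(image: str, log: list) -> bool:
    """Integrity check: the image still matches the digest recorded when it was made."""
    return sha256_file(image) == log[-1]["sha256"]

def demo(nbytes: int = BLOCK * 7 + 100) -> dict:
    """Run on a constructed drive image in a temp dir; returns the outcome of each check."""
    with tempfile.TemporaryDirectory() as d:
        drive, image = os.path.join(d, "drive.bin"), os.path.join(d, "image.dd")
        with open(drive, "wb") as f:
            f.write(os.urandom(nbytes))                # stand-in for a seized drive
        log: list = []
        identical = acquire(drive, image, log)
        intact = verify(image, log)
        with open(image, "r+b") as f:                  # simulate one altered byte
            b = f.read(1); f.seek(0); f.write(bytes([b[0] ^ 0xFF]))
        return {"identical": identical, "intact": intact, "entries": len(log),
                "tamper_detected": not verify(image, log), "size": os.path.getsize(image)}
```

Calling `demo()` returns the check results as a dict; a real acquisition would write the log entries to a file kept separately from the image.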