Computer Forensics

By Rob Ferrill

Forensics in a Nutshell
- Evidence Seizure
- Investigation and Analysis
- Reporting Results

"Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system" (Farmer and Venema)
Forensic and Investigative Essentials - SANS ©2004

Do You Have a Plan? Planning and Policy
- Do you have an incident response policy in place?
- External incident: intrusions, denial of service, viruses
- Internal incident: theft of service, intellectual property theft, policy abuse, malicious intent

Forensic Fortifying Your Network
- System time
  - GMT or local
  - Use Network Time Protocol
- Network logs
  - Firewalls, IDS, file servers, e-mail
- Backups
  - Critical servers and tertiary servers
- Hash databases

Forensic Definitions
- Evidence
- Best evidence
- Chain of custody
- Images
- Dirty word list
- Incident response forensics
- Media analysis

Evidence
- Definition: something that tends to establish or disprove a fact
- What potentially can be the smallest piece of evidence?
  - 4 bytes
  - An IP address in hex

Best Evidence Rule
- Definition: the original writing must be offered as evidence unless it is unavailable, in which case other evidence, like copies, notes, or other testimony, can be used
- Accurate representation of original data on a system
- Extracted data may be introduced as evidence

Chain of Custody
- Establishes each person who has had custody of the evidence
- Establishes continuity of possession
- Proof of integrity of the handling of the evidence collected

Chain of Custody Items
1. Date and time item was seized
2. Location and who it was obtained from
3. Make, model, and serial number
4. Description of evidence
5. Name of individual(s) who collected evidence
6. Full name and signature of person receiving evidence
7. Hash values (if available; MD5sum is fine) of evidence, if able to obtain
8. Case number and item (tag) number of evidence
9. Pertinent technical data (drive geometry)

Image
- What is an "image"? A bit-for-bit copy of the original evidence gathered from a system
- Could include:
  - Hard drive (logical or physical)
  - Memory
  - Removable media

Dirty Word Lists
- Keywords specific to your case
- A list used to search for hits on the hard drive
- Modified during an investigation as you perform your analysis
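As an added example (not from the SANS slides), the following Python script applies a dirty word list to a raw image the way the "Dirty Word Lists" and "Evidence" slides describe: it scans for case keywords and for a 4-byte packed IPv4 address, and reports the byte offset and 512-byte sector of each hit so it can be located in the original evidence. The image contents, keywords and the 203.0.113.7 address are constructed sample data.

```python
"""Dirty-word-list search over a raw disk image (constructed sample data)."""
import re
import socket
from dataclasses import dataclass

SECTOR = 512  # assumed sector size for reporting hits


@dataclass
class Hit:
    term: str       # dirty word or dotted IP that matched
    offset: int     # byte offset in the image
    sector: int     # sector number (offset // SECTOR)
    context: bytes  # surrounding bytes to help triage the hit


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'image': zero filler with a few planted artifacts."""
    img = bytearray(4096)
    planted = {
        100: b"ACME_PAYROLL.xls",                # a file name of interest
        900: b"Confidential memo - do not copy",
        2048: socket.inet_aton("203.0.113.7"),  # IP stored as 4 raw bytes (TEST-NET-3)
    }
    for off, blob in planted.items():
        img[off:off + len(blob)] = blob
    return bytes(img)


def search_dirty_words(image: bytes, words, ips=()) -> list[Hit]:
    """Return every hit for the dirty-word list and packed IPs, sorted by offset."""
    hits = []
    for word in words:
        # Case-insensitive search on raw bytes, so file names and text both hit.
        pattern = re.compile(re.escape(word.encode()), re.IGNORECASE)
        for m in pattern.finditer(image):
            hits.append(Hit(word, m.start(), m.start() // SECTOR,
                            image[max(0, m.start() - 8):m.end() + 8]))
    for ip in ips:
        packed = socket.inet_aton(ip)  # 4 bytes: the "smallest piece of evidence"
        start = 0
        while (idx := image.find(packed, start)) != -1:
            hits.append(Hit(ip, idx, idx // SECTOR, image[idx:idx + 4]))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


if __name__ == "__main__":
    image = build_sample_image()
    for hit in search_dirty_words(image, ["payroll", "confidential", "budget"], ["203.0.113.7"]):
        print(f"{hit.term!r} at offset {hit.offset} (sector {hit.sector}): {hit.context!r}")
```

A 4-byte packed address will match by chance in many places on a real multi-gigabyte image, so each IP hit should be checked against its surrounding bytes (the `context` field) before it is treated as evidence; keyword hits are less ambiguous but still need the same review, and the list is expected to grow as the analysis turns up new names and terms.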

Evidence Integrity
- Ensure that the evidence has not been altered
- Bit-image copies
- Locked and limited-access cabinet
- Use cryptographic hashes to ensure integrity of original evidence and copies

Evidence Hashes
- Electronic evidence is used as input
- Non-reversible
- No two "different" files can create the same hash
- Ideal way to ensure integrity
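As an added example (not from the SANS slides), the Python below ties the "Chain of Custody Items", "Evidence Integrity" and "Evidence Hashes" slides together: it hashes an evidence stream with MD5 (the algorithm named on the slides) and SHA-256 (a second algorithm added here, since MD5 collisions are now practical), stores the nine chain-of-custody items in a record, and re-verifies the hashes at every hand-off so an altered copy is caught. The evidence bytes, names, case number and drive data are constructed sample values.

```python
"""Evidence hashing and chain-of-custody record keeping (constructed sample data)."""
import hashlib
from dataclasses import dataclass, field

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never sits fully in memory


def hash_evidence(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests of an evidence stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        md5.update(data[i:i + CHUNK])
        sha256.update(data[i:i + CHUNK])
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


@dataclass
class CustodyRecord:
    """Items 1-9 from the chain-of-custody list, plus a hand-off log."""
    seized_at: str            # 1. date and time seized (UTC)
    location: str             # 2. location ...
    obtained_from: str        #    ... and who it was obtained from
    make_model_serial: str    # 3. make, model, serial number
    description: str          # 4. description of evidence
    collected_by: str         # 5. who collected it
    received_by: str          # 6. who received it (signature stays on the paper form)
    hashes: dict              # 7. hashes taken at seizure
    case_item: str            # 8. case number / item tag
    technical_data: str       # 9. e.g. drive geometry
    transfers: list = field(default_factory=list)


def verify_integrity(record: CustodyRecord, data: bytes) -> bool:
    """True if the current bytes still match the hashes taken at seizure."""
    return hash_evidence(data) == record.hashes


def hand_off(record: CustodyRecord, to_person: str, when: str, data: bytes) -> bool:
    """Log a custody transfer, re-hashing the evidence at the hand-off."""
    ok = verify_integrity(record, data)
    record.transfers.append({"to": to_person, "at": when, "hash_verified": ok})
    return ok


def build_sample_case():
    """Constructed evidence: a 4 KiB pattern, an exact copy and a tampered copy."""
    original = bytes(range(256)) * 16
    good_copy = bytes(original)
    tampered = bytearray(original)
    tampered[1000] ^= 0xFF  # a single flipped byte is enough to change every hash
    record = CustodyRecord(
        seized_at="2004-01-01T10:00:00Z", location="Server room B (constructed)",
        obtained_from="J. Example, sysadmin", make_model_serial="ExampleDisk 40GB SN 0000",
        description="Hard drive from web server", collected_by="Examiner 1",
        received_by="Evidence custodian", hashes=hash_evidence(original),
        case_item="CASE-0001 / item 3", technical_data="CHS 4865/255/63 (constructed)",
    )
    return record, good_copy, bytes(tampered)


if __name__ == "__main__":
    record, good_copy, tampered = build_sample_case()
    print("copy verified:", hand_off(record, "Analyst A", "2004-01-02T09:00:00Z", good_copy))
    print("tampered copy verified:", hand_off(record, "Analyst B", "2004-01-03T09:00:00Z", tampered))
    print(record.transfers)
```

The hashes taken at seizure are the reference for everything that follows: each hand-off and each working copy is compared against them, and a mismatch in the transfer log is the signal that the chain has been broken and the item must be re-examined before analysis continues.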

Forensic Incident Response
- Initially focuses on verification of the incident
- Initial concern is to triage the incident to prevent further potential damage to evidence
- Techniques highlight gathering evidence:
  - Minimize data and evidence loss
  - Avoid adding data to the system through your actions
- Recovery and downtime are major concerns

Media Analysis
- Focuses on processing copies of evidence gathered at the incident scene (i.e. an image)
- Is not considered evidence gathering but evidence analysis
- Primarily used to find specific data pertaining to the crime
- Uses forensic workstations and automated tools to parse through gigabytes of data

Forensic Principles
Four forensic principles = success:
1. Minimize data loss
2. Record everything
3. Analyze all data collected
4. Report your findings

Recording Your Actions
Four reasons to take good notes:
1. May have to duplicate the setup
2. Explain how you took down the computer
3. May be called upon to testify
4. Witness' notes can be used as a refresher

Think Like A Hacker
- Some incidents are just the tip of the iceberg
  - Usually one compromised system means you will find others
  - Always investigate due to this fact
- Wiretap?
  - Contemplate watching the hacker enter back into the system
  - See what he is doing and what he is after

Avoiding Common Mistakes
- Adding your own data to the system
- Killing any processes on the system
- Accidentally touching timestamps
- Using untrusted commands or tools
- Adjusting the system prior to evidence seizure (power off, patching, updates)
