2010 Organization of Bar Investigators Conference
Computer Forensics, Crime & Investigators
October 6, 2010
Andreas Kaltsounis, Sherry Johnson

Trends in Computer Usage & Crime
• Computer Usage
  Email, Text-Messaging
  PDAs and Smartphones
  Social Networking
• Computer Crime
  Botnets
  Computer Intrusions & Corporate Espionage

What We Can Do
• Define HOW proprietary data was stolen, and HOW MUCH of it was stolen
• Detect the alteration of documents, images, or other files
• Track internet usage and web activity
• Create a timeline of user activity on a system
• Recover emails and other files that have been “deleted”
• Document unauthorized access to systems or servers (intrusions)
• Identify the use of anti-forensics (cleaning utilities)

What We Can’t Do
• Recover information if it has been truly deleted (that is, overwritten)
• Tell you with certainty WHO was using a computer
• Conduct an examination without access to the drive, or on a physically damaged drive

Digital Forensics
What types of investigations can Digital Forensics support?
• Thumb (Jump) Drives
• CD/DVD Forensics
• Camera Forensics
• Copier Hard Drives
• Cell Phone Forensics
  Call Detail Records
  Text Messages
  GPS & Tower Location Data

Forensic Evidence – Where to Start
• Forensic Examinations

What is Digital (Computer) Forensics
Need to Substantiate:
• What was being done on the computer / device
• When it was being done
• Who (user account) was doing it

What type of information can you get from Digital Forensic analysis?
• Could be as little as 4 words carved from a deleted file
• Or a part of a picture carved from unallocated space

Forensics 101 – Don’t Take Actions That Will Change the Evidence
• What not to do
  Allow anyone to “look around”, open, close, move, or copy
  Hitting a key could trigger an undesired change
  Not always best to pull the plug and turn the system off
• What to do
  Have a forensic expert with you or someone you can call
  Document all actions taken
  If the system is on, have it checked for encryption
  Make decisions as to the best way to take the image
  [There are several forensically acceptable ways to take an image of a live system, but the actions need to be well documented.]

Tying Evidence to:
• Who
• What
• When
• How
• (Why)
• (Where)

Tying Evidence to: Who
Who has been using this system?
• SAM Registry File
  Last Logon Time may not be useful if the system has been left on for days

Tying Evidence to: Who
Which user was the last one to use the system?
• Compare Time/Date of all user NTUSER.DAT files
• Compare the last used NTUSER file to the SYSTEM file Last Access Time/Date

Tying Evidence to: Who
What can be used to establish a connection to the suspect?
• Non-Digital Forensics:
  Phone records
  Door cards
  Video monitors
  Witnesses
• Check Log Files
  Applications used by suspect
  Chat file logs

Tying Evidence to: Who
Chat Logs

Tying Evidence to: Who
Is there a QUICK way to check across suspect-related files?
• Filter on User SID
• Review All Files
• Sort by Last Access

Tying Evidence to: Who
How to DEBUNK the Malware / Virus defense?
“I didn’t do it… Malware, Viruses or hackers did it”
• Establish multiple indicators of Who was on the computer and When
• Prove Malware / Virus is not on the system
• Prove the Malware / Virus found is designed to do … and would not have created this body of evidence of wrongdoing

Tying Evidence to: What
Using the Suspect’s personal config file (NTUSER.DAT)
• gmail Password & Time / Date Last Used (Written)
• Google User ID & Password, with Time / Date Used
• Documents Most Recently Used & Time / Date (Open and/or Saved)
• Recent Documents Used & Time / Date
• Internet Form Data & Time / Date
  Captures any information typed into a web form
• eBay User ID and Password & Time / Date
• Shell Folders
  Lists default locations for the information relevant to this user
• Typed URLs
  Created by the user, showing an intended action (typed or pasted)
  Will be “deleted” when the user clears their Internet Explorer History
  The lower the number, the more recently the URL was accessed

Tying Evidence to: What
Where / When has the suspect gone on the web? (Local Settings\ personal config folder)
• User Internet History (History.IE5)
  Websites visited
  Index.DAT (Master History Index File)
  Clear History will drop and create a new file, but the old file is still there until overwritten
  The user actually clicked on these links or went there!!
Tying Evidence to: What
Web – Internet History (History.IE5)

Tying Evidence to: What
Web – Internet History: Temporary Internet Files

Tying Evidence to: What
Was a File Printed?
• *.EMF files

Tying Evidence to: What
What files did the suspect (try to) delete – Recycle Bin? (separate folder for each user)
• Info2 file

Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices)
• Local Drive
• Local to External Drive
• External Drive
• Network Drive

Tying Evidence to: What
What Other Devices Have Been Connected?
• IDE/USB/USBStore
  [Cameras may not always be found under USBSTORE; also look in USB.]
  [Multifunctional devices will have a line for each function: fax, copier, printer, scanner]

Tying Evidence to: What
When was the file created and Who created it? Has the file been changed and When / Who has changed it?
• Meta Data
Meta Data File Information (varies by type of file):
  Creator (Author) Name
  Last Author
  Date Created
  Date Last Printed
  Date Last Modified
  Tracked Changes by Author
  Last Name to Modify
  Hidden Objects
  Hidden Text
  # of Revisions
  Total Editing Time
  Smart Tag Captured Information
  [Track Changes needs to have been turned on in WORD]
  [Word documents can maintain past revisions and up to 10 of the last authors to edit the file.]

Meta data around files (article)
The New Metadata Rules: What a busy attorney won’t take the time to tell you, and how it affects the legal IT department, by Donna Payne, Payne Consulting Group
http://www.payneconsulting.com/pub_books/articles/pdf/ILTAPayneMetadata.pdf

Tying Evidence to: What
Are there Similar Files or Other Versions of the file?
• Meta Data based on MD5 Hash

Tying Evidence to: What
What applications were used recently?
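A *.LNK shortcut keeps the target’s own creation, access and write times and size in its fixed header (MS-SHLLINK), which is why a shortcut can still show that a file existed on a USB stick or network share that is no longer present. The following is an added example, not material from the presentation: it parses that fixed header with Python’s standard library and runs it against a header constructed inline; the sample timestamps and size are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"   # 76-byte fixed ShellLinkHeader
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def build_sample_lnk(created, accessed, written, size, flags=0x01, attrs=0x20):
    """Constructed test input: only the fixed header, carrying the target's three
    FILETIMEs and size; real .LNK files continue with IDList/LinkInfo/strings."""
    return struct.pack(HEADER_FMT, 76, LINK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)

def parse_lnk_header(data):
    """Decode the fixed header; raise ValueError if this is not a shell link."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ct, at, wt, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:76])
    if hdr_size != 76 or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link")
    return {
        "has_id_list": bool(flags & 0x01),     # target path lives in the IDList
        "has_link_info": bool(flags & 0x02),   # volume / network share info follows
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ct),
        "target_accessed": filetime_to_datetime(at),
        "target_written": filetime_to_datetime(wt),
        "target_size": size,
    }

# Constructed sample: a link to a 4 KiB file last written 2010-09-30 14:05 UTC
SAMPLE_LNK = build_sample_lnk(datetime(2010, 9, 30, 14, 5, tzinfo=timezone.utc),
                              datetime(2010, 10, 1, 8, 0, tzinfo=timezone.utc),
                              datetime(2010, 9, 30, 14, 5, tzinfo=timezone.utc), 4096)

if __name__ == "__main__":
    for k, v in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{k}: {v}")
```

On a real shortcut, read the file’s bytes and pass them to parse_lnk_header; the target path itself sits in the IDList and LinkInfo structures that follow the header.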
• Prefetch – use to locate Malware

Tying Evidence to: What
What applications were used recently?
• Prefetch – use to locate cleaners (CCleaner), defrag, and backup (Carbonite – remote backup site/service) software
  [Listing the related / dependent files and processes for Carbonite backup]

Tying Evidence to: What / Who
Are there Emails and Attachments related to scope and suspect?

Tying Evidence to: When
Has the System Time/Date Been Changed?
• Changes tracked in the Security.EVT registry log file
• Use an Event Viewer
  FSPRO Labs Eventlogxp.Com
• Manually (re)setting the system time creates an Event ID # 520
• Meaning of Event IDs for different OS: WWW.EventID.Net
• Networked computers synchronize local clocks with a time server on the Internet or an intranet.

Tying Evidence to: When
Time & Date Change in Event Viewer

Tying Evidence to: When / What / Who
When did the Suspect and Events coincide? – Timelines
Using the Suspect’s personal config file (NTUSER.DAT)
• UserAssist shows what windows they had open
• RecentDocs (also used under What)
• MRU lists
  OpenSaveMRU
  MapNetworkDriveMRU
  Explorer\RunMRU
  Explorer\StreamMRU

How can a suspect change critical File Times? Create / Access / Modify
Laptops & Desktops
• Copy from one folder to another
  Updates the Creation date to the current date
  No change to Modify date
• Move from one folder to another
  No change to Modify or Create dates
USB Storage Devices
• Copy or Move from one folder to another is the same as for laptops / desktops
• Copy file from USB to laptop/desktop
  Updates Creation date
  No change to Modify date
• Move file from USB to laptop/desktop
  No change to Modify or Create dates

Anti (Counter)-Forensics
• Recently recognized as a legitimate field of study
• “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.” (Dr. Marc Rogers of Purdue University)
• “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” (Scott Berinato in his article, The Rise of Anti-Forensics)

Anti (Counter)-Forensics
From Wikipedia
• Anti-forensics methods are often broken down into several subcategories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.

Anti (Counter)-Forensics
Windows Based
• Windows Defrag
• Format and reinstall the OS
• Copying / Moving large amounts of data around repeatedly

Anti (Counter)-Forensics
OS (Re)Installation

Anti (Counter)-Forensics
Registry Cleaners
• PCTools Registry Doctor
• XP Medic (XPMedic.com)
• Registry Patrol (registrypatrol.com)

Anti (Counter)-Forensics
Software Examples
• Metasploit – Anti-Forensic Toolkit / Anti-Forensic Investigation Arsenal (MAFIA)
• Transmogrify
  Trail-obfuscation program. In most file types the header of the file contains identifying information. A (.jpg) would have header information that identifies it as a (.jpg), a (.doc) would have information that identifies it as a (.doc), and so on. Transmogrify allows the user to change the header information of a file, so a (.jpg) header could be changed to a (.doc) header. A forensic examination searching for images (.jpg) on a machine would simply see a (.doc) file and skip over it.
• Slacker
  A program used to hide files within the file slack space on a Windows computer
• Darik’s Boot and Nuke – disk wiping software

Anti (Counter)-Forensics
Software Examples
• Timestomp
  Goal is to allow for the deletion or modification of time stamp related information on files.
  There are four (4) date and time stamps that files display which are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table.
  Note: Although this program is designed to frustrate forensic analysis, its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. The Windows operating system records at least some timestamp information; the total absence of such is a dead giveaway that a user has tried to hide something. On the flip side, if the values are simply changed to believable values, then there is little chance the change(s) will be noticed at a casual glance.

Anti (Counter)-Forensics
Wiping Tools
• Eraser (free & ready to install)
• CCleaner (free)
• Window Washer ($29.95)
  Erases browser history, cookies & cache
  Protects passwords and personal information
  Permanently deletes unwanted files
  Frees up space on HD
  Removes cookies and unnecessary files
  Sets automatic cleanings
• Evidence Eliminator ($29.95)
  Erase all tracks of internet activity
  Internet & Windows tracks erasing

Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner

Useful Tools
Read-Only Hard Drive Viewing (Live image)
• Paraben P2 eXplorer
• Smart Mount
• Mount Image Pro
Used For:
• Running Software Used on Suspect’s System
• Running Anti-Virus / Anti-Malware Software Against Suspect’s System
• Safe Way to Walk Through Suspect’s System As They Used It, without having to restore their system

Gaining Access To:
• Emails
• ISP Data
• Cloud Computing
• Electronically Stored Information (ESI)

I Need Electronic Evidence – So How Do I Get It?
• Forensic Expert
  Trained and Certified
  Identify the Goal and the Scope of the Examination
• Search Warrants & Subpoenas

Questions???
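The copy/move rules above (a copy refreshes Created but leaves Modified, a move changes neither) and the Timestomp note (blank timestamps are a giveaway, believable ones are not) both reduce to checking a file’s timestamps against each other and against the image. This added example, written for this page rather than taken from the presentation, encodes those checks in Python over a constructed timestamp export; the whole-second check is a common examiner heuristic that the slides do not state, and every path and time below is invented.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like a forensic tool's timestamp export: NTFS
# Created / Modified / Accessed stamps in UTC. None marks a stamp the tool
# could not read (Timestomp can blank all of them). All values are made up.
def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

IMAGE_ACQUIRED = utc(2010, 10, 1, 12, 0, 0)   # when the drive image was taken
SAMPLE_FILES = [
    {"path": r"C:\Docs\budget.xlsx", "created": utc(2009, 3, 2, 9, 15, 0, 437000),
     "modified": utc(2010, 6, 11, 16, 42, 10, 123456), "accessed": utc(2010, 9, 30, 8, 1, 5, 90210)},
    {"path": r"C:\Docs\plans.doc", "created": utc(2010, 9, 28, 22, 3, 41, 552000),
     "modified": utc(2009, 11, 5, 10, 0, 0, 880000), "accessed": utc(2010, 9, 28, 22, 3, 41, 552000)},
    {"path": r"C:\Docs\notes.txt", "created": utc(2008, 1, 1, 0, 0, 0),
     "modified": utc(2008, 1, 1, 0, 0, 0), "accessed": utc(2008, 1, 1, 0, 0, 0)},
    {"path": r"C:\Docs\secret.zip", "created": None, "modified": None, "accessed": None},
    {"path": r"C:\Docs\old.pdf", "created": utc(2011, 2, 14, 3, 0, 0, 15),
     "modified": utc(2011, 2, 14, 3, 0, 0, 15), "accessed": utc(2011, 2, 14, 3, 0, 0, 15)},
]
STAMPS = ("created", "modified", "accessed")

def assess(rec, acquired_at):
    """Return indicator tags for one file's timestamps."""
    values = [rec[k] for k in STAMPS]
    if all(v is None for v in values):
        # Slides: Windows always records some timestamp; total absence is a giveaway.
        return ["timestamps_wiped"]
    tags = []
    if any(v is not None and v > acquired_at for v in values):
        tags.append("post_acquisition_time")   # later than the image itself: not believable
    c, m = rec["created"], rec["modified"]
    if c and m and m < c:
        # Slides: a copy updates Created and keeps Modified, so Modified < Created means
        # the file was copied into this location and Created is the time of the copy.
        tags.append("copied_here")
    if all(v is not None and v.microsecond == 0 for v in values):
        # Not from the slides: stamps set to a human-typed value usually carry no
        # sub-second part. FAT media also round times, so treat this as a lead only.
        tags.append("whole_second_times")
    return tags or ["consistent"]

def assess_all(records, acquired_at=IMAGE_ACQUIRED):
    return {r["path"]: assess(r, acquired_at) for r in records}

if __name__ == "__main__":
    for path, tags in assess_all(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(tags)}")
```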
Contact Information
Andreas Kaltsounis
Department of Defense Inspector General
Defense Criminal Investigative Service
Seattle Resident Agency
(206) 553-0699 x222
[email protected]

Sherry Johnson
Fraud & Digital Forensic Investigation, LLC
Digital Forensic Examiner
Certified Fraud Examiner
(206) 551-6227