SlideShare a Scribd company logo

Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

Download as PPT, PDF
John Bambenek, profile picture
John Bambenek

The seminar covers various aspects of cybercrime and computer forensics, including types of computer crime, legal issues, and the importance of chain of custody in evidence collection. Key topics include the differences between incident response and forensics, data acquisition methods, as well as tools like hashing for ensuring data integrity. Additionally, the seminar emphasizes the complexity of evidence collection from hard drives, memory, networks, and other digital sources.

Technology
Related topics:
Digital Forensics
1 of 23
Downloaded 24 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Cybercrime and Computer Forensics Seminar Chicago Bar Association Mar 25th , 2011 John C. A. Bambenek Chief Forensic Examiner, Bambenek Consulting jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312-725-HACK (4225)
Agenda  Types of Actionable Computer Crime  Incident Response versus Forensics  Laws Related to Computer Forensics  Chain of Custody and Data Acquisition  Hard drive Forensics  Registry Examination  Memory Forensics  Network Forensics  Log / Server Forensics  File Metadata
Types of Actionable Computer Crime  Identity Theft  Electronic Fraud (ACH or Credit Card)  Spamming  Website Defacement / Denial of Service  Unauthorized Access / Misuse of Access  Cyberbulling  Trade Secret Theft  National Security Issues
Obstacles to Cybercrime Prosecution  Relatively new are in the law / law not caught up with technology  International in scope / non-extradition treaty countries  Limited resources & skillsets within law enforcement  Near constant level of criminal activity  Organized crime involvement and sophisticated business models  Security tool development lags criminal tool development
Incident Response vs. Forensics  Incident response = “Something bad happened, fix it”  Forensics = Acquisition of evidence for potential litigation  Can include e-Discovery  Organizations should have prepared in advance for this decision  Some incidents are not worth pursuing in criminal or civil court  Forensics is much more time-consuming and expensive  In both cases, how someone “got in”, what did they do once there  May not be concerned with attribution
Laws Relating to Forensics  Wire fraud (18 USC § 1343)  Computer Fraud and Abuse Act (18 USC § 1030)  Electronic Communications Privacy Act (18 USC § 2510)  Stored Communications Act (18 USC § 2701)  Digital Millennium Copyright Act (17 USC § 512 et al) **
Legal Issues Relating to Forensics  Ownership of Hardware  Big issue with Cloud Computing  Ownership of Data  Expectation of Privacy  Not supposed to monitor users if they reasonably believe their actions are private  Chain of Custody / Evidence Preservation  Hard to have a case if chain of custody is broken or evidence has been corrupted
What kinds of evidence can be collected?  Physical drives  System memory  Network transmissions  System/Server Logs  Other sources?
Chain of Custody  Physical possession of data is standard chain of custody  How do you prove chain of custody on electronic information?  Cryptographic hashing  Prevention of evidence contamination  Analyze only digital copies  Use “write-blockers” for physical drives  Difficult for “live system” analysis  Keeping notes for all tasks performed on “live system”
Hashing  Hashing uses an encryption algorithm to generate a pseudo-random string of text to represent a unique file (or hard drive)  Small changes cause large changes in the hash  Example: “Chicago Bar Association.” vs “Chicago Bar Association!”  MD5:  03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38  SHA1:  7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
Hard drive data acquisition  Can be done on a “live system” or a system that is off  On a “live system” data is constantly changing, which can be problematic  Involves a bit-copy of a drive into a “virtual drive” file for examination  Hashes taken before and after to ensure no data is contaminated  Drive left in safe, all analysis done on copies “virtual drive”
Hard drive basics  Hard drives are collections of ones and zeroes, even when mostly empty  File tables connect files to actual “addresses” on the drive to where the data that comprises that file is stored and attributes of the file (like MAC times).  When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive and those parts of the drive can be later overwritten with new files.  Government standards require multiple “wipes” of a drive to confirm deletion  Data may hide also in “slack space”
Hard drive basics  So you have a drive image, now what?  Search for all deleted files  Search for all files added, deleted or modified at a certain time  Search files for specific strings  Search for files of a specific type  Examine key system files (configuration files, startup scripts, system registry)  Depends heavily on the nature of the incident  Iterative process that is more art than science
MAC times  MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.  All files have MAC times associated with them (even deleted ones).  These times can help provide a search pattern for “important” files to an incident. (i.e. if something happened at 3pm Jan 11th , you’d look for any file with a MAC time near that same time).
Windows Registry  Windows Operating systems keep a wide variety of information in the system registry (can be accessed live using RegEdit command).  Most recently used programs  Most recently entered commands  Most recently viewed documents  Typed URLs in IE  Unique hardware addresses for USB keys accessed on system  This can be used to create a “timeline” of activity on the machine
Memory Forensics  Must be done on a “live” machine, memory disappears without power*  Contains:  All running programs (even those deleted from the disk)  Any encryption keys in use (makes for easy decrypting)  In some cases, passwords  Memory is constantly changing  Evidence “changes” over time, may have to work with multiple memory files
Network forensics  In essence, the same as wiretapping a phone call except with data  Most network switches allow for capturing live traffic from a machine  What are you looking for:  Who is talking to this machine  Who is this machine talking to  When is it happening  What is being communicated  Encryption?
Log forensics  Servers associated with a subject computer may have valuable information  E-mail logs can show all mail sent from a target computer  DHCP / DNS logs may show when the machine was on and who it was communicating with  If configured, can show who accessed a machine even if the machine has had its own logs wiped  Web server logs can show attacks in progress and how servers were exploited
E-mail Forensics  E-mails all come with headers that give a wealth of information to identify the sender.  Can show:  IP Address of sender  Can show all mailservers users  Potentially can show true username of sender  Shows when message really sent  Gives unique message ID which can be used to track messages in mail server logs
E-mail headers Return-path: <kthompson@davismcgrath.com> Envelope-to: jcb@bambenekconsulting.com Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500 Received: from mailhost.davismcgrath.com ([12.233.219.123]) by thebox.pentex-net.com with esmtp (Exim 4.69) (envelope-from <kthompson@davismcgrath.com>) id 1PzXoi-0000mf-Fw for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500 Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com (Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com> for <jcb@bambenekconsulting.com>; Tue, 15 Mar 2011 12:16:42 -0500 From: "Kevin A. Thompson" <kthompson@davismcgrath.com> To: <jcb@bambenekconsulting.com> References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com> <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> In-Reply-To: <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> Subject: RE: CBA - CLE/Seminar? Date: Tue, 15 Mar 2011 12:16:39 -0500 Message-ID: <020b01cbe334$bf146320$3d3d2960$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA Content-Language: en-us
File Metadata  Many file types include metadata in them to indicate the creating user, when modified, etc.  Metadata can be examined even on machines you don’t control  Cell phones can be notorious about including metadata with image files.  This may even include GPS coordinates of where a picture was taken.  Office documents (especially with track changes) can show every person who touched a file  In some cases, can include content that has been “redacted” when viewed normally.
Other data sources  Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files  Tablets and iPads  Online social network content (in particular, media)  Blog comments, forum posts  Webmail accounts  Google
Questions? John Bambenek jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312 – 725 – HACK (4225)

More Related Content

PPTX
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
 
PPTX
Intro to cyber forensics
Chaitanya Dhareshwar
 
PDF
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
PPT
Cyber Crimes & Cyber Forensics
jahanzebmunawar
 
PPTX
Anti forensic
Milap Oza
 
PDF
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
 
PDF
Digital Forensics
Vikas Jain
 
PPT
Cyber forensic standard operating procedures
Soumen Debgupta
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
 
Intro to cyber forensics
Chaitanya Dhareshwar
 
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
Cyber Crimes & Cyber Forensics
jahanzebmunawar
 
Anti forensic
Milap Oza
 
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
 
Digital Forensics
Vikas Jain
 
Cyber forensic standard operating procedures
Soumen Debgupta
 

What's hot (20)

PPTX
Computer forensics
Ramesh Ogania
 
PPT
Digital Forensics
Nicholas Davis
 
PPTX
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Pankaj Choudhary
 
PPT
Role of a Forensic Investigator
Agape Inc
 
PPT
computer forensics
Akhil Kumar
 
PDF
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
PPT
Computer Forensic
Tawhidur Rahman
 
PDF
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
PPT
Introduction to computer forensic
Online
 
PPTX
Chapter 3 cmp forensic
shahhardik27
 
PDF
Private Browsing: A Window of Forensic Opportunity
Aung Thu Rha Hein
 
PPTX
Digital forensic tools
Parsons Corporation
 
DOCX
Digital forensics Steps
gamemaker762
 
PPT
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 
PDF
Cyber Forensics Module 2
Manu Mathew Cherian
 
PPT
Computer Forensics
alrawes
 
PPT
Computer +forensics
Rahul Baghla
 
PDF
The Future of Digital Forensics
00heights
 
PPT
Computer forensics
Lalit Garg
 
PDF
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Computer forensics
Ramesh Ogania
 
Digital Forensics
Nicholas Davis
 
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Pankaj Choudhary
 
Role of a Forensic Investigator
Agape Inc
 
computer forensics
Akhil Kumar
 
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
Computer Forensic
Tawhidur Rahman
 
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
Introduction to computer forensic
Online
 
Chapter 3 cmp forensic
shahhardik27
 
Private Browsing: A Window of Forensic Opportunity
Aung Thu Rha Hein
 
Digital forensic tools
Parsons Corporation
 
Digital forensics Steps
gamemaker762
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 
Cyber Forensics Module 2
Manu Mathew Cherian
 
Computer Forensics
alrawes
 
Computer +forensics
Rahul Baghla
 
The Future of Digital Forensics
00heights
 
Computer forensics
Lalit Garg
 
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Ad

Viewers also liked (7)

PPTX
Digital Forensics: Yesterday, Today, and the Next Frontier
The Lorenzi Group
 
PPTX
Sri Lankan Context for Electronic Commerce
Upekha Vandebona
 
PDF
Computer forensic
Singgih Prasetya
 
PPTX
Computer forensic 101 - OWASP Khartoum
OWASP Khartoum
 
PPTX
Computer forensics powerpoint presentation
Somya Johri
 
DOC
Master of Ceremony Script
Bella Meraki
 
DOC
Emcee Script
Sini.sinta Kita
 
Digital Forensics: Yesterday, Today, and the Next Frontier
The Lorenzi Group
 
Sri Lankan Context for Electronic Commerce
Upekha Vandebona
 
Computer forensic
Singgih Prasetya
 
Computer forensic 101 - OWASP Khartoum
OWASP Khartoum
 
Computer forensics powerpoint presentation
Somya Johri
 
Master of Ceremony Script
Bella Meraki
 
Emcee Script
Sini.sinta Kita
 
Ad

Similar to Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011 (20)

PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PPTX
Computer forensics
deaneal
 
PPTX
Razorback slides-1.1
Sourcefire VRT
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PPT
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
PPTX
Digital Forensics
Oldsun
 
PPTX
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
PPTX
Msra 2011 windows7 forensics-troyla
CTIN
 
PPTX
Digital Forensic ppt
Suchita Rawat
 
PPTX
First Responders Course- Session 1 - Digital and Other Evidence [2004]
Phil Huggins FBCS CITP
 
PPTX
Digital Forensics (compter) lab 2 2023.pptx
moehab2020
 
ODT
Operating System Forensics
ArunJS5
 
PPT
Computer Forensics &amp; Windows Registry
aradhanalaw
 
PPTX
Analysis of digital evidence
rakesh mishra
 
DOCX
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
ODP
Ece seminar 20070927
Todd Deshane
 
PPTX
Computer forensics libin
libinp
 
DOCX
CHAPTER 7 Authentication and Authorization On
MaximaSheffield592
 
PPT
Registry forensics
Prince Boonlia
 
PPT
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Computer forensics
deaneal
 
Razorback slides-1.1
Sourcefire VRT
 
Debian Linux as a Forensic Workstation
Vipin George
 
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
Digital Forensics
Oldsun
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
Msra 2011 windows7 forensics-troyla
CTIN
 
Digital Forensic ppt
Suchita Rawat
 
First Responders Course- Session 1 - Digital and Other Evidence [2004]
Phil Huggins FBCS CITP
 
Digital Forensics (compter) lab 2 2023.pptx
moehab2020
 
Operating System Forensics
ArunJS5
 
Computer Forensics &amp; Windows Registry
aradhanalaw
 
Analysis of digital evidence
rakesh mishra
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Ece seminar 20070927
Todd Deshane
 
Computer forensics libin
libinp
 
CHAPTER 7 Authentication and Authorization On
MaximaSheffield592
 
Registry forensics
Prince Boonlia
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 

More from John Bambenek (18)

PPTX
THOTCON - The War over your DNS Queries
John Bambenek
 
PPTX
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
PPTX
I'm All Up in Your Blockchain - Hunting Down the Nazis
John Bambenek
 
PPTX
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
John Bambenek
 
PPTX
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
John Bambenek
 
PPTX
SANSFIRE - Elections, Deceptions and Political Breaches
John Bambenek
 
PPTX
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
PPTX
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
PPTX
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
PPTX
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
 
PPTX
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
PPTX
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
PDF
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
PPTX
Blackhat USA 2014 - The New Scourge of Ransomware
John Bambenek
 
PDF
IESBGA 2014 Cybercrime Seminar by John Bambenek
John Bambenek
 
PDF
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
PDF
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
PPTX
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
John Bambenek
 
THOTCON - The War over your DNS Queries
John Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
I'm All Up in Your Blockchain - Hunting Down the Nazis
John Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
John Bambenek
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
John Bambenek
 
SANSFIRE - Elections, Deceptions and Political Breaches
John Bambenek
 
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Blackhat USA 2014 - The New Scourge of Ransomware
John Bambenek
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
John Bambenek
 

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
August Patch Tuesday
Ivanti
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Approach and Philosophy of On baking technology
30anthuong17
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
A Presentation on Artificial Intelligence
memembruh336
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
A Presentation on Touch Screen Technology
memembruh336
 

Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

  • 1. Cybercrime and Computer Forensics Seminar Chicago Bar Association Mar 25th , 2011 John C. A. Bambenek Chief Forensic Examiner, Bambenek Consulting jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312-725-HACK (4225)
  • 2. Agenda  Types of Actionable Computer Crime  Incident Response versus Forensics  Laws Related to Computer Forensics  Chain of Custody and Data Acquisition  Hard drive Forensics  Registry Examination  Memory Forensics  Network Forensics  Log / Server Forensics  File Metadata
  • 3. Types of Actionable Computer Crime  Identity Theft  Electronic Fraud (ACH or Credit Card)  Spamming  Website Defacement / Denial of Service  Unauthorized Access / Misuse of Access  Cyberbulling  Trade Secret Theft  National Security Issues
  • 4. Obstacles to Cybercrime Prosecution  Relatively new are in the law / law not caught up with technology  International in scope / non-extradition treaty countries  Limited resources & skillsets within law enforcement  Near constant level of criminal activity  Organized crime involvement and sophisticated business models  Security tool development lags criminal tool development
  • 5. Incident Response vs. Forensics  Incident response = “Something bad happened, fix it”  Forensics = Acquisition of evidence for potential litigation  Can include e-Discovery  Organizations should have prepared in advance for this decision  Some incidents are not worth pursuing in criminal or civil court  Forensics is much more time-consuming and expensive  In both cases, how someone “got in”, what did they do once there  May not be concerned with attribution
  • 6. Laws Relating to Forensics  Wire fraud (18 USC § 1343)  Computer Fraud and Abuse Act (18 USC § 1030)  Electronic Communications Privacy Act (18 USC § 2510)  Stored Communications Act (18 USC § 2701)  Digital Millennium Copyright Act (17 USC § 512 et al) **
  • 7. Legal Issues Relating to Forensics  Ownership of Hardware  Big issue with Cloud Computing  Ownership of Data  Expectation of Privacy  Not supposed to monitor users if they reasonably believe their actions are private  Chain of Custody / Evidence Preservation  Hard to have a case if chain of custody is broken or evidence has been corrupted
  • 8. What kinds of evidence can be collected?  Physical drives  System memory  Network transmissions  System/Server Logs  Other sources?
  • 9. Chain of Custody  Physical possession of data is standard chain of custody  How do you prove chain of custody on electronic information?  Cryptographic hashing  Prevention of evidence contamination  Analyze only digital copies  Use “write-blockers” for physical drives  Difficult for “live system” analysis  Keeping notes for all tasks performed on “live system”
  • 10. Hashing  Hashing uses an encryption algorithm to generate a pseudo-random string of text to represent a unique file (or hard drive)  Small changes cause large changes in the hash  Example: “Chicago Bar Association.” vs “Chicago Bar Association!”  MD5:  03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38  SHA1:  7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
  • 11. Hard drive data acquisition  Can be done on a “live system” or a system that is off  On a “live system” data is constantly changing, which can be problematic  Involves a bit-copy of a drive into a “virtual drive” file for examination  Hashes taken before and after to ensure no data is contaminated  Drive left in safe, all analysis done on copies “virtual drive”
  • 12. Hard drive basics  Hard drives are collections of ones and zeroes, even when mostly empty  File tables connect files to actual “addresses” on the drive to where the data that comprises that file is stored and attributes of the file (like MAC times).  When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive and those parts of the drive can be later overwritten with new files.  Government standards require multiple “wipes” of a drive to confirm deletion  Data may hide also in “slack space”
  • 13. Hard drive basics  So you have a drive image, now what?  Search for all deleted files  Search for all files added, deleted or modified at a certain time  Search files for specific strings  Search for files of a specific type  Examine key system files (configuration files, startup scripts, system registry)  Depends heavily on the nature of the incident  Iterative process that is more art than science
  • 14. MAC times  MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.  All files have MAC times associated with them (even deleted ones).  These times can help provide a search pattern for “important” files to an incident. (i.e. if something happened at 3pm Jan 11th , you’d look for any file with a MAC time near that same time).
  • 15. Windows Registry  Windows Operating systems keep a wide variety of information in the system registry (can be accessed live using RegEdit command).  Most recently used programs  Most recently entered commands  Most recently viewed documents  Typed URLs in IE  Unique hardware addresses for USB keys accessed on system  This can be used to create a “timeline” of activity on the machine
  • 16. Memory Forensics  Must be done on a “live” machine, memory disappears without power*  Contains:  All running programs (even those deleted from the disk)  Any encryption keys in use (makes for easy decrypting)  In some cases, passwords  Memory is constantly changing  Evidence “changes” over time, may have to work with multiple memory files
  • 17. Network forensics  In essence, the same as wiretapping a phone call except with data  Most network switches allow for capturing live traffic from a machine  What are you looking for:  Who is talking to this machine  Who is this machine talking to  When is it happening  What is being communicated  Encryption?
  • 18. Log forensics  Servers associated with a subject computer may have valuable information  E-mail logs can show all mail sent from a target computer  DHCP / DNS logs may show when the machine was on and who it was communicating with  If configured, can show who accessed a machine even if the machine has had its own logs wiped  Web server logs can show attacks in progress and how servers were exploited
  • 19. E-mail Forensics  E-mails all come with headers that give a wealth of information to identify the sender.  Can show:  IP Address of sender  Can show all mailservers users  Potentially can show true username of sender  Shows when message really sent  Gives unique message ID which can be used to track messages in mail server logs
  • 20. E-mail headers Return-path: <kthompson@davismcgrath.com> Envelope-to: jcb@bambenekconsulting.com Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500 Received: from mailhost.davismcgrath.com ([12.233.219.123]) by thebox.pentex-net.com with esmtp (Exim 4.69) (envelope-from <kthompson@davismcgrath.com>) id 1PzXoi-0000mf-Fw for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500 Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com (Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com> for <jcb@bambenekconsulting.com>; Tue, 15 Mar 2011 12:16:42 -0500 From: "Kevin A. Thompson" <kthompson@davismcgrath.com> To: <jcb@bambenekconsulting.com> References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com> <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> In-Reply-To: <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> Subject: RE: CBA - CLE/Seminar? Date: Tue, 15 Mar 2011 12:16:39 -0500 Message-ID: <020b01cbe334$bf146320$3d3d2960$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA Content-Language: en-us
  • 21. File Metadata  Many file types include metadata in them to indicate the creating user, when modified, etc.  Metadata can be examined even on machines you don’t control  Cell phones can be notorious about including metadata with image files.  This may even include GPS coordinates of where a picture was taken.  Office documents (especially with track changes) can show every person who touched a file  In some cases, can include content that has been “redacted” when viewed normally.
  • 22. Other data sources  Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files  Tablets and iPads  Online social network content (in particular, media)  Blog comments, forum posts  Webmail accounts  Google