
Computer Forensics

Jake Cunningham
Network Analyst
Office of Information Technologies
UMASS Amherst.
Computer Forensics: Today's Topics
This lecture is intended to give a general overview of the field of Computer Forensics. Due to time constraints I have left out specific details about tools, techniques and operating procedures.
Definitions
Situations in which one may conduct a forensic analysis
Role of the Forensic Investigator
Legal Issues to Consider
Computer Forensics: Definitions
The Merriam-Webster Dictionary defines forensic(s) as:
"the application of scientific knowledge to legal problems; especially: scientific analysis of physical evidence (as from a crime scene)"
Computer Forensics: Definitions
Wietse Venema and Dan Farmer (authors of The Coroner's Toolkit) defined Computer Forensics as:
"Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system"
(http://www.fish.com/forensics/class.html)
Computer Forensics: When might one do a forensic analysis of a computer?
Analyze an intrusion or unauthorized use:
Trace the activities of the intruder on the system
Analyze and/or reverse engineer malware installed or left behind by an intruder
Monitor/analyze authorized users' behavior on a computer:
Employees' use (or misuse) of a computer
Law enforcement in the course of a criminal investigation
Computer Forensics: Six Steps of Incident Handling
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
Computer Forensics is the Identification step of Incident Response.
Computer Forensics: Role of the Forensic Investigator
During an incident you may:
Have the role of the Incident Handler and work with a Forensic Investigator
Have the role of the Forensic Investigator and work with an Incident Handler
Have the role of both Incident Handler and Forensic Investigator
Computer Forensics: Role of the Forensic Investigator cont.
As with any investigation, it's the Forensic Investigator's job to:
Collect evidence (from systems, interviews, etc.)
Reconstruct past events
Identify:
What happened.
Where it happened.
When it happened.
How it happened.
Who was involved *.
Why the perpetrator(s) did it *.
Computer Forensics: What Happened?
Was there an incident? What is it?
What was changed on the system?
What activity happened on the system?
What files/applications were modified, accessed, or created?
Where did it happen?
What systems/services were affected?
What relationships do those systems have to others?
Where did the intruder/user come from (local/remote)?
Where did the intruder/user go to using the affected computer?
Computer Forensics: When did it happen?
When did the suspicious/anomalous activity start?
When did it end?
When did important/key events occur?
How did it happen?
Virus: what was the infection vector?
Intruder: how did they gain access or elevate privileges on the system?
Authorized user: how did they gain access to files or web sites, or conduct inappropriate behavior?
Computer Forensics: Collecting Evidence
Rule #1 of Incident Response or Forensic Investigation:
ALWAYS TAKE GOOD NOTES!
Document everything! You WILL forget the details if you don't write them down.
Computer Forensics: Collecting Evidence
To ensure that evidence is not altered, corrupted or destroyed:
Make sure you understand the OS and the ramifications of your actions on the system while collecting evidence.
Always work with tools that you are familiar with and that are known to be good.
For example: use a customized incident response CD with statically linked binaries.
Always analyze bit copies of the filesystem and storage media rather than the original evidence disk.
Computer Forensics: Collecting Evidence
Interview parties involved (if timing is appropriate)
Take inventory of all devices involved (make, model, serial number)
If system(s) are up and running, consider:
Gathering running process info
Getting a dump of memory
Gathering info about active network connections
Screen captures (if appropriate)
Make bit copies of physical media (hard disks, floppies, Zip disks, thumb drives, etc.)
Computer Forensics: Collecting Evidence
Tools to gather process and network info
Unix:
ps, lsof, top, netstat (and look in /proc on Linux)
Windows:
Task Manager, fport, pslist, ps, tcpview, netstat
Computer Forensics: Collecting Evidence
What to look for in process and network info (depends on the nature of the investigation)
System Intrusion / Computer User Investigation:
Processes listening on suspicious network ports
Verify that the processes listening on well-known ports carry the expected, well-known process names
Non-standard process names
Look for open or established network connections
Check for remote shares and remote user logins
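As an added illustration (not code from the lecture), the following Python script applies the checks above to constructed netstat-style output: it flags listeners on ports with no expected service, well-known ports served by an unexpected program, and established remote connections. The expected-program table is an assumed per-host baseline, and the sample output is constructed rather than captured.

```python
from collections import namedtuple

# Assumed baseline for this host: which programs are expected to own well-known listening ports.
EXPECTED_LISTENERS = {22: {"sshd"}, 80: {"httpd", "nginx"}, 443: {"httpd", "nginx"}}

# Constructed sample in the Linux `netstat -antup` column layout (not captured from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1377/nc
tcp        0      0 0.0.0.0:60123           0.0.0.0:*               LISTEN      9911/sh
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED 9912/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd
"""

Socket = namedtuple("Socket", "proto local_port remote state pid program")

def parse_netstat(text):
    """Parse netstat output into Socket records; UDP rows carry no State column."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if cols[0].startswith("udp") and len(cols) == 6:
            cols.insert(5, "")          # keep column positions aligned with TCP rows
        pid, _, program = cols[6].partition("/")
        local_port = int(cols[3].rsplit(":", 1)[1])
        sockets.append(Socket(cols[0], local_port, cols[4], cols[5], pid, program))
    return sockets

def triage(text):
    """Return (port, program, reason) tuples for sockets that deserve a closer look."""
    findings = []
    for s in parse_netstat(text):
        if s.state == "LISTEN":
            expected = EXPECTED_LISTENERS.get(s.local_port)
            if expected is None:
                findings.append((s.local_port, s.program, "listener on a port with no expected service"))
            elif s.program not in expected:
                findings.append((s.local_port, s.program, "unexpected program on a well-known port"))
        elif s.state == "ESTABLISHED":
            findings.append((s.local_port, s.program, "established connection with " + s.remote))
    return findings

if __name__ == "__main__":
    for port, program, reason in triage(SAMPLE):
        print(f"port {port:<6} {program:<8} {reason}")
```

Process names in netstat come from the live kernel, so on a compromised host they are only a first filter; the lecture's advice to compare against known-good, statically linked tools still applies.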
Computer Forensics: Collecting Evidence
Tools to make bit copies of media (too many to list them all):
Encase (commercial)
FTK Imager (commercial)
Safeback (commercial)
dd, dcfldd for Unix and Windows (open source)
Various hardware-based duplicators (commercial)
Computer Forensics: Collecting Evidence
Tools to analyze bit copies of media (some examples; too many to list them all):
Encase (commercial)
FTK (commercial)
ProDiscover (commercial)
X-Ways Forensics (commercial)
SMART for Linux (commercial)
Shadow (commercial)
Sleuthkit/Autopsy (free)
Computer Forensics: Collecting Evidence
What to look for when analyzing filesystem bit copies (depends on the nature of the investigation)
System Intrusion:
Timeline of events
When were files Modified, Accessed, Created (MAC times)
Show all deleted files
Recover deleted files
Analyze log files and/or auditing data
Recent logins
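Added example (not from the lecture and not The Sleuth Kit's own code): a Python timeline builder for the MAC-time step above. It reads constructed lines in the Sleuth Kit body-file layout (md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, the format exchanged between fls -m and mactime) and merges a file's timestamps that fall on the same instant into one row carrying macb flags, so files touched together stand out. The sample rows and the incident window are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body-file lines (Sleuth Kit 3.x layout); times are epoch seconds around
# 1100000000 (2004-11-09 11:33:20 UTC). Not taken from a real image.
BODY = """\
0|/etc/passwd|1201|-/-rw-r--r--|0|0|2100|1100003600|1099990000|1099990000|0
0|/tmp/.hidden/svc|8812|-/-rwxr-xr-x|0|0|51200|1100000000|1100000000|1100000000|1100000000
0|/var/log/auth.log|3310|-/-rw-r-----|0|4|8192|1100000300|1100000300|1100000300|0
0|/root/.bash_history|2204|-/-rw-------|0|0|512|1100000900|1100000900|1100000900|0
"""

def parse_body(text):
    """Split body lines into dicts; 'times' maps m/a/c/b to epoch seconds (0 = not recorded)."""
    files = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        atime, mtime, ctime, crtime = map(int, f[7:11])
        files.append({"name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
                      "times": {"m": mtime, "a": atime, "c": ctime, "b": crtime}})
    return files

def build_timeline(files):
    """One row per (timestamp, file); the flags show which of m/a/c/b changed at that instant."""
    flags = defaultdict(lambda: list("...."))
    meta = {}
    for f in files:
        meta[f["name"]] = f
        for kind, ts in f["times"].items():
            if ts:                                  # 0 means the filesystem has no such time
                flags[(ts, f["name"])]["macb".index(kind)] = kind
    rows = []
    for ts, name in sorted(flags):
        f = meta[name]
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((ts, when, "".join(flags[(ts, name)]), f["size"], f["mode"], f["inode"], name))
    return rows

def events_between(timeline, start, end):
    """Narrow the timeline to an incident window (inclusive epoch bounds)."""
    return [row for row in timeline if start <= row[0] <= end]

if __name__ == "__main__":
    for ts, when, macb, size, mode, inode, name in build_timeline(parse_body(BODY)):
        print(f"{when}  {size:>7}  {macb}  {mode}  {inode:>6}  {name}")
```

In the sample the unknown binary is born, modified and accessed in one instant, and the log and shell history change minutes later, which is the pattern a timeline is meant to surface; remember that a later read of /etc/passwd updates only its atime.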
Computer Forensics: Collecting Evidence
Filesystem Analysis cont.
Computer user investigation:
Log files and auditing records to determine logins, login times, and where logged in from
Web sites visited (web browser history)
Contents of web browser cache
Contents of images, emails and documents
Show and recover deleted files
Search filesystem for keywords
Computer Forensics: Legal Issues to Consider
Note:
I am not a lawyer; I am by no means a legal expert. This is NOT legal advice. These are simply things to consider when performing a forensic analysis or responding to an incident.
ALWAYS check with the legal counsel of your employer before conducting a forensic analysis or investigation.
Computer Forensics: Legal Issues to Consider
While investigating ALWAYS avoid:
Violating someone's rights
Breaking the law yourself
Compromising the investigation by not following proper procedure
Computer Forensics: Legal Issues to Consider
One should be aware of Federal, State, Provincial and Local computer laws when responding to an incident or performing a forensic analysis (to cover yourself, not necessarily to prosecute).
U.S. Federal Laws to consider:
Computer Fraud and Abuse Act (18 U.S.C. 1030): criminalizes attacks, intrusions and damage to protected computers.
Wiretap Act (18 U.S.C. 2511): criminalizes interception of voice and electronic communications.
Electronic Communications Privacy Act (ECPA, 18 U.S.C. 2701-12): governs access to stored voice and electronic communications and data.
Computer Forensics: Legal Issues to Consider
Does company policy allow for analysis of a computer without a court subpoena?
Have employees signed a waiver or consented to an acceptable use policy which allows:
Network monitoring/traffic interception
Access to any stored data on company computers
Does the waiver or policy cover personal computers connected to the company network?
There are many things to consider; this is simply to give you an idea of some of the issues you may encounter.
Computer Forensics: Anti-Forensics
Anti-Forensics: destroying or hiding data to limit the success of a forensic investigation.
Defiler's Toolkit: alters inode data on ext2 filesystems.
http://www.phrack.org/phrack/59/p59-0x06.txt
Metasploit Anti-Forensics
http://www.metasploit.com/projects/antiforensics/
Burneye: encrypts ELF binaries; attempts to defeat reverse engineering.
burndump is a burneye un-wrapper.
Computer Forensics: Anti-Forensics continued
File encryption, encrypted filesystems, encrypted disks
Magnetic degausser: destroys the magnetic field on magnetic media.
Commercial secure deletion or disk wiping programs.
Good ol' fashioned physical destruction of media (sledge hammer, etc.)
Computer Forensics: Conclusion
Every incident/investigation is unique.
The right thing to do comes from experience and lessons learned.
Any questions?