
Computer Forensics

Computer Forensics. Ryerson University February 16, 2005 S/Sgt. Paul Poloz, Royal Canadian Mounted Police. Current Posting. Integrated Cyber Intelligence Team Technological Crime Branch Technical Operations Directorate, HQ Royal Canadian Mounted Police Ottawa.


Presentation Transcript


  1. Computer Forensics Ryerson University February 16, 2005 S/Sgt. Paul Poloz, Royal Canadian Mounted Police

  2. Current Posting Integrated Cyber Intelligence Team Technological Crime Branch Technical Operations Directorate, HQ Royal Canadian Mounted Police Ottawa

  3. Staff Sergeant Paul Poloz • Graduated from Ryerson in 1989. • Uniform and plainclothes work for 6 years on the west coast • French language training • Peacekeeping mission in Haiti • Technological Crime Branch • Eight years experience • Computer forensics, tech crime investigations • Secondment to Ottawa Police Service • Secondment to National Child Exploitation Investigation Coordination Centre

  4. Staff Sergeant Paul Poloz • Declared expert witness in criminal court and testified numerous times. • Lecture at the Canadian Police College and other venues on computer forensics and tech crime investigations. • Recently completed a part-time MBA at University of Ottawa

  5. Topics Covered • Definition of computer forensics • Brief history of computer forensics • Computer forensic methodology • Incident response • Location of evidence • Continuity • Statements • Tech crime investigations • Case study

  6. Definition of Computer Forensics • Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence. • New Technologies Inc. (NTI) Website. • Usually performed for judicial process. • Criminal • Civil • CF usually performed on data at rest

  7. History of Computer Forensics • PCs (introduction to late 1990s) • Intel CPU based PCs – non-standard hardware and software • FAT file system • Forensics done on DOS platform despite Windows OS • In-house RCMP utilities to facilitate file residue analysis, hard disk lock, file listing, drive duplication. • Limited searching capabilities • Multiple disk images made of original during forensic process • “Standalone” forensics

  8. History of Computer Forensics • Mainframes and minis • Not much demand for forensics • Limited usage • Limited access • Forensics done on an ad-hoc basis, computer experts tasked by police

  9. History of Computer Forensics • Late 1990’s saw the emergence of GUI based tools • Standardized hardware • Proliferation of file systems • Internet gaining in popularity • A variety of file systems processed under one platform • Many different vendors to choose from • The Internet, networking • Pieces of puzzle scattered

  10. History of Computer Forensics • Image galleries • Sophisticated search capabilities • GREP subset, sound-alike, “fuzzy searches” • Sorting, hashing (data reduction) • Report generation • Data (file system and residue) stored and accessed as files • Data authentication (embedded hashes) • Sophisticated scripting languages

  11. CF – Present State • New technology introduced at a rapid rate. Other technology gaining in popularity • LANs, wireless, RAID, SANs • Remote storage technologies • OSs with default encrypted file systems. • Huge storage capacities • Data reduction techniques • Multiprocessor architecture • Linguistic issues • Unicode

  12. Objectives • Ensure that not one bit of data on a hard disk is altered. • Imaging techniques • Analyze all of the data. • Problems with large data sets • Encryption • Present the findings tailored to the intended audience. • Unbiased • Many people involved in the judicial system have limited knowledge of I.T.

  13. File Residue • Many file systems contain file residue • Example FAT – deleted, hidden, bad clusters, file slack • Valuable evidence can be located • Wiping utilities prove to be problematic

  14. Basic Forensic Process • Seize computer (may include on-site examination, write blocker?) • Remove hard disk from CPU chassis • Image acquisition • Analysis performed using image (unless for a quick triage) • Off-the-shelf products (SMART, Encase, FTK) • ILOOK • Linux • In-house utilities and solutions • Native O/S

  15. Basic Forensic Process • Search for text (e.g. grep search) • Examine graphic images • Uncompress, undelete, decrypt, extract residue • Gather evidence • Create final report
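Slide 13 describes file slack as a source of residue and slide 15 lists a grep search over extracted residue as a step of the process. The following is an added example, not part of the original presentation or any RCMP or vendor tool: it builds a constructed one-cluster toy volume in which a deleted note was partly overwritten by a shorter file, extracts the slack bytes from the allocated cluster, pulls printable strings out of them, and runs a keyword search over the result. The cluster size, file layout and the note text are all constructed for the demonstration.

```python
import re

# Constructed sample: a tiny cluster size so the whole volume fits on screen.
CLUSTER_SIZE = 512


def build_sample_volume():
    """Construct a one-cluster toy volume. The cluster first held a note that
    was later deleted; a shorter file was then written over its first bytes.
    Whatever survives past the new file's logical end is file slack."""
    old_note = b"meeting at warehouse 9pm, bring the ledger ..."
    cluster = bytearray(old_note.ljust(CLUSTER_SIZE, b"\x00"))
    new_file = b"hello world"            # 11 bytes, allocated from cluster 0
    cluster[: len(new_file)] = new_file
    return bytes(cluster), len(new_file)


def extract_slack(volume, start_cluster, logical_size, cluster_size=CLUSTER_SIZE):
    """Return the bytes between the end of a file's data and the end of its
    last allocated cluster. A file that exactly fills its clusters has no slack."""
    if logical_size <= 0:
        return b""
    clusters_used = (logical_size + cluster_size - 1) // cluster_size
    file_end = start_cluster * cluster_size + logical_size
    last_cluster_end = (start_cluster + clusters_used) * cluster_size
    return volume[file_end:last_cluster_end]


def printable_runs(data, min_len=6):
    """Pull runs of printable ASCII (what the Unix 'strings' tool does) so an
    examiner can see what the residue looks like before searching it."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def grep_bytes(data, keyword):
    """Case-insensitive keyword search over raw bytes, returning each hit's
    offset and a little surrounding context, as a forensic grep pass would."""
    hits = []
    for m in re.finditer(re.escape(keyword), data, re.IGNORECASE):
        context = data[max(0, m.start() - 8): m.end() + 8]
        hits.append((m.start(), context))
    return hits


if __name__ == "__main__":
    volume, size = build_sample_volume()
    slack = extract_slack(volume, 0, size)
    print("slack bytes:", len(slack))
    print("strings in slack:", printable_runs(slack))
    for offset, ctx in grep_bytes(slack, b"ledger"):
        print("hit at slack offset", offset, ctx)
```

The same arithmetic applies to a real FAT volume once the cluster size and the file's start cluster and logical size have been read from the boot sector and directory entry; a file whose size is an exact multiple of the cluster size yields no slack, which the function handles by returning an empty byte string.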

  16. Hazards of Using the Target O/S • A virus could destroy evidence. • Trojans/modified commands. • Dates associated with files may be altered. • File residue may be overwritten. • Altering evidence introduces doubt into the integrity of the data.

  17. Tainting the process • Use of untrained personnel to perform the forensic examination. • Power-up the target computer. • Use the target computer’s operating system to open files and examine data. • Install software to the target hard disk. • Improper shut-down. • Continuity issues. • Data integrity issues

  18. Case Study Number 1 • Hacker investigation • Investigation in 2002 of a crime committed in 1996. • Phf exploit committed by perpetrator. BSD Unix platforms, with ISPs as victims. • Gained access to password file (but not shadow password file). • Attempts were made to get password hashes. • Investigation involved seizing old BSD backup tapes from 3 locations.

  19. Case Study Number 1 • Forensics done on Linux platform • Use of special utilities to determine tape format • Search Internet for appropriate restore software • Evidence copied to CD-ROM then processed on Windows platform.

  20. Case Study Number 2 - Predator • IRC chat room. • Identify targets of local jurisdiction • Engage suspect • Assess suspect’s culpability • Ascertain if offence is or will be committed. • Search warrant (dial-up account) • Set up meeting and surveillance • Meet suspect and gather RPG to search residence.

  21. Case Study Number 2 - Predator • Arrest suspect and hold in custody • Execute search warrant and seize exhibits • On-site examination for RPG and determine severity of offence (evidence for Show Cause). • Process suspect. • Forensic processing at lab

  22. Cyber Crime Incident Response • What is an incident? • Computer as a target • Unauthorized access • Mischief to data • Port scans? • Computer as a tool • Threats • Hate crime • Child pornography • Fraud, etc.

  23. Incident Response* • Educate users to raise security awareness • Build a centralized incident reporting centre • Establish escalation procedures • Ensure that service-level agreements include provisions for security compliance • Decide in advance under what circumstances you’d call the police • Establish communication procedures should this become a media event.

  24. Incident Response* • Is threat external or internal to company • Will event be reported to the police? • Your initial actions can make or break the case • Call police as soon as possible. • Lots of gray areas • Management may not want police involvement • Incident may be trivial • Incident may be civil

  25. Incident Response* • Detect incident • Analyze the incident • Contain or eradicate the problem • Provide workarounds or fixes • Prevent re-infection • Log events • Preserve evidence • Conduct post-mortem and apply lessons learned * CIO cyberthreat response & reporting Guidelines

  26. Incident Response • If management is undecided whether to involve police or not • Contain incident (take affected resources offline) • Observe and document machine state • Symptoms of incident • Unexplained processes • etc.

  27. Incident Response • Preserve evidence • Log files, password file, other suspicious data • Original source (e.g. the hard disk) is best evidence but copies are often used. • Photographs or screen captures • Consider hashing of preserved files. • Gather evidence from those involved • Make detailed notes of everything you do • Write the report so that non-technical personnel grasp the concepts, but be complete.

  28. Documentation • Notes – made at the time of the incident while it is occurring. Record your actions as you’re doing them. The notes are for yourself but may be disclosable. • Statement – transcribe notes. Describe your actions with respect to incident. Used to aid investigators, and to refresh your memory. Plain language in as much detail as possible. • Report – comprehensive report of incident. May include information derived from other sources.

  29. Evidence Handling Continuity is paramount • Must be able to convince a judge that evidence is accurate and wasn’t tampered with. • Locks and special lockers
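Slides 12 and 14 put imaging and "not one bit altered" at the centre of the method, slide 27 suggests hashing preserved files, and slide 29 says continuity must be provable to a judge. The block below is an added example, written for this page and not code from the presentation or from any of the tools it names. It images a constructed in-memory "drive" while hashing the bytes as they are read, independently re-hashes the finished image, verifies it again later (and shows the check failing after a single flipped byte), and records each step in a minimal custody log. The exhibit number, examiner name and timestamp are placeholders; the 4 MiB pseudo-data standing in for a disk is constructed.

```python
import hashlib
import io
import json


def sha256_of(stream, chunk_size=1 << 20):
    """Hash a stream from its current position in fixed-size chunks, so even a
    multi-gigabyte image never has to be loaded into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, chunk_size=1 << 20):
    """Copy every byte of `source` to `image`, hashing the bytes as they are
    read, then re-read the finished image and hash it independently.
    Returns (source_hash, image_hash, match). With a hardware write blocker in
    front of `source` this is the read-only acquisition the talk describes."""
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h.update(chunk)
        image.write(chunk)
    image.flush()
    image.seek(0)
    image_hash = sha256_of(image)
    return h.hexdigest(), image_hash, h.hexdigest() == image_hash


def verify_image(image, expected_hash):
    """Re-hash an image later (before analysis, before court) and compare."""
    image.seek(0)
    return sha256_of(image) == expected_hash


class CustodyLog:
    """Minimal continuity record: who did what to which exhibit, when, and the
    hash observed at that moment. Serialised as JSON lines for the case file."""

    def __init__(self):
        self.entries = []

    def record(self, exhibit, action, who, digest, when):
        self.entries.append({"exhibit": exhibit, "action": action,
                             "who": who, "sha256": digest, "when": when})

    def dump(self):
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo():
    # Constructed "drive": 4 MiB of deterministic pseudo-data standing in for a disk.
    drive = io.BytesIO(bytes(range(256)) * (4 * 1024 * 16))
    image = io.BytesIO()
    log = CustodyLog()

    src_hash, img_hash, ok = acquire_image(drive, image)
    # Placeholder exhibit id, examiner and time; a real log takes them from the case.
    log.record("EX-PLACEHOLDER-1", "imaged", "examiner-placeholder",
               img_hash, "2005-02-16T09:00:00")

    still_ok = verify_image(image, src_hash)          # unchanged image verifies
    log.record("EX-PLACEHOLDER-1", "verified", "examiner-placeholder",
               src_hash, "2005-02-16T09:05:00")

    # Flip a single byte in a copy to show that verification catches it.
    buf = bytearray(image.getvalue())
    buf[4096] ^= 0x01
    tampered_ok = verify_image(io.BytesIO(bytes(buf)), src_hash)
    return src_hash, ok, still_ok, tampered_ok, log


if __name__ == "__main__":
    src_hash, ok, still_ok, tampered_ok, log = demo()
    print("acquisition hashes match:", ok)
    print("later verification:", still_ok, "| after one flipped byte:", tampered_ok)
    print(log.dump())
```

Hashing the source as it is read and the image after it is written gives two independent digests; if they agree, the copy is bit-for-bit faithful, and the recorded digest is what a later examiner (or the court) re-computes to show nothing changed in between.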

  30. Tech Crime Investigation • Distributed Denial of Service case study. • Fictitious but entirely plausible • A Toronto based company with a web presence experiences server performance problems. Service degraded to the point where there is a loss of business. • Sys-admin reviews logs and notices large amounts of traffic from multiple IP addresses. • Police notified. • Several log entries show traffic coming from the same IP address.

  31. Tech Crime Investigation • Several IP addresses are identified by sys-admin and police as being suspect. • Traceroute, whois, DNS look-up etc. trace the IP to an ISP in Calgary. • Police contact ISP and are given Vancouver as the geographical location of the subscriber. • Investigation continues with assistance of local police force. A search warrant for subscriber information is executed on the ISP.
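Slides 30 and 31 have the sys-admin notice heavy traffic from several addresses, repeated entries from the same address, and then hand a short list of suspect IPs to police. The code below is an added example of that log review, not part of the talk's case study: it parses constructed web-server log lines in common log format (addresses from the reserved TEST-NET ranges, all timestamps made up), counts requests per source, flags any source whose request count inside a sliding time window reaches a threshold, and reports the share of 5xx responses as a measure of the degradation. The window and threshold values are assumptions chosen for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in common log format; TEST-NET addresses, invented times.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2005:10:00:01 -0500] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [16/Feb/2005:10:00:01 -0500] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [16/Feb/2005:10:00:01 -0500] "GET / HTTP/1.0" 200 512
192.0.2.10 - - [16/Feb/2005:10:00:02 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [16/Feb/2005:10:00:02 -0500] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [16/Feb/2005:10:00:02 -0500] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [16/Feb/2005:10:00:02 -0500] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [16/Feb/2005:10:00:03 -0500] "GET / HTTP/1.0" 503 -
203.0.113.5 - - [16/Feb/2005:10:00:03 -0500] "GET / HTTP/1.0" 503 -
192.0.2.10 - - [16/Feb/2005:10:00:40 -0500] "GET /about.html HTTP/1.1" 200 1024
198.51.100.7 - - [16/Feb/2005:10:00:03 -0500] "GET / HTTP/1.0" 503 -
this line is deliberately malformed and must be skipped
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped
    rather than allowed to abort the review of a large, partly damaged log."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": m["req"],
            "status": int(m["status"]),
        })
    return entries


def requests_per_ip(entries):
    """How many entries each source address produced (slide 30's observation)."""
    return Counter(e["ip"] for e in entries)


def flag_floods(entries, window_seconds=10, threshold=4):
    """For each source, the peak number of requests inside any window of
    `window_seconds`; sources at or above `threshold` are returned as suspect."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def error_share(entries):
    """Fraction of requests answered with a 5xx status, one sign of degradation."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] >= 500) / len(entries)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("parsed entries:", len(parsed))
    print("requests per IP:", requests_per_ip(parsed).most_common())
    print("suspect sources (peak requests in a 10 s window):", flag_floods(parsed))
    print("share of 5xx responses: %.2f" % error_share(parsed))
```

The flagged addresses are the list that goes on to the traceroute, whois and DNS look-ups in slide 31; the sliding window matters because a source that is busy but steady over a day looks very different from one that sends the same number of requests in a few seconds.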

  32. Tech Crime Investigation • In compliance with the search warrant the subscriber’s name, address, credit card number, and usage history are given to police. • Surveillance and computer checks on the residence indicate that a man and woman reside there (male subject is ISP subscriber). • Search warrant executed on the residence, computer seized, occupants questioned. Occupants deny involvement. • Forensics reveal a Back Orifice Trojan on the computer

  33. Tech Crime Investigation • IP address responsible for the Trojan is located. • Evidence linking the originator of the Trojan with the DDoS is found. • IP address is administered by an ISP in Dallas. • FBI contacted and assists with a preservation order. FBI determines that suspect lives in Dallas. • MLAT request initiated by local authorities. • Subscriber details obtained via MLAT and given to Canadian authorities.

  34. Tech Crime Investigation • FBI or Dallas Police assist by searching residence subject to MLAT request. • Interview of suspect, further investigation • Extradition request.

  35. Additional resources • http://www.asrdata.com/SMART/ • Linux based Forensic Software • http://www.forensics-intl.com/ev-info.html • NTI website – good articles • http://www.dmares.com/maresware/linksto_forensic_tools.htm • “Mares Ware” excellent links • http://www.accessdata.com/Product04_Overview.htm • Forensic Tool Kit (FTK) – Windows platform • http://www.guidancesoftware.com • Encase – Forensic Software – Windows platform

  36. Additional resources • www.linux-forensics.com • Information and links regarding Linux forensics • http://www.ojp.usdoj.gov/nij/sciencetech/publications.htm#publicationcollections • First responders Guide • http://www.cio.com/research/security/incident_response.pdf • Incident response guidelines
