Guide to Computer Forensics and Investigations PDF
Summary
This document is a chapter from a guide to computer forensics and investigations. Specifically, it covers digital forensics analysis and validation, outlining topics like determining data collection, validating forensic data, and addressing data-hiding techniques.
Full Transcript
Guide to Computer Forensics and Investigations, Sixth Edition
Chapter 9: Digital Forensics Analysis and Validation

Digital Forensics Analysis and Validation
– Determining What Data to Collect and Analyze
– Validating Forensic Data
– Addressing Data-Hiding Techniques

Determining What Data to Collect and Analyze
Scope creep - when an investigation expands beyond the original description. Why?
– Because of unexpected evidence found
– Attorneys may ask investigators to examine other areas to recover more evidence
Might result in:
– Increases in the time and resources needed to extract, analyze, and present evidence

Determining What Data to Collect and Analyze
Be sure to document any requests for additional investigation, in case you are asked to explain:
– why the investigation took longer than planned
– why the scope widened
– why the budget changed
– and so forth

Determining What Data to Collect and Analyze
Scope creep has become more common because:
– Criminal investigations require more detailed examination of evidence just before trial
– To help prosecutors fend off attacks from defense attorneys during the trial
– A defense attorney might find new evidence that often isn't revealed to the prosecution
– It's become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial

Approaching Digital Forensics Cases
Begin a case by creating an investigation plan that defines the:
– Goal and scope of the investigation
– Materials needed
– Tools needed (software and hardware)
– Tasks to perform
The approach you take depends largely on the type of case you're investigating:
– Internal corporate
– Civil or criminal, carried out by law enforcement

Approaching Digital Forensics Cases (no transcript text for this slide)

Approaching Digital Forensics Cases
2. Inventory the hardware on the suspect's computer (document all physical hardware components), and note the condition of the seized computer
3. For static acquisitions, remove the original drive and check the date and time values in the system's CMOS
4. Record how you acquired data from the suspect drive. The tool you use should also create an MD5 or SHA-1 hash for validating the image (is it for all kinds of images?)
Guide to Computer Forensics and Investigations, Fifth Edition

Approaching Digital Forensics Cases
5. Process the drive's contents methodically and logically
6. List all folders and files on the image or drive
– FTK can generate a Microsoft Access or Oracle database listing all files and folders on a suspect drive
7. If possible, examine the contents of all data files in all folders (exceptions according to the search warrant)
8. Recover file contents for all password-protected files related to the case (OSForensics Password Recovery and Decryption, AccessData Password Recovery Toolkit (PRTK), or Passware Kit Enterprise)
9. Identify the function of every executable file that doesn't match known hash values (be careful of malware)
10. Maintain control of all evidence and findings, and document everything

Refining and Modifying the Investigation Plan
– In civil and criminal cases, the scope is often defined by search warrants
– However, private-sector cases might not specify limitations
– It's important to refine the investigation plan as much as possible by trying to determine what the case requires
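As an added example (not from the textbook or these slides), the hash check behind step 4: a raw image is re-hashed with MD5 and SHA-1 and compared with the values recorded at acquisition, and per-cluster SHA-1 values show what the later "why not hash per cluster" question trades off, namely one digest per cluster in exchange for pinpointing where a copy differs. The cluster size and the sample image bytes are constructed assumptions for the demo.

```python
import hashlib

SECTOR = 512
CLUSTER = 8 * SECTOR  # 4 KiB cluster; an assumed allocation unit for this demo


def image_hashes(image: bytes) -> dict:
    """Whole-image MD5 and SHA-1, the values an acquisition tool records."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha1": hashlib.sha1(image).hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """Re-hash a raw (.dd) image, which carries no embedded hash, and compare
    against the hashes documented at acquisition time."""
    current = image_hashes(image)
    return all(current[algo] == digest for algo, digest in recorded.items())


def cluster_hashes(image: bytes, cluster: int = CLUSTER) -> list:
    """One SHA-1 per cluster. Costs one digest per cluster instead of one per
    image, but a later mismatch can be pinned to a cluster, not the whole drive."""
    return [hashlib.sha1(image[off:off + cluster]).hexdigest()
            for off in range(0, len(image), cluster)]


def changed_clusters(image: bytes, recorded_clusters: list,
                     cluster: int = CLUSTER) -> list:
    """Indices of clusters whose current hash differs from the recorded list."""
    return [idx for idx, (now, then) in
            enumerate(zip(cluster_hashes(image, cluster), recorded_clusters))
            if now != then]


# Constructed sample image: 16 clusters of deterministic bytes, not a real acquisition.
SAMPLE_IMAGE = bytes((i * 7 + 3) % 256 for i in range(16 * CLUSTER))
RECORDED = image_hashes(SAMPLE_IMAGE)            # what the acquisition log would hold
RECORDED_CLUSTERS = cluster_hashes(SAMPLE_IMAGE)


def damaged_copy(image: bytes, cluster_index: int = 5) -> bytes:
    """Simulate a single corrupted byte in one cluster of a working copy."""
    buf = bytearray(image)
    buf[cluster_index * CLUSTER + 10] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    copy = damaged_copy(SAMPLE_IMAGE)
    print("pristine image verifies:", verify_image(SAMPLE_IMAGE, RECORDED))
    print("damaged copy verifies:", verify_image(copy, RECORDED))
    print("clusters that changed:", changed_clusters(copy, RECORDED_CLUSTERS))
```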
Refining and Modifying the Investigation Plan (no transcript text for this slide)

Using OSForensics to Analyze Data
OSForensics can perform forensic analysis on the following file systems:
– Microsoft FAT12, FAT16, and FAT32
– Microsoft NTFS
– Mac HFS+
– Linux Ext2fs and Ext4fs
OSForensics can analyze data from several sources, including image files from other vendors

Using OSForensics to Analyze Data
Includes the OSFMount utility, which can access many formats, including:
– Raw, Expert Witness, and Advanced Forensics Format (AFF)
– Can also mount and examine VMware images (.vmdk), SMART images (.s01), and Virtual Hard Drive (VHD) images (.vhd)
OSFMount allows you to mount local disk image files (bit-for-bit copies of an entire disk or disk partition) in Windows as a physical disk or a logical drive letter. You can run OSFMount separately or access it via the Mount Drive Image menu option.

Using OSForensics to Analyze Data (no transcript text for these slides)

Validating Forensic Data

Validating with Hexadecimal Editors (no transcript text for these slides)
Exercise page 367

Validating with Hexadecimal Editors
In Microsoft file structures, sectors are grouped to form clusters
– Cluster: a storage allocation unit of one or more sectors
– Clusters range from 512 bytes up to 32,000 bytes each
The question is: "Why not create the hash value per cluster?"

Validating with Hexadecimal Editors
Using Hash Values to Discriminate Data
– AccessData has its own hashing database, Known File Filter (KFF)
– KFF filters known program files (such as winword.exe) and contains hash values of known illegal files
– It compares known file hash values with files on your evidence drive to see if they contain suspicious data
– Periodically, AccessData updates these known hash values and posts an updated KFF

KFF (no transcript text for this slide)

Validating with Digital Forensics Tools
Raw format image files (.dd) don't contain metadata
– You must validate them manually to ensure integrity
In AccessData FTK Imager, when selecting the Expert Witness (.e01) or SMART (.s01) format:
– Additional options for validating the acquisition are available
– The validation report lists MD5 and SHA-1 hash values

Validating with Digital Forensics Tools (no transcript text for these slides)

Addressing Data-Hiding Techniques
Data hiding - changing or manipulating a file to conceal information
Techniques:
– Hiding entire partitions
– Changing file extensions
– Setting file attributes to hidden
– Bit-shifting
– Using encryption
– Setting up password protection

Hiding Files by Using the OS
One of the first techniques to hide data:
– Changing file extensions
Advanced digital forensics tools:
– Check file headers and compare them with the file extension to verify that it's correct
– If there's a difference, the tool flags the file as a possibly altered file
Another hiding technique:
– Selecting the Hidden attribute in a file's Properties dialog box
– Digital forensics tools can identify hidden files for investigators

Hiding Partitions
To detect whether a partition has been hidden:
– Account for all disk space when examining an evidence drive
– Analyze any disk areas containing space you can't account for
In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS
– Other forensics tools have their own methods of assigning drive letters to hidden partitions

Hiding Partitions
Two partitions for Disk 2, labeled F and G. There is a 200 MB gap between these partitions that has no assigned letter.
In addition, it's not accessible in File Explorer, but most digital forensics tools or hexadecimal editors can access it.
Partition gaps are 128 bytes in Windows Vista and later. The disk space between partitions F and G is 200 MB, so you should examine this larger-than-normal gap.
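The "account for all disk space" check from the Hiding Partitions slides, as an added example that is not part of the textbook or the slides: the MBR partition table is parsed and every stretch of sectors no partition claims is reported, so a 200 MiB hole between two volumes stands out. The disk layout is constructed, and the threshold of 2048 sectors (1 MiB alignment) for a normal gap is an assumption of this demo, not the slide's figure.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024 // SECTOR          # sectors per MiB
# MBR partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(mbr: bytes) -> list:
    """Return (lba_start, sector_count, type) for each used entry, sorted by LBA."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype != 0 and count:
            parts.append((lba, count, ptype))
    return sorted(parts)


def unaccounted_space(mbr: bytes, total_sectors: int, normal_gap: int = 2048) -> list:
    """Walk the partitions in LBA order and report every run of sectors that no
    partition claims and that exceeds normal_gap (assumed 2048 sectors, the usual
    1 MiB alignment gap). Each result is (start_lba, length_in_sectors)."""
    gaps, cursor = [], 1                      # sector 0 holds the MBR itself
    for lba, count, _ptype in parse_mbr(mbr):
        if lba - cursor > normal_gap:
            gaps.append((cursor, lba - cursor))
        cursor = max(cursor, lba + count)
    if total_sectors - cursor > normal_gap:   # space after the last partition
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def gap_mib(gap: tuple) -> int:
    return gap[1] * SECTOR // (1024 * 1024)


def make_entry(lba: int, count: int, ptype: int = 0x07) -> bytes:
    """Build one 16-byte entry (CHS fields zeroed; modern tools use the LBA fields)."""
    return ENTRY.pack(0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)


# Constructed layout, not real evidence: F at LBA 2048 (1 GiB), a 200 MiB hole,
# then G (1 GiB), with a little trailing slack that stays inside the normal gap.
F_START, F_LEN = 2048, 1024 * MIB
G_START, G_LEN = F_START + F_LEN + 200 * MIB, 1024 * MIB
TOTAL_SECTORS = G_START + G_LEN + 1024
SAMPLE_MBR = (bytes(446) + make_entry(F_START, F_LEN) + make_entry(G_START, G_LEN)
              + bytes(32) + b"\x55\xaa")

if __name__ == "__main__":
    for start, length in unaccounted_space(SAMPLE_MBR, TOTAL_SECTORS):
        print(f"unclaimed: LBA {start}, {length} sectors ({gap_mib((start, length))} MiB)")
```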
Marking Bad Clusters
A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
– Involves using old utilities such as Norton DiskEdit
– In Norton DiskEdit you can mark good clusters as bad clusters in the FAT table
– The only way they can be accessed from the OS is by changing them back to good clusters
DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media; you can't run it from Windows command prompts.

Bit-Shifting (no transcript text for these slides)

Understanding Steganalysis Methods
Steganography - comes from the Greek word for "hidden writing"
– Hiding messages in such a way that only the intended recipient knows the message is there
Steganalysis - term for detecting and analyzing steganography files
Digital watermarking - developed as a way to protect file ownership
– Usually not visible when used for steganography

Steganalysis methods
– Steganography-only attack: only the steganography medium (the file that contains the steganography contents, the "stego-object") is available for analysis.
– Known-carrier attack: the carrier (the original "cover-media") and the steganography medium (the "stego-object") are both available for analysis.
– Known-message attack: the hidden message is known.
– Chosen-steganography attack: the steganography medium and tool (or algorithm) are both known.
– Chosen-message attack: a known message and steganography tool (or algorithm) are used to create steganography media for future analysis and comparison.
– Known-steganography attack: the carrier and steganography medium, as well as the steganography tool or algorithm, are known.

Examining Encrypted Files
To decode an encrypted file:
– Users supply a password or passphrase
Many encryption programs use a technology called "key escrow"
– Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
Key sizes of 128 bits to 4096 bits make breaking them with a brute-force attack nearly impossible with current technology

Recovering Passwords
Brute-force attacks
– Use every possible letter, number, and character found on a keyboard
– This method can require a lot of time and processing power
Dictionary attack
– Uses common words found in the dictionary and tries them as passwords
– Most use a variety of languages

Brute-force attacks: needed time (no transcript text for this slide)

Recovering Passwords
You can build a profile for the suspect which includes names of relatives, pets, favorite color, etc.
Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
A brute-force attack requires converting a dictionary password from plaintext to a hash value
– Requires additional CPU cycle time

Recovering Passwords
Rainbow table
– A file containing the hash values for every possible password that can be generated from a computer's keyboard
– No conversion necessary, so it is faster than a brute-force or dictionary attack
Salting passwords
– Adds extra bits to a password and then hashes it
– Alters hash values and makes cracking passwords more difficult
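Why the last slide says salting makes cracking harder, as an added example that is not part of the textbook or the slides: a precomputed digest-to-plaintext table (a plain dict standing in for a rainbow table) recovers an unsalted MD5 hash with a single lookup and no hashing, while a salted record forces every candidate to be re-hashed with that record's salt, which is exactly the extra CPU time the slides mention. The wordlist and the SHA-256-with-random-salt scheme are constructed for the demo.

```python
import hashlib
import os

# Constructed wordlist, standing in for the "every keyboard password" table on the slide
WORDLIST = ["password", "letmein", "fluffy2019", "123456", "qwerty"]


def unsalted_hash(pw: str) -> str:
    """How the slide's MD5-storing systems keep a password: digest of the plaintext only."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Precomputed digest -> plaintext map. A real rainbow table compresses this with
    hash/reduce chains; a plain dict shows the same property: no hashing at lookup time."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest: str):
    """One dictionary probe recovers an unsalted password; no CPU spent on hashing."""
    return table.get(digest)


def salted_hash(pw: str, salt: bytes) -> str:
    """Salt mixed in before hashing; the salt is stored beside the digest and is not secret."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def store(pw: str) -> tuple:
    """Create a stored record (salt, digest) with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return salt, salted_hash(pw, salt)


def verify(pw: str, record: tuple) -> bool:
    salt, digest = record
    return salted_hash(pw, salt) == digest


def hashes_until_match(record: tuple, words) -> int:
    """Against a salted record the precomputed table is useless: each candidate must be
    re-hashed with that record's salt. Returns how many hashes were computed before the
    match, or -1 if the list is exhausted, to make the added cost visible."""
    salt, digest = record
    for n, w in enumerate(words, 1):
        if salted_hash(w, salt) == digest:
            return n
    return -1
```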