
Computer Forensics COMP 30034
Week 3 and 4 – Tutorial

Disclaimer
The PowerPoint presentations of the Module (COMP 30034) (Computer Forensics) are created merely to guide me during the delivery of this module in my class. The content included in the slides is only indicative, to remind me of the sequence which I will be following during the delivery. The content presented in the slides is free from any plagiarism and copyright violations, and wherever needed appropriate referencing/citations have been provided. In addition to the content in these PowerPoint presentations, I will also be verbally delivering other important content in the class, as well as writing on the board some information related to the topic being covered wherever necessary. The student is therefore advised to refer to the text books, reference books and any supplementary materials recommended in the Module Information Guide (MIG) or in the PowerPoint presentations for complete understanding of the topic.

Before we start
Software: Autopsy Digital Forensic (https://www.autopsy.com/download/)
Image files:
⚫ http://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E01
⚫ http://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E02

Introduction
Cyber activity has become an important part of our daily lives. Importance of computer forensics:
⚫ 85% of business and government agencies detected security breaches.
⚫ The FBI estimates that the United States loses up to $10 billion a year to cybercrime.

History of Forensics
⚫ Francis Galton (1822-1911): made the first recorded study of fingerprints.
⚫ Leone Lattes (1887-1954): discovered blood groupings (A, B, AB and O).
⚫ Calvin Goddard (1891-1955): allowed firearms and bullet comparison for solving many pending court cases.
⚫ Albert Osborn (1858-1946): developed essential features of document examination.
⚫ Hans Gross (1847-1915): made use of scientific study to head criminal investigations.
⚫ FBI (1932): a lab was set up to provide forensic services to all field agents and other law authorities across the country.

Definition of Computer Forensics
Definition: "A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format." – Dr. H.B. Wolfe

What is Computer Forensics?
"The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found."
"Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law."

Need for Computer Forensics
"Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim." – James Borek, 2001
⚫ Most documents now exist in electronic form.
⚫ Search for and identify data in a computer.
⚫ Digital evidence can be easily destroyed if not handled properly.
⚫ For recovering deleted files, encrypted files and corrupted files.

Ways of Forensic Data Collection
Forensic data collection can be categorized as:
⚫ Background: data gathered and stored for normal business reasons.
⚫ Foreground: data specifically gathered to detect crime or to identify criminals.
Issues related to collecting evidence:
⚫ Proper documentation.
⚫ Duplicating media.
⚫ Preserving evidence.
⚫ Tests should be repeatable.

Categories of Forensics Data
Computer forensics focuses on three categories of data:
⚫ Active data.
⚫ Latent data.
⚫ Archival data.

Computer Facilitated Crimes
Dependency on computers has given way to new crimes. Computers are used as tools for committing crimes. Computer crimes pose new challenges for investigators due to their:
⚫ Speed.
⚫ Anonymity.
⚫ Fleeting nature of evidence.

Types of Computer Crimes
⚫ Fraud by computer manipulation.
⚫ Damage to or modification of computer data or programs.
⚫ Unauthorized access to computer programs/applications, and unauthorized reproduction of computer programs.
⚫ Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means.
⚫ Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons.

Modes of Attacks
Cyber crime can be categorized into two categories, depending on the way the attack takes place.
⚫ Insider attacks: breach of trust from employees within the organization.
⚫ External attacks: hackers either hired by an insider or by an external entity with the aim of destroying a competitor's reputation.

Examples of Evidence
Examples of how evidence found in a computer may assist in the prosecution or defence of a case are manifold. A few of these examples are:
⚫ Use/abuse of the Internet.
⚫ Production of false documents and accounts.
⚫ Encrypted/password protected material.
⚫ Abuse of systems.
⚫ Email contact between suspects/conspirators.
⚫ Theft of commercial secrets.
⚫ Unauthorized transmission of information.
⚫ Records of movements.
⚫ Malicious attacks on the computer systems themselves.
⚫ Names and addresses of contacts.

Stages of Forensic Investigation in Tracking Cyber Criminals
Key steps in forensic investigations:
Step 1: Computer crime is suspected.
Step 2: Collect preliminary evidence.
Step 3: Obtain a court warrant for seizure (if required).
Step 4: Perform first responder procedures.
Step 5: Seize evidence at the crime scene.
Step 6: Transport it to the forensic laboratory.
Step 7: Create 2 bit stream copies of the evidence.
Step 8: Generate an MD5 checksum on the images.
Step 9: Prepare the chain of custody.
Step 10: Store the original evidence in a secure location.
Step 11: Analyse the image copy for evidence.
Step 12: Prepare a forensic report.
Step 13: Submit the report to the client.
Step 14: If required, attend court and testify as an expert witness.

Rules of Computer Forensics
Rule for the forensic investigator: examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law.

What do Digital Forensics Experts Do?
⚫ Gather evidence
⚫ Preserve data integrity (chain of evidence)
⚫ Identify critical information
⚫ Analyze evidence
⚫ Present evidence

Digital Forensics Tools
Commercial packages:
⚫ EnCase
⚫ Forensic Toolkit (FTK)
Open source software:
⚫ Sleuth Kit libraries
⚫ Autopsy GUI

Solving a Computer Forensic Case Using Autopsy
⚫ A complaint was made to the authorities describing alleged Wi-Fi hacking activity. When the authorities reached the spot, they found an abandoned Dell computer which is suspected to have been used for hacking purposes.
⚫ Schardt uses the "Mr. Evil" nickname when he goes online. He is also accused of parking his car within wireless range (of places like Starbucks and other T-Mobile hotspots), where he would then intercept internet traffic, attempting to get credit card numbers, usernames and passwords.
⚫ We're going to solve 20 important questions related to this case by examining the images of his computer.
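Step 8 of the key steps above generates an MD5 checksum on the images, and the first task of the case is to confirm that the image hash still matches. The script below is an added example (not from the tutorial or from Autopsy) of how an examiner does that outside the GUI: it hashes an image in one pass with both MD5 and SHA-256, compares the MD5 against the value recorded at acquisition in constant time, and emits a chain-of-custody style record. It works on a raw (dd) image; the sample file, examiner name and the "abc" content it hashes are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

# Read the image in fixed-size chunks so multi-gigabyte images never have
# to fit in memory. 1 MiB is an arbitrary, conventional chunk size.
CHUNK_SIZE = 1024 * 1024


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`, feeding every
    requested hash from a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        while True:
            chunk = image.read(CHUNK_SIZE)
            if not chunk:
                break
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, expected_md5):
    """True if the image's MD5 matches the hash recorded at acquisition.
    Digests are compared case-insensitively (Autopsy displays upper case)
    and with a constant-time comparison."""
    actual = hash_image(path, algorithms=("md5",))["md5"]
    return hmac.compare_digest(actual.lower(), expected_md5.strip().lower())


def custody_record(path, examiner, expected_md5):
    """Build a chain-of-custody style verification entry. MD5 is what the
    acquisition tool wrote; SHA-256 is recorded alongside it so later
    re-verification does not rest on MD5 alone."""
    digests = hash_image(path)
    return {
        "evidence": os.path.basename(path),
        "examiner": examiner,
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "md5": digests["md5"],
        "sha256": digests["sha256"],
        "matches_acquisition_md5": verify_image(path, expected_md5),
    }


def make_sample_image(content=b"abc"):
    """Write a constructed stand-in for a raw (dd) image to a temporary file
    and return its path. The real case image is an E01 container, not raw bytes."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample_image()
    # MD5 of the constructed content "abc"; in a real case this value comes
    # from the acquisition log or the image metadata shown in Autopsy.
    acquisition_md5 = "900150983CD24FB0D6963F7D28E17F72"
    print(custody_record(sample, "examiner (placeholder)", acquisition_md5))
    os.remove(sample)
```

For an E01 container the acquisition MD5 is stored inside the container and covers the acquired data, not the E01 file bytes, so hashing the .E01 file with this script will not reproduce the value Autopsy shows; verify an E01 with libewf's ewfverify, or export the raw image first and hash that.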
Tasks performed
During the course of the investigation, analysis of the evidence requires performing the 12 basic tasks of computer forensics:
⚫ Generating an image hash and confirming the integrity of the image
⚫ Determining the operating system used on the disk
⚫ Determining the date of OS installation
⚫ Determining the registered owner, the account name in use and the last recorded shutdown date and time
⚫ Determining the account name of the user who mostly used the computer and the user who last logged into it
⚫ Determining the hacker handle of the user and tying the actual name of the user to his hacker handle
⚫ Determining the MAC and last allocated IP address of this computer
⚫ Locating the programs installed on this computer that could have been used for hacking purposes
⚫ Collecting information regarding the IRC service that was used by the owner
⚫ Searching the Recycle Bin for relevant information
⚫ Listing the newsgroups that the owner of the computer has registered to
⚫ Determining the SMTP email address in use

So now let's start our investigation
⚫ We will find the solution for these given tasks from the disk image of the suspect.

⚫ Q1. What is the image hash?
The hash of the image is AEE4FCD9301C03B3B054623CA261959A.
How? Click on Data Sources --> select the image 4Dell Latitude CPi.E01 --> click on Metadata. MD5: AEE4FCD9301C03B3B054623CA261959A

⚫ Q2. What operating system was used on the computer?
Microsoft Windows XP was used.
How? Click on Results --> Extracted Content --> Operating System Information

⚫ Q3. When was the install date?
2004-08-19 22:48:27
How? Click on Results --> Extracted Content --> Operating System Information

⚫ Q4. Who is the registered owner?
The owner is Greg Schardt.
How? Click on Results --> Extracted Content --> Operating System Information

⚫ Q5. What is the computer account name?
The account name is N-1A9ODN6ZXK4LQ.
How? Click on Results --> Extracted Content --> Operating System Information

⚫ Q6. When was the last recorded computer shutdown date/time?
The last recorded shutdown time of the computer is 2004/08/27-10:46:27.
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\Prefetcher\ExitTime

⚫ Q7. How many accounts are recorded (total number)?
There are 5 accounts: Mr, Administrator, Guest, SUPPORT_388945a0, HelpAssistant.
How? Click on Results --> Operating System User Accounts

⚫ Q8. Who was the last user to log on to the computer?
Mr. Evil. The system obtains the last user who logged on from the key 'DefaultUserName'. This information can be uncovered from the following path.
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> WINDOWS/SYSTEM32/CONFIG/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENTVERSION/WINLOGON/DefaultUserName

⚫ Q9. List the network cards used by this computer.
Compaq WL110 Wireless LAN PC Card; Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface).
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards\

⚫ Q10. What is the IP address and MAC address of the computer?
IP=192.168.1.111, MAC=00:10:a4:93:3e:09
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Program Files/Look@LAN/irunin.ini

⚫ Q11. Search for programs/tools that aided in the crime (wireless hacking).
The programs which could have been used for hacking purposes:
1. Look@LAN: Look@Lan is an advanced network monitor that allows you to monitor your network in a few clicks.
2. Cain: Cain and Abel is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes by methods such as dictionary attacks, brute force and cryptanalysis attacks.
3. Network Stumbler: NetStumbler is a tool for Windows that facilitates detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft Windows operating systems from Windows 2000 to Windows XP.
4. mIRC: mIRC is an Internet Relay Chat client for Windows, created in 1995.
5. Ethereal/Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
6. 123 WASP: WASP will display all passwords of the currently logged in user that are stored in the Microsoft PWL file.

⚫ Q12. Which email client is used by Mr. Evil?
Outlook Express, Forte Agent, MSN Explorer, MSN (Hotmail) Email.
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> WINDOWS\system32\config\software\clients\Mail

⚫ Q13. What is the SMTP email address for Mr. Evil?
The SMTP email address is [email protected]
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Program Files\Agent\Data\Agent.ini

⚫ Q14. How many executable files are in the Recycle Bin?
There are 4 files in the Recycle Bin.
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Recycler

⚫ Q15. Is there any malware on the computer?
Yes, there is a zip bomb malware by the name of unix_hack.giz on this system.
How? Click on Results --> Extracted Content --> Interesting Items --> Possible Zip Bomb --> Interesting Files

⚫ Q16. A popular IRC (Internet Relay Chat) program called mIRC was installed. What are the user IDs?
user=Mini Me, [email protected], nick=Mr, anick=mrevilrulez
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Program Files\mIRC\mirc.ini

⚫ Q17. Ethereal, a popular "sniffing" program that can be used to intercept wired and wireless internet packets, was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that user's \My Documents directory. What is the name of the file that contains the intercepted data?
The file name is "interception".
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Documents and Settings\Mr.Evil\interception

⚫ Q18. Which internet browser was used?
Internet Explorer.
How? Click on Data Sources --> select 4Dell Latitude --> vol2 --> Documents and Settings\Mr.Evil\interception, scroll down and see User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)

⚫ Q19. What websites was the victim accessing?
login.passport.com, mobile.msn.com, www.passportimages.com
How? You can also copy all the text from the interception file and search for ".com"; it will show you the websites which were visited.

⚫ Q20. What is the web-based email address for the main user?
[email protected] was found in the web history.
How? Click on Results --> Extracted Content --> Web History

Conclusion
⚫ Computer forensics is a vast field of study and includes topics like processing crime scenes, operating systems and file structures, recovering graphic files and defeating steganography, email investigations, mobile device investigations, and report writing.

Future
The need for standards:
⚫ Acquisition procedure: develop step-by-step instructions to be followed.
⚫ Certification: investigators, tools, operating systems.
Research:
⚫ Create more meaningful audit data.
⚫ Ensure integrity and availability of audit data.
⚫ Privacy and digital forensics.
⚫ Develop detection techniques.
⚫ Develop automation processes.
Documentation:
⚫ File systems: over 50 different file systems currently in use; most are poorly documented.
⚫ Malware: "fingerprint" of bad programs.
⚫ Good system state: accessible databases for every OS, version and patch level.
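Q10, Q13 and Q16 all answer themselves by reading an application's .ini file out of the image (irunin.ini for the IP/MAC pair, Agent.ini for the SMTP address, mirc.ini for the nicknames). The following is an added example, not part of the tutorial, of doing that triage with a script once the files have been exported from Autopsy: it parses the file leniently, pulls out every key whose name hints at a user identity, and regex-scans the whole text for IPv4 and MAC addresses regardless of which key holds them. The three sample files are constructed; their section and key names are assumptions rather than copies of the real formats, and only the IP and MAC values are the ones the tutorial found.

```python
import configparser
import re

# Substrings that mark keys worth pulling from an application .ini file when
# tying a machine to its user (mIRC user/nick/email, mail client SMTP settings).
IDENTITY_KEY_HINTS = ("user", "mail", "nick", "smtp")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def load_ini(text):
    """Parse .ini text leniently: no '%' interpolation, duplicate keys tolerated,
    keys without '=' tolerated. Real application .ini files often have all three."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(text)
    return parser


def find_identity_values(text):
    """Return {"Section.key": value} for every non-empty key whose name contains
    one of IDENTITY_KEY_HINTS. configparser lower-cases key names."""
    parser = load_ini(text)
    found = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and any(hint in key for hint in IDENTITY_KEY_HINTS):
                found[f"{section}.{key}"] = value.strip()
    return found


def find_network_identifiers(text):
    """Return sorted, de-duplicated IPv4 and MAC addresses found anywhere in the
    text. MACs are normalised to lower case so hits compare cleanly across files."""
    return {
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "mac": sorted({addr.lower() for addr in MAC_RE.findall(text)}),
    }


# Constructed sample files (section/key names are assumptions, values are
# placeholders except the IP/MAC pair reported in Q10).
MIRC_INI = """[mirc]
user=Sample User
email=sample@example.invalid
nick=samplenick
anick=samplealt
"""

AGENT_INI = """[Profile]
SMTPServer=smtp.example.invalid
EmailAddress=sample@example.invalid
"""

IRUNIN_INI = """[Settings]
LocalIP=192.168.1.111
LocalMAC=00:10:a4:93:3e:09
"""


if __name__ == "__main__":
    for name, text in (("mirc.ini", MIRC_INI), ("Agent.ini", AGENT_INI),
                       ("irunin.ini", IRUNIN_INI)):
        print(name, find_identity_values(text), find_network_identifiers(text))
```

The dotted-quad pattern also matches version strings such as 1.2.3.4, so every IPv4 hit should be read in the context of its key before it goes into a report.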
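Q17 to Q19 are answered by reading the reassembled TCP stream saved as "interception": the User-Agent header identifies the browser and the Host headers (or, as Q19 suggests, a search for ".com") identify the sites visited. The script below is an added example, not part of the tutorial, that automates that reading: it decodes the stream without choking on binary payload bytes, extracts User-Agent and Host headers, falls back to a broad domain search for names that never appear in a Host header (a redirect Location, for instance), and maps the MSIE token to Internet Explorer. The sample stream is constructed from the User-Agent string and host names quoted in Q18 and Q19.

```python
import re

USER_AGENT_RE = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*([A-Za-z0-9.-]+)", re.IGNORECASE | re.MULTILINE)
# Broad fallback for the "search for .com" approach in Q19: any dotted name
# ending in a common TLD, wherever it appears in the stream.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.IGNORECASE)

# User-Agent tokens that identify a browser family; "MSIE" is the token
# Internet Explorer used at the time of this image.
BROWSER_TOKENS = (
    ("MSIE", "Internet Explorer"),
    ("Firefox", "Mozilla Firefox"),
    ("Opera", "Opera"),
)


def decode_stream(data):
    """Reassembled streams are bytes and may carry binary payloads; Latin-1
    maps every byte to a character, so nothing raises and header lines survive."""
    if isinstance(data, (bytes, bytearray)):
        return bytes(data).decode("latin-1")
    return data


def browser_from_user_agent(user_agent):
    for token, name in BROWSER_TOKENS:
        if token in user_agent:
            return name
    return "unknown"


def parse_http_artifacts(data):
    """Summarise the browsers and sites visible in an intercepted HTTP stream."""
    text = decode_stream(data)
    user_agents = sorted(set(USER_AGENT_RE.findall(text)))
    return {
        "user_agents": user_agents,
        "browsers": sorted({browser_from_user_agent(ua) for ua in user_agents}),
        "hosts": sorted({host.lower() for host in HOST_RE.findall(text)}),
        "domains": sorted({name.lower() for name in DOMAIN_RE.findall(text)}),
    }


# Constructed stand-in for the "interception" file: two requests, a redirect
# and some non-text bytes, using the User-Agent and sites quoted in Q18/Q19.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n"
    b"Host: login.passport.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)\r\n"
    b"\r\n"
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://mobile.msn.com/\r\n"
    b"\r\n"
    b"GET /logo.gif HTTP/1.1\r\n"
    b"Host: www.passportimages.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)\r\n"
    b"\r\n"
    b"\x00\xff\xfe binary payload bytes \x80\x81\r\n"
)


if __name__ == "__main__":
    # On the real image, replace SAMPLE_STREAM with the bytes of the exported
    # "interception" file, e.g. open(path, "rb").read().
    print(parse_http_artifacts(SAMPLE_STREAM))
```

Note that mobile.msn.com appears only in a Location header, so the Host list alone would miss it; that is why the tutorial's ".com" search and the header parse are kept side by side.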
