King Fahd University of Petroleum & Minerals SEC524 Computer and Network Forensics Lectures 11 and 12 PDF
These lecture notes from King Fahd University of Petroleum & Minerals cover computer forensics analysis and verification. They detail the importance of data analysis and verification in digital forensics, along with specific steps for investigations. A few examples of investigation scenarios and analysis are given in the doc.
Slide 1: Title
King Fahd University of Petroleum & Minerals, College of Computer Sciences & Engineering
SEC524 Computer and Network Forensics, Lectures 11 and 12: Computer Forensics Analysis and Verification
These slides are based on:
- Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 9)
- ENISA: Introduction to Network Forensics (Ch. 2)

Slide 2: Outline
- Introduction
- Data Analysis and Investigation Plans
- Timeline Analysis
- Aggregation & Correlation of Different Sources
- Data Normalization
- Forensics Verification

Slide 3: Introduction
- An important phase of digital forensics is to analyze and verify the collected data
- Determine what data to collect and analyze; that entails:
  - conducting a timeline analysis of the incident
  - aggregating and correlating different sources
  - data normalization
- Verify the collected data with forensics software and/or hex editors
- Accordingly, the investigation plan is refined and updated

Slide 4: Data Analysis & Investigation Plans
- Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data to process
  - Criminal investigations are limited to finding the data defined in the search warrant
  - Civil investigations are often limited by court orders for discovery
  - Private-sector investigators might be searching for company policy violations that require examining only specific items, such as e-mail
- Thus, investigations often involve locating and recovering a few specific items, which simplifies and speeds up processing
- If litigation is anticipated in the private sector, the company attorney often directs the investigator to recover as much information as possible
- The investigation may expand beyond its original description because of unexpected evidence you find (scope creep), prompting the attorney to ask you to examine other areas to recover more evidence

Slide 5: Data Analysis & Investigation Plans (cont'd)
- You begin a digital forensics case by creating a plan that defines the investigation's goal and scope, the materials needed, and the tasks to perform
- The approach taken depends on the type of case being investigated
  - Gathering evidence for an e-mail harassment case might involve little more than accessing network logs and e-mail server backups to locate specific messages
- The approach also depends on whether the case is an internal organizational investigation or a civil or criminal investigation carried out by law enforcement
  - In an internal investigation, evidence collection tends to be easy and straightforward because private-sector investigators usually have ready access to the necessary records and files
  - In a criminal cyberstalking case, you need to contact the ISP and the e-mail service; note that some companies have systems set up to handle these situations, but others do not

Slide 6: Data Analysis & Investigation Plans (cont'd)
- An investigation of an employee suspected of industrial espionage can require the most work
- Before initiating this type of investigation, make sure the organization, whether a private company or a public agency, has set up rules of use and limitations of privacy rights
- You might need to plant a software or hardware keylogger, and you need to engage the network administrator's services to monitor Internet and network activities
- You might want to do a remote acquisition of the employee's drive, and then use another tool to determine what peripheral devices have been accessed

Slide 7: Data Analysis & Investigation Plans (cont'd)
- As a standard practice, you should follow these basic steps for all digital forensics investigations:
  1. Use a target drive that has been inspected and cleared of any possible malware, along with a disk-to-disk forensic copying tool, to reformat the target drive to the same configuration as the original drive
  2. Inventory the hardware on the suspect's computer, note the condition of the computer when seized, check the system's BIOS date and time values, and document all physical hardware components as part of your evidence acquisition process
  3. Record how you acquired data from the suspect drive (e.g., note that you created a bit-stream image, which tool you used, and the hash value created to verify the image)
  4. List all folders and files on the image/drive, noting where specific evidence is found and its relevance to the investigation

Slide 8: Data Analysis & Investigation Plans (cont'd)
- As a standard practice, you should... (cont'd):
  5. Examine the contents of all data files in all folders, starting at the root directory of the volume partition
     - Exception: in cases with a defined scope of work stated in a search warrant or discovery demand, you may look only for the specific items listed in the warrant or discovery demand
  6. For all password-protected files that might be related to the investigation, make your best effort to recover the file contents (use password-recovery tools for this purpose, such as AccessData Password Recovery Toolkit (PRTK), ...)
  7. Identify the function of every executable file that doesn't match known hash values, and make note of any system files or folders that are out of place
  8. Maintain control of all evidence and findings, and document everything as you progress through your examination

Slide 9: Data Analysis & Investigation Plans (cont'd)
- Refining and modifying the investigation plan:
  - In private-sector cases (e.g., employee abuse), the limits of the scope of the investigation might not be specified
  - For these cases, it's important to refine the investigation plan as much as possible by trying to determine what the case requires
  - The investigation should be broad enough to encompass all relevant evidence, yet not so wide-ranging that you waste time and resources analyzing data that's not going to help the case
  - For example, suppose an employee is accused of operating an online business using company resources during work hours
    - Use this timeframe (work hours) to narrow the set of data you're searching; because you're looking for unauthorized Internet use, focus the search on temporary Internet files, Internet history, and e-mail communication
    - While reviewing e-mails related to the case, you might find references to spreadsheets or Word documents containing financial information related to the online business; in that case, it makes sense to broaden the range of data you're looking for to include these types of files

Slide 10: Timeline Analysis
- Timestamps have always been a very important artefact of almost every forensic investigation
- An alert or event that happened at a particular point in time raises suspicion and leads to the analysis in the first place
- Many investigations start with time-related questions such as:
  - When did that host get infected?
  - How often did the user access that website?
  - When did the user last access that particular file?
  - How long has this suspicious file been in that directory?
  - When did the intruder get access to our internal network?
  - How long did it take the intruder to access that server?
  - How frequently has process XYZ failed?
  - When did we apply the patch that could have prevented the intrusion?
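Steps 4 and 7 of the procedure (inventory every file; identify executables that match no known hash and system files that are out of place) are the part of the checklist that is routinely scripted. The following is an added example written for these notes, not code from the slides or from any forensic tool: it walks a mounted image, records path, size and SHA-256 for every file, flags executables absent from a known-good hash set, and flags .dll/.sys files outside the directories where they are expected. The directory tree, file contents and known-hash set are constructed inline, and the "expected system directories" rule is an assumption made for illustration.

```python
"""Inventory every file on a mounted image and single out executables whose
hashes are not in a known-good set, plus system-type files that sit outside
the directories where they belong (procedure steps 4 and 7). Added example,
not from the course slides; the tree, contents and known-hash set are
constructed, and EXPECTED_SYSTEM_DIRS is an illustrative assumption."""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = frozenset({".exe", ".dll", ".sys", ".scr", ".com"})
SYSTEM_FILE_SUFFIXES = frozenset({".dll", ".sys"})
EXPECTED_SYSTEM_DIRS = frozenset({"Windows/System32", "Windows/SysWOW64"})  # assumption


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so large evidence files are never loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> list[dict]:
    """Step 4: list every file with its path (relative to the mount root), size and SHA-256."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rows.append({"path": p.relative_to(root).as_posix(),
                         "size": p.stat().st_size,
                         "sha256": sha256_of(p)})
    return sorted(rows, key=lambda r: r["path"])  # deterministic order for the report


def unknown_executables(rows: list[dict], known_hashes: set[str]) -> list[str]:
    """Step 7: executables matching no known hash still need their function identified."""
    return [r["path"] for r in rows
            if Path(r["path"]).suffix.lower() in EXECUTABLE_SUFFIXES
            and r["sha256"] not in known_hashes]


def misplaced_system_files(rows: list[dict]) -> list[str]:
    """Step 7: .dll/.sys files outside the expected system directories are 'out of place'."""
    return [r["path"] for r in rows
            if Path(r["path"]).suffix.lower() in SYSTEM_FILE_SUFFIXES
            and Path(r["path"]).parent.as_posix() not in EXPECTED_SYSTEM_DIRS]


def demo() -> dict:
    """Build a constructed mount tree, seed the known-hash set from its system files, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed contents; only names and locations matter for this demo
            "Windows/System32/ntoskrnl.exe": b"MZ-constructed-kernel",
            "Windows/System32/kernel32.dll": b"MZ-constructed-kernel32",
            "Users/alice/Downloads/invoice.exe": b"MZ-constructed-unknown-1",
            "Users/alice/AppData/Local/Temp/update.dll": b"MZ-constructed-unknown-2",
            "Users/alice/Documents/notes.txt": b"not an executable",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        # In practice the known-good set comes from a reference hash database; here it is
        # seeded from the two constructed system files (assumption for the demo).
        known = {sha256_of(root / "Windows/System32/ntoskrnl.exe"),
                 sha256_of(root / "Windows/System32/kernel32.dll")}
        rows = inventory(root)
        return {"inventory": [r["path"] for r in rows],
                "unknown_executables": unknown_executables(rows, known),
                "misplaced_system_files": misplaced_system_files(rows)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Files flagged by unknown_executables() are candidates for the manual "identify the function" work of step 7, not conclusions; a hash absent from a reference set only means the file is unrecognized.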
Slide 11: Timeline Analysis (cont'd)
- An investigator will need to:
  - have a deep understanding of where to look for timestamps
  - know how to correctly interpret timestamps
  - know how to convert the many different timestamp formats there are
  - know how to correlate timestamps coming from various sources, different operating systems and multiple time zones
- The most obvious source of timestamps is the well-known set of timestamps every file has (usually referred to as MAC times)
- There are other sources of timestamps, such as metadata embedded within files (e.g., last printed), server log files, Windows Event Logs, LastWrite timestamps of MS Windows Registry keys, metadata from the file system itself, web-browsing and e-mail artefacts, database timestamps, network captures, etc.

Slide 12: Timeline Analysis (cont'd)
- Trusted timestamping: adding extra guarantees that specific information existed or was created at a specific time
  - This can involve placing trust in a Time Stamping Authority (TSA)
  - Some network appliances allow enabling trusted timestamping (TTS) on log file entries
- The paradigm of looking at a single or a few timestamps during an investigation has shifted towards building comprehensive timelines (involving millions of timestamps from many sources)
- Freely available open-source tools exist that help the analyst create and investigate these timelines
  - For example, Plaso is an open-source tool designed to extract timestamps from various files (e.g., host images, firewall logs, proxy logs, web server logs, mail server logs, packet captures, etc.)
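Converting the different timestamp formats named above and placing them on one axis is the mechanical core of timeline building. The block below is an added example for these notes, not code from the slides or from Plaso: it converts a Windows FILETIME (the representation behind NTFS MAC times and Registry LastWrite values), Unix epoch seconds, ISO 8601 with and without an offset, and an Apache/nginx common-log-format time field into UTC, corrects each source by a clock skew measured at acquisition, sorts the result, and answers a "what happened near this event" query. All records, the UTC+3 local zone and the two-minute skew are constructed for the example.

```python
"""Normalize timestamps from several sources and formats into one UTC-ordered
timeline, then look for events that occurred near an anchor event. Added
example, not part of the course slides; all records below are constructed,
and each source's clock skew is assumed to have been measured against a
reference clock when the system was acquired."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL_ZONE = timezone(timedelta(hours=3))  # constructed: site logs local time without an offset


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME (NTFS MAC times, Registry LastWrite): 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime; used here only to construct a sample NTFS record."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_unix(seconds: int) -> datetime:
    """Unix epoch seconds (as in a firewall export) are already on the UTC axis."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_iso(text: str, default_tz: timezone) -> datetime:
    """ISO 8601; a value carrying no offset is taken to be in the source's local zone."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=default_tz)
    return dt.astimezone(timezone.utc)


def from_clf(text: str) -> datetime:
    """Apache/nginx common log format time field, e.g. '17/Mar/2024:09:14:40 +0300'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


# Constructed records: (source, event, parsed time, measured clock skew of the source host)
RAW_EVENTS = [
    ("web server access log", "GET /invoice.zip",
     from_iso("2024-03-17T06:13:55+00:00", timezone.utc), timedelta(0)),
    ("mail server log", "message delivered to alice",
     from_iso("2024-03-17T09:14:02", LOCAL_ZONE), timedelta(0)),
    ("proxy log (CLF)", "CONNECT filehost.example:443",
     from_clf("17/Mar/2024:09:14:40 +0300"), timedelta(0)),
    ("workstation event log", "process start: invoice.exe",
     from_iso("2024-03-17T09:17:12", LOCAL_ZONE), timedelta(minutes=2)),  # clock 2 min fast
    ("NTFS $STANDARD_INFORMATION", "created: Downloads/invoice.exe",
     from_filetime(to_filetime(datetime(2024, 3, 17, 6, 15, 30, tzinfo=timezone.utc))),
     timedelta(0)),
    ("firewall export (epoch)", "outbound 10.0.5.23 -> 198.51.100.7:443",
     from_unix(1710656190), timedelta(0)),
]


def build_timeline(raw=RAW_EVENTS) -> list[dict]:
    """Subtract each source's measured skew, then order everything on the UTC axis."""
    rows = [{"utc": ts - skew, "source": src, "event": ev} for src, ev, ts, skew in raw]
    return sorted(rows, key=lambda r: r["utc"])


def events_near(timeline: list[dict], anchor_source: str, window: timedelta) -> list[dict]:
    """Events within +/- window of the anchor event, excluding the anchor itself."""
    anchor = next(r for r in timeline if r["source"] == anchor_source)
    return [r for r in timeline
            if r is not anchor and abs(r["utc"] - anchor["utc"]) <= window]


if __name__ == "__main__":
    for row in build_timeline():
        print(row["utc"].isoformat(), row["source"], "|", row["event"])
```

Without the skew correction the workstation's process start would sort after the file's NTFS creation time, which is the kind of ordering error that sends an analysis down the wrong path; recording per-host clock offsets at acquisition is what makes the correction possible later.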
Slide 13: Timeline Analysis (cont'd)
- A comprehensive, but not complete, list of time-related activities that have a major role in forensic investigations:
  - Correlate different traces from multiple sources to one another, e.g.:
    - user receives an e-mail
    - user's host connects to a URL
    - a file is downloaded
    - an office file is created in the local file system
    - an office application is started
    - a temporary file is created in the local file system
    - another URL is accessed by the host
    - another file is downloaded
    - an executable file is created in the local file system
    - the executable file is started
    - a Windows Registry key is created
    - "suspicious" network traffic shows up in logs
    - internal systems start behaving "weird" (lateral movement)

Slide 14: Timeline Analysis (cont'd)
- A comprehensive, but not complete... (cont'd):
  - Develop context around events or alerts
  - Add additional data sources to the investigation
  - See events that occurred "near" other events
  - Detect times of high system activity
  - Detect events at "unusual" times (outliers)
  - Concentrate on a few important events (no need for the "full picture")
  - May detect system clock manipulation
  - May detect log tampering (e.g., through correlating timestamps)
  - Differentiate between automated/system activities and human activities
  - Differentiate between regular system tasks and the least frequent activities
  - Create human-readable histograms
  - Normalize timestamps from different sources/formats/time zones
  - Provide information about deleted data even if the data is not recoverable

Slide 15: Aggregation & Correlation of Different Sources
- Analysis of logs and other incident data in digital forensics means that events are aggregated to reduce the total number of events, and "similar" events are grouped together before examination
- Make sure that the records are comparable and can be correlated by the information items they contain
  - For example: timestamps, IP addresses, process identifiers, user identifiers, vulnerability identifiers (CVE), etc.
- In log normalization, each log data field is converted to a particular data representation and categorized consistently
- One of the most common uses of normalization is storing dates and times in a single format
- Normalizing the data makes analysis and reporting much easier when multiple log formats are in use

Slide 16: Aggregation & Correlation of Different Sources (cont'd)
- There are tools for log normalization and aggregation
  - Examples: Kibana and Squert (both are used from a web browser to view and analyze data, with the data coming from Elasticsearch databases for Kibana and Sguil databases for Squert)
  - Both tools allow viewing event data in different forms of display (curves, charts, graphs, etc.), with individual displays combined into dashboards
[Figure: Kibana GUI] [Figure: Squert GUI]

Slide 17: Data Normalization
- IP address normalization
  - Due to DHCP and NAT, IP addresses are generally not static information and are not globally unique
  - Event correlation by IP address would be impossible in such a case
  - To overcome this problem, investigators must be aware of this fact and obtain the logs from DHCP servers and NAT gateways so that events can later be correlated
- Time normalization faces two major problems:
  1. A timestamp may be incorrect because the time was not synchronized to a central time source (e.g., NTP), has fallen out of sync, botched the switch to/from daylight saving time, etc.
  2. Timestamps may be in a format that cannot be correctly parsed by the analysis software

Slide 18: Data Normalization (cont'd)
- Time normalization (cont'd): best-practice recommendations include:
  - Use clock synchronization (NTP) on all systems for high accuracy
  - Monitor correct operation, especially when switching to/from daylight saving time
  - Log time zone information in the form of an offset, not the name of the time zone
  - Include the full four-digit year in all timestamps
  - Standardize time formats as much as possible
  - Normalize timestamps to UTC as early as possible in the log chain

Slide 19: Forensics Verification
- Validation vs. verification?
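The IP address normalization point (slide 17) and the aggregation point (slide 15) are best seen together: an address is only a usable correlation key once it has been resolved, through the DHCP lease log and the NAT translation log, to the host that held it at that instant, and only then can "similar" events be grouped. The block below is an added example written for these notes, not code from the slides or from Kibana/Squert. The DHCP lease table, NAT log, proxy events and firewall events are all constructed; in the constructed data the address 10.0.5.23 is held by two different workstations on the same day, and the perimeter firewall only ever sees the shared public address.

```python
"""Correlate events by host rather than by raw IP address: DHCP leases bind
an address to a host only for an interval, and NAT hides internal addresses
behind a shared public one. Added example, not from the slides; the lease
log, NAT translation log and event records are all constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(text: str) -> datetime:
    """Every constructed record carries an explicit offset, as slide 18 recommends."""
    return datetime.fromisoformat(text).astimezone(timezone.utc)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime


# Constructed DHCP server lease log: 10.0.5.23 changes hands at 11:00 UTC
LEASES = [
    Lease("10.0.5.23", "aa:bb:cc:00:00:01", "ws-alice",
          utc("2024-03-17T07:00:00+00:00"), utc("2024-03-17T11:00:00+00:00")),
    Lease("10.0.5.23", "aa:bb:cc:00:00:02", "ws-bob",
          utc("2024-03-17T11:00:00+00:00"), utc("2024-03-17T15:00:00+00:00")),
    Lease("10.0.5.40", "aa:bb:cc:00:00:03", "ws-carol",
          utc("2024-03-17T07:30:00+00:00"), utc("2024-03-17T15:30:00+00:00")),
]

# Constructed NAT gateway log: (public ip, public port) -> internal address during [start, end)
NAT_LOG = [
    {"public": ("203.0.113.10", 40001), "internal": "10.0.5.23",
     "start": utc("2024-03-17T08:30:00+00:00"), "end": utc("2024-03-17T08:31:00+00:00")},
    {"public": ("203.0.113.10", 40001), "internal": "10.0.5.40",
     "start": utc("2024-03-17T12:05:00+00:00"), "end": utc("2024-03-17T12:06:00+00:00")},
]


def host_for(ip: str, at: datetime) -> Optional[str]:
    """A dynamic address identifies a host only together with a time (lease start inclusive, end exclusive)."""
    for lease in LEASES:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.hostname
    return None


def internal_for(public_ip: str, public_port: int, at: datetime) -> Optional[str]:
    """Undo NAT: the internal address that owned a public ip:port at the given time."""
    for entry in NAT_LOG:
        if entry["public"] == (public_ip, public_port) and entry["start"] <= at < entry["end"]:
            return entry["internal"]
    return None


# Constructed events from two sources; the perimeter firewall sees only the NAT address.
PROXY_EVENTS = [  # (time, client ip, category)
    (utc("2024-03-17T08:10:00+00:00"), "10.0.5.23", "download"),
    (utc("2024-03-17T08:20:00+00:00"), "10.0.5.23", "download"),
    (utc("2024-03-17T08:25:00+00:00"), "10.0.5.23", "download"),
    (utc("2024-03-17T12:00:00+00:00"), "10.0.5.23", "download"),
    (utc("2024-03-17T12:05:30+00:00"), "10.0.5.40", "browse"),
]
FIREWALL_EVENTS = [  # (time, public source ip, public source port, category)
    (utc("2024-03-17T08:30:20+00:00"), "203.0.113.10", 40001, "download"),
    (utc("2024-03-17T12:05:30+00:00"), "203.0.113.10", 40001, "browse"),
]


def normalize() -> list[dict]:
    """Rewrite every event onto the common key (host, category), keeping the address for the report."""
    rows = []
    for ts, ip, category in PROXY_EVENTS:
        rows.append({"utc": ts, "ip": ip, "host": host_for(ip, ts),
                     "category": category, "source": "proxy"})
    for ts, pub_ip, pub_port, category in FIREWALL_EVENTS:
        ip = internal_for(pub_ip, pub_port, ts)
        host = host_for(ip, ts) if ip else None
        rows.append({"utc": ts, "ip": ip, "host": host,
                     "category": category, "source": "firewall"})
    return rows


def aggregate(rows: list[dict]) -> Counter:
    """Slide 15's aggregation: collapse similar events so the analyst examines a few groups."""
    return Counter((r["host"] or f"unresolved:{r['ip']}", r["category"]) for r in rows)


if __name__ == "__main__":
    for (host, category), n in sorted(aggregate(normalize()).items()):
        print(f"{host:<12} {category:<10} {n}")
```

Grouping the same seven events on the raw address instead would credit ws-alice's four downloads and ws-bob's one to a single "10.0.5.23" entry, and would leave the two firewall records keyed to the public address with no link to either workstation.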
  - Validation: confirm that a process/product is functioning as intended
    - Needed for validating forensics tools and processes/methods
    - Not our focus, though it is important!
  - Verification: prove that two sets of data are identical by calculating hash values or using another similar method
- Purpose of forensic verification?
  - Demonstrate that the image created has an exact one-for-one correspondence with the original suspect data
  - Prove that any analysis the investigator performs does not modify the image in any way (i.e., integrity protection)

Slide 20: Forensics Verification (cont'd)
- Digital forensics tools generate hash values (e.g., MD5 and SHA-1) when they acquire a data image file
- When the data image file is loaded in a forensics tool, another hash is computed and then compared with the original hash value to verify whether the image file is correct
- If the hashes don't match, the tool identifies that the digital evidence is corrupted, and the investigator must create a new forensic image of the original data
- If the original data is no longer available, the investigator must list the mismatched hash values in a report, which should state that, as a result, the findings might not be accurate

Slide 21: Forensics Verification (cont'd)
- Many of today's forensics tools directly support forensic verification
  - For example, in AccessData FTK Imager, when you select the Expert Witness (.E01) or SMART (.S01) format, additional options are available for hashing all the data
  - FTK Imager then inserts a report into the .E01 or .S01 file that lists MD5 and SHA-1 hash values
  - Autopsy has a similar feature called E01 Verifier for verifying an Expert Witness image file
- If a forensic tool doesn't support it, a hex editor (e.g., WinHex) should be able to assist in this matter
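The verification step described on slides 19 and 20 reduces to re-hashing the image and comparing against the values recorded at acquisition, with a specific reporting obligation when they differ. The block below is an added example written for these notes, not code from the slides, FTK Imager or Autopsy: it computes MD5 and SHA-1 (the algorithms the slides name) in a single read pass, compares them with the acquisition record, and builds the mismatch statement the report needs. The "image" is a constructed temporary file, and the demo flips one bit in it to show how the check fails.

```python
"""Verify a forensic image against the hashes recorded at acquisition, using one
read pass for both MD5 and SHA-1, and produce the report statement required
when the hashes do not match. Added example, not the slides' or any vendor's
code; the 'image' is a constructed temporary file."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat however large the image is


def hash_image(path: Path, algorithms=("md5", "sha1")) -> dict[str, str]:
    """Feed every chunk to all digests so the evidence is read from disk only once."""
    # MD5/SHA-1 are used here as integrity fingerprints, which is why the slides' tools still emit them
    digests = {name: hashlib.new(name, usedforsecurity=False) for name in algorithms}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(path: Path, recorded: dict[str, str]) -> dict:
    """Compare freshly computed hashes with the acquisition record; any mismatch fails verification."""
    computed = hash_image(path, tuple(recorded))
    mismatched = sorted(name for name in recorded if recorded[name] != computed[name])
    result = {"verified": not mismatched, "recorded": recorded, "computed": computed,
              "mismatched": mismatched, "report": None}
    if mismatched:
        # Slide 20: if the original is gone, the report lists the mismatch and its consequence
        lines = [f"{n}: acquisition {recorded[n]} != current {computed[n]}" for n in mismatched]
        result["report"] = ("Image hash mismatch; findings might not be accurate. "
                            + "; ".join(lines))
    return result


def demo() -> tuple[dict, dict]:
    """Acquire a constructed image, verify it, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.dd"
        image.write_bytes(bytes(range(256)) * 4096)  # 1 MiB of constructed image content
        recorded = hash_image(image)                 # what the acquisition tool would log
        before = verify_image(image, recorded)
        offset = 512 * 1024                          # simulate a single bit flipped in storage
        with image.open("r+b") as fh:
            fh.seek(offset)
            original = fh.read(1)[0]
            fh.seek(offset)
            fh.write(bytes([original ^ 0x01]))
        after = verify_image(image, recorded)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean image verified:", before["verified"])
    print("after one flipped bit:", after["verified"])
    print(after["report"])
```

Note that both digests fail together on a single flipped bit; recording two independent hashes at acquisition, as the E01 and S01 formats do, guards against a transcription error in one recorded value rather than against a weakness in either algorithm.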