King Fahd University of Petroleum & Minerals SEC524 Computer and Network Forensics Lectures 11 and 12 PDF

Summary

These lecture notes from King Fahd University of Petroleum & Minerals cover computer forensics analysis and verification. They detail the importance of data analysis and verification in digital forensics, along with specific steps for investigations. A few examples of investigation scenarios and analysis are given in the doc.

Full Transcript

King Fahd University of Petroleum & Minerals
College of Computer Sciences & Engineering

SEC524 Computer and Network
Forensics

Lectures 11 and 12
Computer Forensics Analysis
and Verification
These slides are based on:
Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 9)

ENISA: Introduction to Network Forensics (Ch. 2)
 Outline

Introduction
Data Analysis and Investigation Plans
Timeline Analysis
Aggregation & Correlation of Different Sources
Data Normalization
Forensics Verification

2
 Introduction

Important phase of digital forensics is to analyze and verify
the collected data
Determine what data to collect and analyze, and that entails:
Conducting a timeline analysis of incident
Aggregating and correlating different sources
Data normalization
Verify collected data with forensics software and/or Hex editors
Accordingly, the investigation plans will be refined and
updated

3
 Data Analysis & Investigation Plans

Examining and analyzing digital evidence depends on the
nature of the investigation and amount of data to process
Criminal investigations are limited to finding data defined in the
search warrant
Civil investigations are often limited by court orders for discovery
Private-sector investigators might be searching for company policy
violations that require examining only specific items, such as e-mail
Thus, investigations often involve locating and recovering a
few specific items, which simplifies and speeds processing
If litigation is anticipated in private-sector, the company attorney
often directs the investigator to recover as much info as possible
Investigation may expand beyond original description because of unexpected
evidence you find (Scope Creep), prompting the attorney to ask you to examine
other areas to recover more evidence

4
 Data Analysis & Investigation Plans (Cntd)

You begin a digital forensics case by creating a plan that
defines the investigation’s goal and scope, the materials
needed, and the tasks to perform
Approach taken depends on the type of investigated case
Gathering evidence for an e-mail harassment case might involve
little more than accessing network logs and e-mail server backups to
locate specific messages
The approach taken depends on whether the case is an internal
organizational investigation, or a civil or criminal investigation
carried out by law enforcement
In an internal investigation, evidence collection tends to be easy and
straightforward because private-sector investigators usually have ready access to
the necessary records and files
In a criminal cyberstalking case, you need to contact the ISP and e-mail service,
and noting that some companies have systems set up to handle these situations,
but others do not
5
 Data Analysis & Investigation Plans (Cntd)

An investigation of an employee suspected of industrial
espionage can require the most work
Before initiating this type of investigation, make sure the
organization, whether it’s a private company or a public agency, has
set up rules of use and limitations of privacy rights
You might need to plant a software or hardware keylogger, and you
need to engage the network administrator’s services to monitor
Internet and network activities
You might want to do a remote acquisition of the employee’s drive,
and then use another tool to determine what peripheral devices
have been accessed

6
 Data Analysis & Investigation Plans (Cntd)

As a standard practice, you should follow these basic steps
for all digital forensics' investigations:
1. Use a target drive that have been inspected and cleared of any
possible malware, along with a disk-to-disk forensic copying tool to
reformat the target drive to the same original drive configuration
2. Inventory the hardware on the suspect’s computer, note the
condition of the computer when seized, check the system’s BIOS
date and time values, and document all physical hardware
components as part of your evidence acquisition process
3. Record how you acquired data from the suspect drive (e.g., note
that you created a bit-stream image, which tool you used, and the
hash value created to verify the image)
4. List all folders and files on the image/drive while noting where
specific evidence is found, and its relevance to the investigation

7
 Data Analysis & Investigation Plans (Cntd)

As a standard practice, you should... (Cntd):
5. Examine the contents of all data files in all folders, starting at the
root directory of the volume partition
Exception is for cases with the defined scope of work stated in a search warrant
or discovery demand where you can look for only the specific items listed in the
warrant or discovery demand
6. For all password-protected files that might be related to the
investigation, make your best effort to recover file contents (use
password-recovery tools for this purpose, such as AccessData
Password Recovery Toolkit (PRTK),...)
7. Identify the function of every executable file that doesn’t match
known hash values, and make note of any system files or folders
that are out of place
8. Maintain control of all evidence and findings, and document
everything as you progress through your examination

8
 Data Analysis & Investigation Plans (Cntd)

Refining and modifying the investigation plan:
In private-sector cases (e.g., employee abuse), the limits of the
scope of the investigation might not be specified
For these cases, it’s important to refine the investigation plan as
much as possible by trying to determine what the case requires
The investigation should be broad enough to encompass all relevant
evidence yet not so wide-ranging that you waste time and resources
analyzing data that’s not going to help the case
For example, suppose an employee is accused of operating an online business
using company resources during work hours
Use this timeframe to narrow the set of data you’re searching, and because
you’re looking for unauthorized Internet use, you focus the search on temporary
Internet files, Internet history, and e-mail communication
While reviewing e-mails related to the case, you might find references to
spreadsheets/Word documents containing financial info related to the online
business, and, in this case, it makes sense to broaden the range of data you’re
looking for to include these types of files
9
 Timeline Analysis

Timestamps have always been a very important artefact of
almost every forensic investigation
An alert or event that happened at a particular point in time raises
suspicion and leads to the analysis in the first place
Many investigations start with time-related questions such as
When did that host get infected?
How often did the user access that website?
When did the user last access that particular file?
How long has this suspicious file been in that directory?
When did the intruder get access to our internal network?
How long did it take the intruder to access that server?
How frequently has process XYZ failed?
When did we apply the patch that could have prevented the
intrusion?
10
 Timeline Analysis (Cntd)

An investigator will need to:
Have a deep understanding of where to look for timestamps
How to correctly interpret timestamps
How to convert the many different timestamps formats there are
How to correlate timestamps coming from various sources, different
operating systems and multiple time zones
The most obvious source for timestamps are the well-known
timestamps every file has (usually referred to as MAC times)
There are other sources for timestamps such as:
Meta-data embedded within files (e.g. last printed), server log files,
Windows Event Logs, LastWrite timestamps of MS Windows Registry
keys, meta-data from the file system itself, web-browsing and e-mail
artefacts, database timestamps, network captures, etc.

11
 Timeline Analysis (Cntd)

Trusted Timestamping: Adding extra guarantees that
specific info existed or was created at a specific given time
This can involve placing trust in a Time Stamping Authority (TSA)
Some network appliances allow enabling Trusted Timestamping
(TTS) on log file entries
Paradigm of looking at single or few timestamps during an
investigation has shifted towards building comprehensive
timelines (involving millions of timestamps from many
sources)
Freely available open source tools exist that help the
analyst in creating and investigating these timelines
For example, Plaso is an open-source tool designed to extract
timestamps from various files (e.g., host images, firewall logs, proxy
logs, web server logs, mail server logs, packet captures, etc.)
12
 Timeline Analysis (Cntd)

A comprehensive, but not complete, list of time-related
activities that have a major role in forensic investigations:
Correlate different traces from multiple sources to one another, e.g.,
user receives an e-mail
user's host connects to URL
a file is being downloaded
an office file is being created in the local file system
an office application is being started
a temporary file is being created in the local file system
another URL is being accessed by the host
another file is being downloaded
an executable file is being created in the local file system
an executable file is being started
a Windows Registry key is being created
“suspicious” network traffic shows up in logs
internal systems start behaving “weird” (lateral movement)

13
 Timeline Analysis (Cntd)

A comprehensive, but not complete... (Cntd):
Develop context around events or alerts
Add additional data sources to the investigation
See events that occurred “near” other events
Detect times of high system activity
Detect events at “unusual” times (outliers)
Concentrate on few important events (don’t need the “full picture”)
May detect system clock manipulation
May detect log tampering (e.g., through correlating timestamps)
Differentiate between automated/sys. activities & human activities
Differentiate between regular sys. tasks and least frequent activities
Create human-readable histograms
Normalize timestamps from different sources/formats/time zones
Provide info about deleted data even if the data is not recoverable
14
 Aggregation & Correlation of Different Sources

Analysis of logs and other incident data in digital forensics
means that events will be aggregated to reduce the total
number of events, and group “similar” events together
before examination
Need to make sure that the records are comparable and
can be correlated to the information items they contain
For example, timestamps, IP addresses, process identifiers, user
identifiers, vulnerability identifiers (CVE), etc.
In log normalization, each log data field is converted to a
particular data representation and categorized consistently
One of the most common uses of normalization is storing
dates and times in a single format
Normalizing the data makes analysis and reporting much
15 easier when multiple log formats are in use
 Aggregation & Correlation of... (Cntd)

There are tools for log normalization and aggregation
Examples: Kibana and Squert (both can be used from a web
browser to view and analyze data, with the data coming from
Elasticsearch databases for Kibana, and Squil databases for Squert)
Both tools allow viewing event-data in different forms of display as
curves, charts, graphs, etc. with individual displays combined into
dashboards

Kibana GUI Squert GUI

16
 Data Normalization

IP Addresses Normalization
Due to DHCP and NAT, the IP addresses are generally not static
information, and are not globally unique
Events correlation by IP addresses would be impossible in such case
To overcome this problem, investigators must be aware of this fact
and get the logs from DHCP servers and NAT gateways so that
events can later be correlated
Time Normalization faces two major problems:
1. Timestamp may be incorrect, because time was not synchronized
to a central time source (e.g., NTP), has fallen out of synch,
botched the switch to/from daylight savings time, etc.
2. Timestamps may be in a format that cannot be correctly parsed by
the analyzing software

17
 Data Normalization (Cntd)

Time Normalization (Cntd)
Best practice recommendations include:
Use clock synchronization (NTP) on all systems for high accuracy
Monitor correct operation, especially when switching to/from daylight saving time
Log time zone info in the form of an offset, not the name of the time zone
Include full four-digit year in all timestamps
Standardize time formats as much as possible
Normalize timestamps to UTC as early as possible in the log chain

18
 Forensics Verification

Validation vs. Verification?
Validation: confirm that a process/product is functioning as intended
Needed for validating forensics tools and processes/methods
Not our focus though it is important!
Verification: prove that two sets of data are identical by calculating
hash values or using another similar method

Purpose of forensic verification?
Demonstrate that the image created have an exact one-for-one
correspondence with the original suspect data
Proves that any analysis the investigator performs does not modify
the image in any way (i.e., integrity protection)

19
 Forensics Verification (Cntd)

Digital forensics tools generate hash values (e.g., MD5 and
SHA-1) when they acquire a data image file
When the data image file is loaded in a forensics tool,
another hash is run and then compared with the original
hash value to verify whether the image file is correct
If the hashes don’t match, the tool identifies that the digital
evidence is corrupted, and the investigator must create a
new forensic image of the original data
If the original data is no longer available, the investigator
must list the mismatched hash values in a report, which
should state that, as a result, the findings might not be
accurate

20
 Forensics Verification (Cntd)

Many of todays forensics tools directly support forensics
verification
For example, in AccessData FTK Imager, when you select the Expert
Witness (.E01) or SMART (.S01) format, additional options are
available for hashing all the data
FTK Imager then inserts a report into the.E01 or.S01 file that lists
MD5 and SHA-1 hash values
Autopsy has a similar feature called E01 Verifier for verifying an
Expert Witness image file
If a forensic tool doesn’t support it, then a Hex editor (e.g.,
WinHex) should be able to assist in this matter

21