Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011
1. Cybercrime and Computer Forensics Seminar
Chicago Bar Association
Mar 25th, 2011
John C. A. Bambenek
Chief Forensic Examiner, Bambenek Consulting
jcb@bambenekconsulting.com
http://www.bambenekconsulting.com
312-725-HACK (4225)
2. Agenda
Types of Actionable Computer Crime
Incident Response versus Forensics
Laws Related to Computer Forensics
Chain of Custody and Data Acquisition
Hard drive Forensics
Registry Examination
Memory Forensics
Network Forensics
Log / Server Forensics
File Metadata
3. Types of Actionable Computer Crime
Identity Theft
Electronic Fraud (ACH or Credit Card)
Spamming
Website Defacement / Denial of Service
Unauthorized Access / Misuse of Access
Cyberbullying
Trade Secret Theft
National Security Issues
4. Obstacles to Cybercrime Prosecution
Relatively new area of law / law has not caught up with technology
International in scope / non-extradition treaty countries
Limited resources & skillsets within law enforcement
Near constant level of criminal activity
Organized crime involvement and sophisticated business models
Security tool development lags criminal tool development
5. Incident Response vs. Forensics
Incident response = “Something bad happened, fix it”
Forensics = Acquisition of evidence for potential litigation
Can include e-Discovery
Organizations should have prepared in advance for this decision
Some incidents are not worth pursuing in criminal or civil court
Forensics is much more time-consuming and expensive
In both cases, determine how someone “got in” and what they did once there
May not be concerned with attribution
7. Legal Issues Relating to Forensics
Ownership of Hardware
Big issue with Cloud Computing
Ownership of Data
Expectation of Privacy
Not supposed to monitor users if they reasonably believe their actions are private
Chain of Custody / Evidence Preservation
Hard to have a case if chain of custody is broken or evidence has been corrupted
8. What kinds of evidence can be collected?
Physical drives
System memory
Network transmissions
System/Server Logs
Other sources?
9. Chain of Custody
Physical possession of data is standard chain of custody
How do you prove chain of custody on electronic information?
Cryptographic hashing
Prevention of evidence contamination
Analyze only digital copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keeping notes for all tasks performed on “live system”
10. Hashing
Hashing uses a cryptographic hash algorithm to generate a fixed-length, pseudo-random-looking string of text that uniquely represents a file (or an entire hard drive)
Small changes cause large changes in the hash
Example: “Chicago Bar Association.” vs “Chicago Bar Association!”
MD5:
03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38
SHA1:
7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
11. Hard drive data acquisition
Can be done on a “live system” or a system that is off
On a “live system” data is constantly changing, which can be problematic
Involves a bit-copy of a drive into a “virtual drive” file for examination
Hashes taken before and after to ensure no data is contaminated
Original drive left in a safe; all analysis done on the “virtual drive” copies
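As an added example (not from the slides), hashing evidence the way the chain-of-custody and acquisition slides describe: record digests at acquisition, repeat them after analysis, and compare. The sample bytes are the slide's two strings; the function names are mine, and SHA-256 is included alongside the slide's MD5 and SHA1.

```python
import hashlib

# Constructed sample standing in for the acquired evidence; a real drive image is
# hashed from disk in blocks by fingerprint_file() below.
ORIGINAL = b"Chicago Bar Association."
ALTERED = b"Chicago Bar Association!"  # a one-character (few-bit) change
ALGORITHMS = ("md5", "sha1", "sha256")  # the slide's two plus today's stronger choice

def fingerprint(data, algorithms=ALGORITHMS):
    """Digest in-memory evidence with every listed algorithm; recording several
    guards the record against a weakness later found in any one of them."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def fingerprint_file(path, algorithms=ALGORITHMS, block_size=1 << 20):
    """Same record for an image file too large to read into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(acquired, current):
    """Compare the hashes recorded at acquisition with hashes taken after analysis.
    Returns the algorithms that disagree; an empty list means the copy is intact."""
    return [name for name in acquired if acquired[name] != current.get(name)]

def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two digests differ; with a sound hash roughly
    half the bits change even for a one-character change in the input (avalanche)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")
```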
12. Hard drive basics
Hard drives are collections of ones and zeroes, even when mostly empty
File tables map each file to the actual “addresses” on the drive where the data that comprises that file is stored, and record the file's attributes (like MAC times).
When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files.
Government standards require multiple “wipes” of a drive to confirm deletion
Data may also hide in “slack space”
13. Hard drive basics
So you have a drive image, now what?
Search for all deleted files
Search for all files added, deleted or modified at a certain time
Search files for specific strings
Search for files of a specific type
Examine key system files (configuration files, startup scripts, system registry)
Depends heavily on the nature of the incident
Iterative process that is more art than science
14. MAC times
MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.
All files have MAC times associated with them (even deleted ones).
These times can help provide a search pattern for “important” files to an incident (i.e. if something happened at 3pm Jan 11th, you’d look for any file with a MAC time near that same time).
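An added example (not from the slides) of the time-window search slides 13 and 14 describe: it builds a timeline of every file whose modified, accessed or changed time falls near the incident. The sample tree and the incident time are constructed; in a real examination root would point at the read-only mounted image.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed incident time (the slide's "3pm Jan 11th" example) and search window.
INCIDENT = datetime(2011, 1, 11, 15, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=30)

def files_near(root, incident=INCIDENT, window=WINDOW):
    """Walk an image mounted read-only at root and return (time, kind, path) for every
    file whose Modified, Accessed or Changed time lies within +/- window of the incident."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            for kind, ts in (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime)):
                when = datetime.fromtimestamp(ts, timezone.utc)
                if abs(when - incident) <= window:
                    hits.append((when, kind, os.path.relpath(path, root).replace(os.sep, "/")))
    return sorted(hits)  # chronological timeline

def build_sample_tree(incident=INCIDENT):
    """Constructed stand-in for a mounted image: two files touched minutes from the
    incident and one a week earlier. Only atime/mtime can be set; ctime stays 'now'."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for name, offset in (("etc/rc.local", timedelta(minutes=2)),
                         ("tmp/.hidden", timedelta(minutes=-5)),
                         ("home/notes.txt", timedelta(days=-7))):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        stamp = (incident + offset).timestamp()
        os.utime(path, (stamp, stamp))
    return root
```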
15. Windows Registry
Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command).
Most recently used programs
Most recently entered commands
Most recently viewed documents
Typed URLs in IE
Unique hardware addresses for USB keys accessed on system
This can be used to create a “timeline” of activity on the machine
16. Memory Forensics
Must be done on a “live” machine, memory disappears without power*
Contains:
All running programs (even those deleted from the disk)
Any encryption keys in use (makes for easy decrypting)
In some cases, passwords
Memory is constantly changing
Evidence “changes” over time, may have to work with multiple memory files
17. Network forensics
In essence, the same as wiretapping a phone call except with data
Most network switches allow for capturing live traffic from a machine
What are you looking for:
Who is talking to this machine
Who is this machine talking to
When is it happening
What is being communicated
Encryption?
18. Log forensics
Servers associated with a subject computer may have valuable information
E-mail logs can show all mail sent from a target computer
DHCP / DNS logs may show when the machine was on and who it was communicating with
If configured, can show who accessed a machine even if the machine has had its own logs wiped
Web server logs can show attacks in progress and how servers were exploited
19. E-mail Forensics
E-mails all come with headers that give a wealth of information to identify the sender.
Can show:
IP Address of sender
Can show all mailservers used
Potentially can show true username of sender
Shows when message really sent
Gives unique message ID which can be used to track messages in mail server logs
20. E-mail headers
Return-path: <kthompson@davismcgrath.com>
Envelope-to: jcb@bambenekconsulting.com
Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500
Received: from mailhost.davismcgrath.com ([12.233.219.123])
by thebox.pentex-net.com with esmtp (Exim 4.69)
(envelope-from <kthompson@davismcgrath.com>)
id 1PzXoi-0000mf-Fw
for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500
Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com
(Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com> for <jcb@bambenekconsulting.com>;
Tue, 15 Mar 2011 12:16:42 -0500
From: "Kevin A. Thompson" <kthompson@davismcgrath.com>
To: <jcb@bambenekconsulting.com>
References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com>
<e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com>
In-Reply-To: <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com>
Subject: RE: CBA - CLE/Seminar?
Date: Tue, 15 Mar 2011 12:16:39 -0500
Message-ID: <020b01cbe334$bf146320$3d3d2960$@com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA
Content-Language: en-us
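As an added example (not from the slides), the Received chain from the headers above, parsed the way an examiner walks it: bottom header first, the IP the receiving server actually saw rather than the name the sender announced, and each relay's own timestamp. The headers are abridged from the slide; the helper names are mine.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Received chain and Date header abridged from the slide's sample message.
RAW_HEADERS = """\
Received: from mailhost.davismcgrath.com ([12.233.219.123])
 by thebox.pentex-net.com with esmtp (Exim 4.69) id 1PzXoi-0000mf-Fw
 for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500
Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com
 (Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com>
 for <jcb@bambenekconsulting.com>; Tue, 15 Mar 2011 12:16:42 -0500
Date: Tue, 15 Mar 2011 12:16:39 -0500
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                              # name the connecting host announced
    r"(?:\s+\((?:unverified\s+)?\[(?P<ip>[\d.]+)\]\))?"  # address the receiver actually saw
    r".*?\bby\s+(?P<by>\S+)"                             # server that wrote this header
)

def parse_hops(raw):
    """Received chain oldest-first: announced name, observed IP, receiving server, its clock."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if m is None:
            continue
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"], "time": stamp})
    hops.reverse()  # each relay prepends its header, so the bottom one is the first hop
    return hops

def first_public_ip(hops):
    """First routable address in the chain; a LAN address like 192.168.3.69 only
    identifies the sender inside the originating network."""
    for hop in hops:
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop["ip"]
    return None

def hop_deltas(hops):
    """Seconds between consecutive hops by each receiver's own clock; a negative value
    means two relays' clocks disagree, so no single stamp is 'when it was really sent'."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]
```

Here the first hop's address is a private LAN address, so the first public IP is the davismcgrath mail host, and the two relays' clocks disagree by nearly three minutes, which is why a timestamp should always be recorded together with whose clock it came from.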
21. File Metadata
Many file types include metadata in them to indicate the creating user, when modified, etc.
Metadata can be examined even on machines you don’t control
Cell phones can be notorious about including metadata with image files.
This may even include GPS coordinates of where a picture was taken.
Office documents (especially with track changes) can show every person who touched a file
In some cases, can include content that has been “redacted” when viewed normally.
22. Other data sources
Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files
Tablets and iPads
Online social network content (in particular, media)
Blog comments, forum posts
Webmail accounts
Google