
CNS 320: COMPUTER FORENSICS & INCIDENT RESPONSE

Week 1

Copyright 2013, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Your Fearless Leader (I am Geek. See my alphabet soup!)


John McCash
CompTIA Sec+, GCIH, GAWN (expired), GCFA, GCFE, EnCE, GREM, SANS Lethal Forensicator
23 years in IT
Specialized in Security for the last 15 years, and Forensics & Incident Response for the last 4
Extensive experience in digital forensics, incident response, and security/system/network administration on diverse platforms in very heterogeneous environments
BS and MS in CS from Bradley University (1988)
Currently works for a major telecommunications equipment provider (Technical Lead of APT Response Team), and is a contributor to the SANS forensic blog.

Course Description

Introduction to the topics of Computer Forensics and Incident Response on Windows Systems

PREREQUISITES:
Familiarity with Windows and Linux computer usage
Familiarity with Windows and Linux Administration & Internals helpful

Content in Flux

Course originally developed with an eye toward process and legal issues (I've stripped out almost all of that old content, but a few elements remain)
Materials are still under revision
I'm trying to provide a significant amount of technical and practical content which you may be able to actually apply
I will work with you as a class to make this course as interesting as possible without (I hope) leaving many of you in the dust
Be aware that the most interesting & useful of the content will require its underpinnings to be force-fed at a rather rapid rate, which will increase the difficulty
Students at the SANS Institute refer to this process as "drinking from the fire hose"

Apologies in Advance

Course Design Challenges

Selecting digestible information subsets
Organizing the material
In many disciplines, specifics follow logically from generalities based on consistent rules
IMHO Forensics is much more empirical, more like an infinite progression of narrowly defined specialties, with lots of case-by-case variation
I've attempted to select material for the class which is both representative and useful

Why all the deep background? (assuming you don't expect to be designing your own forensic tools)

Forensic tools frequently do squirrely things
You will need to recognize when this happens, and possibly figure out what the results should have been by hand
You will likely need to explain to a nontechnical person (or a jury) exactly how/why a tool produced a given result
You will want to know that certain information is available (and where) even when a tool you've had to use did not provide it

Push-Button Forensic Tools

Good: In that they can free up time for a Forensic Analyst and enable him to spend that effort on more problematic areas
Bad: In that they can be error-prone, and a lazy or clueless analyst relying on their output can make improperly-based assertions which can be refuted, or at the least cast doubt on other findings
Always cross-check & verify results on which important assertions are based using different tools, and properly explain any significant anomalies
You should always know, at least in a general way, from what artifact a result was obtained, and be able, with reasonable effort, to backtrack & manually step through the methodology used to create it
Note that these statements represent my moderate viewpoint on a somewhat controversial topic

Syllabus

As you can see, we've got a lab as a classroom
We'll be making use of that each week
I hope to cover practical application of each element immediately after introducing it in lecture
30-50% of each class period will be devoted to lab

Syllabus

DIGITAL EVIDENCE DEFINITION & USAGE (Briefly)
Authentication and Chain of Custody
Courtroom Usage

FORENSIC PROCESSES
Collection
Examination
Analysis
Reporting

Syllabus

WINDOWS FORENSIC TOOLS & ARTIFACTS
Windows Disk Partitioning
NTFS
Registry Fundamentals
Malware Detection & Analysis in Memory
Link Files & Win7 Jumplists
Application Metadata
Log Analysis
Timelines

Incident Response Lifecycle
Preparation
Identification
Containment
Eradication
Recovery
Follow-Up & Lessons Learned

Syllabus

Additional material, if there's time

Browser & Web Forensics
Internet Explorer
Firefox
Google Chrome

CNS-320 Week-By-Week

Week 1: Lab: Physical & Logical Imaging
Week 2: Lab: NTFS Examination & Analysis
Week 3: Lab: Registry Examination & Analysis
Week 4: Quiz over week 1-3 content
Week 6: Labs
Week 7: Quiz #2
Week 9: Labs
Week 10: Quiz #3, Review

D2L

We will be using D2L, one of CDM's Course Management Systems. The system can be found at https://d2l.depaul.edu.

Lectures (Powerpoint)
Assignments
Grades
Documents
Syllabus
Etc.

Class Participation

Please feel free to interrupt. There are no stupid questions, only stupid instructors. Be a loudmouth! You'll get more out of the class that way. So will everyone else. The only reason you have an instructor instead of just reading out of a book and taking tests is so you can ask about things that aren't in the materials. The more questions you ask, the more you'll learn, as will the rest of the class. If I say something that makes no sense, for god's sake stop me! I probably just confused at least half of you!

Labs

Familiarize you with tools hands-on
Ensure everyone can perform demonstrated tasks
Let you ask questions when tools don't perform as expected
Despite not being graded, this is the most important portion of the class

Communications with Instructor

Email is preferred.
Please include CNS 320 in the subject line of all email communications
You may request a scheduled telephone/web conference.
My email address is jmccash@cdm.depaul.edu
Cell phone 847-660-3373 (Please call only between 5:00 PM and 9:00 PM)
Office hours: Thursdays, 9:00-10:30 pm

Grading

Three Quizzes (20% each) Final Exam (40%)


Final Exam

Final: 11/15/2012
Exam Format: Short Answer
Content will be drawn from lecture slides & notes

Primary Textbook

Windows Forensic Analysis Toolkit 3rd Edition
By: Harlan Carvey
Publisher: Syngress
Pub. Date: January 15, 2012
Print ISBN-13: 978-1-59749-727-5
Web ISBN-13: 978-1-59749-728-2

Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book//9781597497275

Optional Reference

File System Forensic Analysis
By: Brian Carrier
Publisher: Addison-Wesley Professional
Pub. Date: March 17, 2005
Print ISBN-10: 0-321-26817-2
Print ISBN-13: 978-0-321-26817-4

Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensicanalysis/0321268172

Other Course Materials

Other course materials will be available on the web, including the DePaul University Libraries' website at http://www.lib.depaul.edu/
Lecture slides & reading assignments will be posted on D2L each week the night before class

Partial list of Forensic Blogs (for future reference or research)

Didier Stevens - http://blog.didierstevens.com/
ForensicIT.EU - http://forensicit.eu/
SANS Computer Forensics, Investigation, and Response - http://computerforensics.sans.org/blog
Matthieu Suiche - http://www.msuiche.net/
Volatility - http://volatility.tumblr.com/
Computer Forensics/E-Discovery Tips/Tricks and Information (Mark McKinnon) - http://cfed-ttf.blogspot.com/
int for(ensic){blog;} (Andreas Schuster) - http://computer.forensikblog.de/en/
A Geek Raised by Wolves (Jesse Kornblum) - http://jessekornblum.livejournal.com/
Computer Forensics, Malware Analysis & Digital Investigations (Lance Mueller) - http://www.forensickb.com/
Windows Incident Response (Harlan Carvey) - http://windowsir.blogspot.com/
forensic . seccure . net (Mariusz Burdach) - http://seccure.blogspot.com/
Forensic Computing (Mike Murr) - http://www.forensicblog.org/
Forensic Focus Blog (Jaimie Morris) - http://forensicfocus.blogspot.com/
Forensic Incident Response (Hogfly) - http://forensicir.blogspot.com/
Hacking Exposed Computer Forensics Blog - http://hackingexposedcomputerforensicsblog.blogspot.com/
digfor (Andre Ross) - http://digfor.blogspot.com/
Computer Forensics and Incident Response - http://breach-inv.blogspot.com/
ForensicZone - http://forensiczone.blogspot.com/
The Digital Standard - http://thedigitalstandard.blogspot.com/

Computer Forensics Podcasts

Forensic 4cast - http://www.forensic4cast.com/
Cyberspeak - http://cyberspeak.libsyn.com/
Inside the Core (Mac) - http://insidethecore.com/

Academic Integrity

Student Resources at DePaul.

Plagiarism is a major form of academic dishonesty involving the presentation of the work of another as one's own. Plagiarism includes but is not limited to the following:
The direct copying of any source, such as written and verbal material, computer files, audio disks, video programs or musical scores, whether published or unpublished, in whole or part, without proper acknowledgement that it is someone else's.
Copying of any source in whole or part with only minor changes in wording or syntax, even with acknowledgement.
Submitting as one's own work a report, examination paper, computer file, lab report or other assignment that has been prepared by someone else. This includes research papers purchased from any other person or agency.
The paraphrasing of another's work or ideas without proper acknowledgement.

Definition of Plagiarism

Plagiarism involves using the work of another person and presenting it as your own.

Outright copying of someone else's writing is the most clear-cut form of plagiarism. But other forms exist:
Mosaic
Paraphrase
Insufficient acknowledgement

Other plagiarism resources

North Carolina State University
Georgetown University
Stanford University
Northwestern University

Terminology

Internet Security Glossary - RFC 4949, by R. W. Shirey
http://www.ietf.org/rfc/rfc4949.txt

Microsoft Solutions for Security Glossary
http://www.microsoft.com/security/glossary.mspx

SANS Glossary of Security Terms
http://www.sans.org/resources/glossary.php

Terminology

Legal Terms

Nolo's Legal Dictionary
Findlaw Legal Dictionary

Outline of Tonight's Material: Digital Evidence & Forensic Processes

Digital Evidence
What is it?
How do we find it?
How do we preserve it?

Memory Imaging using FTK Imager
Physical Disk Imaging
Logical Disk Imaging

Lab: FTK Imager Usage

What/Where is Digital Evidence?

Everybody knows it's on computer hard disks
Where else can digital evidence be found?

Think outside the box for a minute. It's almost everywhere

What/Where is Digital Evidence?

Computer Hard Drives, Memory, BIOS Settings
Printers, Copiers/Multifunction Devices, and other computer peripherals may actually be complete embedded computer systems
Integrated components may also be embedded systems
Flash Drives with significant storage capacity are now very small, and can easily be hidden
Network Hardware: Switches, Routers, Firewalls, WAPs, Web Proxy Gateways
SIEMs & other log aggregation systems
Phones, other portable electronic devices, game consoles & peripherals, even some refrigerators
The Cloud

Data is Easily Hidden


Sometimes even a whole system


Example of Reliability & Completeness Issues

Casey Anthony acquitted in 2011
Discrepancy between results of parsing of a Firefox v2 history.dat file with NetAnalysis and Cacheback used to cast doubt on the forensic analysis
Firefox v2 history.dat file was recovered from unallocated space
NetAnalysis reported 8878 records (there were actually 9075, possibly determined by hand) and one visit to chloroform.html
Cacheback 2.8 RC2 reported 8571 records and 84 visits (incorrect!) to chloroform.html. After subsequent revision, Cacheback matched 9048 records in the file.

Digital Forensic Artifacts

Any change made as a result of an event of interest
Locard's Exchange Principle
Our job is to sift Digital Evidence for Forensic Artifacts

Forensic Processes

Goals

Collect evidence, ensuring its integrity over the entire forensic lifecycle
Analyze & Report on Evidence
Present findings, deriving facts about the issue of concern from the evidence, and ensuring that all such derived facts are properly qualified

Formal Forensic Frameworks and Processes (NIST)

National Institute of Standards and Technology (NIST) Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response

Formal Forensic Frameworks and Processes (DFRWS)

Digital Forensics Specialties

Network Forensics
Log Analysis
OS Forensics
  Windows
  UNIX
    MacOS-X
    Linux
    Solaris, HPUX, IRIX
    Other
Mobile Device Forensics
  Apple iOS
  Android
  Other
Malware Forensics
Application Forensics
  Databases
  Web Apps
Embedded Systems Forensics

Evidence Preservation

Physical evidence items protected using chain of custody process
  Documents every individual with access to item at any time from collection forward
  Minimizing number of entries is key
Digital items protected using redundant copies and cryptographic hashes

Chain of Custody

Chain of custody establishes Authenticity (legal term)
Goal: To ensure no alteration of the original evidence during collection, storage or analysis
Requires documenting procedures used in the collection, storage and analysis of evidence

Chain of Custody

A piece of paper or electronically stored information, without any indication of its creator, source, or custodian may not be authenticated under Federal Rule of Evidence 901.


Real-World Chain of Custody and Evidence Handling Procedures
(One stringent example. Not the only way.)

Physical Elements
Prenumbered evidence tags & tamper-evident bags w/labels for collector, date/time, location, signature.
Specific number ranges provided to designated evidence collectors to provide redundant collector identification
Paper log forms (may be a single form, but if two, no overlap other than reference number)
  Inventory collection
  Chain of custody transfer information
Evidence lockup database

Physical Evidence Collection

Evidence items tagged, bagged, labeled by collector
Bag & tag numbers and in-situ collection information for each item documented on paper inventory collection forms
Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.
Evidence tag # is permanently assigned to evidence item
Evidence bag # & label info provide chain of custody assurance from collection to log-in

On-Site Electronic Evidence Collection

Reasons

Triage (to determine whether an evidence item is to be physically collected or not, or to identify subsets of existing evidence, such as a very large RAID array, that must be collected)
Volatile data which may otherwise not survive transport to evidence lockup (we'll discuss this in more detail next week)

On-Site Electronic Evidence Collection

Digital evidence collected onto pre-wiped virgin media, then tagged, bagged, time/date/location noted, & signed for, just like physical evidence
Documentation
  Written account of actions
  Potentially tool log files, which could be written to the same media as the collected evidence
  Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.

Evidence Log-In

Performed back at evidence lock-up

Data from paper inventory collection forms is transcribed into evidence lockup database
Data from tamper-evident evidence bags is also transcribed into database
If no collector noted on forms, this is inferred from numbers, and that fact noted
Copies of collection recordings may be attached
Chain of custody form initially filled out & entered by receiving lockup representative, including lockup receipt date/time
Items scheduled for examination

Initial Evidence Examination

1. Chain of custody form updated by technician
2. Bag opened by evidence technician and evidence physically examined for descriptive info omitted at time of original collection
3. Additional data documented by technician & recorded into database with notation as to source. Electronic info may also be added.
4. All technician activities documented and possibly audio/video recorded
5. Forensic imaging of original evidence may also be done at this point
6. Original evidence then returned to lockup

Subsequently

Chain of custody form joins evidence item permanently
Each time evidence is returned to lockup, chain of custody data is updated in database
Multiple copies of all forensic data may be made for subsequent direct examination, but chain of custody on these need not be tracked

Chain of Custody at this Point

1. Collector
2. Evidence lockup
3. 1st Examining Evidence Technician
4. Evidence lockup

Minimizing the number of entries is key to good chain of custody procedure

Chain of Custody Paper Form Elements

Evidence tag number
Original collection bag number
Collector name
Date & time collected
Data for each custodian (multiple blanks for subsequent entries):
  Name & Organization
  Date & time received
  Signature
  Notes (to identify bag opening & any irregularities)

Inventory Paper Form Elements

Evidence number of item
Evidence collection bag number
Evidence # of collection recording
Collector name
Collection date/time
Collection location (address, room, etc.)
Unique evidence description (could include explicit fields for color, model, serial#, and possibly a space for attached photo)

Imaging

An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD, etc.)
Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF
Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (MD5, SHA1, SHA256)
On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged
On live systems, it is almost certain that the image hash for a disk in use or system memory will not match, because the source keeps changing while it is being imaged
Exact methodologies will vary from organization to organization

Physical vs. Logical Imaging

Physical Image: Full image of complete physical disk device content
Logical Image: Image of a logical volume mounted on a live system.
  Portion of a physical device
  RAID spread across several different physical devices
  Mounted encrypted volume
  Mounted network volume

Hashing

Cryptographic hashes are algorithms that can be applied to arbitrarily long sequences of data bytes with the aim of producing a much shorter result which is still unique
Mathematically infeasible to reverse
For some such algorithms, there are known collisions & mechanisms for producing them
If this is a risk, the simplest method to avoid it is to use two different hashes (MD5 & SHA1, for example)
Most commonly used: MD5, SHA1, SHA256

Cryptographic Hash Algorithms

MD5: 32 character output
6830723bbaade6e72dbbfb5c91466c9e

SHA1: 40 character output
7d6ae63b1201e68e5e686c10eabbd7eef76cf19e

SHA256: 64 character output
b21f00291949d848e4fe0f94ac76dcc40d68c6ffad873f515a7304f54566ce6e
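The Imaging and Hashing slides above say that an image is validated with one or more cryptographic hashes, that a second algorithm guards against known collisions, and that a live or damaged source will not hash the same as its image. The following is an added example written for these notes (it is not code from the course, from FTK Imager, or from any other tool) that images a constructed in-memory "disk" block by block, computes MD5 and SHA-256 in a single pass over the bytes written, zero-fills an unreadable block the way dd's conv=noerror,sync does, and then re-verifies the image. The function names, the FlakySource stand-in for a device with a bad sector, and the sample data are all assumptions made for the illustration.

```python
# Added example: block-wise imaging with dual-hash validation.
# Not code from the course slides or from FTK Imager; names and sample data are
# assumptions constructed for illustration.
import hashlib
import io

BLOCK_SIZE = 4096  # read/write granularity, like dd's bs=


class FlakySource(io.BytesIO):
    """Constructed stand-in for a device with one unreadable block."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated unreadable sector")
        return super().read(size)


def image_source(src, dst, block_size=BLOCK_SIZE, algorithms=("md5", "sha256")):
    """Copy src to dst block by block and hash the bytes written, in one pass.

    A block that cannot be read is replaced by zeros so that every later byte
    keeps its original offset (what dd's conv=noerror,sync does); the offsets
    of such blocks are returned so the examiner can document why the image
    hash cannot equal a hash of the original device.
    """
    hashes = {name: hashlib.new(name) for name in algorithms}
    bad_blocks = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size
            bad_blocks.append(offset)
            src.seek(offset + block_size)  # skip the unreadable block
        if not chunk:
            break
        dst.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        offset += len(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}, bad_blocks


def hash_stream(stream, block_size=BLOCK_SIZE, algorithms=("md5", "sha256")):
    """Hash a stream in blocks; used to re-verify an image later."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(block_size), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(image_bytes, recorded):
    """Return, per algorithm, whether the image still matches the recorded hash."""
    actual = hash_stream(io.BytesIO(image_bytes), algorithms=tuple(recorded))
    return {name: actual[name] == recorded[name] for name in recorded}


def demo():
    # Constructed sample "disk": three recognisable blocks.
    source_data = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE
    source_hashes = hash_stream(io.BytesIO(source_data))

    # 1. Clean acquisition: the image verifies and equals the source hashes.
    image = io.BytesIO()
    recorded, _ = image_source(io.BytesIO(source_data), image)
    clean_ok = verify_image(image.getvalue(), recorded)

    # 2. One unreadable block: the image verifies against its own recorded
    #    hashes, but the zero-filled block means it cannot match the source.
    damaged = io.BytesIO()
    recorded_damaged, bad = image_source(FlakySource(source_data, BLOCK_SIZE), damaged)
    damaged_ok = verify_image(damaged.getvalue(), recorded_damaged)

    # 3. Live-system style change: one byte flipped after acquisition.
    tampered = bytearray(image.getvalue())
    tampered[BLOCK_SIZE + 10] ^= 0xFF
    tampered_ok = verify_image(bytes(tampered), recorded)

    return {
        "clean_verifies": all(clean_ok.values()),
        "clean_matches_source": recorded == source_hashes,
        "bad_block_offsets": bad,
        "damaged_verifies": all(damaged_ok.values()),
        "damaged_matches_source": recorded_damaged == source_hashes,
        "tampered_verifies": any(tampered_ok.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details are worth noting when reading the output. The damaged image still verifies against the hashes recorded at acquisition time, which is exactly why the bad-block offsets must be written into the acquisition notes: the hashes prove the image has not changed since it was taken, not that it equals the original device. And a single flipped byte breaks both hashes, which is the property the slides rely on when they say a live disk or memory image will not match.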

More Hashing Algorithms

Sizes are in bits unless stated as words. Best known attacks are given as complexity (and, after a colon, the number of rounds the attack covers where it applies only to a reduced-round version).

Algorithm             Output size                 Internal state  Block size  Collision                     Second preimage  Preimage
GOST                  256                         256             256         Yes (2^105)                   Yes (2^192)      Yes (2^192)
HAVAL                 256/224/192/160/128         256             1,024       Yes                           No               No
MD2                   128                         384             128         Yes (2^63.3)                  No               Yes (2^73)
MD4                   128                         128             512         Yes (2^3)                     Yes (2^64)       Yes (2^78.4)
MD5                   128                         128             512         Yes (2^20.96)                 No               Yes (2^123.4)
PANAMA                256                         8,736           256         Yes                           No               No
RadioGatún            Up to 608/1,216 (19 words)  58 words        3 words     With flaws (2^352 or 2^704)   No               No
RIPEMD                128                         128             512         Yes (2^18)                    No               No
RIPEMD-128/256        128/256                     128/256         512         No                            No               No
RIPEMD-160            160                         160             512         Yes (2^51:48)                 No               No
RIPEMD-320            320                         320             512         No                            No               No
SHA-0                 160                         160             512         Yes (2^33.6)                  No               No
SHA-1                 160                         160             512         Yes (2^51)                    No               No
SHA-256/224           256/224                     256             512         Yes (2^28.5:24)               No               Yes (2^248.4:42)
SHA-512/384           512/384                     512             1,024       Yes (2^32.5:24)               No               Yes (2^494.6:42)
Tiger(2)-192/160/128  192/160/128                 192             512         Yes (2^62:19)                 No               Yes (2^184.3)

Fuzzy Hashing

Method of measuring similarity between different files
Ssdeep is the most commonly used fuzzy hashing utility.
Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.
Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH)
A complete explanation of CTPH can be found at http://dfrws.org/2006/proceedings/12-Kornblum.pdf
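To show what "context triggered piecewise hashing" means in practice, here is an added example written for these notes; it is a deliberately simplified CTPH, not ssdeep's code and not compatible with ssdeep signatures. A rolling hash over the last seven bytes decides where each piece ends, so a boundary depends only on local context; each piece is then hashed on its own and reduced to one base64 character, and two signatures are compared by sequence similarity. The rolling hash, the FNV-1a piece hash, the block size, the similarity measure (difflib) and the sample texts are all assumptions made for the illustration. The sample texts are constructed, not real case data.

```python
# Added example: a simplified context triggered piecewise hash (CTPH).
# Not ssdeep's code and not ssdeep-compatible; the rolling hash, piece hash,
# block size and sample texts are assumptions constructed for illustration.
import difflib

WINDOW = 7             # bytes of context that decide where a piece ends
FNV_INIT = 0x811C9DC5  # FNV-1a 32-bit offset basis
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hashes(data):
    """Yield a hash of the last WINDOW bytes at every position.

    Mirrors the idea of ssdeep's rolling hash: three running values that
    depend only on the current window, so the same context anywhere in a
    file produces the same value regardless of what came before it.
    """
    h1 = h2 = h3 = 0
    window = [0] * WINDOW
    for i, b in enumerate(data):
        old = window[i % WINDOW]
        h2 = (h2 - h1 + WINDOW * b) & MASK32   # weighted sum of the window
        h1 = (h1 + b - old) & MASK32           # plain sum of the window
        h3 = ((h3 << 5) & MASK32) ^ b          # shift/xor, old bytes fall off
        window[i % WINDOW] = b
        yield (h1 + h2 + h3) & MASK32


def ctph(data, block_size=4):
    """Return 'block_size:signature', one base64 character per piece."""
    pieces = []
    piece = FNV_INIT
    for b, roll in zip(data, rolling_hashes(data)):
        piece = ((piece ^ b) * FNV_PRIME) & MASK32  # FNV-1a over the piece
        if roll % block_size == block_size - 1:    # context triggers a boundary
            pieces.append(ALPHABET[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                          # trailing partial piece
        pieces.append(ALPHABET[piece & 63])
    return f"{block_size}:{''.join(pieces)}"


def compare(sig_a, sig_b):
    """Similarity 0-100 of two signatures built with the same block size."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio())


# Constructed sample texts (not real case data).
SAMPLE_A = (
    b"Evidence tag 0042 was collected from the server room at 21:15 and sealed in bag 117. "
    b"The collector photographed the workstation, noted the serial number, and recorded the power state. "
    b"A memory image was acquired before shutdown, then the disk was imaged through a write blocker. "
    b"Both images were hashed with MD5 and SHA-256 and the values were written on the custody form. "
)
# The same text with one sentence inserted in the middle: a cryptographic
# hash changes completely, a CTPH signature changes only around the edit.
SAMPLE_A_EDITED = SAMPLE_A[:190] + b"(A second analyst witnessed this step.) " + SAMPLE_A[190:]
SAMPLE_B = (
    b"The quarterly budget meeting was moved to Thursday because the projector in room 4B failed again. "
    b"Catering has been asked to provide sandwiches and coffee for twenty people. "
    b"Please send agenda items to the office manager by noon tomorrow, and bring printed copies "
    b"of the vendor proposals for review. "
)


def demo():
    a, edited, b = ctph(SAMPLE_A), ctph(SAMPLE_A_EDITED), ctph(SAMPLE_B)
    return {
        "identical": compare(a, a),
        "edited": compare(a, edited),
        "unrelated": compare(a, b),
    }


if __name__ == "__main__":
    print(ctph(SAMPLE_A))
    print(ctph(SAMPLE_A_EDITED))
    print(demo())
```

The point to take from running it is the one the slide makes: because piece boundaries are chosen by local context rather than fixed offsets, an insertion only disturbs the pieces around the edit and the boundaries re-synchronise a few bytes later, so the edited text still scores high against the original while an unrelated text of similar length scores low. The same mechanism explains the slide's caveat about binary data: if the bytes give the rolling hash little variation, boundaries fall irregularly and the signature carries less information.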

Free Imaging & Analysis Tools

Helix3 (not Helix3 Pro or Helix3 Enterprise) - https://www.efense.com/store/index.php?_a=viewProd&productId=11&ccUser=f6e155820240b27967246d7ec8f9fa2d
AccessData FTK Imager - http://accessdata.com/support/adownloads#FTKImager, as well as part of Helix3
SANS SIFT Kit - http://computerforensics.sans.org/community/downloads

Commonly Used General Purpose Forensic Tool Suites

EnCase (Guidance Software)
FTK Forensic Toolkit (AccessData)
SANS Linux SIFT Kit (Free)
Helix (Free, but discontinued)

SIFT Kit Contents

The Sleuth Kit (File system Analysis Tools)
log2timeline (Timeline Generation Tool)
ssdeep & md5deep (Hashing Tools)
Foremost/Scalpel (File Carving)
WireShark (Network Forensics)
Vinetto (thumbs.db examination)
Pasco (IE Web History examination)
Rifiuti (Recycle Bin examination)
Volatility Framework (Memory Analysis)
DFLabs PTK (GUI Front-End for Sleuthkit)
Autopsy (GUI Front-End for Sleuthkit)
PyFLAG (GUI Log/Disk Examination)
Regripper (Registry Analysis)
100s more tools -> See Detailed Tool Listing

Reading for Next Week

1. MFT Section in Chapter 4 of Windows Forensic Analysis Toolkit 3rd Edition
   By: Harlan Carvey. Publisher: Syngress. Pub. Date: January 15, 2012. Print ISBN-13: 978-1-59749-727-5. Web ISBN-13: 978-1-59749-728-2. Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275
2. Digital Forensics: Detecting time stamp manipulation - http://computerforensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/
3. NTFS $I30 Attributes: Evidence of Deleted and Overwritten Files - http://forensicmethods.com/ntfs-index-attribute
4. Skim Chapters 5 (PC-based Partitions), 8 (File System Analysis), 11 (NTFS Concepts), 12 (NTFS Analysis), and 13 (NTFS Data Structures) of File System Forensic Analysis. Try to actually read through the section on Index Attributes and Data Structures. I know it's a little opaque, but it's a really good reference, and I don't know of a more readable summary that goes into any significant detail.
   By: Brian Carrier. Publisher: Addison-Wesley Professional. Pub. Date: March 17, 2005. Print ISBN-10: 0-321-26817-2. Print ISBN-13: 978-0-321-26817-4. Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensicanalysis/0321268172

Questions?

