
Forensics

Lesson 1: Introduction
About the Instructor
Chuck Easttom chuck@chuckeasttom.com www.ChuckEasttom.com
Certifications A+,Network+, iNet+, Server+, Linux+, MCP (Windows 2000 Pro, VB 6 [Desktop
and Distributed]), MCAD, MCSE, MCDBA, MCSA, MCT, MCTS (Windows Server 2008, SQL
Server 2008, Visual Studio 2010, Windows 7), MCITP(Windows 7 and SQL Server 2008)
CIW Security Analyst, CEH, CHFI, ECSA, EC Council Certified Instructor, CISSP, ISSAP,
and others.
Education: B.A. and M.Ed. from Southeastern Oklahoma State University. Ph.D. in progress
from Northcentral University.
Publications: 11 computer science books. Currently working on #12
Worked as a subject matter expert for CompTIA in the creation of the Security+, Server+, and
Linux+ exams as well as revising the CTT+.
7 Computer science related provisional patents
Experience: many years in IT, 10+ years of teaching/training.
Creates study guides for Ucertify.com http://www.ucertify.com/blog/chuck-easttom.html
Frequent expert witness in computer-related cases
About class
Text book Hacking Exposed Computer Forensics,
Second Edition: Computer Forensics Secrets &
Solutions
Publisher: McGraw-Hill Osborne Media; 2 edition
(September 10, 2009)
ISBN-10: 0071626778
ISBN-13: 978-0071626774
It is also available via Kindle
Course is 21 hours
Computer Forensics Certifications
EC Council Certified Hacking Forensic Investigator
http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Certificate Forensic Computer Examiner (IACIS)
http://www.iacis.com/
Certified Computer Examiner http://www.isfce.com/
GIAC certified Forensics Examiner
http://giac.org/certifications/forensics/


What is computer forensics?
Computer forensics is considered to be the use of
analytical and investigative techniques to identify,
collect, examine and preserve evidence/information
which is magnetically stored or encoded.
First Responders play a critical role. If you handle
the situation wrong at the outset, it may be
impossible to prosecute the perpetrators.
What is computer forensics (continued)
If you manage or administer information systems and
networks, you should understand computer forensics.
Forensics is the process of using scientific knowledge
for collecting, analyzing, and presenting evidence to
the courts. (The word forensics means to bring to
the court.) Forensics deals primarily with the recovery
and analysis of latent evidence. Latent evidence can
take many forms, from fingerprints left on a window to
DNA evidence recovered from blood stains to the files
on a hard drive.
Source: http://www.us-cert.gov/reading_room/forensics.pdf
Computer forensics
Science of investigation
Forensics process
Preparation
Collection
Analysis
Reporting
Types of Investigations
(found in chapter 1 of Hacking Exposed Computer
Forensics, Second Edition)
Theft of trade secrets
Corporate malfeasance
External Breach
Civil discovery
Criminal Investigations
Computer crimes
Terrorism
Child Pornography

The investigator
Investigator Bias
Qualifications
Training
Certifications
CHFI, GIAC, Encase, CISSP
Traits
Validation of findings
Proper handling of evidence
Complete investigation
Technically competent
Compliance with laws
The lab
(Chapter 3 of the Hacking Exposed Computer
Forensics book)
Spoliation of evidence from environment
Temperature control
Fire and power protection
Flood protection
Spoliation of evidence via network
isolation
Spoliation of evidence via physical access
Locks
Evidence lockers

Proper Case Management

Follow the law
Follow good practices
Confidentiality
DOCUMENT DOCUMENT DOCUMENT
DOCUMENT
Evidence gathering principles

Touch as little as possible
Establish clear procedures
Document everything
Use tested and accepted techniques and tools

The process is:
Identify
Collect & preserve
Analyze
Present
Forensics Guidelines
1) Make a digital copy of the original evidence.
Investigators make a copy of the evidence and work
with the copy to reduce the possibility of inadvertently
changing the original evidence.
2) Authenticate the copy of the evidence.
Investigators must verify that the copy of the evidence is
exactly the same as the original.
3) Analyze the digital copy. The specific procedures
performed in an investigation are determined by the
specific circumstances under which the investigation is
occurring.
Document Damages
Another important step is to document the specific losses
suffered due to the attack. Losses typically include:
Labor cost spent in response and recovery. (Multiply the
number of participating staff by their hourly rates.)
If equipment was damaged, the cost of that equipment.
If data was lost or stolen, what was the value of that
data? How much did it cost to obtain that data and how
much will it cost to reconstruct it?
Any lost revenue including losses due to down time,
having to give customers credit due to inconvenience, or
any other way in which revenue was lost.
Documenting the exact damages due to the attack is just
as important as documenting the attack itself.

Warrants
According to the Supreme Court, a "'seizure' of property occurs when there
is some meaningful interference with an individual's possessory interests in
that property," United States v. Jacobsen, 466 U.S. 109, 113 (1984), and the
Court has also characterized the interception of intangible communications
as a seizure in the case of Berger v. New York, 388 U.S. 41, 59-60 (1967).
That means law enforcement need not take property for an action
to be considered a seizure. Merely interfering with an individual's access to his
or her own property constitutes seizure, and Berger v. New York extends that
to communications. If law enforcement's conduct does not violate a
person's "reasonable expectation of privacy," then formally it does not
constitute a Fourth Amendment "search" and no warrant is required.
There have been many cases in which the issue of reasonable expectation of
privacy has been argued. To use an example that is quite clear, if I save
a message in an electronic diary I clearly have a reasonable expectation of
privacy, but if I post such a message on a public bulletin board, I can have
no expectation of privacy. In less clear cases the general rule is that courts
have held that law enforcement officers are prohibited from accessing and
viewing information stored in a computer if they would be prohibited from
opening a closed container and examining its contents in the same situation.

Warrants Continued
In computer crime cases, two consent issues arise particularly often.
First, when does a search exceed the scope of consent? For
example, when a person agrees to the search of a location, for
example their apartment, does that consent authorize the retrieval of
information stored in computers at the location? Second, who is the
proper party to consent to a search? Can roommates, friends, and
parents legally grant consent to a search of another person's
computer files? These are all very critical questions that must be
considered when searching a computer. In general, courts have held
that the actual owner of a property can grant consent. For example, a
parent of a minor child can grant consent to search the living
quarters and computers. However, a roommate who shares rent can
only grant consent to search living quarters and computers that are
co-owned by both parties. A roommate cannot grant consent to
search the private property of the other person.

Chain of custody
Keep a record of
Discoverer of the evidence
Collection location
Date and time of collection
Names of everyone who had access
Names of everyone who owned the evidence
US Laws
TITLE 18 > PART I > CHAPTER 121
2703. Required disclosure of customer communications or records
http://www.law.cornell.edu/uscode/18/usc_sec_18_00002703----000-.html
TITLE 18 > PART I > CHAPTER 47
1029. Fraud and related activity in connection with access devices
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001029----000-.html
TITLE 18 > PART I > CHAPTER 47
1030. Fraud and related activity in connection with computers
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html



Other Federal Laws to know
The Electronic Communications Privacy Act of
1986
The Communications Decency Act of 1996
No Electronic Theft Act of 1997
Digital Millennium Copyright Act
Children's Internet Protection Act
CAN-SPAM Act of 2003
Identity theft Enforcement and Restitution Act of
2008


File Systems
The general purpose of a file system is to handle
files. This includes:
Managing access to files.
Establishing who has access rights to a given file, which must be
managed in some systematic manner. This includes
permissions for reading, writing, and executing the file.
File system recovery (with journaling file systems).

File Systems - Journaling
Journaling is basically the process whereby the file system keeps a
record of what file transactions take place so that in the event of a
hard drive crash the files can be recovered. Journaling file systems
are fault tolerant because the file system logs all changes to files,
directories, or file structures. The log in which changes are recorded
is referred to as the file system's journal, hence the term journaling file
system.
There are actually two types of journaling: physical and logical. With
physical journaling, the system logs a copy of every block that is
about to be written to the storage device, before it is written. The log
also includes a checksum of those blocks, to make sure there is no
error in writing the block. With logical journaling only changes to file
metadata are stored in the journal.
File Systems FAT
FAT (File Allocation Table) is an older system that was popular with
Microsoft operating systems for many years. FAT was first implemented in Microsoft
standalone Disk BASIC. FAT stores file locations by sector in a table called,
eponymously, the File Allocation Table. This table contains information about which
clusters are being used by which files, and which clusters are free to be
used. The various extensions of FAT (FAT16, FAT32) differ in the number of bits
available for file names. For example, FAT16 only supports 16 bit file names, whereas
FAT32 supports 32 bit file names.
The hard drive is divided into one or more partitions. Each partition is then divided up
into identically sized clusters. Cluster sizes vary depending on the type of FAT file
system being used and the size of the partition, but are usually between 2 KB and 32
KB.
The File Allocation Table (FAT) is really a list of entries that map to each cluster on the
partition. Each entry records one of five things:
The cluster number of the next cluster for this file.
If this cluster is the end of a chain, a special end of cluster chain (EOC) entry.
Bad clusters have a special entry in the File Allocation Table.
Reserved clusters have a special entry in the File Allocation Table.
Open, or available, clusters are also marked in the File Allocation Table.
NOTE: Floppy disks use FAT12.
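As an added example (not code from the course or the book), the script below builds a small, constructed FAT16 table in a temporary file, reads its 16-bit little-endian entries with od, classifies each entry as one of the five kinds the slide lists, and follows a file's cluster chain until it reaches the end-of-chain marker. The table layout and the cluster numbers are invented for the demonstration; the threshold values (0xFFF7 bad, 0xFFF8 to 0xFFFF end of chain, 0 free) are the standard FAT16 ones.

```shell
#!/bin/sh
# Added example: walk a cluster chain in a constructed FAT16 table.

FAT_IMG=$(mktemp)
# Constructed 9-entry FAT16 (16-bit little-endian entries), written as octal escapes:
#  0: FFF8 media descriptor   1: FFFF reserved       2: FFF7 bad cluster
#  3: 0004 -> next is 4       4: 0007 -> next is 7   5: 0000 free
#  6: 0000 free               7: FFFF end of chain   8: 0000 free
printf '\370\377\377\377\367\377\004\000\007\000\000\000\000\000\377\377\000\000' > "$FAT_IMG"

fat_entry() {  # $1 = FAT file, $2 = cluster number -> prints the 16-bit entry as a decimal
  set -- "$1" "$2" $(od -An -tu1 -j $(( $2 * 2 )) -N 2 "$1")
  echo $(( $3 + $4 * 256 ))
}

fat_classify() {  # $1 = entry value -> free | reserved | bad | eoc | next:<cluster>
  if [ "$1" -eq 0 ]; then echo free
  elif [ "$1" -ge 65528 ]; then echo eoc       # 0xFFF8..0xFFFF: end of cluster chain
  elif [ "$1" -eq 65527 ]; then echo bad       # 0xFFF7: bad cluster
  elif [ "$1" -ge 65520 ]; then echo reserved  # 0xFFF0..0xFFF6: reserved
  else echo "next:$1"                          # anything else: number of the next cluster
  fi
}

fat_chain() {  # $1 = FAT file, $2 = first cluster -> prints the chain "c1 c2 ..." up to EOC
  entries=$(( $(wc -c < "$1") / 2 ))
  cluster=$2; chain=""; hops=0
  while :; do
    chain="${chain:+$chain }$cluster"
    kind=$(fat_classify "$(fat_entry "$1" "$cluster")")
    case $kind in
      next:*)
        cluster=${kind#next:}
        hops=$(( hops + 1 ))
        # more hops than the table has entries means a cross-linked/looping chain
        if [ "$hops" -ge "$entries" ]; then echo "$chain (loop detected)"; return 1; fi ;;
      eoc) echo "$chain"; return 0 ;;
      # a free, bad or reserved entry in the middle of a chain indicates corruption
      *) echo "$chain (chain ends in $kind entry)"; return 1 ;;
    esac
  done
}

fat_chain "$FAT_IMG" 3   # prints: 3 4 7
```

Starting at cluster 3 the walk visits 3, 4 and 7 and stops at the EOC entry; starting at a free or bad cluster the function reports the broken chain instead, which is the situation an examiner meets when recovering a deleted file whose directory entry still points at clusters that have since been released.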
File Systems NTFS
Microsoft eventually introduced a new file system to replace FAT. This file system is
called New Technology File System (NTFS). This is the file system used by Windows
NT 4, 2000, XP, Vista, 7, Server 2003 and Server 2008. One major improvement of
NTFS over FAT was the increased volume sizes NTFS could support. The maximum
NTFS volume size is 2^64 - 1 clusters. As of this writing, no version of Windows currently
supports volumes that large.
NTFS also introduced a number of other interesting features. Perhaps the most
notable is its support of the Encrypted File System (EFS). This allows the end user to
easily encrypt and decrypt individual files and folders.
There are several individual files that are key to this file system. Two of the most
fundamental are the MFT (Master File Table some sources call it the Meta File Table)
file and the cluster bitmap. The MFT describes all files on the volume, including file
names, timestamps, security identifiers, and file attributes such as "read only",
"compressed", "encrypted", etc. This file contains one base file record for each file and
directory on an NTFS volume. It serves the same purpose as the file allocation table
does in FAT and FAT32. The cluster bitmap file is a map of all the clusters on the hard
drive. This is an array of bit entries where each bit indicates whether its corresponding
cluster is allocated/used or free/unused.
Unlike FAT/FAT32, NTFS is a journaling file system, as we previously described.
NTFS uses the NTFS Log ($Logfile) to record information about changes to the
volume.

NTFS Continued
v1.0 with NT 3.1
v1.1 with NT 3.5
v1.2 with NT 3.51 and NT 4
v3.0 from Windows 2000 ("NTFS V5.0" or "NTFS5")
v3.1 from Windows XP ("NTFS V5.1")
Windows Server 2003 ("NTFS V5.2")
Windows Server 2008 and Windows Vista (mid-2005) ("NTFS V6.0")
Windows Server 2008 R2 and Windows 7 (occasionally "NTFS V6.1")
NTFS Files
File Systems EXT
Extended File System was the first file system created specifically for Linux. There
have been many versions of EXT; the current version is 4. The EXT 4 file system can
support volumes with sizes up to 1 exabyte (10^18 bytes or 1 billion gigabytes) and files
with sizes up to 16 terabytes. This is frankly a huge file and volume size, and no
current hard drives come even close to that volume size. For an administrator, one of
the most exciting features of EXT 4 is that it is backward compatible with EXT 2 and
EXT 3, making it possible to mount drives that use those earlier versions of EXT.
EXT was not originally a journaling file system, but journaling was added in later
versions. Journaling was first introduced in EXT3. EXT 3 and 4 support three specific
types of journaling. The most secure and safe level is called journal. With the journal
level, metadata and file contents are written to the journal before being written to the
main file system. The next level, slightly less secure than journal is called ordered.
With this level only metadata is written to the journal. However, changes to files are
not journaled until they have been committed to the disk. Finally, the least secure level
is writeback. Only metadata is written to the journal, and it might be written to the
journal before or after it is actually committed. EXT4 introduced checksums in the
journal to prevent errors. EXT3 did not have check summing for the journal.


File Systems Reiser
The Reiser File System is a popular journaling file system, used primarily with Linux.
Reiser was the first journaling file system to be included with the standard Linux kernel, and first
appeared in kernel version 2.4.1. Unlike some file systems, Reiser supported
journaling from its inception, whereas EXT did not support journaling until version 3.
Reiser File System is open source and was invented by Hans Reiser.
Several Linux distributions have used Reiser as their file system, including SuSE and
Debian. However, many of those distributions are moving away from Reiser because
its future development may be hampered. The problem is not with the file system
itself, but rather that the inventor, who was also responsible for supporting and
updating the file system, has been convicted of murdering his wife.
File Systems Berkeley Fast File System
The Berkeley Fast File System is also known as the
Unix File System. As its name(s) suggest, it was
developed at Berkeley specifically for Unix. Like many
file systems, Berkeley uses a bitmap to track free
clusters, indicating which clusters are available and
which are not. Like EXT, Berkeley also includes the
FSCK utility. This is only one of many similarities
between Berkeley and EXT. In fact, some sources
consider EXT to just be a variant of the Berkeley Fast
File System.
Types of Data
Active Data is the information that you and I can
see: data files, programs, and files used by the
operating system. This is the easiest type of data to
obtain.
Archival Data is data that has been backed up and
stored. This could consist of backup tapes, CDs,
floppies, or entire hard drives, to cite a few examples.
Latent Data is the information that one typically
needs specialized tools to get at. An example would
be information that has been deleted or partially
overwritten.

Basics
Secure
Scene
Personnel
Preserve
Document
Document the items
Document the procedures
Preserve chain of custody
Attention to detail
Make a forensic copy
Don't analyze the actual drive in question.
Make a forensic copy.
At the scene
Immediately determine if a destructive program is
running on the computer. If one is running, the
investigator should pull the power plug. This will
ensure no further evidence is lost. Place tape across
all open disk drives so that no media is inadvertently
placed in the disk drives. The system date and time
should be collected from the BIOS setup. This time
should be compared with a reliable time source (e.g.,
one synchronized with an atomic clock), and any
discrepancies noted. This may be important if it is
necessary to correlate events between two computers,
or between the activities of a user and the times
associated with particular files on the computer.
At the scene continued
Document the computer and its surroundings
Use video tape if available
If the computer is running, take a photograph of the
screen.
Take photographs of the front, side, and back of the
computer.
Note any and all connected devices
Physically open the computer and take photographs
of the inside of the computer
Making a forensic copy of the drive
Knoppix security distribution http://s-t-d.org/
Penguin sleuth kit http://www.linux-forensics.com/
Forensically wipe the destination drive
A forensic wipe can be accomplished with the dd
command:
dd if=/dev/zero of=/dev/hdb1 bs=2048
Verify via grep:
grep -v 0 /dev/hdb1
dd
dd is a common Unix program whose primary purpose is
the low-level copying and conversion of raw data.
The name is an allusion to the mainframe JCL DD
statement.
It is jokingly said to stand for "disk destroyer", "data
destroyer", or "delete data", since, being used for
low-level operations on hard disks, a small mistake,
such as reversing the if and of parameters, can
possibly result in the loss of some or all data on a
disk.
Making a forensics copy (continued)
Netcat reads and writes bits over a network connection.
The command to run on the forensics server is:
# nc -l -p 8888 > evidence.dd
This sets up the listen process on the forensics server prior
to sending the data from the subject's computer. On the
subject's computer we use the dd command to read the
first partition:
# dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3
We pipe the output of the dd command to netcat, which
sends the bits over the network to the specified network
address and port on our listening forensic computer.
The argument -w 3 indicates that netcat should wait 3
seconds before closing the connection upon finding no
more data.
Calculate the hash
After we create the image we must verify its integrity.
You must calculate the hash of the source hard drive
by issuing the following command from the subject's
computer:
# md5sum /dev/hda1 | nc 192.168.0.2 8888 -w 3

This command calculates the MD5 hash of the source
hard drive and pipes the results over the network to
our forensic server.
Compare the hash
We capture this information by setting up a listening process on the
forensic computer as demonstrated in the first command below:
# nc -l -p 8888 >> evidence.md5
The command
# md5sum evidence.dd >> evidence.md5
calculates the MD5 hash of our forensic image and appends it to the
previously created MD5 file. The >> operator appends the output of
the command to an existing file.
WARNING: If we were to use a single > the file evidence.md5 would
have been overwritten by the output of the command, rather than
appended.
If our hashes match then the imaging was successful and analysis can
begin.
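The three guideline steps (copy, authenticate, analyze) and the wipe/image/hash procedure on the preceding slides, as one added, runnable example that is not code from the course or the book. It uses constructed files in a temporary directory instead of real devices: $SRC stands in for /dev/hda1 and $DST for the wiped /dev/hdb1, so no netcat hop is needed; over a network the only difference is that dd's output and md5sum's output are piped into nc, exactly as the slides show. The wipe check counts bytes that are not 0x00 rather than relying on grep, and the copy uses conv=noerror,sync so an unreadable block becomes a zero-filled block instead of aborting the image (the function names and the sample contents are this example's own).

```shell
#!/bin/sh
# Added example: wipe a destination, image a source, authenticate the image by MD5.
set -u

WORK=$(mktemp -d)
SRC="$WORK/source.img"       # constructed "suspect partition", 64 KiB (stands in for /dev/hda1)
DST="$WORK/evidence.dd"      # the image file, on a destination we wipe first (stands in for /dev/hdb1)
HASHLOG="$WORK/evidence.md5" # same role as evidence.md5 on the slide

# Constructed sample evidence: random filler with one recognisable string planted in it.
dd if=/dev/urandom of="$SRC" bs=4096 count=16 2>/dev/null
printf 'CONFIDENTIAL memo, do not distribute\n' \
  | dd of="$SRC" bs=1 seek=8192 conv=notrunc 2>/dev/null

hash_of() {  # $1 = file -> prints the MD5 hex digest only (md5sum on Linux, md5 on BSD/macOS)
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
  else md5 -q "$1"; fi
}

forensic_wipe() {  # $1 = destination, $2 = size in bytes: overwrite every byte with 0x00
  dd if=/dev/zero of="$1" bs=4096 count=$(( ($2 + 4095) / 4096 )) 2>/dev/null
}

count_nonzero_bytes() {  # $1 = file -> prints how many bytes are not 0x00 (0 after a clean wipe)
  tr -d '\000' < "$1" | wc -c | tr -d ' '
}

forensic_copy() {  # $1 = source, $2 = image: bit-for-bit copy; sync pads an unreadable block with zeros
  # The hash check below only holds when bs divides the source size exactly (always true for
  # real devices, whose size is a whole number of sectors); otherwise sync padding changes the hash.
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

record_hash() {  # $1 = label, $2 = file: append "digest  label" to the hash log, like the slide's >>
  printf '%s  %s\n' "$(hash_of "$2")" "$1" >> "$HASHLOG"
}

verify_image() {  # $1 = source, $2 = image -> prints MATCH or MISMATCH
  if [ "$(hash_of "$1")" = "$(hash_of "$2")" ]; then echo MATCH; else echo MISMATCH; fi
}

forensic_wipe "$DST" 65536
echo "non-zero bytes on destination after wipe: $(count_nonzero_bytes "$DST")"
forensic_copy "$SRC" "$DST"
record_hash "source (simulated /dev/hda1)" "$SRC"
record_hash "evidence.dd" "$DST"
cat "$HASHLOG"
echo "imaging result: $(verify_image "$SRC" "$DST")"
```

Run it as an ordinary script; the two lines of evidence.md5 carry the same digest and the result line reads MATCH. Change a single byte of the image afterwards and verify_image reports MISMATCH, which is the whole point of step 2 of the guidelines: the hash is what lets you prove in court that the copy you analyzed is identical to the original.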
What to check
Files
Browser
System logs
Deleted files
Handling Images as evidence
Preserve the original digital image. This is critical.
You may need to enhance images to see some
detail, but that enhancement should be done to a
copy. You should retain the original image exactly as
you found it. The original file must never be written
over or deleted.
Preserve images in their original format.

Undelete files - Undelete Plus
Undelete Plus is available from http://www.undelete-plus.com
for $29.95. What makes this tool worthy of
mention is that it is very easy to use. You simply
select a drive, and click the scan button and it will list
any deleted files it finds.
Undelete files - DiskDigger
This product is available at
http://dmitrybrant.com/diskdigger and is freeware.
This makes it an attractive product. The site does
accept donations, but you are free to download and
use this product at no charge. This utility has a
wizard interface that walks the user through the
process.

Lab 1
Use Disk Digger to recover files from your computer

Estimated time: 20 minutes
Video



Encase Demo
http://www.youtube.com/watch?v=O4ce74q2zqM
Forensic Tools
Encase
The Sleuth Kit http://www.sleuthkit.org/sleuthkit/
Helix http://www.e-fense.com/h3-enterprise.php
FREE 30 Day trial
The Disk Investigator
http://www.theabsolute.net/sware/dskinv.html
Microsoft Computer Online Forensic Evidence
Extractor (COFEE)
http://www.microsoft.com/industry/government/solutions/cofee/

Links
http://www.computerforensicsworld.com/
http://www.forensicswiki.org/wiki/Main_Page
http://www.computerforensics.com/
FBI Computer Forensics
http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm
United States Secret Service
http://www.secretservice.gov/ectf.shtml
Federal Bureau of Investigation
http://www.cert.org/tech_tips/FBI_investigates_crime.html


A collection of forensics tools
http://www.forensicswiki.org/wiki/Tools
