Digital Evidence: Incident Response and Computer Forensics

Outline: What do you see?; APIEP; Response - Procedures; Investigation; Forensics as a Question; Types of Evidence; Slide 8; Forensic Duplication; Undermining Evidence Analysis; Attacking Capture; Attacking Analysis; Attacking Presentation; Analysis of Forensic Image; Why Linux?; Commands for Browsing the Filesystem; File System Analysis Lab; Slide 18; Verification of an Image; Mounting the Image; Basic Analysis of an Image; Storage Layers; File Systems; File System Tools - E2fs; File System Tools; Analysis and Recovery Tools; Sleuthkit by Brian Carrier; Building Sleuthkit from Source; Sleuthkit Tools; Autopsy Forensic Browser; Case - Unacceptable Use; Autopsy Install; Autopsy 101; Autopsy 102; Autopsy 103; Autopsy 104; Autopsy 105; Autopsy 106; Autopsy 107; Autopsy 108; Foremost; Slide 42; Slide 43

Digital Evidence
Incident Response and Computer Forensics
"For Now We See Through A Glass Darkly" - Paul

What do you see?

APIEP
- Acquisition - initial response (documented)
- Preservation - hash / documentation
- Identification - extract relevant data
- Evaluation - develop / test hypotheses
- Presentation - write summary report

Response - Procedures
- Document everything
- Capture network context data
- Gather live state data
- Capture file system image
- Hash, duplicate and label everything

Investigation
- Never work on original data
- Work on a forensic duplicate
- Verify hashes at every step
  - After checking out evidence
  - Before checking in evidence

Forensics as a Question
- Was there an event?
- What was the nature of the event?
- Are there any initial conclusions?
- Is there a crime?
- Is there a suspect?
- What evidence supports / disproves this?

Types of Evidence
- Real - a thing directly related to the crime (PC HDD)
- Demonstrative - demonstrates the crime through illustrations, maps, etc. (data visualization)
- Documentary - documents the crime (logs)
- Testimonial - witnesses, etc.

Types of Evidence (continued)
- Exculpatory - proves innocence
- Inculpatory - proves guilt
- Tampering - proves malfeasance or mishandling

Forensic Duplication
- Forensic duplicate
  - Explicit bit-stream duplicate
  - Binary "image" of the original disk or partition
  - dd and relatives: dcfldd
- Qualified forensic duplicate
  - Not a true image
  - Various proprietary packages: EnCase

Undermining Evidence Analysis
- Forensic analysis can possibly be attacked at each layer or step of APIEP
  - Undermine capture
  - Undermine analysis
  - Undermine presentation

Attacking Capture
- Destruction of hardware
  - Wiping the disk
  - Trashing the controller
- Eradication of data
  - Overwriting of evidence
- Avoidance of suspicion
  - Stealth or quiet attacks
- Memory-resident processes
  - Difficult to capture and analyze

Attacking Analysis
- Evasion of detection
  - Avoid writing to disk
  - Make data look innocent
- Evidence hiding
  - Encrypted data
  - Files within files, ADS, slack space, bad blocks
- Insertion
  - Insert erroneous or misleading data
  - Randomize file system MAC times

Attacking Presentation
- Trojan defense: "Malware did it!"
- Invisible Trojan defense: "Malware did it and then disappeared!"
  - It's possible, but is it plausible?
- Confuse laity with doubt / technology
  - Reasonable person - if you find one, let me know
- Undermine witness testimony
  - "I am an expert... with 8 hours of training"

Analysis of Forensic Image
- We've captured a forensic duplicate
- How can we analyze the contents of a forensic image?
- By using Linux!

Why Linux?
- mount -o loop,ro /root/indecent_images.dd /mnt/evidence
  - Mount file system images on a loopback device: -o loop
  - Mount the image read-only so that nothing in the evidence is modified: -o ro
- Understands most common file systems
- Great text processing capabilities

Commands for Browsing the Filesystem
- cat - concatenate to output
- less - pager like more, but does more!
- vi - the visual editor
- grep - search for text patterns (regular expressions)
- gqview or other app to view images

File System Analysis Lab
- A violation of the company acceptable use policy was reported by a manager
- Logs indicated that the suspect was logged in
- Proxy logs show activity on the suspect's PC
- First responders took an image of the system

File System Analysis Lab (continued)
- UK company policy prohibits viewing images of US football at work
- Your job: determine if the suspect was downloading illicit images
  - Document any images referencing American Football
  - Determine if any other violations occurred
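How the first responders' image in this lab would have been made: a dd bit-stream duplicate of the device, hashed on both sides and labelled, which is the "capture file system image" / "hash, duplicate and label everything" step of the Response Procedures slide and the dd duplicate of the Forensic Duplication slide. This is an added example, not code from the slides; the script name acquire.sh, the function names and the label format are choices made here, and the data the test feeds it is constructed.

```shell
#!/bin/sh
# acquire.sh: bit-stream duplicate of a device (or image file) with dd,
# hashed on both sides and labelled. Added example for this deck, not the
# slides' own code; the script and function names are assumptions.
set -eu

# md5_of FILE: print only the hex digest.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# acquire_image SOURCE DEST: copy SOURCE to DEST sector by sector, hash
# both, write a label next to the image, and fail unless the hashes match.
# conv=noerror,sync keeps dd going past unreadable sectors and zero-fills
# them so later offsets still line up; a padded sector therefore changes the
# image hash, and dd's stderr (kept in DEST.dd.log) records that it happened.
# bs=512 is one sector; larger block sizes are faster but pad the tail of a
# source whose size is not a multiple of them, which also changes the hash.
acquire_image() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }

    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log"
    src_hash=$(md5_of "$src")
    dst_hash=$(md5_of "$dst")

    # The label is what every later check-out / check-in is verified against.
    {
        echo "source:   $src"
        echo "image:    $dst"
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ) by $(id -un) on $(uname -n)"
        echo "md5:      $dst_hash"
    } > "$dst.label"

    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$dst_hash (see $dst.dd.log)" >&2
        return 2
    fi
    echo "$dst_hash"
}

# verify_image IMAGE EXPECTED_MD5: recompute and compare; the exit status is
# the answer, so callers can gate every later step on it.
verify_image() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ] || { echo "hash mismatch on $1: $actual != $2" >&2; return 1; }
}

# Usage: acquire.sh /dev/sdb /evidence/case42-sdb.dd
if [ $# -ge 2 ]; then
    acquire_image "$1" "$2"
fi
```

The script refuses to overwrite an existing image and returns non-zero when the copy does not hash like its source, so a padded or unreadable sector is never silently accepted; dcfldd and dc3dd do the hashing on the fly and log bad sectors themselves, which is why the Forensic Duplication slide lists them as dd's relatives.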
Verification of an Image
- The file is /root/indecent_images.dd
- Verify the MD5 sum of the image:
    md5sum /root/indecent_images.dd
    5a0bba797f8950ee338200ee19366cc3
- Caveat: MD5 is enough to catch accidental corruption, but MD5 collisions are practical, so also record a second hash (e.g. sha256sum) in the evidence label and compare both after every check-out and before every check-in.

Mounting the Image
- Create an evidence directory:
    mkdir /mnt/evidence
- Mount the image read-only using the loopback device on /mnt/evidence:
    mount -o loop,ro /root/indecent_images.dd /mnt/evidence
- Caveat: for journaled file systems (ext3 and later) a plain ro mount can still replay the journal into the image; add noload (ext3/ext4) or attach the loop device read-only (losetup -r), keep the image file itself read-only (chmod 0444), and re-hash the image after unmounting either way.

Basic Analysis of an Image
- startx - starts X-Windows (the GUI)
- Refer to manuals for documentation: man command
- ls - lists files
- find - finds files
- cat / more / less / vi - view files
- gqview / mozilla - view images

Storage Layers
- Hardware / BIOS: IDE vs SCSI
- Operating system: Linux, Windows, Solaris, Mac OS, etc.
- File system metadata: ext2/3, FAT/NTFS, UFS/ZFS, MFS/HFS; MAC times, ACLs, etc.
- Application metadata: Word, et al.

File Systems
- May take years to master
- http://www.forensics.nl/filesystems
- FAT, NTFS, ext2, ext3

File System Tools - E2fs
- E2fs tools (e2fsprogs) by Theodore Ts'o
  - dumpe2fs - prints superblock data
  - fsck - consistency check
  - debugfs - interactive file system debugger

File System Tools
- FAT tools
  - dosfstools - Linux tools for creating and examining the file system
  - fatback - interactive file system examination tool
  - dosfsck - prints out the boot block; file system check for FAT

Analysis and Recovery Tools
- Sleuthkit - set of tools for file system analysis
- Autopsy - GUI for Sleuthkit
- Foremost - file recovery tool

Sleuthkit by Brian Carrier
- Based on The Coroner's Toolkit (Dan Farmer and Wietse Venema)
- Provides tools to analyze:
  - File system layer
  - Content layer
  - Metadata layer
  - Human interface layer

Building Sleuthkit from Source
- Get the source code:
    wget http://164.106.251.250/docs/netsec/sleuthkit-2.03.tar.gz
- Extract the source code archive:
    tar zxvf sleuthkit*
- Change into the Sleuthkit source code directory:
    cd sleuth*
- Run make:
    make
- Copy binaries to /usr/local/bin (then add /usr/local/bin/sleuthkit to PATH):
    cp -r bin /usr/local/bin/sleuthkit/

Sleuthkit Tools
- File system layer (partition boot sector): fsstat
- Content layer (raw allocation units): dcat, dls, dcalc
  - These are the Sleuthkit 2.x names; from Sleuthkit 3.0 the content-layer tools are called blkcat, blkls and blkcalc.
- Metadata layer
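The check-out, mount, browse and check-in cycle of the Verification, Mounting and Basic Analysis slides as one script. This is an added example, not the slides' own code: IMAGE, EXPECTED_MD5 and MNT default to the lab's values; magic_type, find_images, inventory and the findings file name are names chosen here; and it goes beyond the slides in one respect, classifying files by their header bytes rather than their extension, because a renamed image is exactly the "make data look innocent" case the Attacking Analysis slide warns about. The directory tree the test runs it over is constructed.

```shell
#!/bin/sh
# examine.sh: check the lab image out of evidence, mount it read-only,
# inventory picture files with their MAC times and hashes, and re-verify
# the image before checking it back in. Added example for this deck, not
# the original slides' code; IMAGE, EXPECTED_MD5 and MNT default to the
# lab's values and can be overridden from the environment.
set -eu

IMAGE=${IMAGE:-/root/indecent_images.dd}
EXPECTED_MD5=${EXPECTED_MD5:-5a0bba797f8950ee338200ee19366cc3}
MNT=${MNT:-/mnt/evidence}

# verify_image IMAGE EXPECTED_MD5: a non-zero status means stop and document.
verify_image() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] || { echo "hash mismatch on $1: $actual != $2" >&2; return 1; }
}

# mount_evidence IMAGE MNT (needs root): loop-mount read-only. 'ro' keeps
# the kernel from writing to the image; 'noexec,nodev,nosuid' keep anything
# inside the image from being run, or treated as a device or setuid binary,
# on the analyst's machine. For ext3/ext4 images add 'noload' as well so a
# dirty journal is not replayed into the evidence.
mount_evidence() {
    mkdir -p "$2"
    mount -o loop,ro,noexec,nodev,nosuid "$1" "$2"
}

# magic_type FILE: classify by the first four bytes, not the file name,
# because renaming a JPEG to notes.txt is the cheapest way to hide it.
magic_type() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $sig in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        *)        echo other ;;
    esac
}

# find_images ROOT: every regular file under ROOT whose header says it is
# an image, one "type<TAB>path" line each, whatever the extension.
find_images() {
    find "$1" -type f | sort | while IFS= read -r f; do
        t=$(magic_type "$f")
        [ "$t" = other ] || printf '%s\t%s\n' "$t" "$f"
    done
}

# inventory ROOT: find_images plus MD5 and the three MAC times (access,
# modify, change; GNU stat) so each finding is identified and can be timelined.
inventory() {
    find_images "$1" | while IFS="$(printf '\t')" read -r t f; do
        printf '%s\t%s\t%s\t%s\n' "$t" "$(md5sum "$f" | cut -d' ' -f1)" \
            "$(stat -c 'atime=%x mtime=%y ctime=%z' "$f")" "$f"
    done
}

# Full check-out / analyse / check-in cycle for the lab image (needs root).
main() {
    verify_image "$IMAGE" "$EXPECTED_MD5"      # after checking out
    mount_evidence "$IMAGE" "$MNT"
    inventory "$MNT" | tee "$IMAGE.findings.tsv"
    umount "$MNT"
    verify_image "$IMAGE" "$EXPECTED_MD5"      # before checking in
}

# Usage: examine.sh run   (functions only when sourced or run without args)
if [ "${1:-}" = run ]; then
    main
fi
```

The inventory is the "document any images" deliverable of the lab: one line per finding with its hash and MAC times, written next to the image so the report can cite it, and the second verify_image at the end is the "before checking in" hash check of the Investigation slide, which is what proves the read-only mount really left the evidence untouched.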