Digital Evidence: Incident Response and Computer Forensics

Slide outline: What do you see? / APIEP / Response - Procedures / Investigation / Forensics as a Question / Types of Evidence / Forensic Duplication / Undermining Evidence Analysis / Attacking Capture / Attacking Analysis / Attacking Presentation / Analysis of Forensic Image / Why Linux? / Commands for Browsing the Filesystem / File System Analysis Lab / Verification of an Image / Mounting the Image / Basic Analysis of an Image / Storage Layers / File Systems / File System Tools - E2fs / File System Tools / Analysis and Recovery Tools / Sleuthkit by Brian Carrier / Building Sleuthkit from Source / Sleuthkit Tools / Autopsy Forensic Browser / Case - Unacceptable Use / Autopsy Install / Autopsy 101-108 / Foremost

What do you see?
  "For Now We See Through A Glass Darkly" - Paul

APIEP
  - Acquisition - Initial Response (doc)
  - Preservation - Hash / Documentation
  - Identification - Extract Relevant Data
  - Evaluation - Develop / Test Hypotheses
  - Presentation - Write Summary Report

Response - Procedures
  - Document Everything
  - Capture Network Context Data
  - Gather Live State Data
  - Capture File System Image
  - Hash, Duplicate and Label Everything

Investigation
  - Never Work on Original Data; Work on a Forensic Duplicate
  - Verify Hashes at Every Step
    - After Checking Out Evidence
    - Before Checking In Evidence

Forensics as a Question
  - Was there an event?
  - What was the nature of the event?
  - Are there any initial conclusions?
  - Is there a crime?
  - Is there a suspect?
  - What evidence supports / disproves this?

Types of Evidence
  - Real - A thing directly related to the crime (PC HDD)
  - Demonstrative - Demonstrates the crime through illustrations, maps, etc. (data visualization)
  - Documentary - Documents the crime (logs)
  - Testimonial - Witnesses, etc.

Types of Evidence
  - Exculpatory - Proves Innocence
  - Inculpatory - Proves Guilt
  - Tampering - Proves Malfeasance or Mishandling

Forensic Duplication
  - Forensic Duplicate
    - Explicit bit-stream duplicate
    - Binary "image" of original disk or partition
    - dd and relatives; dcfldd
  - Qualified Forensic Duplicate
    - Not a true image
    - Various Proprietary Packages (Encase)

Undermining Evidence Analysis
  - Forensic Analysis Can Possibly Be Attacked at Each Layer or Step of APIEP
    - Undermine Capture
    - Undermine Analysis
    - Undermine Presentation

Attacking Capture
  - Destruction of Hardware - Wiping the Disk, Trashing the Controller
  - Eradication of Data - Overwriting of Evidence
  - Avoidance of Suspicion - Stealth or Quiet Attacks
  - Memory Resident Processes - Difficult to capture and analyze

Attacking Analysis
  - Evasion of Detection - Avoid Writing to Disk; Make Data Look Innocent
  - Evidence Hiding - Encrypted Data; Files Within Files, ADS, Slack Space, Bad Blocks
  - Insertion - Insert Erroneous or Misleading Data; Randomize File System MAC Times

Attacking Presentation
  - Trojan Defense - Malware Did It!
  - Invisible Trojan Defense - Malware Did It and Then Disappeared! It's possible, but is it plausible?
  - Confuse Laity With Doubt / Technology
  - Reasonable Person - If you find one, let me know
  - Undermine Witness Testimony - "I am an expert... with 8 hours of training"

Analysis of Forensic Image
  - We've captured a forensic duplicate
  - How can we analyze the contents of a forensic image? By Using Linux!

Why Linux?
  mount -o loop,ro /root/indecent_images.dd /mnt/evidence
  - Mounts file system images on a loopback device (-o loop)
  - Mounts the image read-only to prevent errors (-o ro)
  - Understands most common file systems
  - Great text processing capabilities

Commands for Browsing the Filesystem
  - cat - concatenate to output
  - less - Pager like more, but does More!
  - vi - the visual editor
  - grep - search for text patterns (Regular Expressions)
  - gqview or other app to view images

File System Analysis Lab
  - A violation of the company acceptable use policy was reported by a manager
  - Logs indicated that the suspect was logged in
  - Proxy logs show activity on the suspect PC
  - First responders took an image of the system

File System Analysis Lab
  - UK Company policy prohibits viewing images of US football at work
  - Your Job: Determine if the suspect was downloading illicit images
    - Document any images referencing American Football
    - Determine if any other violations occurred

Verification of an Image
  - The file is /root/indecent_images.dd
  - Verify the md5sum of the image:
    md5sum /root/indecent_images.dd
    5a0bba797f8950ee338200ee19366cc3

Mounting the Image
  - Create an evidence directory:
    mkdir /mnt/evidence
  - Mount the image read-only using the loopback device to /mnt/evidence:
    mount -o loop,ro /root/indecent_images.dd /mnt/evidence

Basic Analysis of an Image
  - startx - Starts X-Windows (the GUI)
  - Refer to manuals for documentation: man command
  - ls - lists files
  - find - finds files
  - cat / more / less / vi - view files
  - gqview / mozilla - view images

Storage Layers
  - Hardware / BIOS - IDE vs SCSI
  - Operating System - Linux, Windows, Solaris, Mac-OS, etc.
  - File System Metadata - Ext2/3, FAT/NTFS, UFS/ZFS, MFS/HFS; MAC times, ACLs, etc.
  - Application Metadata - Word, et al.

File Systems
  - May Take Years to Master: http://www.forensics.nl/filesystems
  - FAT, NTFS, ext2, ext3

File System Tools - E2fs
  E2fs tools by Theodore Ts'o
  - dumpe2fs - Prints Superblock Data
  - fsck - Consistency Check
  - debuge2fs - Interactive file system debugger

File System Tools
  FAT Tools
  - Dosfstools - Linux tools for creating and examining the FS
  - Fatback - Interactive file system examination tool
  - Dosfsck - Prints out the boot block; File system check for FAT

Analysis and Recovery Tools
  - Sleuthkit - Set of Tools for FS Analysis
  - Autopsy - GUI for Sleuthkit
  - Foremost - File Recovery Tool

Sleuthkit by Brian Carrier
  - Based on The Coroner's Toolkit (Dan Farmer and Wietse Venema)
  - Provides tools to analyze the File System Layer, Content Layer, Metadata Layer and Human Interface Layer

Building Sleuthkit from Source
  - Get the Source Code:
    wget http://164.106.251.250/docs/netsec/sleuthkit-2.03.tar.gz
  - Extract the Source Code Archive:
    tar zxvf sleuthkit*
  - Change into the Sleuthkit Source Code Directory:
    cd sleuth*
  - Run make:
    make
  - Copy Binaries to /usr/local/bin:
    cp -r bin /usr/local/bin/sleuthkit/

Sleuthkit Tools
  - File System Layer (partition boot sector) - fsstat
  - Content Layer (raw allocation units) - dcat, dls, dcalc
  - Metadata Layer
NOVA ITE 100 - Forensics 4 Mounting-Recovery