Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #8: Computer Forensics - Data Recovery and Evidence Collection
September 12, 2007

Outline
- Agenda for next several lectures
- Review of Part 1
- Data Recovery
- Evidence Collection and Data Seizure
- Useful Links and discussions
- Reference: Part II of Text Book: Chapters 5 and 6

Agenda for Lectures until October 8, 2007
- September 17, 2007: Chapters 7 and 8; Example programming projects
- September 19, 2007: Chapters 9, 10, 11
- September 24, 2007: Guest Lecture: Richardson Police Department
- September 26, 2007: Chapter 12: Network Forensics
- October 1, 2007: Guest Lecture: FBI North Texas
- October 3, 2007: Selected Paper Discussions
- October 8, 2007: Begin Part IV of book

Review of Part 1
- Lecture 1: Introduction
- Lecture 2: Fundamentals
- Lecture 3: Forensics Technologies
- Lecture 4: Botnets
- Lecture 5: Forensics Systems
- Lecture 6: Forensics Services
- Lecture 7: Malicious Code Detection

Data Recovery
- What is Data Recovery?
- Role of Backup in Data Recovery
- Data Recovery Solution
- Hiding and Recovering Hidden Data

What is Data Recovery
- Usually data recovery means that lost data is recovered, e.g., when a system crashes some data may be lost; with appropriate recovery procedures the data is recovered
- In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis

Role of Backup in Data Recovery
- Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if the system crashes the databases/files can be recovered to the previous consistent state
- Challenge: backing up petabyte-sized databases/files
- Obstacles for backing up: backup window, network bandwidth, system throughput
- Current trends: storage cost decreasing, systems have to be online 24x7
- Next generation solutions: multiple backup servers, optimizing storage space

Data Recovery/Backup Solution
- Develop a plan/policy for backup and recovery
- Develop/hire/outsource the appropriate expertise
- Develop a system design for backup/recovery: three-tier architectures, caches, backup servers
- Examine state-of-the-art backup/recovery products and tools
- Implement the backup plan according to the policy and design

Recover Hidden Data
- Hidden data
  - Files may be deleted, but until they are overwritten, the data may remain
  - Data stored on diskettes and stored inside another disk
- Need to get all the pieces and complete the puzzle
- Analysis techniques (including statistical reasoning) are being used to recover hidden data and complete the puzzle
- Reference: http://www.forensicfocus.com/hidden-data-analysis-ntfs

Evidence Collection and Data Seizure
- What is Evidence Collection
- Types of Evidence
- Rules of Evidence
- Volatile Evidence
- Methods of Collection
- Steps to Collection
- Controlling Contamination

What is Evidence Collection
- Collecting information from the data recovered for further analysis
- Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited
- Collect evidence for analysis or monitor the intruder
- Obstacles
  - Difficult to extract patterns or useful information from the recovered data
  - Difficult to tie the extracted information to a person

Types of Evidence
- Testimonial Evidence
  - Evidence supplied by a witness; subject to the perceived reliability of the witness
  - Word processor documents written by a witness, as long as the author states that he wrote them
- Hearsay
  - Evidence presented by a person who is not a direct witness
  - Word processor documents written by someone without direct knowledge of the incident

Rules of Evidence
- Admissible: evidence must be able to be used in court
- Authentic: tie the evidence positively to an incident
- Complete: evidence that can cover all perspectives
- Reliable: there should be no doubt that proper procedures were used
- Believable: understandable and believable to a jury

Additional considerations
- Minimize handling and corruption of original data
- Account for any changes and keep detailed logs
- Comply with the 5 basic rules
- Do not exceed your knowledge; you need to understand what you are doing
- Follow the established security policy
- Work fast, but be accurate
- Proceed from volatile to persistent evidence
- Do not shut down the machine before collecting evidence
- Do not run programs on the affected machine

Volatile Evidence
- Types
  - Cached data
  - Routing tables
  - Process table
  - Kernel statistics
  - Main memory
- What to do next
  - Collect the volatile data and store it on a permanent storage device

Methods of Collection
- Freezing the scene
  - Taking a snapshot of the system and its compromised state
  - Recover data, extract information, analyze
- Honeypotting
  - Create a replica system and attract the attacker for further monitoring

Steps to Collection
- Find the evidence; where is it stored
- Find relevant data (recovery)
- Create order of volatility
- Remove external avenues of change; no tampering
- Collect evidence using tools
- Good documentation of all the actions

Controlling Contamination
- Once the data is collected it must not be contaminated; it must be stored in a secure place, using encryption techniques
- Maintain a chain of custody: who owns the data, data provenance techniques
- Analyze the evidence
  - Use analysis tools to determine what happened
  - Analyze the log files and determine the timeline
  - Analyze backups using a dedicated host
  - Reconstruct the attack from all the information collected

Conclusion
- Data must be backed up using appropriate policies, procedures and technologies
- Once a crime has occurred, data has to be recovered from the various disks and computers
- Data that is recovered has to be analyzed to extract evidence
- Evidence has to be analyzed to determine what happened
- Use log files and documentation to establish the timeline
- Reconstruct the attack

Links
- Data Recovery
  - http://www.datatexcorp.com/
  - http://www.forensicfocus.com/hidden-data-analysis-ntfs
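The Recover Hidden Data slide notes that deleted files persist until their clusters are overwritten. As an added example, not part of the lecture, the following Python carves a PNG out of a constructed raw image using only the file's header and trailer signatures, with no file-system metadata involved; the image bytes are constructed inline.

```python
"""Added example (not from the lecture): recover a deleted file whose bytes
survive in unallocated space by scanning a raw image for file signatures.
The disk image is constructed below; the header and IEND trailer are the
real PNG markers."""

# Real PNG signature and end-of-image chunk (length 0, type IEND, CRC).
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_TRAILER = b"\x00\x00\x00\x00IEND\xaeB`\x82"
MAX_CARVE = 1 << 20  # do not carve more than 1 MiB past a header


def carve_png(image: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, data) for every header..trailer PNG span in the image.
    Unallocated clusters keep their contents until reused, so this finds
    files whose directory entries are already gone."""
    found = []
    pos = 0
    while True:
        start = image.find(PNG_HEADER, pos)
        if start == -1:
            break
        end = image.find(PNG_TRAILER, start, start + MAX_CARVE)
        if end == -1:
            pos = start + len(PNG_HEADER)  # header with no trailer: skip it
            continue
        end += len(PNG_TRAILER)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image() -> tuple[bytes, bytes]:
    """Constructed 'disk image': a minimal PNG-shaped file sits between
    deterministic filler bytes, with no metadata pointing at it."""
    fake_png = PNG_HEADER + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + PNG_TRAILER
    filler = bytes((i * 37 + 11) % 256 for i in range(4096))
    image = filler[:1500] + fake_png + filler[1500:]
    return image, fake_png


if __name__ == "__main__":
    img, original = build_sample_image()
    for offset, data in carve_png(img):
        print(f"carved {len(data)} bytes at offset {offset}, intact={data == original}")
```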
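The Additional considerations and Controlling Contamination slides call for detailed logs and a chain of custody. Added example (not from the lecture): a hash-chained custody log in Python that ties each handling record to the SHA-256 of the evidence image and to the previous record, so that an altered record, a dropped record or a modified image fails verification; custodian names, timestamps and the evidence bytes are constructed.

```python
"""Added example (not from the lecture): a tamper-evident chain-of-custody
log. Each entry records who handled the evidence and what was done, the
SHA-256 of the evidence image, and the hash of the previous entry."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log: list[dict], custodian: str, action: str,
                 evidence: bytes, timestamp: str) -> dict:
    """Add a custody record linked to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"timestamp": timestamp, "custodian": custodian,
             "action": action, "evidence_sha256": sha256_hex(evidence),
             "prev_hash": prev}
    # Canonical JSON so the entry hash is reproducible on verification.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log: list[dict], evidence: bytes) -> bool:
    """True only if every link and entry hash is consistent and every entry
    recorded the same evidence hash the image has now."""
    expected_prev = "0" * 64
    current = sha256_hex(evidence)
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != expected_prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        if entry["evidence_sha256"] != current:
            return False
        expected_prev = entry["entry_hash"]
    return bool(log)


def demo() -> tuple[list[dict], bytes]:
    """Constructed custody history for a constructed evidence image."""
    image = b"constructed disk image bytes"
    log: list[dict] = []
    append_entry(log, "Examiner A", "acquired image", image, "2007-09-12T10:00Z")
    append_entry(log, "Examiner B", "received for analysis", image, "2007-09-12T12:30Z")
    return log, image
```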