Solving Computer Crime: An Introduction to Digital Forensics
Golden G. Richard III, Ph.D.
Dept. of Computer Science, Gulf Coast Computer Forensics Laboratory (GCCFL)
golden@cs.uno.edu

Digital Forensics
- Definition: "Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices."
- Devices include computers, PDAs, cellular phones, videogame consoles

Examples of Digital Evidence
- Computers increasingly involved in criminal and corporate investigations
- Digital evidence may play a supporting role or be the "smoking gun"
- Email
  - Harassment or threats
  - Blackmail
  - Illegal transmission of internal corporate documents
  - Meeting points/times for drug deals
  - Suicide letters
  - Technical data for bomb making
- Image or digital video files (esp. child pornography)
- Evidence of inappropriate use of computer resources or attacks
  - Use of a machine as a spam email generator
  - Use of a machine to distribute illegally copied software

Major Issues
- Identification of potential digital evidence
  - Where might the evidence be? Which devices did the suspect use?
- Preservation of evidence
  - On the crime scene, first stabilize evidence: prevent loss and contamination
  - If possible, make identical copies of evidence for examination
- Careful extraction and examination of evidence
- Presentation
  - "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore HITLIST.DOC"
  - "The suspect attempted to hide the Microsoft Word document HITLIST.DOC but I was able to recover it without tampering with the file contents."
- Legal: investigatory needs meet privacy

Preservation of Evidence: Hardly Trivial
- Living room, basement/closet, wireless connection
- "Dear Susan, It's not your fault..." Just pull the plug? Move the mouse for a quick peek?
- Tripwires... tick, tick, tick
- Volatile computing

Preservation: Imaging
- When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!
- Write blockers: use them. Always.
- dd under Linux
- DOS boot floppies
- Proprietary imaging solutions
- Drivelock write blocker

Extraction and Examination
- Know where evidence can be found
- Understand techniques used to hide or "destroy" digital data
- Toolbox of techniques to discover hidden data and recover "destroyed" data
- Cope with HUGE quantities of digital data: ignore the irrelevant and target the relevant

Where's the Evidence?
- Undeleted files (expect some names to be incorrect)
- Deleted files
- Windows registry
- Print spool files
- Hibernation files
- Temp files (all those .TMP files!)
- Slack space
- Swap files
- Browser caches
- Alternate partitions
- On a variety of removable media (floppies, ZIP, Jazz, tapes, ...)

Fallacy vs. Fact in Digital Forensics
- Many digital forensics tools and techniques are quite complex; very difficult to cover in a short lecture
- To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach
  - Fallacy: user attempting to hide evidence believes one thing
  - Fact: but in fact...
- Look at a few fact vs. fallacy scenarios, then one more advanced topic

Fallacy: File was deleted, it's gone!
- Users often mistake normal deletion of files for "secure" deletion
- Deleted files are recoverable using forensics tools. Why?
  - Filesystem makes a small change in its bookkeeping info to mark a file as deleted
  - Data associated with the file is NOT erased
  - Example: FAT32 (Windows), first character of filename is changed to 0xEF in the directory entry to "delete" the file
  - Forensics software changes one character in the directory entry, file reappears
- To prevent recovery, must perform secure overwrite of the file or physically destroy the media

Fallacy: I renamed the file, I'm safe!
- "childporn.jpg" -> "winword.exe"
- Renaming files is an ineffective defense against digital forensics investigation
- Technique #1: Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses
  - e.g., JPEG files contain 0x4a464946 or 0x45786966 in the first block of the file
- Technique #2: Cryptographic hashing provides a mechanism for "fingerprinting" files
  - File contents are matched quickly, regardless of name
  - Hashes equivalent => file contents equivalent
  - Think: fingerprints don't care about hair color

Aside: Hashing
- Typical algorithms: SHA-1, MD5
- Example:
    C: md5sum golden.jpg
    b28f08b004a7251a418e089ef3bb7409 *golden.jpg
    C: rename golden.jpg winword.exe
    C: md5sum winword.exe
    b28f08b004a7251a418e089ef3bb7409 *winword.exe
- Can automate checking of hashes
- Huge dictionaries exist with hashes for known files (http://www.nsrl.nist.gov/index/prodname.index.txt) and for known child pornography files
- Can quickly disregard known files and target the interesting stuff

Fallacy: I formatted the drive, whew!
- Formatting a drive does not prevent recovery of digital evidence
- In fact, format typically overwrites less than 1% of drive contents
- Why does it take so long? Format is reading disk blocks to determine if bad blocks exist
- Format wipes out directories, so names of files are lost
- A lot of the data can still be recovered by sifting through data that remains after the format operation
- For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file (see digital forensics Technique #1 under the file renaming fallacy)

Fallacy: Media mutilation = Miller time!
- Example #1: cutting a floppy into pieces
- Example #2: opening a hard drive, removing the platters, throwing them into the trash
- Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery
- Media can be reassembled and partial recovery performed
- Even strong magnetic fields are insufficient
  - Older "military grade" degausser for erasing hard drives was so strong that it bent the platters inside the drive
  - Your bulk tape eraser isn't going to do the job
- To destroy data: multiple overwrites (software) or complete destruction of hardware

That's One Big Degausser!
(photo slide)

Fallacy: I used Web-based email
- Fallacy: use of web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts)
- It's not. Even if you never download the email and immediately delete all messages on the server!
- Recently viewed web pages are stored in the web browser's cache
  - Cache is often in a hard-to-find place
  - Internet Explorer: Tools -> Internet Options -> Delete Files clears the cache in IE
  - See the slide on recovery of deleted files for the futility quotient: files stored in the browser cache are not securely deleted when the cache is cleared
- Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash

Recovery of web-based emails
(screenshot slide)

Fallacy: Application uninstalls are easy
- Illegal application installed
- Fear ensues
- Application is uninstalled (Am I safe?)
  - Application files can still be undeleted, proving the application was installed
- Further steps to obscure installation: securely overwrite application files. Now am I safe? Nope.
  - Remnants of installation can likely still be found in the Windows registry
- Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware

Fallacy: I encrypted my files
- On encrypted file systems, if a file is ever printed and the spool directory isn't encrypted, fragments may be left behind
- On some systems (e.g., Windows 2000), a "recovery agent" is able to read all encrypted files
  - For Windows 2000, this is the administrator account, thus just need to break the administrator password
- Problem: keys for truly secure encryption schemes are long
  - Search for slips of paper
  - Search for unencrypted password lists
  - Search PDAs, phones, and organizers for passwords and encryption keys
  - Software or hardware keystroke loggers
  - Van Eck radiation
- If the file can't be decrypted, the name of the file may still be useful in prosecution

Beowulf, Slayer of Poorly Chosen Passwords
- How good are your passwords?

Steganography
- "Techniques for hiding information within other information"
- Historical
  - Tattoos
  - Text on wood under the wax layer of a wax tablet
  - "Invisible" ink (e.g., writing with lemon juice)
- Modern
  - Much more sophisticated
  - Employ powerful encryption techniques
  - Hide documents within an image, video, or audio file
  - Hidden documents can be harmless, or child pornography, bomb plans, ...

Stego (2), Stego (3), Stego (4)
(image slides)
- Slipped inside the 2nd cactus picture by "jphide"
- Embedding in this case is not obvious (visually), and the image with embedded Golden is actually smaller (in bytes) than the original
- Statistical analysis by "stegdetect" guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.

Stego (5)
(diagram slide; labels "Core", "Igniter")
- This "bomb" diagram, however, is not detected inside the cactus picture

Bluepipe: On the Spot Digital Forensics
(project slide)

Legal Issues
- Investigative needs vs. the right to privacy
- Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
- Wiretap laws
- Chain of custody
- Admissibility of evidence in court: Daubert. Essentially:
  - Has the theory or technique in question been tested?
  - Is the error rate known?
  - Widespread acceptance within a relevant scientific community?
- Patriot Act: greatly expands governmental powers in terms of searching, wiretap w/o prior notification

The Other Side: Privacy
- We've concentrated on the cool technology, but...
- The existence of sophisticated digital forensics techniques is a great enabler for fascism
- Actively fight laws that don't appropriately balance privacy with the need for investigation
- Secure file deletion software: overwriting files with zeros is good enough unless a tunneling electron microscope is available
- Volatile computing
- Physical destruction of media: grind the media into powder; vats of acid or molten steel

Resources
- Books
  - Digital Evidence and Computer Crime (E. Casey, Academic Press)
  - Computer Forensics and Privacy (M. Caloyannides, Artech House)
- Websites
  - http://www.dfrws.org: lots of references related to digital forensics, including a link to an interesting e-journal
  - http://www.ijde.org/ (International Journal of Digital Evidence)
  - http://vip.poly.edu/kulesh/forensics/list.htm: tons of stuff, including a bunch of online papers
  - http:/ (address cut off in the source): collection of forensics-related software
- Commercial digital forensics software
  - Encase
  - FTK (Forensics Tool Kit)
  - ILook (law enforcement only)
  - WinHex
- Presentation available: http://www.cs.uno.edu/golden/teach.html
- golden@cs.uno.edu
- Office: Math 346?
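As an added illustration of Technique #1 and Technique #2 from the "I renamed the file" fallacy (example code written for this page, not from the slides or the GCCFL): it recognizes a JPEG by the JFIF/Exif marker in its first block regardless of filename, hashes the contents, and looks the hash up in a known-file set. The 512-byte first block, the use of SHA-1, the sample bytes and the stand-in hash dictionary are assumptions and constructed data.

```python
import hashlib

# Markers from the slides: "JFIF" (0x4a464946) and "Exif" (0x45786966) appear
# in the first block of a JPEG. The 512-byte block size is an assumption.
JPEG_MARKERS = (b"JFIF", b"Exif")
FIRST_BLOCK = 512


def looks_like_jpeg(data: bytes) -> bool:
    """Technique #1: recognise the file by structure, not by name.
    Requires the JPEG start-of-image bytes plus a JFIF/Exif tag in block 0."""
    head = data[:FIRST_BLOCK]
    return head.startswith(b"\xff\xd8\xff") and any(m in head for m in JPEG_MARKERS)


def fingerprint(data: bytes) -> str:
    """Technique #2: hash the contents; the filename is not part of the hash.
    SHA-1 is used here (the slides list SHA-1 and MD5)."""
    return hashlib.sha1(data).hexdigest()


def classify(files: dict, known_hashes: dict) -> dict:
    """Map filename -> (is_jpeg, hash, label from the known-hash set or None).
    A renamed file gets the same hash and the same structural verdict."""
    out = {}
    for name, data in files.items():
        h = fingerprint(data)
        out[name] = (looks_like_jpeg(data), h, known_hashes.get(h))
    return out


# Constructed sample data (not real images): a minimal JFIF header with filler,
# and a non-image file given a misleading .jpg name.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 200 + b"\xff\xd9"
SAMPLE_TEXT = b"MZ this is not an image at all"

FILES = {
    "golden.jpg": SAMPLE_JPEG,
    "winword.exe": SAMPLE_JPEG,   # same bytes after a rename
    "notes.jpg": SAMPLE_TEXT,     # misleading name, wrong structure
}
# Stand-in for a hash dictionary such as the NSRL index mentioned in the slides.
KNOWN_HASHES = {fingerprint(SAMPLE_JPEG): "known file of interest"}

if __name__ == "__main__":
    for name, verdict in classify(FILES, KNOWN_HASHES).items():
        print(name, verdict)
```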
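As an added example of the header/footer file carving mentioned under the "I formatted the drive" fallacy (written for this page, not a tool from the slides): it scans a constructed in-memory disk image for JPEG start and end markers, with no directory information, and treats a header whose footer does not arrive before the next header as a truncated fragment. The 10 MiB size limit and the sample image layout are assumptions.

```python
SOI = b"\xff\xd8\xff"          # JPEG start-of-image followed by a segment marker byte
EOI = b"\xff\xd9"              # JPEG end-of-image
MAX_CARVE = 10 * 1024 * 1024   # assumption: a header with no footer within 10 MiB is abandoned


def carve_jpegs(image: bytes, max_size: int = MAX_CARVE) -> list:
    """Return (offset, data) for every JPEG-like run between a header and a footer.
    Only the bytes on disk are consulted, which is why carving survives a format."""
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        next_start = image.find(SOI, start + len(SOI))
        if end == -1 or (next_start != -1 and next_start < end):
            # No footer in range, or another header begins first: the file was
            # truncated or fragmented. Skip this header instead of gluing the
            # following file onto it.
            pos = start + len(SOI)
            continue
        end += len(EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed disk image (not real data): zero filler, an intact file,
    a truncated header with no footer, then a second intact file."""
    filler = b"\x00" * 64
    jpeg_a = b"\xff\xd8\xff\xe0" + b"A" * 30 + EOI
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 20
    jpeg_b = b"\xff\xd8\xff\xe1" + b"B" * 50 + EOI
    return filler + jpeg_a + filler + truncated + filler + jpeg_b + filler


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        print(f"carved {len(blob)} bytes at offset {offset}")
```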