Introduction to Computer Forensics

Published Date: 15-07-2017
Mag. iur. Dr. techn. Michael Sonntag
Introduction to Computer Forensics
Institute for Information Processing and Microprocessor Technology (FIM)
Johannes Kepler University Linz, Austria
E-Mail:
© Michael Sonntag 2012

What is "Computer Forensics"?

- Computer Forensics (CF) is obtaining digital evidence
  » Analogue evidence is usually not considered here: use "ordinary" forensics to gather/evaluate it
    – Analogue computers are almost non-existent today
- This may come from running systems or parts of them
  » Hard disks, flash drives, PDAs, mobile phones, telephones, copiers, "pads" etc.
- Can be evidence for computer crimes (computer fraud, hacking, …) or any other crime (documents with plans for x), or for various other uses
- One indispensable issue is "data integrity"
  Data is easily changeable: evidence is usable in proceedings if, and only if, it is ensured that it has not been changed

What is "Computer Forensics"? Other definitions:

- "Analytical techniques to identify, collect, preserve and examine evidence/information which is magnetically stored or encoded"
  » Problem: "magnetically" → flash disks, running systems?
  » Better: "in computerized systems and their parts"
- "We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."
  » Focus on legal proceedings; there are many other uses as well
    – Note that this is almost the "highest" form: if evidence is sufficient for criminal proceedings, it can be used for everything else as well
- "A technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a crime or other computer use that is being inspected."

What is "Computer Forensics"? The main elements:

- Has something happened at all?
  » Random effect, bugs, …
- When did it happen?
  » How long did the attacker have access to our files?
- What has happened and what are the effects?
  » What are the results of the intrusion/… and what is their direct and indirect "cost"?
- Who was responsible for it?
  » Can we identify an IP address or a person?
- How did he do it?
  » So we can block this in the future
- Why were we attacked?
  » Just "some computer" or a deliberate attack; damage/gain; …

Generally: uncovering what really occurred

"Evidence"

Circumstantial evidence ("Indiz"):
- A hint which (alone or together with others) allows one to conclude that a certain fact exists

Evidence ("Beweis"):
- A hypothetical situation is accepted as a fact by the judge (rarely: jurors) because he is convinced of it
  » The circumstantial evidence is presumed to be true
- Types of evidence are often strictly regulated
  » Note: this is a legal distinction and typically has no influence on what can be used as evidence; the types are just treated differently.
    – Example: a witness is treated differently than objects
- Used to fulfil the burden of proof

In English the difference is more vague

"Burden of proof"

Note: not "obligation to prove"
- You are not required to prove anything … unless you want to "win" the proceedings
- If something cannot be proven, this is disadvantageous for the party which bears the burden of proof
  » False → obvious; practically important: unknown, no evidence/witnesses, expert could not find anything conclusive …

Typical basic rules:
- You state that something is true → you have to prove this
- Civil procedures: everybody proves what would be advantageous for them (and: must claim it; legal problem)
- Criminal procedures → the state must prove everything
- If the court is convinced (different levels in law), the burden of proof switches to the other party to prove the opposite

Explicit deviations/special rules exist in many laws

Digital evidence

- Digital evidence is
  - Stored in computers: disks, memory, …
    » Not: printouts, fingerprints on CD-ROMs etc.
  - Being transmitted between computers: (W)LAN, e-mails, …
    » Not: voice telephone communication (but …) etc.
- Analogue evidence:
  - Fingerprints, fibres, body fluids, physically damaged disk, …
- Evidence requires interpretation.
  - What does it mean that this bit is "0"?
  - An e-mail header exists: who added it? What does it mean?
  - Requires a lot of tools: are they working correctly?
  - How many steps of interpretation are necessary?
  - How reliable is the interpretation?
- We will talk only about digital evidence in this course

Legal considerations

- Computer forensic evidence should be
  - Admissible: don't collect anything which would not be allowed in court
    » It is useless, and probably illegal too
  - Authentic: the evidence should be tied to the incident
    » Don't go on fishing expeditions
  - Complete: not only the "damaging" parts, but all of it
    » Don't suppress or ignore anything else
      – If in doubt, collect too much and ignore it later in the evaluation
  - Reliable: collection, handling, and evaluation should ensure veracity and authenticity
    » See "Chain of Custody"
  - Believable: should be believable and understandable in court
    » And for laymen too (accused, jury, …)
- "The truth, the whole truth, and nothing but the truth"

The basic principles of CF

- No action to secure/collect evidence should affect its integrity
  - Otherwise it becomes worth much less or completely worthless
- Examiners should be trained
  - Only investigate as far as your knowledge goes
- All activities should be logged
  - Seizure, examination, storage, and transfer
    » Complete chain of custody (including its security measures)
  - Documented, preserved, and available for review
    » Proof for the chain of custody
- Investigations must be accurate and impartial
  - Computer forensics → prosecutor/attorney/judge
    » Describe what was actually found
      – And what should have been found, but was missing
    » Describe how reliable these facts are
    » Describe what conclusions can reasonably be drawn from them

When to use CF?

- To provide digital evidence of specific activity
  - In general, proving non-activity might also be the goal, but this is more difficult and only sometimes possible
- For legal proceedings
  - Criminal cases: child pornography, (computer) fraud, …
  - Civil cases: hacking, information theft, industrial espionage, …
- Recovering data
  - (Inadvertently) deleted information
- Identifying weaknesses
  - After a break-in, identify the method employed in order to prevent it in the future
- Identifying the attack/attacker
  - Verify whether an incident actually happened and who was responsible for it

Problematic example of CF

"Prove that we did not receive this e-mail"
- Can we really do that?
- We can "easily" prove the receipt of the e-mail; we just have to find it on the mail server (or traces of it)
- But proving the negative?
- If we don't find any trace on the mail server, this means
  » we did not search enough,
  » it was there, but was later accidentally deleted and overwritten,
  » it was there and then cleverly deleted, or
  » it was never on the server at all (deleted in transit, …)
- But there is normally no way to prove which of these options describes what actually occurred
- Potential options: third parties (logs, replies, …), traces of destroying evidence (no proof, but bad in court)

When to use CF? Concrete examples

- Misuse of ICT by employees
  - Unauthorized disclosure of data
  - Internet (WWW, e-mail, …) abuse
  - Deleted/damaged information
- Exploiting ICT
  - Industrial espionage
  - Hacking of systems
  - Infiltration (zombies, trojans, viruses, …)
- Damaging ICT
  - Web page defacements
  - Denial of Service attacks
  - Crashing computers

When to use CF? More (prosaic) examples

- Any normal crime
  - Plans on a computer
  - Tracing communication or money
- Computer crimes
  - Phishing, "money mules" etc.
- Disputes between companies
  - We did deliver the product
  - The delivery was too late, defective, …
  - Is the price "appropriate"?
- Companies vs. consumers
  - Details: see above
  - Addition: often "computer company" vs. "laymen"

When NOT to use CF

- Acting immediately on any suspicion
  - Plan first: evidence is destroyed very easily
  - Locate an expert for doing this type of computer forensics
- At the last minute: do it as soon as possible
- Because I'm interested: girl/boyfriend, spouses etc.
  - Potentially a typical area for CF, but it should not be used "lightly"
- "Special" groups are involved
  - Representatives, medical doctors, attorneys, clergy
    » These are often privileged regarding evidence
- Because it is against the company policy/immoral/…
  - If the (suspected) behaviour is not illegal, it is much more difficult to investigate it legally
- Using your own staff for important investigations
  - → Use external independent experts (= third party)

Who should/may use CF?

- Authorization is required for accessing data
  - See privacy laws
- Live monitoring, hacking, password cracking etc. tools are legally "dangerous"
  - Possession alone might be criminal
    » A good explanation and evidence for their necessity/legal use might be required
- Personnel to "do" CF:
  - System administrators in their own area
    » With restrictions, additional permissions/consent/…
  - Experts for courts or private investigations
    » "Expert" is not a legal/protected name → anyone can use it
  - Everyone on their own system
    » Note: if a second person (e.g. husband/wife) uses the system → consent by this person is necessary

Where to find evidence

- Disks: hard disks, USB disks, floppy disks, tapes, …
  - The typical "storage medium"
  - Note: these can be very small and very easily hidden
    » They might also pose as "normal" objects
      – Example: USB stick in a pocket knife
- Devices: mobile phones, PDAs, MP3 players, USB sticks, game consoles, …
  - Directly or in disks contained therein
  - Not a storage medium, but usually may contain arbitrary data
    » In addition to the "normal" data like music, contacts etc.
- Recorders: cameras, audio recorders, GPS trackers, TVs, …
  - Similar to devices: own data + any other stored data
- Digital copiers/printers
  - Might add a serial number to each copied/printed sheet
  - May contain old scanned pages

A few examples of hidden USB keys…
(Picture slide; the images are not reproduced here.)

Types of evidence

- Who was it: identifying information
  - Typical data: IP addresses, login names, passwords
    » The language of the words used may also be interesting
- What did he do: traces of actions
  - Typical data: log files, shell history files, event log
  - Especially important: various application-internal logs and non-standard configurations
    » The "standard" files are more likely to be cleaned by attackers
- What did he add: data itself
  - Typical data: additional program code, user accounts, program configurations
    » Code: new/changed programs, modified source code
- What did he remove: remains of data
  - Typical data: deleted files (destroyed data as well as his own "intermediate" files), encrypted files

Technical problems of CF

- Anything done to a system changes it
  - Especially problematic for running systems
  - Usually less of a problem for hard disks
    » Reading data might change the content microscopically …
- You can never trust the system under investigation
  - It may be hacked, modified by the owner etc.
- Proving you did not change anything is difficult
  - You must be "above suspicion" and take precautions
- The past can never be known
  - We can only find hints of what might possibly have been
    » The content could have been manufactured by someone
    » This can be pretty good evidence, but no absolute proof
- Not everyone knows everything
  - Every forensic examination is limited by the examiner

Systematic problems of CF

- Identifying the attacker: IP addresses are typically the only traces of "hacking"; often they cannot be identified
  - No information available anymore
  - Used a proxy (= other hacked computer; commercial proxy service) without any logs on that one
- Finding traces: if the attacker is good, once he has compromised the system he can hide his tracks very well
  - Note: it is very easy to forget something, but you can hide almost every trace
    » Exceptions: already backed up, external systems (network sniffers/IDS on other systems not yet hacked, …)
  - Note: many investigations are successful
    » E.g. child pornography is difficult to hide and still "use"
    » The culprit must not forget even once to perform all security precautions (and when he does, he won't immediately notice that he forgot)
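The "data integrity" requirement, the logged chain of custody under the basic principles, and "proving you did not change anything" under the technical problems all rest on the same mechanism: hash the evidence at acquisition and keep a tamper-evident record of every handling step. The following is an added illustration, not code from the lecture; the log format, the sample image bytes and the examiner names are constructed for this example.

```python
import hashlib
import json

# Constructed sample "evidence image"; a real case would read a raw disk image from a file.
EVIDENCE_IMAGE = b"\x00" * 512 + b"constructed sample partition data" + b"\xff" * 512

def evidence_hash(data: bytes) -> str:
    """SHA-256 of the evidence exactly as acquired; every later check compares against it."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody log for one item (hypothetical format, not a standard).
    Each entry records who did what and when plus the evidence hash at that moment, and
    carries the hash of the previous entry, so editing or removing an entry is caught by verify().
    """

    def __init__(self, item_id: str, data: bytes, actor: str, when: str):
        self.item_id = item_id
        self.entries = []
        self.record("acquired", actor, data, when)

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the digest does not depend on dictionary key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, actor: str, data: bytes, when: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"item": self.item_id, "seq": len(self.entries), "action": action,
                "actor": actor, "when": when, "evidence_sha256": evidence_hash(data),
                "prev": prev}
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)

    def verify(self, current_data: bytes) -> tuple:
        """Return (log_intact, evidence_unchanged)."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev"] != prev or self._digest(body) != entry["entry_hash"]:
                return False, False  # the log itself was altered, so nothing in it can be relied on
            prev = entry["entry_hash"]
        return True, evidence_hash(current_data) == self.entries[0]["evidence_sha256"]

def build_sample_log() -> CustodyLog:
    """Two constructed custody entries for the sample image (examiner names are made up)."""
    log = CustodyLog("HDD-01", EVIDENCE_IMAGE, "examiner A", "2012-03-01T09:00")
    log.record("copied to analysis workstation", "examiner B", EVIDENCE_IMAGE, "2012-03-02T10:15")
    return log
```

A real log would be stored separately from the evidence and signed or witnessed, since a log kept only on the examiner's own machine proves little to a court.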