Computer Forensics & Free Software

(1)

Il software libero, 26 Maggio 2011

Computer Forensics & Free Software

(2)

What is Computer Forensics?

•  In general, the goal of digital forensic analysis is to iden3fy digital evidence for an inves3ga3on. An inves3ga3on typically uses both physical and digital evidence with the scien3ﬁc method to draw conclusions. Examples of inves3ga3ons that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer.

•  At the most basic level, digital forensics has three major phases:

•  Acquisi3on;

•  Analysis;

(3)

Acquisition phase

•  The Acquisi3on Phase saves the state of a digital system so that it can be later analyzed.

•  This is analogous to taking photographs, ﬁngerprints, blood samples, or 3re paGerns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence so the goal of this phase is to save all digital values.

•  Tools are used in the acquisi3on phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as liGle as possible and copy all data.

•  Linux’s “dd” is the most eﬀec3vely and widespread open source soMware that you can use for acquisi3on.

(4)

Analysis phase

•  The Analysis Phase takes the acquired data and examines it to iden3fy pieces of evidence. There are three major categories of evidence we are looking for:

•  Inculpatory Evidence: That which supports a given theory

•  Exculpatory Evidence: That which contradicts a given theory

•  Evidence of tampering: That which can not be related to any theory but shows that the system was tampered with to avoid iden3ﬁca3on

•  The scien3ﬁc method is used in this phase to draw conclusions based on the evidence that was found.

•  Tools in this phase will analyze a file system to list directory contents and names of deleted files, perform deleted file recovery, and present data in a format that is most useful. This phase should use an exact copy of the original, which can be verified by calcula3ng an MD5 checksum.

(5)

Presentation phase

•  The Presenta3on Phase though is based en3rely on policy and law.

•  This phase presents the conclusions and corresponding evidence from the inves3ga3on. In a corporate inves3ga3on, the audience typically includes the general counsel, human resources, and execu3ves.

•  Privacy laws and corporate policies dictate what is presented. In a legal seQng, the audience is typically a judge and jury.

(6)

A more general view

•  Electronic devices are (and this trend will increase) a source of evidence in all areas.

•  The increasing spread of technology will make them players in many scenes of several crimes (terrorism, drug traﬃcking, murder, robbery, assault, etc.).

(7)

Computer Forensics categories

Il software libero, 26 Maggio 2011 •  Computer Forensics (computers);

•  Digital Forensics (digital tools);

•  Network Forensics (computer networks);

•  Mobile Forensics (mobile):

•  SIM Forensics (mobile phones SIM cards);

•  Smartphone Forensics;

•  PDA Forensics;

•  GPS Forensics (satellite naviga3on);

(8)

Tv lies

(9)

Reality is different

(10)

Who works in Computer Forensics?

Il software libero, 26 Maggio 2011 •  Computer engineers; •  Lawyers; •  District aGorneys; •  Law Enforcement; •  Inves3gators; •  Insurance; •  Companies;

(11)

Typical Computer Crimes

Il software libero, 26 Maggio 2011 •  Unauthorized access to computer systems;

•  Sale or possession of unauthorized access codes;

•  Sending programs intended to damage a computer system;

•  Intercep3on or Obstruc3on of computer communica3ons;

•  Cracking;

•  Spamming;

•  Computer fraud;

•  Informa3on Damage;

•  Child Pornography;

•  Insults, Threats, Defama3on;

•  Copyrights;

•  Phishing and Scams;

•  Money Laundering and Counterfei3ng;

(12)

Civil Law

Il software libero, 26 Maggio 2011 •  Contracts:

•  Electronic signature and electronic document;

•  Contracts and digital computer;

•  Business and labor;

•  Trademarks and domain names;

•  Workers and tools (remote control, privacy ...)

•  Personal rights:

•  Right to privacy;

•  Consumer protec3on;

(13)

Business

Usually computer forensics is used in business maGers between companies and employes. Ques3on such as:

•  Was the computer used to access illegally to a server? If yes, who sent them?

•  Was the computer used to send documents and / or conﬁden3al data to third par3es? If yes, who sent them?

•  Was the computer used to perform not allowed opera3ons?

(14)

What about the software?

In Computer Forensics, consultants use diﬀerent type of tools, such as:

•  Virtualiza3on Systems;

•  Password cracking tools;

•  Network packet analyzers;

•  Format conversion tools;

•  Audio and video players;

•  File viewers;

•  Exadecimal Editors;

•  Forensic Toolkits;

•  Data recovery soMware;

(15)

Open Source or Proprietary?

Consultants say:

•  “As in other IT industry the compromise is in the middle: use opensource as

long as you can, but also use proprietary tools if you don't want to ruin your life!”

(16)

Trust source code

Il software libero, 26 Maggio 2011 •  Big maGer if the commercial soMware is not well-‐known

•  Most vendors point out that the source code of their products is available, under appropriate NDAs and restric3ve court orders, for review.

•  Diﬀerent paradigms for OSS in Computer Forensics:

•  Usually source code is available and who wants can give a contribu3on.

•  In Computer Forensics the code is available for inspec3ons but the upload of new code is under control by moderators.

(17)

Trust source code

•  Ideally, in order to have the eligibility of a given instrument (or procedure), it should pass speciﬁc tests:

•  tes3ng: experimental veriﬁca3on of the procedure;

•  error rate: the percentage of error must be known;

•  publica3on: the publica3on process in journals / conferences peer-‐reviewed;

•  acceptance: the procedure is generally accepted by the relevant scien3ﬁc community.

(18)

Main issues of OSS in Computer Forensics

•  There are commercial solu3ons which are “standard de facto”.

•  OSS soMware is not considered reliable.

•  All the par3es must agree on using a speciﬁc soMware:

•  Usually is chosen the most well-‐known (and it is commercial!)

•  Complexity (oMen OSS soMware is not so “user friendly”)

(19)

Most Known Commercial Software

Il software libero, 26 Maggio 2011 •  Encase (GuidanceSoMware);

•  ForensicToolkit (Access Data);

•  X-‐WaysForensic (X-‐Ways);

•  P2 Commander (Paraben Corpora3on);

•  Pro Discover (TechnologyPathways);

(20)

What is a Live CD?

•  A live CD, live DVD, or live disc is a CD or DVD containing a bootable computer opera3ng system. Live CDs are unique in that they have the ability to run a complete, modern opera3ng system on a computer lacking mutable secondary storage, such as a hard disk drive. Live USB ﬂash drives are similar to live CDs, but oMen have the added func3onality of automa3cally and transparently wri3ng changes back to their bootable medium.

•  A Forensics Live CD is a typical Live CD which has installed several tools that can be used for Forensics Analisys.

(21)

Most Known Forensics Live CD

The main available distribu3ons are:

•  HelixKnoppix (E-‐fense, based on Knoppix);

•  Helix2008 (E-‐fense, based on Ubuntu);

•  DEFT 4.0 (Fratepietro, based on Ubuntu);

•  Caine0.5 (Gius3ni, based on Ubuntu);

•  Grml (based on Debian);

•  BackTrack (based on Ubuntu). "forensics mode” available.

(22)

The sleuth kit

•  The Sleuth Kit (TSK) is a library and collec3on of Unix-‐ and Windows-‐based tools and u3li3es to allow for the forensic analysis of computer systems.

•  It was wriGen and maintained by digital inves3gator Brian Carrier.

•  TSK can be used to perform inves3ga3ons and data extrac3on from images of Windows, Linux and Unix computers.

•  The Sleuth Kit is normally used in conjunc3on with its custom front-‐end applica3on, Autopsy, to provide a user friendly interface.

•  Several other tools also use TSK for ﬁle extrac3on.

•  The Sleuth Kit is a free, open source suite that provides a large number of specialized command-‐line based u3li3es.

(23)

Autopsy

•  The Autopsy Forensic Browser is a graphical interface to the command line digital inves3ga3on tools in The Sleuth Kit.

•  Two main modes:

•  A “post mortem” occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab.

•  A “live” analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being conﬁrmed. AMer it is conﬁrmed, the system can be acquired and a dead analysis performed.

(24)

Autopsy – Evidence Search

•  File Lis(ng: Analyze the files and directories, including the names of deleted files and files with Unicode-‐based names.

•  File Content: The contents of ﬁles can be viewed in raw, hex, or the ASCII strings can be extracted. When data is interpreted, Autopsy sani3zes it to prevent damage to the local analysis system. Autopsy does not use any client-‐side scrip3ng languages.

•  Hash Databases: Lookup unknown ﬁles in a hash database to quickly iden3fy it as good or bad. Autopsy uses the NIST Na3onal SoMware Reference Library (NSRL) and user created databases of known good and known bad ﬁles.

•  File Type Sor(ng: Sort the files based on their internal signatures to iden3fy files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to iden3fy files that may have had their extension changed to hide them.

(25)

Autopsy – Screenshot

(26)

Autopsy – Evidence Search (II)

•  Timeline of File Ac(vity: In some cases, having a 3meline of file ac3vity can help iden3fy areas of a file system that may contain evidence. Autopsy can create 3melines that contain entries for the Modified, Access, and Change (MAC) 3mes of both allocated and unallocated files.

•  Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.

•  Meta Data Analysis: Meta Data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to iden3fy the full path of the file that has allocated the structure.

(27)

Autopsy – Screenshot

(28)

Autopsy – Evidence Search (III)

•  Data Unit Analysis: Data Units are where the ﬁle content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The ﬁle type is also given and Autopsy will search the meta data structures to iden3fy which has allocated the data unit.

•  Image Details: File system details can be viewed, including on-‐disk layout and 3mes of ac3vity. This mode provides informa3on that is useful during data recovery.

(29)

Autopsy – Screenshot

(30)

Autopsy – Case Management

•  Case Management: Inves3ga3ons are organized by cases, which can contain one or more hosts. Each host is conﬁgured to have its own 3me zone seQng and clock skew so that the 3mes shown are the same as the original user would have seen. Each host can contain one or more ﬁle system images to analyze.

•  Event Sequencer: Time-‐based events can be added from ﬁle ac3vity or IDS and ﬁrewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.

•  Notes: Notes can be saved on a per-‐host and per-‐inves3gator basis. These allow you to make quick notes about ﬁles and structures. The original loca3on can be easily recalled with the click of a buGon when the notes are later reviewed. All notes are stored in an ASCII ﬁle.

(31)

Autopsy – Screenshot

(32)

Autopsy – Case Management

•  Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any 3me.

•  Reports: Autopsy can create ASCII reports for ﬁles and other ﬁle system structures. This enables you to quickly make consistent data sheets during the inves3ga3on.

•  Logging: Audit logs are created on a case, host, and inves3gator level so that ac3ons can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.

(33)

Autopsy – Case Management

•  Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configura3on files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.

•  Client Server Model: Autopsy is HTML-‐based and therefore you do not have to be on the same system as the ﬁle system images. This allows mul3ple inves3gators to use the same server and connect from their personal systems.

(34)

Data Hiding

•  Data hiding is the act of hiding informa3on to the direct view of the user in a digital environment.Data hiding can be faced in the two scenarios presented before.

•  Live system analysis: in this scenario we can dump the vola3le memory of the system and use these data to eventually decipher informa3ons.

•  Post mortem analysis: through file carving, steganalysis, metadata, filesystem and file content analysis we can discover data hidden in the storage memory.

(35)

Memory Dump

•  Dumping the vola3le memory of an ac3ve system can lead the inves3gator primarily to recover the passwords to decipher ﬁles or volumes hidden in the storage memory through encryp3on.

•  Moreover this mapping of the running memory shows if any and which programs were ac3ve at the moment of the capture, so it can help the inves3gator drawing a sketch of the state and the purpose of the system under esamina3on.

•  Unfortunately it is diﬀucult to ﬁnd a valid OSS to perform this type of opera3on.

(36)

Storage Analysis

These ac3vi3es take place in a post-‐mortem system analysis

•  Par33on table analysis;

•  File system analysis;

•  Metadata analysis;

•  File content analysis;

•  File carving;

(37)

Partition table and file system analysis

•  By using a simple hexadecimal text editor the inves3gator opens and read the content of the en3re disk to look for informa3on hidden in the free spaces in the ini3al sectors of the disk, in the unused space of the par33on table and iden3ﬁers and even for hidden par33ons.

•  Similarly and with the same tools, it is a good prac3ce to look for informa3on hidden in the ﬁle system structures and in the slack space.

(38)

Metadata and file content analysis

•  Just as good as looking in the lower level structures of the disk is to search for sensible informa3on in the metadata of a ﬁle system.

•  In this case, in addi3on to real data that could have been hidden in this special files, the inves3gator can recover informa3ons regarding the 3meline of the accesses and modifica3ons to the files stored in the memory.

•  Analyzing the content and loca3ng the ﬁles stored, the inves3gator can trace every malicious, illegal or relevant material, such as virus or malware developing kits, prohibited mul3media contents or chat logs.

•  Locate, ﬁnd, photorec and similar OSS are available in the most common forensics linux distribu3ons and widely used by the experts.

(39)

File carving

•  The process of ﬁle carving consists in the analysis of all the informa3on wriGen on the storage memory of a computer.

•  With this process the inves3gator can ﬁnd previously deleted and s3ll notrewriGen data, all the informa3ons s3ll present on the storage unreferenced by the ﬁlesystem.

•  There are a plenty of OSS like Foremost and Scalpel are widely used and trusted in the forensics ac3vi3es.

•  These tools present a ﬁnal report lis3ng all the informa3on found on the disk aMer a deep low level analysis.

(40)

Steganography

•  Steganography is the art and science of wri3ng hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.

•  Steganography vs. Cryptography

•  The goal of Steganography is to keep the presence of a message secret, or hide the fact that communica3on is taking place.

•  Cryptography goal is to obscure a message or communica3on so that it cannot be understood.

•  Steganography and Cryptography make great partners. It is common prac3ce to use cryptography with steganography.

(41)

Steganalysis

•  Steganalysis is the art and science of detec3ng messages hidden using steganography; this is analogous to cryptanalysis applied to cryptography.

•  The goal of steganalysis is to iden3fy suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.

•  Unlike cryptanalysis, where it is obvious that intercepted data contains a message (though that message is encrypted), steganalysis generally starts with a pile of suspect data files, but liGle informa3on about which of the files, if any, contain a payload. The steganalyst is usually something of a forensic sta3s3cian, and must start by reducing this set of data files (which is oMen quite large; in many cases, it may be the en3re set of files on a computer) to the subset most likely to have been altered.

(42)

Image Steganography

•  The most common method of hiding informa3on on a computer is the use of a bitmap image.

•  Steganography strips less important informa3on from digital content and injects hidden data in its place. This bit replacement is typically performed across the en3re image.

•  Usually are used ﬁles with reduntant informa3on (bmp, wav. etc.)

•  The image on the right contains a 14Kb text ﬁle!

(43)

Do you want to try?

(44)

Bibliography

[1] M. Epifani, “Computer Forensics & Ethical Hacking”;

[2] C. Anglano, “InformaGca Forense ed InvesGgazioni Digitali”;

[3] E. Huebner, and S. Zanero “Open Source SoKware for Digital Forensics”, Springer;

[4] A. Ghirardini, G. Faggioli. “Computer Forensics” , Apogeo 2007.