Il software libero, 26 May 2011
Computer Forensics & Free Software
What is Computer Forensics?
• In general, the goal of digital forensic analysis is to identify digital evidence for an investigation. An investigation typically uses both physical and digital evidence with the scientific method to draw conclusions. Examples of investigations that use digital forensics include computer intrusion, unauthorized use of corporate computers, child pornography, and any physical crime whose suspect had a computer.
• At the most basic level, digital forensics has three major phases:
• Acquisition;
• Analysis;
• Presentation.
Acquisition phase
• The Acquisition Phase saves the state of a digital system so that it can be analyzed later.
• This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence, so the goal of this phase is to save all digital values.
• Tools are used in the acquisition phase to copy data from the suspect storage device to a trusted device. These tools must modify the suspect device as little as possible and copy all data.
• Linux’s “dd” is the most effective and widespread open source software that you can use for acquisition.
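Added example (not from the slides): a dd-style sector copy with the semantics of `conv=noerror,sync`, followed by the hash comparison used to prove the image matches the source. The 8-sector "device" and the set of unreadable sectors are constructed here to show why the hash no longer matches after a read error.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # dd's default block size


def acquire(src_path, img_path, bad_sectors=frozenset()):
    """Copy src_path to img_path one sector at a time, the way
    `dd if=src of=img bs=512 conv=noerror,sync` does.  `bad_sectors` is a
    constructed set of sector numbers that simulate hardware read errors: each
    one is logged and written as zeros so every later byte keeps its offset.
    Returns (sectors_written, list_of_unreadable_sectors)."""
    unreadable = []
    n = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            chunk = src.read(SECTOR)
            if not chunk:
                break
            if n in bad_sectors:
                unreadable.append(n)
                chunk = b"\x00" * SECTOR
            elif len(chunk) < SECTOR:  # conv=sync pads a short final block
                chunk = chunk.ljust(SECTOR, b"\x00")
            img.write(chunk)
            n += 1
    return n, unreadable


def hash_file(path, algo="md5"):
    """Hash a file in chunks.  MD5 is what the slides mention; pass "sha256"
    for a collision-resistant digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def demo(bad_sectors=frozenset()):
    """Image a constructed 8-sector 'device' and check the image against the
    source: the hash only matches when every sector could be read."""
    tmp = tempfile.mkdtemp()
    dev, img = os.path.join(tmp, "dev"), os.path.join(tmp, "dev.dd")
    with open(dev, "wb") as f:
        for i in range(8):
            f.write(bytes([i]) * SECTOR)  # sector i is filled with byte value i
    sectors, unreadable = acquire(dev, img, bad_sectors)
    return {
        "sectors": sectors,
        "unreadable": unreadable,
        "image_size": os.path.getsize(img),
        "hash_matches": hash_file(dev) == hash_file(img),
    }


if __name__ == "__main__":
    print(demo())                  # clean copy: hashes match
    print(demo(bad_sectors={3}))   # sector 3 unreadable: hashes differ
```

The list of unreadable sectors is what goes into the acquisition notes, since the source and image hashes cannot agree once a sector has been zero-filled.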
Analysis phase
• The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:
• Inculpatory Evidence: that which supports a given theory
• Exculpatory Evidence: that which contradicts a given theory
• Evidence of tampering: that which cannot be related to any theory but shows that the system was tampered with to avoid identification
• The scientific method is used in this phase to draw conclusions based on the evidence that was found.
• Tools in this phase will analyze a file system to list directory contents and names of deleted files, perform deleted file recovery, and present data in the most useful format. This phase should use an exact copy of the original, which can be verified by calculating an MD5 checksum.
Presentation phase
• The Presentation Phase, though, is based entirely on policy and law.
• This phase presents the conclusions and corresponding evidence from the investigation. In a corporate investigation, the audience typically includes the general counsel, human resources, and executives.
• Privacy laws and corporate policies dictate what is presented. In a legal setting, the audience is typically a judge and jury.
A more general view
• Electronic devices are a source of evidence in all areas, and this trend will increase.
• The increasing spread of technology will make them actors in the scenes of many crimes (terrorism, drug trafficking, murder, robbery, assault, etc.).
Computer Forensics categories
• Computer Forensics (computers);
• Digital Forensics (digital tools);
• Network Forensics (computer networks);
• Mobile Forensics (mobile):
• SIM Forensics (mobile phone SIM cards);
• Smartphone Forensics;
• PDA Forensics;
• GPS Forensics (satellite navigation);
TV lies
Reality is different
Who works in Computer Forensics?
• Computer engineers;
• Lawyers;
• District attorneys;
• Law Enforcement;
• Investigators;
• Insurance;
• Companies;
Typical Computer Crimes
• Unauthorized access to computer systems;
• Sale or possession of unauthorized access codes;
• Sending programs intended to damage a computer system;
• Interception or Obstruction of computer communications;
• Cracking;
• Spamming;
• Computer fraud;
• Information Damage;
• Child Pornography;
• Insults, Threats, Defamation;
• Copyrights;
• Phishing and Scams;
• Money Laundering and Counterfeiting;
Civil Law
• Contracts:
• Electronic signature and electronic document;
• Contracts and digital computer;
• Business and labor;
• Trademarks and domain names;
• Workers and tools (remote control, privacy ...)
• Personal rights:
• Right to privacy;
• Consumer protection;
Business
Usually computer forensics is used in business matters between companies and employees. Questions such as:
• Was the computer used to illegally access a server? If yes, who did it?
• Was the computer used to send documents and / or confidential data to third parties? If yes, who sent them?
• Was the computer used to perform operations that were not allowed?
What about the software?
In Computer Forensics, consultants use different types of tools, such as:
• Virtualization Systems;
• Password cracking tools;
• Network packet analyzers;
• Format conversion tools;
• Audio and video players;
• File viewers;
• Hexadecimal Editors;
• Forensic Toolkits;
• Data recovery software;
Open Source or Proprietary?
Consultants say:
• “As in other IT industries the compromise is in the middle: use open source as long as you can, but also use proprietary tools if you don't want to ruin your life!”
Trust source code
• A big issue if the commercial software is not well-known.
• Most vendors point out that the source code of their products is available, under appropriate NDAs and restrictive court orders, for review.
• Different paradigms for OSS in Computer Forensics:
• Usually source code is available and whoever wants to can give a contribution.
• In Computer Forensics the code is available for inspection, but the upload of new code is controlled by moderators.
Trust source code
• Ideally, in order for a given instrument (or procedure) to be eligible, it should pass specific tests:
• testing: experimental verification of the procedure;
• error rate: the percentage of error must be known;
• publication: the procedure has been through the publication process in peer-reviewed journals / conferences;
• acceptance: the procedure is generally accepted by the relevant scientific community.
Main issues of OSS in Computer Forensics
• There are commercial solutions which are “de facto standards”.
• OSS software is not considered reliable.
• All the parties must agree on using a specific software:
• Usually the most well-known one is chosen (and it is commercial!)
• Complexity (often OSS software is not so “user friendly”)
Most Known Commercial Software
• EnCase (Guidance Software);
• Forensic Toolkit (AccessData);
• X-Ways Forensics (X-Ways);
• P2 Commander (Paraben Corporation);
• ProDiscover (Technology Pathways);
What is a Live CD?
• A live CD, live DVD, or live disc is a CD or DVD containing a bootable computer operating system. Live CDs are unique in that they have the ability to run a complete, modern operating system on a computer lacking mutable secondary storage, such as a hard disk drive. Live USB flash drives are similar to live CDs, but often have the added functionality of automatically and transparently writing changes back to their bootable medium.
• A Forensics Live CD is a typical Live CD which has several tools installed that can be used for Forensic Analysis.
Most Known Forensics Live CD
The main available distributions are:
• Helix Knoppix (E-fense, based on Knoppix);
• Helix 2008 (E-fense, based on Ubuntu);
• DEFT 4.0 (Fratepietro, based on Ubuntu);
• Caine 0.5 (Giustini, based on Ubuntu);
• Grml (based on Debian);
• BackTrack (based on Ubuntu), with a “forensics mode” available.
The sleuth kit
• The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities that allow the forensic analysis of computer systems.
• It was written and is maintained by digital investigator Brian Carrier.
• TSK can be used to perform investigations and data extraction from images of Windows, Linux and Unix computers.
• The Sleuth Kit is normally used in conjunction with its custom front-end application, Autopsy, to provide a user-friendly interface.
• Several other tools also use TSK for file extraction.
• The Sleuth Kit is a free, open source suite that provides a large number of specialized command-line utilities.
Autopsy
• The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit.
• Two main modes:
• A “post mortem” analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab.
• A “live” analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
Autopsy – Evidence Search
• File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
• File Content: The contents of files can be viewed in raw or hex form, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.
• Hash Databases: Look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user-created databases of known good and known bad files.
• File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to identify files that may have had their extension changed to hide them.
Autopsy – Screenshot
Autopsy – Evidence Search (II)
• Timeline of File Activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
• Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
• Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
Autopsy – Screenshot
Autopsy – Evidence Search (III)
• Data Unit Analysis: Data units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which one has allocated the data unit.
• Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.
Autopsy – Screenshot
Autopsy – Case Management
• Case Management: Investigations are organized by cases, which can contain one or more hosts. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze.
• Event Sequencer: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.
• Notes: Notes can be saved on a per-host and per-investigator basis. These allow you to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.
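Added example (not Autopsy's or TSK's code) tying together the file-activity timeline and the per-host time zone and clock skew settings described above: a mactime-style timeline built from constructed file records, with allocated and deleted files, that corrects each MAC time before sorting. The three file records, the host offset of UTC+2 and the clock skew are all constructed inputs.

```python
from datetime import datetime, timedelta, timezone

# Constructed records of the kind TSK's fls/istat report for each file:
# (path, allocated?, Modified, Access, Change) with times as raw epoch seconds.
FILES = [
    ("/home/u/report.doc", True, 1306400000, 1306401000, 1306400000),
    ("/home/u/.cache/tmp1 (deleted)", False, 1306399000, 1306399000, 1306399500),
    ("/bin/ls", True, 1300000000, 1306401200, 1300000000),
]


def build_timeline(files, host_utc_offset_hours=0, clock_skew_seconds=0):
    """Return a mactime-style timeline: one row per (time, file) carrying a
    3-character flag string ('m.c' = modified and changed at that instant).
    Times are rendered in the host's time zone, and `clock_skew_seconds` (how
    far the host clock ran ahead of real time) is subtracted first; this is
    what Autopsy's per-host time zone and clock skew settings do."""
    tz = timezone(timedelta(hours=host_utc_offset_hours))
    rows = {}
    for path, allocated, mtime, atime, ctime in files:
        for kind, t in (("m", mtime), ("a", atime), ("c", ctime)):
            when = datetime.fromtimestamp(t - clock_skew_seconds, tz).isoformat()
            entry = rows.setdefault((when, path), {"flags": set(), "alloc": allocated})
            entry["flags"].add(kind)
    timeline = []
    for (when, path), info in sorted(rows.items()):
        letters = "".join(k if k in info["flags"] else "." for k in "mac")
        state = "alloc" if info["alloc"] else "deleted"
        timeline.append((when, letters, state, path))
    return timeline


if __name__ == "__main__":
    for row in build_timeline(FILES, host_utc_offset_hours=2):
        print(*row, sep="  ")
```

Sorting the ISO strings works because every row carries the same UTC offset; a deleted file's entries sit in the same timeline as allocated ones, which is what lets an investigator see activity the file system no longer references.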
Autopsy – Screenshot
Autopsy – Case Management
• Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time.
• Reports: Autopsy can create ASCII reports for files and other file system structures. This enables you to quickly make consistent data sheets during the investigation.
• Logging: Audit logs are created on a case, host, and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.
Autopsy – Case Management
• Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.
• Client Server Model: Autopsy is HTML-based and therefore you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.
Data Hiding
• Data hiding is the act of hiding information from the direct view of the user in a digital environment. Data hiding can be faced in the two scenarios presented before.
• Live system analysis: in this scenario we can dump the volatile memory of the system and use these data to eventually decipher information.
• Post mortem analysis: through file carving, steganalysis, metadata, filesystem and file content analysis we can discover data hidden in the storage memory.
Memory Dump
• Dumping the volatile memory of an active system can lead the investigator primarily to recover the passwords needed to decipher files or volumes hidden in the storage memory through encryption.
• Moreover, this mapping of the running memory shows whether any programs were active at the moment of the capture, and which ones, so it can help the investigator draw a sketch of the state and the purpose of the system under examination.
• Unfortunately it is difficult to find a valid OSS tool to perform this type of operation.
Storage Analysis
These activities take place in a post-mortem system analysis:
• Partition table analysis;
• File system analysis;
• Metadata analysis;
• File content analysis;
• File carving;
Partition table and file system analysis
• By using a simple hexadecimal editor the investigator opens and reads the content of the entire disk to look for information hidden in the free space of the initial sectors of the disk, in the unused space of the partition table and identifiers, and even for hidden partitions.
• Similarly, and with the same tools, it is good practice to look for information hidden in the file system structures and in the slack space.
Metadata and file content analysis
• Just as useful as looking in the lower-level structures of the disk is searching for sensitive information in the metadata of a file system.
• In this case, in addition to real data that could have been hidden in these special files, the investigator can recover information regarding the timeline of the accesses and modifications to the files stored in the memory.
• By analyzing the content and locating the stored files, the investigator can trace every malicious, illegal or relevant material, such as virus or malware development kits, prohibited multimedia content or chat logs.
• locate, find, PhotoRec and similar OSS tools are available in the most common forensic Linux distributions and are widely used by experts.
File carving
• The process of file carving consists in the analysis of all the information written on the storage memory of a computer.
• With this process the investigator can find previously deleted and still not rewritten data: all the information still present on the storage but unreferenced by the filesystem.
• There is plenty of OSS, like Foremost and Scalpel, that is widely used and trusted in forensic activities.
• These tools present a final report listing all the information found on the disk after a deep low-level analysis.
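Added example (not Foremost's or Scalpel's code): header/footer carving over a raw image, ignoring any file system, with a per-file MD5 for the final report. The signature table follows the style of a Foremost configuration, and the 8 KiB image is constructed with a JPEG-like and a PNG-like blob that no directory entry references.

```python
import hashlib

# (extension, header, footer, max size) in the style of a foremost.conf line
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20_000_000),
]


def carve(image):
    """Scan the whole image, allocated or not, for each header and cut the
    file at the first footer found within the signature's size limit.
    A header without a footer in range is skipped, as Foremost would do."""
    found = []
    for ext, header, footer, max_size in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            found.append({"ext": ext, "offset": start, "size": len(data),
                          "md5": hashlib.md5(data).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed 8 KiB raw image: zero filler, a minimal JPEG-like blob at
    offset 1024 and a PNG-like blob at offset 4096, neither referenced by
    any file system structure (this is the data carving recovers)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 8 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-payload" * 6
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    img = bytearray(8192)
    img[1024:1024 + len(jpeg)] = jpeg
    img[4096:4096 + len(png)] = png
    return bytes(img)


if __name__ == "__main__":
    for f in carve(build_sample_image()):   # the "final report"
        print(f"{f['offset']:>8}  {f['size']:>6}  {f['ext']}  {f['md5']}")
```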
Steganography
• Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.
• Steganography vs. Cryptography
• The goal of Steganography is to keep the presence of a message secret, or hide the fact that communication is taking place.
• Cryptography's goal is to obscure a message or communication so that it cannot be understood.
• Steganography and Cryptography make great partners. It is common practice to use cryptography with steganography.
Steganalysis
• Steganalysis is the art and science of detecting messages hidden using steganography; this is analogous to cryptanalysis applied to cryptography.
• The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.
• Unlike cryptanalysis, where it is obvious that intercepted data contains a message (though that message is encrypted), steganalysis generally starts with a pile of suspect data files, but little information about which of the files, if any, contain a payload. The steganalyst is usually something of a forensic statistician, and must start by reducing this set of data files (which is often quite large; in many cases, it may be the entire set of files on a computer) to the subset most likely to have been altered.
Image Steganography
• The most common method of hiding information on a computer is the use of a bitmap image.
• Steganography strips less important information from digital content and injects hidden data in its place. This bit replacement is typically performed across the entire image.
• Usually files with redundant information are used (bmp, wav, etc.)
• The image on the right contains a 14Kb text file!
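Added example (not from the slides) of the bit replacement described above and of the statistic a steganalyst uses to flag it: LSB embedding into a constructed 8-bit grayscale cover, the matching extraction, and the pairs-of-values test, which exploits the fact that replacing a pixel's least significant bit can only move its value between 2k and 2k+1. The cover pattern, its skewed LSB plane and the payload text are all constructed; a real case would load pixels with an image library.

```python
W, H = 64, 64  # constructed 8-bit grayscale cover, stored as a flat bytearray


def make_cover():
    """Constructed cover whose LSB plane is skewed (only about one pixel in
    seven is odd), the kind of local imbalance real image data shows."""
    px = bytearray(W * H)
    for y in range(H):
        for x in range(W):
            even = ((53 * x + 97 * y + x * y) % 256) & 0xFE
            px[y * W + x] = even | (1 if (x + 3 * y) % 7 == 0 else 0)
    return px


def embed(cover, payload):
    """LSB replacement: a 4-byte big-endian length, then the payload, one bit
    per pixel, overwriting the least significant bit of each pixel in turn."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = bytearray(cover)
    for i, byte in enumerate(data):
        for b in range(8):
            idx = i * 8 + b
            stego[idx] = (stego[idx] & 0xFE) | ((byte >> (7 - b)) & 1)
    return stego


def extract(stego):
    """Inverse of embed: read the length prefix, then that many bytes of LSBs."""
    def byte_at(i):
        return int("".join(str(p & 1) for p in stego[i * 8:i * 8 + 8]), 2)
    length = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    return bytes(byte_at(i) for i in range(4, 4 + length))


def pov_statistic(px):
    """Pairs-of-values test.  LSB replacement only moves a pixel between 2k
    and 2k+1, so embedding drives the two counts of every pair together.  A
    value much smaller than a cover of this kind would give is the trace a
    steganalyst flags before trying to recover anything."""
    counts = [0] * 256
    for p in px:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        n0, n1 = counts[2 * k], counts[2 * k + 1]
        if n0 + n1:
            stat += (n0 - n1) ** 2 / (n0 + n1)
    return stat


SECRET = b"constructed secret note " * 17  # about 80% of the cover's capacity

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, SECRET)
    print("PoV cover:", round(pov_statistic(cover)), "stego:", round(pov_statistic(stego)))
    print("recovered:", extract(stego)[:24])
```

No pixel changes by more than one grey level, which is why the eye cannot tell the two images apart while the value-pair counts can.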
Do you want to try?