• No results found

Introduction. IMF Conference September 2008

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Introduction. IMF Conference September 2008"

Copied!
33
0
0

Loading.... (view fulltext now)

Download now ( 33 Page )

Full text

(1)

Live Forensic Acquisition

Live Forensic Acquisition

as Alternative to

as Alternative to

Traditional Forensic

Traditional Forensic

Processes

Processes

Marthie Lessing* Marthie Lessing*

Basie von Solms

(2)

Introduction

• The Internet and technology

developments introduced a sharp increase in computer related crime

• Cyber forensics aim to act against these electronic offenders

(3)

Introduction

• Live forensics remedies some of the problems introduced by traditional forensic acquisition

• Still in the starting phase…

– theoretically produce comprehensive forensically sound evidence

(4)

Cyber Forensics

• “… The discipline that combines

elements of law and computer science…

• “… To collect and analyse data from

computer systems, networks, wireless communications and storage devices…

• “… In a way that is admissible as

(5)

Cyber Forensics History

• FBI started with Cyber Forensics in 1984 • Considered as retrospective profiling

– case specific

(6)

Cyber Forensics Methodology

• Acquire evidence without altering or damaging original

• Authenticate that recovered evidence is the same as the originally seized data • Analyse data without modifying it

(7)

Forensic Acquisition

Approach computer Access and write block target system

Attach hard drive to forensic system, no

data modification

Make a complete copy of the hard drive Document chain of custody Transport and store evidence media Approach computer Approach computer Access and write block target system Access and write block target system

Attach hard drive to forensic system, no

data modification Attach hard drive to forensic system, no

data modification

Make a complete copy of the hard drive

Make a complete copy of the hard drive Document chain of custody Document chain of custody Transport and store evidence media Transport and store evidence media

(8)

Forensic Acquisition

• Isolate system

• Approach computer/access device

– Pull power plug

– Normal administrative shutdown – Keep system running

• Interviews

• Begin timeline establishment

(dead)

(dead) (live)

(9)

Forensic Acquisition

• Write block target system

– Allows system to read from external drive

– Blocks any write

commands to external drive – Prevents unauthorised

modification or formatting of drive under examination – Hardware or software

(10)

Forensic Acquisition

• Forensically sound copy

– Bit by bit copy

– Identify hidden data:

• HPA (Hardware Protected Areas)

• DCO (Device Configuration Overlays)

6.4 GB User Addressable Space 1 GB HPA 1 GB DCO Block 0 Block 12,515,071 Block 14,515,071 16,515,071Block 0 GB 6.4 GB 7.4 GB 8.4 GB

(11)

Forensic Acquisition

• Chain of custody

– Data and devices should be accounted for at all times

– “… The gathering and preservation of the

identity and the integrity of the evidential proof that is required to prosecute the suspect in

(12)

Forensic Acquisition

• Transport evidence

– From crime scene to forensic laboratory – Guidelines:

• minimise physical shocks • protect from magnetic fields • use anti-static bags

(13)

Forensic Acquisition

• Store evidence

– Minimise bit rot – Guidelines:

• temperature range of 18 - 20°C • humidity of 35 - 40%

• protect from dust, dirt, grease and chemical pollutants

(14)

Current Debate

Traditional (dead) digital

Traditional (dead) digital

forensics

forensics

OR

Live digital forensics

(15)

Dead Forensics

• “… Analysis done on a powered off

computer…”

• Pulling the plug to avoid any malicious process from running and potentially deleting evidence

• Creates snapshot of system information and swap files

(16)

Dead Forensics

Remove hard drive from target

system Turn off computer Approach computer No Yes

Attach hard drive to forensic system, no

data modification Make a complete copy of the hard

drive Is computer

powered on?

(17)

Advantages: Dead Forensics

• Slim chance of data modification

• Small window of opportunity for volatile data retrieval

(18)

Disadvantages: Dead Forensics

• Cryptography

• Volatile network data

• Gigabytes of data to analyse

• Lack of standardised procedures • Practical and legal constraints

(19)

Live Forensics

• Analysis is done on a live system

• Developed in response to shortcomings of dead forensic acquisition

(20)

Live Forensics

Proceed with dead forensic analysis Approach computer No Yes Make a complete copy of the hard drive Is computer powered on? Select analysis mode Write block target system Network analysis Local analysis

Attach hard drive to forensic system Select investigation mode Overt Covert

(21)

Real vs Virtual Environment

• Virtual machine requires further analysis

– copyright notes or vendor strings – VMWare specific hardware drivers – VMWare specific BIOS

– VMWare specific MAC addresses – installed VMWare tools

– hardware virtualisation – hardware fingerprinting

(22)

Advantages: Live Forensics

• Retrieve volatile information

(23)

Disadvantages: Live Forensics

• Every computer installation is unique • Data modification a reality

• Slurred images

• Authenticity and reliability more difficult to prove

• Anti-forensic toolkits

(24)

Forensic Soundness

• Evidence can make or break an investigation

• All evidence should be forensically sound to ensure admission in a court of law

(25)

Forensic Soundness

• “… Created by a method that does not, in

any way, alter any data on the drive being duplicated…”

• “… Must contain a copy of every bit, byte

and sector of the source drive, including unallocated empty space and slack space, precisely as such data appears on the

source drive…”

• “… The manner used to obtain the

(26)

Forensic Soundness

• Practical problems

– Live forensics requires the introduction of software into the suspect system’s memory, altering the original data evidence source

– Volatile nature of Cyber Forensics • Heisenberg uncertainty principle • Observer effect

(27)

Forensic Soundness

(28)

Forensic Soundness

(29)

Forensic Soundness

(30)

Forensic Soundness

• Key to forensic soundness is documentation

– Report on evidence origin

– Report of handling by investigators – Ensures validation by courts

(31)

Forensic Soundness

• To ensure admission in court

– “… derived by scientific method…”

(32)

Conclusion

• Intense research still needed

– Preliminary study shows that live forensics measures up to traditional digital forensics

• Correct technique allows forensic soundness

– Minor controlled modifications should be

(33)

[email protected]

References

Download now ( PDF - 33 Page - 2.82 MB )

Related documents

RESEARCHING OF RANKING HANDBALL REFEREES' JOB SATISFACTION LEVELS IN TERMS OF SOME PARAMETERS

In conclusion; it’s considered in the research that statistically there’s no difference between the job satisfaction levels of the handball ranking referees according

Surviving the GOP Primary

Texas Governor Rick Perry, who entered the race three weeks ago and has already managed to reshape it, made it a contest between himself and Mitt Romney.. Jon Huntsman is now

Mandatory Reporting of Child Abuse and Neglect (Last Updated November 2012)

(a) When a report is received that alleges neglect, physical abuse, sexual abuse, or maltreatment of a child while in the care of a licensed or unlicensed day care

Backup and Restore User manual For version

If you must backup to the same drive that contains EasyLog 5, make sure to copy those backups to a removable media drive, a second hard drive, or a networked hard drive often1.

Newton-based Optimization Methods for Noise-Contrastive Estimation

unnormalized models, noise-contrastive estimation, conjugate gradient, line search, trust region The main focus of this thesis is on the use of Newton-based optimization methods for

ConoSurf: Open-source 3D scanning system based on a conoscopic holography device for acquiring surgical surfaces

• TRE of point measurements: In order to decide the target registra- tion error (TRE) of the tracked ConoProbe measurements, N s = 15 GT points ( p ′ ) were acquired using the

Castlebar School Attendance Policy

The school values the support of parents in matters of attendance, and appropriate opportunities will be taken to state attendance policy. This will be on admission, at

Regulatory Requirements Governing Research Reports and Research Analysts

The member firm may permit a Research Analyst Account to purchase or sell any security issued by a Subject Company within 30 calendar days before the publication of a Research