CNS 320 Week1 Lecture
Week 1
Copyright 2013, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Course Description
Introduction to the topics of Computer Forensics and Incident Response on Windows Systems
PREREQUISITES:
- Familiarity with Windows and Linux computer usage
- Familiarity with Windows and Linux Administration & Internals helpful
Content in Flux
- Course originally developed with an eye toward process and legal issues (I've stripped out almost all of that old content, but a few elements remain)
- Materials are still under revision
- I'm trying to provide a significant amount of technical and practical content which you may be able to actually apply
- I will work with you as a class to make this course as interesting as possible without (I hope) leaving many of you in the dust
- Be aware that the most interesting & useful of the content will require its underpinnings to be force-fed at a rather rapid rate, which will increase the difficulty
- Students at the SANS Institute refer to this process as "drinking from the fire hose"
Apologies in Advance
Course Design Challenges
- Selecting digestible information subsets
- Organizing the material
- In many disciplines, specifics follow logically from generalities based on consistent rules
- IMHO Forensics is much more empirical, more like an infinite progression of narrowly defined specialties, with lots of case-by-case variation
- I've attempted to select material for the class which is both representative and useful
Why all the deep background? (assuming you don't expect to be designing your own forensic tools)
- Forensic tools frequently do squirrely things
- You will need to recognize when this happens, and possibly figure out what the results should have been by hand
- You will likely need to explain to a nontechnical person (or a jury) exactly how/why a tool produced a given result
- You will want to know that certain information is available (and where) even when a tool you've had to use did not provide it
- Good: in that they can free up time for a Forensic Analyst and enable him to spend that effort on more problematic areas
- Bad: in that they can be error-prone, and a lazy or clueless analyst relying on their output can make improperly-based assertions which can be refuted, or at the least cast doubt on other findings
- Always cross-check & verify results on which important assertions are based using different tools, and properly explain any significant anomalies
- You should always know, at least in a general way, from what artifact a result was obtained, and be able, with reasonable effort, to backtrack & manually step through the methodology used to create it
- Note that these statements represent my moderate viewpoint on a somewhat controversial topic
Syllabus
- As you can see, we've got a lab as a classroom
- We'll be making use of that each week
- I hope to cover practical application of each element immediately after introducing it in lecture
- 30-50% of each class period will be devoted to lab
Syllabus
- Authentication and Chain of Custody
- Courtroom Usage
- Collection
- Examination
- Analysis
- Reporting
FORENSIC PROCESSES
Syllabus
- Windows Disk Partitioning
- NTFS
- Registry Fundamentals
- Malware Detection & Analysis in Memory
- Link Files & Win7 Jumplists
- Application Metadata
- Log Analysis
- Timelines

- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Follow-Up & Lessons Learned
Syllabus
CNS-320 Week-By-Week
Week 1:
Lab: Physical & Logical Imaging
Lab: NTFS Examination & Analysis
Week 2
Week 3
Week 4
D2L
We will be using D2L, one of CDM's Course Management Systems. The system can be found at https://d2l.depaul.edu.
Class Participation
Please feel free to interrupt. There are no stupid questions, only stupid instructors. Be a loudmouth! You'll get more out of the class that way. So will everyone else. The only reason you have an instructor instead of just reading out of a book and taking tests is so you can ask about things that aren't in the materials. The more questions you ask, the more you'll learn, as will the rest of the class. If I say something that makes no sense, for god's sake stop me! I probably just confused at least half of you!
Labs
- Familiarize you with tools hands-on
- Ensure everyone can perform demonstrated tasks
- Let you ask questions when tools don't perform as expected
- Despite not being graded, this is the most important portion of the class
Email is preferred.
Please include CNS 320 in the subject line of all email communications
You may request a scheduled telephone/web conference.
My email address is jmccash@cdm.depaul.edu
Cell phone 847-660-3373 (Please call only between 5:00 PM and 9:00 PM)
Office hours: Thursdays, 9:00-10:30 pm
Grading
Final Exam
Short Answer
Primary Textbook
Windows Forensic Analysis Toolkit 3rd Edition
By: Harlan Carvey
Publisher: Syngress
Pub. Date: January 15, 2012
Print ISBN-13: 978-1-59749-727-5
Web ISBN-13: 978-1-59749-728-2
Optional Reference
File System Forensic Analysis
By: Brian Carrier
Publisher: Addison-Wesley Professional
Pub. Date: March 17, 2005
Print ISBN-10: 0-321-26817-2
Print ISBN-13: 978-0-321-26817-4
Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensicanalysis/0321268172
- Other course materials will be available on the web, including the DePaul University Libraries' website at http://www.lib.depaul.edu/
- Lecture slides & reading assignments will be posted on D2L each week the night before class
- Didier Stevens - http://blog.didierstevens.com/
- ForensicIT.EU - http://forensicit.eu/
- SANS Computer Forensics, Investigation, and Response - http://computerforensics.sans.org/blog
- Matthieu Suiche - http://www.msuiche.net/
- Volatility - http://volatility.tumblr.com/
- Computer Forensics/E-Discovery Tips/Tricks and Information (Mark McKinnon) - http://cfed-ttf.blogspot.com/
- int for(ensic){blog;} (Andreas Schuster) - http://computer.forensikblog.de/en/
- A Geek Raised by Wolves (Jesse Kornblum) - http://jessekornblum.livejournal.com/
- Computer Forensics, Malware Analysis & Digital Investigations (Lance Mueller) - http://www.forensickb.com/
- Windows Incident Response (Harlan Carvey) - http://windowsir.blogspot.com/
- forensic . seccure . net (Mariusz Burdach) - http://seccure.blogspot.com/
- Forensic Computing (Mike Murr) - http://www.forensicblog.org/
- Forensic Focus Blog (Jaimie Morris) - http://forensicfocus.blogspot.com/
- Forensic Incident Response (Hogfly) - http://forensicir.blogspot.com/
- Hacking Exposed Computer Forensics Blog - http://hackingexposedcomputerforensicsblog.blogspot.com/
- digfor (Andre Ross) - http://digfor.blogspot.com/
- Computer Forensics and Incident Response - http://breach-inv.blogspot.com/
- ForensicZone - http://forensiczone.blogspot.com/
- The Digital Standard - http://thedigitalstandard.blogspot.com/
- Forensic 4cast - http://www.forensic4cast.com/
- Cyberspeak - http://cyberspeak.libsyn.com/
- Inside the Core (Mac) - http://insidethecore.com/
Academic Integrity
Plagiarism is a major form of academic dishonesty involving the presentation of the work of another as one's own. Plagiarism includes but is not limited to the following:
- The direct copying of any source, such as written and verbal material, computer files, audio disks, video programs or musical scores, whether published or unpublished, in whole or part, without proper acknowledgement that it is someone else's.
- Copying of any source in whole or part with only minor changes in wording or syntax, even with acknowledgement.
- Submitting as one's own work a report, examination paper, computer file, lab report or other assignment that has been prepared by someone else. This includes research papers purchased from any other person or agency.
- The paraphrasing of another's work or ideas without proper acknowledgement.
Definition of Plagiarism
Plagiarism involves using the work of another person and presenting it as your own.
Outright copying of someone else's writing is the most clear-cut form of plagiarism. But other forms exist:
- Mosaic
- Paraphrase
- Insufficient acknowledgement
North Carolina State University Georgetown University Stanford University Northwestern University
Terminology
- RFC 4949, by R. W. Shirey - http://www.ietf.org/rfc/rfc4949.txt
- http://www.microsoft.com/security/glossary.mspx
- http://www.sans.org/resources/glossary.php
Terminology
Legal Terms
Digital Evidence
Everybody knows it's on computer hard disks. Where else can digital evidence be found?
- Computer Hard Drives, Memory, BIOS Settings
- Printers, Copiers/Multifunction Devices, and other computer peripherals may actually be complete embedded computer systems
- Integrated components may also be embedded systems
- Flash Drives with significant storage capacity are now very small, and can easily be hidden
- Network Hardware: Switches, Routers, Firewalls, WAPs, Web Proxy Gateways
- SIEMs & other log aggregation systems
- Phones, other portable electronic devices, game consoles & peripherals, even some refrigerators
- The Cloud
- Casey Anthony acquitted in 2011
- Discrepancy between results of parsing of a Firefox v2 history.dat file with NetAnalysis and Cacheback used to cast doubt on the forensic analysis
- Firefox v2 history.dat file was recovered from unallocated space
- NetAnalysis reported 8878 records (there were actually 9075, possibly determined by hand) and one visit to chloroform.html
- Cacheback 2.8 RC2 reported 8571 records and 84 visits (incorrect!) to chloroform.html. After subsequent revision, Cacheback matched 9048 records in the file.
- Any change made as a result of an event of interest
- Locard's Exchange Principle
- Our job is to sift Digital Evidence for Forensic Artifacts
Forensic Processes
Goals
- Collect evidence, ensuring its integrity over the entire forensic lifecycle
- Analyze & Report on Evidence
- Present findings, deriving facts about the issue of concern from the evidence, and ensuring that all such derived facts are properly qualified
National Institute of Standards and Technology (NIST) special publication 800-86, Guide to Integrating Forensic Techniques into Incident Response
Windows UNIX
Evidence Preservation
- Documents every individual with access to the item at any time from collection forward
- Minimizing the number of entries is key
Chain of Custody
- Goal: To ensure no alteration of the original evidence during collection, storage or analysis
- Requires documenting procedures used in the collection, storage and analysis of evidence
Chain of Custody
A piece of paper or electronically stored information, without any indication of its creator, source, or custodian may not be authenticated under Federal Rule of Evidence 901.
- Prenumbered evidence tags & tamper-evident bags w/labels for collector, date/time, location, signature
- Specific number ranges provided to designated evidence collectors to provide redundant collector identification
- Paper log forms (may be a single form, but if two, no overlap other than reference number)
  - Inventory collection
  - Chain of custody transfer information
- Evidence items tagged, bagged, labeled by collector
- Bag & tag numbers and in-situ collection information for each item documented on paper inventory collection forms
- Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.
- Evidence tag # is permanently assigned to evidence item
- Evidence bag # & label info provide chain of custody assurance from collection to log-in
Reasons
- Triage (to determine whether an evidence item is to be physically collected or not, or to identify subsets of existing evidence, such as a very large RAID array, that must be collected)
- Volatile data which may otherwise not survive transport to evidence lockup (we'll discuss this in more detail next week)
- Digital evidence collected onto pre-wiped virgin media, then tagged, bagged, time/date/location noted, & signed for, just like physical evidence
- Documentation
  - Written account of actions
  - Potentially tool log files, which could be written to the same media as the collected evidence
  - Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.
Evidence Log-In
1. Data from paper inventory collection forms is transcribed into evidence lockup database
2. Data from tamper-evident evidence bags is also transcribed into database
3. If no collector noted on forms, this is inferred from numbers, and that fact noted
4. Copies of collection recordings may be attached
5. Chain of custody form initially filled out & entered by receiving lockup representative, including lockup receipt date/time
6. Items scheduled for examination
1. Chain of custody form updated by technician
2. Bag opened by evidence technician and evidence physically examined for descriptive info omitted at time of original collection
3. Additional data documented by technician & recorded into database with notation as to source. Electronic info may also be added.
4. All technician activities documented and possibly audio/video recorded
5. Forensic imaging of original evidence may also be done at this point
6. Original evidence then returned to lockup
Subsequently
- Chain of custody form joins evidence item permanently
- Each time evidence is returned to lockup, chain of custody data is updated in database
- Multiple copies of all forensic data may be made for subsequent direct examination, but chain of custody on these need not be tracked
1. Evidence tag number
2. Original collection bag number
3. Collector name
4. Date & time collected
5. Data for each custodian (multiple blanks for subsequent entries):
   - Name & Organization
   - Date & time received
   - Signature
   - Notes (to identify bag opening & any irregularities)
- Evidence number of item
- Evidence collection bag number
- Evidence # of collection recording
- Collector name
- Collection date/time
- Collection location (address, room, etc.)
- Unique evidence description (could include explicit fields for color, model, serial#, and possibly a space for attached photo)
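As an added illustration (not from the slides or any evidence-management product), here is a small Python model of the chain-of-custody record described above. It carries the fields the form lists, infers the collector from pre-assigned tag number ranges when the form omits it (and notes that fact, as the log-in procedure requires), and flags the irregularities a reviewer should see before relying on the item: a custodian entry without a signature, or a receipt time earlier than the previous custody event. The tag ranges, names, bag numbers and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: tag number ranges issued to designated collectors, so the
# tag number alone identifies who collected the item (redundant identification).
TAG_RANGES: Dict[Tuple[int, int], str] = {
    (1000, 1999): "A. Collector",
    (2000, 2999): "B. Collector",
}


def infer_collector(tag_number: int, ranges=TAG_RANGES) -> Optional[str]:
    """Return the collector a pre-numbered tag was issued to, or None if unknown."""
    for (low, high), name in ranges.items():
        if low <= tag_number <= high:
            return name
    return None


@dataclass
class CustodyEntry:
    """One custodian line on the chain-of-custody form."""
    name: str
    organization: str
    received: datetime
    signature: str
    notes: str = ""  # e.g. bag opened, resealed, irregularities


@dataclass
class ChainOfCustody:
    """Header fields of the form plus the running list of custodians."""
    tag_number: int
    bag_number: str
    collected: datetime
    collector: Optional[str] = None
    entries: List[CustodyEntry] = field(default_factory=list)
    annotations: List[str] = field(default_factory=list)

    def __post_init__(self):
        # Log-in rule from the slides: a collector missing from the form is
        # inferred from the tag number, and that inference is itself recorded.
        if self.collector is None:
            inferred = infer_collector(self.tag_number)
            if inferred is not None:
                self.collector = inferred
                self.annotations.append(f"collector inferred from tag range: {inferred}")

    def transfer(self, entry: CustodyEntry) -> None:
        """Record a hand-over (lockup -> technician -> lockup ...)."""
        self.entries.append(entry)

    def problems(self) -> List[str]:
        """Every irregularity that needs explaining before the item is relied on."""
        issues = []
        if self.collector is None:
            issues.append("no collector recorded and tag number outside every issued range")
        previous = self.collected
        for index, entry in enumerate(self.entries, 1):
            if not entry.signature.strip():
                issues.append(f"entry {index}: missing signature")
            if entry.received < previous:
                issues.append(f"entry {index}: received {entry.received:%Y-%m-%d %H:%M} "
                              f"is earlier than the previous custody event "
                              f"{previous:%Y-%m-%d %H:%M}")
            previous = entry.received
        return issues


def demo():
    """Constructed walk-through: collection, log-in, examination, return to lockup."""
    chain = ChainOfCustody(tag_number=1042, bag_number="B-0042",
                           collected=datetime(2013, 1, 7, 9, 30))  # collector left blank
    chain.transfer(CustodyEntry("R. Lockup", "Evidence Lockup",
                                datetime(2013, 1, 7, 11, 0), "RL", "logged in"))
    chain.transfer(CustodyEntry("E. Tech", "Forensics Lab",
                                datetime(2013, 1, 8, 8, 15), "ET",
                                "bag opened for imaging, resealed as B-0042-2"))
    # The return entry was back-dated to the collection day and never signed.
    chain.transfer(CustodyEntry("R. Lockup", "Evidence Lockup",
                                datetime(2013, 1, 7, 17, 0), ""))
    return chain.collector, chain.annotations, chain.problems()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the checks is the one the slides make about minimizing and documenting custody entries: an unsigned or out-of-order entry does not prove tampering, but it is exactly the kind of irregularity opposing counsel will ask about, so the record should surface it rather than hide it.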
Imaging
- An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD etc.)
- Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF
- Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (md5, sha1, sha256)
- On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged
- On live systems, it is almost certain that the image hash for a disk in use or system memory will not match
- Exact methodologies will vary from organization to organization
Physical Image: Full image of complete physical disk device content
Logical Image: Image of a logical volume mounted on a live system, such as:
- Portion of a physical device
- RAID spread across several different physical devices
- Mounted encrypted volume
- Mounted network volume
Hashing
- Cryptographic hashes are algorithms that can be applied to arbitrarily long sequences of data bytes with the aim of producing a much shorter result which is still unique
- Mathematically infeasible to reverse
- For some such algorithms, there are known collisions & mechanisms for producing them
- If this is a risk, the simplest way to avoid it is to use two different hashes (MD5 & SHA1 for example)
- Most commonly used: MD5, SHA1, SHA256
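As an added example (not part of the original slides or any forensic tool's code), the following Python script shows the imaging and hashing points above in working form: an image is digested in fixed-size chunks with more than one algorithm, the digests are recorded at acquisition, and a later verification reports exactly which digests no longer match. The sample "image" is a small constructed file standing in for a raw disk image; the file name and helper names are my own.

```python
import hashlib
import io
import os
import tempfile

# Algorithms named on the slide. Recording two or more digests means a
# collision would have to hold in every one of them simultaneously.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Digest a file-like object in chunks so a multi-GB image never sits in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=ALGORITHMS):
    """Digest an image file on disk; this is what gets recorded at acquisition."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(path, recorded):
    """Re-hash the image and compare against the recorded digests.

    Returns (ok, mismatched_algorithms). ok is True only when every recorded
    digest matches; any mismatch means the image can no longer be relied on.
    """
    actual = hash_image(path, algorithms=tuple(recorded))
    mismatched = sorted(name for name in recorded if actual[name] != recorded[name])
    return (not mismatched, mismatched)


def demo():
    """Acquire, verify, change one bit, verify again."""
    # Constructed sample: 8 KiB standing in for a raw (dd-style) disk image.
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence_tag_1042.dd")  # hypothetical name
    with open(image, "wb") as fh:
        fh.write(b"MBR" + b"\x00" * 4093 + b"NTFS    " + b"\xaa" * 4088)

    recorded = hash_image(image)  # the digests written on the evidence form
    ok_before, _ = verify_image(image, recorded)

    # Flip one bit at offset 4096: the kind of silent change a disk mounted
    # without a write-blocker can suffer (journal replay, access-time update).
    with open(image, "r+b") as fh:
        fh.seek(4096)
        original = fh.read(1)
        fh.seek(4096)
        fh.write(bytes([original[0] ^ 0x01]))

    ok_after, mismatched = verify_image(image, recorded)
    return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```

Note that a single flipped bit invalidates all three digests at once; that is the property the slide relies on, and it is also why a live-system image (where the source keeps changing underneath the acquisition) will not re-verify against the original media.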
Example hash values (128-, 160- and 256-bit digests, i.e. MD5, SHA1 and SHA256 respectively):
6830723bbaade6e72dbbfb5c91466c9e
7d6ae63b1201e68e5e686c10eabbd7eef76cf19e
b21f00291949d848e4fe0f94ac76dcc40d68c6ffad873f515a7304f54566ce6e
[Hash algorithm comparison table; the row and column labels did not survive extraction. Rows as recovered:
512 512 512 512 512 512 512 1,024 512
64 64 64 64 64 64 64 128 64
32 32 32 32 32 32 32 64 64
48 64 80 80 80 80 64 80 24
No No No No No No No No No]
Fuzzy Hashing
ssdeep is the most commonly used fuzzy hashing utility. It is most effective on files containing large amounts of text, less so with purely binary data, but YMMV.
Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH). A complete explanation of CTPH can be found at http://dfrws.org/2006/proceedings/12Kornblum.pdf
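To make the idea concrete, here is an added, deliberately simplified context-triggered piecewise hash in Python, written for this page rather than taken from ssdeep or the Kornblum paper. It uses a position-weighted sum of the last seven bytes as the rolling hash, cuts a new piece whenever that value hits a trigger residue modulo the block size, maps each piece to one signature character through SHA-256, and scores two signatures by edit distance. Real ssdeep differs in detail (it derives the block size from the file length, emits two signatures at adjacent block sizes, and uses its own rolling hash and scoring), but the constructed sample texts show the behaviour the slide describes: a small edit leaves most of the signature intact, while any change at all produces a completely different cryptographic hash.

```python
import hashlib

WINDOW = 7        # bytes in the rolling-hash window
BLOCK_SIZE = 64   # expected piece length; the trigger fires about once per 64 bytes
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789+/")


def rolling_hash(window: bytes) -> int:
    """Position-weighted byte sum over the window. It depends only on local
    content, so identical content re-synchronises the trigger points wherever
    it appears, even after bytes have been inserted or deleted earlier in the file."""
    return sum(b * (k + 1) for k, b in enumerate(window))


def piece_char(piece: bytes) -> str:
    """Reduce one piece to a single signature character (6 bits of SHA-256)."""
    return ALPHABET[hashlib.sha256(piece).digest()[0] & 63]


def ctph(data: bytes, block_size: int = BLOCK_SIZE, window: int = WINDOW) -> str:
    """Context-triggered piecewise hash: one character per content-defined piece."""
    signature = []
    piece_start = 0
    for i in range(len(data)):
        if rolling_hash(data[max(0, i - window + 1):i + 1]) % block_size == block_size - 1:
            signature.append(piece_char(data[piece_start:i + 1]))
            piece_start = i + 1
    if piece_start < len(data):          # trailing piece after the last trigger
        signature.append(piece_char(data[piece_start:]))
    return "".join(signature)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute, each of cost 1)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score: 100 means identical signatures, 0 means nothing in common."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(sig_a, sig_b) / longest))


def demo():
    """Constructed documents: an original, a lightly edited copy, and an unrelated file."""
    original = " ".join(f"record {n} of the evidence log was reviewed on day {n % 30}"
                        for n in range(150)).encode()
    edited = original.replace(b"record 75 of", b"record 75 (amended) of", 1)
    unrelated = " ".join(f"packet {n * 7} captured on interface eth0 at offset {n * 13}"
                         for n in range(150)).encode()
    sig_o, sig_e, sig_u = ctph(original), ctph(edited), ctph(unrelated)
    return {
        "fuzzy_original_vs_edited": similarity(sig_o, sig_e),
        "fuzzy_original_vs_unrelated": similarity(sig_o, sig_u),
        "md5_unchanged_by_edit": hashlib.md5(original).hexdigest()
                                 == hashlib.md5(edited).hexdigest(),
        "pieces_in_original": len(sig_o),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because piece boundaries are chosen by content rather than by offset, inserting "(amended)" in the middle of the document only disturbs the one or two pieces that overlap the edit; every later boundary re-synchronises, which is what lets a fuzzy hash find a modified copy of a document that MD5 or SHA1 would report as entirely different.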
- Helix3 (not Helix3 Pro or Helix3 Enterprise) - https://www.efense.com/store/index.php?_a=viewProd&productId=11&ccUser=f6e155820240b27967246d7ec8f9fa2d
- AccessData FTK Imager
- EnCase (Guidance Software)
- FTK Forensic Toolkit (AccessData)
- SANS Linux SIFT Kit (Free)
- Helix (Free, but discontinued)
- The Sleuth Kit (File System Analysis Tools)
- log2timeline (Timeline Generation Tool)
- ssdeep & md5deep (Hashing Tools)
- Foremost/Scalpel (File Carving)
- WireShark (Network Forensics)
- Vinetto (thumbs.db examination)
- Pasco (IE Web History examination)
- Rifiuti (Recycle Bin examination)
- Volatility Framework (Memory Analysis)
- DFLabs PTK (GUI Front-End for Sleuthkit)
- Autopsy (GUI Front-End for Sleuthkit)
- PyFLAG (GUI Log/Disk Examination)
- Regripper (Registry Analysis)
- 100s more tools -> See Detailed Tool Listing
2. Digital Forensics: Detecting time stamp manipulation - http://computerforensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/
3. NTFS $I30 Attributes: Evidence of Deleted and Overwritten Files - http://forensicmethods.com/ntfs-index-attribute
4. Skim Chapters 5 (PC-based Partitions), 8 (File System Analysis), 11 (NTFS Concepts), 12 (NTFS Analysis), and 13 (NTFS Data Structures) of File System Forensic Analysis. Try to actually read through the section on Index Attributes and Data Structures. I know it's a little opaque, but it's a really good reference, and I don't know of a more readable summary that goes into any significant detail.
By: Brian Carrier
Publisher: Addison-Wesley Professional
Pub. Date: March 17, 2005
Print ISBN-10: 0-321-26817-2
Print ISBN-13: 978-0-321-26817-4
Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensicanalysis/0321268172
Questions?