Analysis and Validation
COMP 2555: Principles of Computer Forensics, Autumn 2014
L11: Analysis and Validation
http://www.cs.du.edu/2555

Determining What Data to Analyze
- Examining and analyzing digital evidence depends on:
  - The nature of the case
  - The amount of data to process
  - Search warrants and court orders
  - Company policies
- Scope creep: the investigation expands beyond its original description
  - Decide up front what is in scope, and document any expansion (and the authority for it) before processing the extra data

Approaching Computer Forensics Cases
- Process the data methodically and logically
- Basic steps for all computer forensics investigations:
  - Starting at the root directory of the volume or partition, list all folders and files on the image or drive
  - If possible, examine the contents of all data files in all folders
  - For all password-protected files that might be related to the investigation, make your best effort to recover the file contents
  - Identify the function of every executable (binary or .exe) file that does not match known hash values
  - Maintain control of all evidence and findings, and document everything as you progress through your examination

Using AccessData Forensic Toolkit (FTK)
- Supported file systems: FAT12/16/32, NTFS, Ext2fs and Ext3fs
- FTK can analyze data from several sources, including image files from other vendors
- FTK produces a case log file
- Searching for keywords
  - Indexed search
  - Live search
  - Supports options and advanced searching techniques such as stemming, phonics, synonyms and fuzzy search
- Analyzes compressed files
- You can generate reports
  - Using bookmarks

Validating with Hexadecimal Editors
- Advanced hexadecimal editors offer many features not available in computer forensics tools
  - Such as hashing specific files or sectors
- Hex Workshop provides several hashing algorithms
  - Such as MD5 and SHA-1
  - Caveat: neither MD5 nor SHA-1 is collision-resistant any more; both remain usable for matching against known-file hash sets, but record a SHA-256 alongside them when validating evidence
- Hex Workshop also generates the hash value of a selected range of data in a file or sector

Validating with Forensics Programs
- Commercial computer forensics programs have built-in validation features
- Using hash values to discriminate data
  - AccessData has a separate database, the Known File Filter (KFF)
  - KFF compares known file hash values to the files on your evidence drive or image files
  - It filters known program files from view, such as MSWord.exe, and identifies known illegal files
  - Periodically, AccessData updates these known file hash values and posts an updated KFF

Data Hiding Techniques
- File manipulation
  - Filenames and extensions
  - Hidden property
  - Segmentation
- Disk manipulation
  - Hidden partitions
  - Bad clusters
  - Bit shifting
- Encryption
- Steganography
- Rootkits

File Manipulation
- Easiest method of hiding data on a live file system
- Change the name or extension of the file in question
  - Change the name to a very common one
    - Much malware runs as svchost.exe, which is a very common process name in Windows
  - Change the extension and place the file in a folder with similar files
    - Name your file MSODBC32.dll and place it in WinNT\System32
    - This folder is full of .dll files
    - Even very experienced system administrators do not know the names of all the DLL files
- Countermeasure: file signature analysis
  - Identify a file by looking inside it (its header, or "magic number"), not by its name or extension, and flag every file whose content does not match its extension

File Manipulation (contd.)
- Using the hidden property of files
  - Almost every file system allows a file to be flagged as hidden
  - Windows: a check box in the file's properties marks it as hidden
  - Unix: any file name starting with a dot is hidden
  - Not difficult to detect
    - Either change the system settings to display all files
    - or use ls -a

File Manipulation (contd.)
- File segmentation
  - Back in the old DOS days, a large file had to be split to fit on floppy diskettes
  - Split a file into multiple segments of arbitrary size
  - Store each segment in a separate location
    - On the disk drive
    - As an alternate data stream
    - In the registry
    - …
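Hash-based filtering and file signature analysis, as described in the validation and file-manipulation slides above, worked through as an added Python example. This is my code, not the lecture's, and not how FTK, KFF or Hex Workshop implement these features: every file under an evidence directory is hashed with MD5 and SHA-1 in chunks, files whose hash is in a KFF-style known set are dropped from view, the rest are checked for a header that disagrees with their extension and for the hidden flag, and `hash_sectors` hashes a run of sectors from a raw image the way a hex editor hashes a selected range. The signature table is an assumed subset of what a real tool carries, the evidence tree that `demo()` builds is constructed data, and all function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20

# Assumption: a small subset of the signature table a real forensic tool carries.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF8": {".gif"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"MZ": {".exe", ".dll", ".sys", ".scr"},
    b"\x7fELF": {"", ".so", ".o"},
}


def hash_file(path, algos=("md5", "sha1")):
    """Hash one file in chunks (evidence files can exceed RAM); returns {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_sectors(image, first_sector, count, sector_size=512, algo="md5"):
    """Hash a run of sectors of a raw image, the way a hex editor hashes a selected range."""
    h = hashlib.new(algo)
    remaining = count * sector_size
    with open(image, "rb") as f:
        f.seek(first_sector * sector_size)
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break  # the requested range runs past the end of the image
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def identify(path):
    """File signature analysis: decide what a file is by looking inside it, not at its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, extensions in SIGNATURES.items():
        if head.startswith(magic):
            return magic, extensions
    return None, None


def is_hidden(path):
    """Unix dot-files, plus FILE_ATTRIBUTE_HIDDEN (0x2) where os.stat exposes it (Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & 0x2)


def triage(root, known_hashes):
    """Walk the evidence tree; drop files whose MD5 or SHA-1 is in the known set (the KFF
    idea) and report every other file together with the findings an examiner wants to see."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = Path(dirpath) / name
            digests = hash_file(path)
            if digests["md5"] in known_hashes or digests["sha1"] in known_hashes:
                continue  # known file: filtered from view
            notes = []
            magic, extensions = identify(path)
            ext = path.suffix.lower()
            if magic is not None and ext not in extensions:
                notes.append(f"content signature {magic!r} does not match extension {ext or '(none)'}")
            if is_hidden(path):
                notes.append("hidden")
            findings.append({"path": path.relative_to(root).as_posix(), **digests, "notes": notes})
    return findings


def demo():
    """Build a constructed evidence tree and raw image in a temp dir, then triage them."""
    work = Path(tempfile.mkdtemp())
    ev = work / "evidence"
    (ev / "docs").mkdir(parents=True)
    (ev / "docs" / "notes.txt").write_bytes(b"meeting at noon\n")
    (ev / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x01" * 64)
    (ev / "docs" / "report.pdf").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG renamed to .pdf
    (ev / ".stash").write_bytes(b"%PDF-1.4 secret\n")  # hidden dot-file with no extension
    tool = b"MZ" + b"\x90" * 100
    (ev / "tool.exe").write_bytes(tool)
    known = {hashlib.md5(tool).hexdigest()}  # stands in for the KFF database
    image = work / "disk.raw"
    sectors = bytes(range(256)) * 8  # 4 sectors of 512 bytes, constructed
    image.write_bytes(sectors)
    return {
        "findings": triage(ev, known),
        "sector_hash_matches": hash_sectors(image, 1, 2) == hashlib.md5(sectors[512:1536]).hexdigest(),
    }


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f["path"], f["md5"], f["notes"])
```

The known-hash check deliberately accepts a match on either digest, because published hash sets are distributed as MD5 or SHA-1 lists; a file that matches neither is left in view even if its name looks familiar, which is the point of filtering by content rather than by name.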
Hiding Partitions
- Delete the references to a partition using a disk editor
  - Re-create the links when you need to access it again
- Or use disk-partitioning utilities
  - GDisk
  - PartitionMagic
  - System Commander
  - LILO

Hiding Partitions (contd.)
- Account for all disk space when analyzing a disk
  - Add up the sectors covered by every partition entry, including the gaps between them, and compare the total against the device's sector count; unexplained gaps are where hidden partitions live

Marking Bad Clusters
- Common with FAT systems
- Place sensitive information in free space
- Use a disk editor to mark that space as bad clusters, so the file system never reuses it
- To mark a good cluster as bad using Norton Disk Edit
  - Type B in the FAT entry corresponding to that cluster (the bad-cluster marker is 0xFF7 in FAT12, 0xFFF7 in FAT16 and 0x0FFFFFF7 in FAT32)
- In Linux, associate good blocks with the bad blocks inode (inode 1 on ext2/ext3)
- Check: read every cluster or block marked bad; a "bad" cluster that reads back without error and holds meaningful data is a hiding place, not a defect

Bit-shifting
- Old technique
- Shift the bit pattern of each byte to alter the byte values of the data, so that a text file no longer looks like text
- Makes files look like binary executable code
- Reversible: shifting back by the same amount restores the original
- Tools
  - Hex Workshop
  - WinHex

What's Common Between These?
- (Image slide: two files shown side by side; content not transcribed)

Using Steganography to Hide Data
- Greek for "hidden writing"
- Steganography tools were created to protect copyrighted material
  - By inserting digital watermarks into a file
- A suspect can hide information in image or text document files
- Most steganography programs can insert only small amounts of data into a file
- Very hard to spot without prior knowledge
- Tools: S-Tools, DPEnvelope, jpgx, and tte

Rootkits
- A collection of tools and utilities that masks the presence of malicious activity in a system
  - Typical mechanism: hook APIs, so that every program that asks the system about processes, files or connections gets a filtered answer
  - Rootkits operating at the kernel level are very dangerous
- Detecting them
  - Different tools generate process lists using different techniques; a rootkit's processes may show up on one list and not on another
  - Analyze installed services (both running and halted)
  - Analyze the registry for errant services
  - Analyze the system from a remote system
- Prevention is better than cure!
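The cross-view check above (obtaining process lists with different techniques and looking for inconsistencies), worked through as an added Python example; this is my code, not the lecture's or any rootkit detector's. `cross_view_diff` takes any number of named views of the process table and reports the PIDs absent from some of them. The views in `demo()` are constructed; the live collector, which only runs on Linux when the script is executed directly, reads the /proc listing and probes every PID with kill(pid, 0), the technique the unhide tool uses, and folds thread ids back to their process so threads are not mistaken for hidden processes. All function names are this example's own.

```python
import os
import sys
import time


def cross_view_diff(views):
    """views: {view_name: set of PIDs}. Returns {pid: [views the PID is missing from]}
    for every PID seen by at least one view but not by all. A process that a hooked
    process-listing API hides is present in the raw views and absent from the hooked ones."""
    union = set().union(*views.values())
    inconsistent = {}
    for pid in sorted(union):
        missing = sorted(name for name, pids in views.items() if pid not in pids)
        if missing:
            inconsistent[pid] = missing
    return inconsistent


def view_proc_readdir():
    """View 1: what ps and top see, the numeric entries of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def read_tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot be opened.
    /proc/<tid> can be opened for a thread even though readdir never lists it."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def view_kill_probe(max_pid=None):
    """View 2: brute-force every PID with signal 0. EPERM still proves the PID exists.
    A rootkit that only filters readdir on /proc is blind to this probe."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours
        alive.add(pid)
    return alive


def live_views():
    """Linux only. Collect both views; fold thread ids found by the probe back to their
    thread group so ordinary threads are not reported as hidden processes."""
    probed = set()
    for pid in view_kill_probe():
        tgid = read_tgid(pid)
        probed.add(pid if tgid is None else tgid)
    return {"proc_readdir": view_proc_readdir(), "kill_probe": probed}


def demo():
    """Constructed views (not live data): PID 4242 answers kill(pid, 0) and can be opened
    under /proc directly, but a hooked readdir drops it from the listing that ps relies on."""
    views = {
        "ps_listing": {1, 2, 500, 731},
        "proc_readdir": {1, 2, 500, 731},
        "kill_probe": {1, 2, 500, 731, 4242},
        "proc_status_open": {1, 2, 500, 731, 4242},
    }
    return cross_view_diff(views)


if __name__ == "__main__":
    print("constructed sample:", demo())
    if sys.platform.startswith("linux"):
        # Processes that start or exit between the two views show up as transient
        # inconsistencies; keep only PIDs that are inconsistent in two consecutive runs.
        first = cross_view_diff(live_views())
        time.sleep(1)
        second = cross_view_diff(live_views())
        persistent = {pid: v for pid, v in first.items() if pid in second}
        print("persistent inconsistencies on this host:", persistent or "none")
```

Every view here is still answered by the running kernel, so a kernel-level rootkit that hooks the syscall table can lie to all of them consistently; that is why the slides recommend analyzing from a remote system or, better, imaging the disk and examining it offline.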
Rootkits (contd.)
- An attacker may devote a whole lot of time to compromising a system
  - and would want to keep the obtained privileges for as long as possible
- Techniques
  - Replace system binaries so that they report that everything is normal
    - Example: listing processes will not show the processes created by the attacker
  - Hook APIs
    - Example: filter the output of common programs
  - At the kernel level, the core functionality of the operating system itself is questionable: nothing the system reports about itself can be trusted
- Detection involves obtaining multiple perspectives of the problem and looking for inconsistencies
  - Look for known rootkit files
  - Use different tools to obtain running process lists
  - Analyze the system from a remote system; some hooked APIs can be bypassed this way
  - Use tools to monitor system files added or deleted
  - When the kernel itself is suspect, image the disk and analyze it offline from a clean system

Recovering Passwords
- Dictionary attack
- Brute-force attack
- Password guessing based on the suspect's profile
- Many systems do not directly store passwords, but their hashes
  - Knowing the hash makes recovery attempts faster: every guess can be hashed and compared offline, with no lockout and no rate limit, and when the hashes are unsalted one hash of a guess can be compared against every target at once
- Tools
  - AccessData PRTK
  - Advanced Password Recovery Software Toolkit
  - John the Ripper

Performing Remote Acquisitions
- Remote acquisitions are handy when you need to image the drive of a computer far away from your location
  - Or when you do not want a suspect to be aware of an ongoing investigation
- Remote acquisition software follows a client-server model to exchange information
  - A server component runs on the suspect machine, providing a portal into it
  - A client component on the examiner's (target) machine talks to the server and pulls the data across
  - Hash the data at both ends so that the image received can be shown to match the disk as read; the transfer is only as trustworthy as the channel it crosses

References
- Ch. 9: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN 978-1-435-49883-9
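The three recovery approaches listed under Recovering Passwords above, as an added Python example; this is my code, not the lecture's, and not how PRTK or John the Ripper work internally. It runs against constructed hashes rather than real case data: a dictionary attack with a few mangling rules and words derived from a suspect's profile, a brute-force search over a short PIN space, and the same dictionary attack against salted hashes to show why an unsalted hash makes recovery so much faster. `digest`, `mangle`, `profile_words` and the other names are this example's own, and the mangling rules are an assumed tiny subset of what a real cracker applies.

```python
import hashlib
import itertools
import string


def digest(text, algo="md5", salt=""):
    """Hex digest of salt+text, the way many legacy systems store a password."""
    return hashlib.new(algo, (salt + text).encode("utf-8")).hexdigest()


def mangle(word):
    """Yield rule-based variants of one dictionary word (an assumed small subset of the
    rules a cracker such as John the Ripper applies). Fixed order, duplicates skipped."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        leet = base.replace("a", "@").replace("e", "3").replace("o", "0")
        for v in (base, base + "1", base + "123", base + "!", base + "1!", leet, leet + "1"):
            if v not in seen:
                seen.add(v)
                yield v


def profile_words(profile):
    """Guesses built from what is known about the suspect: names, pet, significant years."""
    tokens = [t for k, t in profile.items() if k != "years"]
    years = profile.get("years", [])
    out = list(tokens)
    for t in tokens:
        for y in years:
            out += [t + y, t + y[-2:]]
    return out


def dictionary_attack(targets, wordlist, algo="md5"):
    """Unsalted hashes: one digest per guess is compared against every target at once.
    Returns (recovered {hash: plaintext}, number of hash operations spent)."""
    pending = set(targets)
    found, ops = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            if not pending:
                return found, ops
            h = digest(cand, algo)
            ops += 1
            if h in pending:
                found[h] = cand
                pending.discard(h)
    return found, ops


def salted_attack(targets, wordlist, algo="sha256"):
    """targets: {(salt, hash)}. A per-user salt forces a separate digest per target per
    guess, so the same wordlist costs up to len(targets) times as many operations."""
    pending = set(targets)
    found, ops = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            if not pending:
                return found, ops
            for salt, h in list(pending):
                ops += 1
                if digest(cand, algo, salt) == h:
                    found[h] = cand
                    pending.discard((salt, h))
    return found, ops


def brute_force(target, charset=string.digits, max_len=4, algo="md5"):
    """Exhaustive search over a short keyspace (PINs); cost grows as len(charset) ** length."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            cand = "".join(tup)
            if digest(cand, algo) == target:
                return cand
    return None


def demo():
    """Constructed targets, not case data: three passwords stored as unsalted MD5 the way a
    legacy application might, and the same three salted with SHA-256."""
    plain = ["summer123", "Bruno85", "P@ssw0rd1"]
    wordlist = ["password", "summer", "welcome"] + profile_words(
        {"pet": "Bruno", "name": "Ravi", "years": ["1985"]}
    )
    unsalted = {digest(p, "md5") for p in plain}
    found, ops = dictionary_attack(unsalted, wordlist, "md5")
    salted = {(salt, digest(p, "sha256", salt)) for salt, p in zip(["a1", "b2", "c3"], plain)}
    found_s, ops_s = salted_attack(salted, wordlist, "sha256")
    return {
        "recovered": sorted(found.values()),
        "salted_recovered": sorted(found_s.values()),
        "ops_unsalted": ops,
        "ops_salted": ops_s,
        "pin": brute_force(digest("7391", "md5"), string.digits, 4, "md5"),
    }


if __name__ == "__main__":
    print(demo())
```

The salted run recovers the same passwords but spends several times the work; a real system would add a slow key-derivation function on top, which multiplies the cost of every guess again. That is the practical reason a recovered hash from an old application is worth far more to an examiner than one from a system that salts and stretches.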