18 hashing 1
TRANSCRIPT
-
7/29/2019 18 Hashing 1
Introduction to Computer Forensics and Hashing
-
What is Forensics?
Forensics is the art and study of argumentation and formal debate. It uses the application of a broad spectrum of sciences to answer questions of interest to the legal system.
Forensic Science is the science and technology that is used to investigate and establish facts in criminal or civil courts of law.
-
Criminal Justice Fundamentals
How a case usually plays out:
Law Enforcement notified of crime
Evidence is gathered (may require search warrants)
Suspects are developed
Interviews or interrogations are conducted
Suspect is charged
Case w/evidence is turned over to prosecutor
-
What is Computer Forensics?
Computer forensics is forensics applied to information stored or transported on computers.
It involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.
-
What is Computer Crime?
Three situations where you might find evidence on a digital device:
Device used to conduct the crime
Child Pornography/Exploitation
Threatening letters
Fraud
Embezzlement
Theft of intellectual property
Device is the target of the crime
Incident Response
Security Breach
Device is used to support the crime
-
What is evidence in terms of Computer Forensics?
Can be anything!
As small as a few bytes
Could be, and hopefully will be, complete files
Could be Deleted
Could be Encrypted
Likely will be fragments of files
A few Words
A couple of sentences
Hopefully some paragraphs
Registry entries, or log entries!
-
Where do we find it?
Storage Media
RAM
Log Files
Registry
-
How might the information be stored?
Might be plain data with no hidden agenda
The data could be encrypted
Data could be hidden
Could be hostile code
-
Data Encryption
Encrypting data could guard the data in two ways.
Protect data
Use of Ciphers
Files might need to be decrypted
Decryption program generally stored fairly close to the file to be decrypted.
Probably password protected.
Prove integrity
-
Data Hiding
Data could be obfuscated
Encryption is some method of modifying data so that it is meaningless and unreadable in its encrypted form. It also must be reasonably secure, that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation. This is data that is rendered unusable by some means, but is not considered a serious form of encryption.
Data could be compressed
Data could be hidden in plain sight: innocent-looking data has an alternate meaning
Data could be hidden within the file system
-
Data Hiding (contd.)
Data could be hidden in a file
Steganography - science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message
Invisible names
Misleading names
Obscurity
No names
Hidden data might not be in file
Slack, swap, free space
Removable Media
-
Hostile Code
Presume that any unknown code is hostile.
Guilty until proven innocent.
Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile.
Remote access
Data gathering
Sabotage
Denial-of-service
Eluding detection
Resource theft
Circumvention of access control mechanisms
Social status
-
How do we go about the business of Computer Forensics?
Three As of Computer Forensics
Acquire the evidence without altering or damaging the original.
Authenticate that your recovered evidence is the same as the originally seized data.
Analyze the data without modifying it.
-
Acquire the evidence
How do we seize the computer?
How do we handle computer evidence?
What is chain of custody?
Evidence collection
Evidence Identification
Transportation
Storage
Documenting the Investigation
-
Authenticate the Evidence
Prove that the evidence is indeed what
the criminal left behind.
Contrary to what the defense attorney might want the jury to believe, readable text or pictures don't magically appear at random.
Calculate a hash value for the data
MD5
SHA-1, SHA-256, SHA-512
-
Analysis
Always work from an image of the
evidence and never from the original.
Prevent damage to the evidence
Make two backups of the evidence in most cases.
Analyze everything, you may need clues from something seemingly unrelated.
-
Tools
Password crackers
Hard Drive Tools
Fdisk on Linux
Viewers
QVP
Diskview
Thumbsplus
Unerase tools
CD-R Utilities
Text search tools
Drive Imaging
Safeback
Linux dd
Disk Wiping
Forensic Toolkits
Forensic Computers
-
Forensic Software
Forensic Toolkit
The Coroner's Toolkit
Sleuth Kit
EnCase
ILook
-
Digital Crime Scene Investigation Process
No one right way to do it!
Evidence Searching Phase
System Preservation Phase
Event Reconstruction Phase
Carrier, B., page 5, Figure 1.1
-
System Preservation Stage
Crime Scene Preservation
Depending on the situation, this will vary.
Take pictures of everything.
Room setup
Connections
Open windows on computers
Label all wires and connections.
Bag and Tag all evidence.
-
System Preservation (cont.)
Evidence Preservation
Seize all hardware that is necessary to reconstruct evidence
Jam or disable all wireless connections if possible
Make 2 (3) copies of all media
Authenticate all copies of media with MD5 and SHA-1 hash algorithms
-
Evidence Preservation
The data has to be protected physically and logically. Physically, make sure when transporting hard drives that they are stabilized and not damaged by excessive vibrations. Another thing to look out for is static electricity.
Logically preserving evidence means that the information contained on the drive, down to the last bit, never changes during seizing, analysis and storage.
-
Evidence Preservation: Write Blockers
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands. These can be in the form of hardware or software blockers. It is very important that some type of write blocker is tested and used when working with data.
-
Evidence Preservation: Write Blockers (contd.)
On our systems, we would use software write blockers to preserve the integrity of the data. We have included a tool that would do that (disable_usb_write.reg). BEFORE attaching the USB drive, the write-blocker needs to be invoked. Now the USB drive can be attached, and this would ensure that nothing would be written on the USB drive.
In a real scenario, a hardware write blocker would provide much stronger protection.
-
Evidence Preservation: Making Copies
With the write blocker in place, you can now make several copies of the image. It is important that an image is made of the hard drive and not a copy or a backup. The reason for this is that an image will make sure to preserve important information such as slack space, time stamps, unallocated space and file system structures, which would not necessarily be there in a copy or a backup.
-
Evidence Preservation: Making Copies (contd.)
It is a good idea to make at least 2 working images: one to be used as a backup and one to work on. In our tools folder, there is an Image command that actually uses the dd command to create an image of a hard drive.
Most texts also suggest making a third image for discovery.
-
Evidence Preservation: Authenticating and Hash Functions
It is now necessary to prove that all of these images are exactly the same, down to the very last bit!
A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
-
Evidence Preservation: Hashing (contd.)
In authentication, hashing is used to create a set of numbers that represent a drive or set of files. This is similar to fingerprinting someone. With hashing, a fingerprint is created from the evidence. No details about the evidence can be determined from the hash value, but if the evidence is altered in any way, the hash value will also change.
-
Evidence Preservation: Hashing (contd.)
Two examples of hash functions are MD5 and SHA-1. MD5 was developed by Professor Ronald L. Rivest of MIT. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input.
-
Evidence Preservation: Hashing (contd.)
SHA stands for Secure Hash Algorithm. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA). The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1 produces a message digest that is 160 bits long; the numbers in the other four algorithms' names denote the bit length of the digest they produce.
-
Evidence Preservation: Hashing (contd.)
Hashing tools can be found in the tools directory. The md5sum tool produces an MD5 message digest (hash value). The hashcalc application can also create hash values using different hashing methods.
The hashing is done on the data itself, and not on the names of files. There are existing databases of hash values for images that can be used to find child pornography.
-
Evidence Searching Stage
Once everything is preserved, analysis
must begin.
Forensics is a science, so there should be a hypothesis from which to work.
Direct searching activities to support this
hypothesis.
-
Evidence Searching (cont.)
If you are looking for a specific file, e.g., child porn, compare hash values.
If you are looking for keywords, most software gives you a search capability.
Be specific about what you are looking for:
If you are looking for web activity, look in web files: history, cache, cookies, etc.
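The two uses of hashing in these slides, authenticating that every working image matches the original bit for bit (the Hashing slides) and comparing hash values against a known-file database when searching (this slide), as an added example that is not part of the original slides or the course tools directory: it hashes stand-in image files chunk by chunk with MD5, SHA-1 and SHA-256, reports any copy that disagrees with the original, shows that a single flipped bit is caught, and matches files by content rather than by name. The file names, the 1 MiB payload and the known-hash set are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# The slides name MD5 and SHA-1; SHA-256 is added because the older two are no
# longer collision-resistant, so an authentication record should carry it too.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash file contents (never the name) in chunks; returns {algorithm: hex}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):      # bounded memory for large images
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def authenticate_copies(original, copies):
    """Return (copy, algorithm) pairs whose digest differs from the original; [] passes."""
    reference = hash_file(original)
    return [(str(copy), name)
            for copy in copies
            for name, digest in hash_file(copy).items()
            if digest != reference[name]]

def match_known_files(paths, known_sha256):
    """Paths whose content hash is in a known-file hash set, whatever the file name."""
    return [str(p) for p in paths
            if hash_file(p, ("sha256",))["sha256"] in known_sha256]

def demo():
    """Constructed sample data standing in for acquired drive images."""
    work = Path(tempfile.mkdtemp())
    payload = bytes(range(256)) * 4096                   # 1 MiB of constructed content
    original = work / "evidence.dd"
    original.write_bytes(payload)
    good = work / "working.dd"
    good.write_bytes(payload)                            # bit-for-bit image
    damaged = bytearray(payload)
    damaged[len(damaged) // 2] ^= 0x01                   # a single flipped bit
    bad = work / "damaged.dd"
    bad.write_bytes(damaged)
    known = {hash_file(original, ("sha256",))["sha256"]}  # constructed hash set
    renamed = work / "holiday_photo.jpg"                 # same bytes, misleading name
    renamed.write_bytes(payload)
    return {"mismatches": authenticate_copies(original, [good, bad]),
            "known_hits": match_known_files([good, bad, renamed], known)}
```

Running demo() flags damaged.dd under all three algorithms while working.dd passes, and the renamed file is still found because only its bytes were hashed.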
-
Event Reconstruction Stage
Last phase of investigation.
Trying to answer the question of what happened and how.
Evidence discovered during the searching phase is reconciled with non-digital evidence to create a sequence of events to support the hypothesis.
-
General Guidelines
Use a write-blocking device to prevent accidentally writing to the suspect media.
Always work from a copy, not from the original.
Authenticate the copy so that you can prove that evidence discovered was on the original media.
Minimize file creation on working media to prevent over-writing of free space.
Be especially careful of opening files, especially without a write-blocker, because CMA times will change.