Digital Evidence
Dean R. Beal CISA, CFE, ACE

Posted 11-Dec-2015

Allegation

• Anonymous Tip
• Ethics Line
• Risk Assessment
• Audit
• Continuous Auditing/Monitoring

Allegation: Fraud and/or Abuse

• Breaches of Confidentiality
• Running a Personal Business
• Pornography
• Sharing Copyrighted Material
• Travel and Business Expenses
• Unlicensed Software Use
• Time and Attendance
• Harassment
• Bribery
• Theft
• Discrimination

Assessing the Allegation

Management:
• Receives
• Reviews
• Assigns

Guidelines:
• Should exist, outlining the steps taken for obtaining digital evidence to support an investigation

Assessing the Allegation

• Support a Non-IT Investigation
• Complete an IT Investigation

Obtaining Digital Evidence

Identification of:
• Person(s)
  Desktops/laptops, Mobile devices, External drives, Network shares
• Location(s)
  Network Segment: Ping, Doors accessed, Connectivity, Bandwidth

Obtaining Digital Evidence

Keep it Confidential
• Only those with a “Need to Know”

Physical Confiscation
• Unplug, remove batteries
• External storage devices
• Digital camera
• Chain of custody forms
• Check in and under everything
• Evidence bags
• Document everything

Unstructured Data

• No Schemas
• No Organization
• Unpredictable

Make Note of:
• Obvious
• Not so obvious

Piece the puzzle from the outside-in
Start in the Forest
• Don’t get lost in the trees… yet

Searching Unstructured Data

• Internet
• eMail
• Instant Messenger
• Digital Forensics
  • Servers
  • Desktops
  • Laptops
  • Mobile Devices

Searching the Internet

Open Connection
• No affiliation

Use Alias:
• eMail address
• Profiles
• User IDs

Searching the Internet

• Web Reporting
• Google Hacking
  • “intext:”
  • “filetype:”
• Blogs
• Deep Web
• Public Records
• Social Media

Searching eMail & IM

Right to Privacy?
• Warning banners

• Real-time
• Journaling
• Back-ups
  • .pst
  • .nsf

“Fly Over”
• Items of potential importance
• Key words

Searching eMail & IM

Can See It All
• Interesting differences between professional and personal personas

Everything is Fair Game

What’s Happening?
• Substantiated?
• More information needed?
• Take notes

Digital Forensics

Network: “Snapshot”
Physical: “Static”

ProDiscover
• Can connect to any computer on the network
  • By IP address
  • By computer name
• Installs remote agent executable
• Runs in the background as a Service
• Captures image of hard drive over the network
  • Deleted files
  • Everything

ProDiscover

• User does not know they are being imaged
• Connected external drives can be accessed
• Timing: All or nothing
• Unix dd image format
• Slower processing time
  • Network location

FTK Imager

• Physical drive
• dd Image
• E01 Image Format
• Segments
• Faster Processing
  • Physical device

Physical Write Blockers

[Diagram: Suspect Hard Drive, Hardware Write Blocker, Forensics PC, Forensics Hard Drive. Reads flow from the Suspect Hard Drive through the Hardware Write Blocker to the Forensics PC; Writes go only to the Forensics Hard Drive, never back to the Suspect Hard Drive.]

Hash Values

Original MD5 Hash Value: 6f8e3290e1d4c2043b26552a40e5e038
Imaged MD5 Hash Value:   6f8e3290e1d4c2043b26552a40e5e038 (Verified)

MD5 Hashes
• Image Level
• File Level
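The image-level and file-level hash verification described on this slide, as an added example that is not part of the original presentation. The “suspect drive” and its files are constructed in memory; digest_file shows how a real image file would be hashed without loading it whole.

```python
import hashlib

# Constructed sample "suspect drive": three small files held in memory.
SUSPECT_FILES = {
    "resume.docx": b"resume contents",
    "notes.txt": b"meeting at noon",
    "q3_report.xlsx": b"\x00\x01\x02 spreadsheet bytes",
}


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of in-memory bytes. The slide shows MD5; SHA-256 is
    commonly recorded alongside it today, so the algorithm is a parameter."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str = "md5", chunk: int = 1 << 20) -> str:
    """Hash a real image file (e.g. a dd image) in 1 MiB chunks so multi-GB
    images do not have to be read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(files: dict) -> bytes:
    """Stand-in for imaging: concatenate the files in a fixed order."""
    return b"".join(files[name] for name in sorted(files))


def verify_image(original: bytes, imaged: bytes, algo: str = "md5") -> dict:
    """Image level: original and imaged digests must be identical."""
    orig, img = digest_hex(original, algo), digest_hex(imaged, algo)
    return {"original": orig, "imaged": img, "verified": orig == img}


def verify_files(original_files: dict, imaged_files: dict) -> list:
    """File level: names of files whose digest differs between original and image."""
    return sorted(name for name, data in original_files.items()
                  if digest_hex(data) != digest_hex(imaged_files.get(name, b"")))


if __name__ == "__main__":
    good = image_drive(SUSPECT_FILES)
    print(verify_image(good, image_drive(SUSPECT_FILES)))
    # One file changed after imaging (what a write blocker exists to prevent).
    tampered = dict(SUSPECT_FILES, **{"notes.txt": b"meeting at one"})
    print(verify_files(SUSPECT_FILES, tampered))
```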

FTK Image Basics

• Data Carving
• File Types of Interest
• KFF
• Graphics
• Deleted Files
• Recycle Bin
• Personal eMail
• Videos
• Key Word Searches

dtSearch
Indexed
• Faster searching

Search operators:
• And – both required
• Or – either required
• Not
• w/# – within number of words
• ? – any character
• * – any number of characters
• ~ – stems (good for tenses)
• % – fuzzy (good for misspellings)
• & – synonyms

Regular Expressions

Not Indexed
• Slower Searching

• Social Security numbers
• Credit card numbers
• Phone numbers
• IP addresses

Literal vs. operational
• x vs. \x
• d vs. \d

Example pattern (dtSearch syntax), four groups of four digits separated by a hyphen or a space:
\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>
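The slide’s dtSearch pattern translated to Python’s re syntax, together with patterns for the other items the slide lists, run over constructed text; this is an added example, not part of the original presentation, and the extra patterns (SSN, phone, IPv4) are assumptions about common formats. dtSearch’s \< and \> word boundaries become \b, and (\-| ) becomes [- ].

```python
import re

PATTERNS = {
    # The slide's 16-digit pattern: four groups of four digits separated by - or space.
    "credit_card": re.compile(r"\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    # Operational "\." matches a literal dot; a bare "." would match any character.
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample text standing in for exported eMail/IM content.
# The version string 1.2.3.4 will match the IPv4 pattern too: a false
# positive of the kind that has to be cleared by hand.
SAMPLE_TEXT = """\
From: user@example.invalid
Card on file 4111 1111 1111 1111, exp 12/29.
Employee SSN 123-45-6789, desk phone 555-123-4567.
Last login from 10.0.0.25; the version string 1.2.3.4 is not an address.
Fax 5551234567 lacks separators so the phone pattern will not match it.
"""


def find_sensitive(text: str) -> dict:
    """Return every match of each pattern, keyed by pattern name."""
    return {name: rx.findall(text) for name, rx in PATTERNS.items()}


def literal_vs_operational(text: str) -> dict:
    """The slide's point: 'd' is the literal letter d, '\\d' means any digit."""
    return {
        "literal_d": len(re.findall(r"d", text)),
        "operational_d": len(re.findall(r"\d", text)),
    }


if __name__ == "__main__":
    for name, hits in find_sensitive(SAMPLE_TEXT).items():
        print(f"{name}: {hits}")
    print(literal_vs_operational("desk 4567"))
```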

FTK Image Advanced

• Password Protected Files
• Encrypted Drives
• Data Wiping
• Missing File Headers
• index.dat
• Metadata
• Prefetch
• Link Files (LNK)
• Other Registry Artifacts

Registry Viewer
NTUSER.dat
• Passwords
• MRU
• Recent docs
• Drives connected
• USB devices
• Counts
• Typed URLs

Passwords/Encryption

Password Recovery Toolkit (PRTK)
• Dictionary
• Decryption
• Brute force
• Export NTUSER.dat

Distributed Network Attack (DNA)

Full Disk Encryption
• Decryption key needed

Accountability

Filter on:
• Username
• Relative Identifier (RID)
• Security Identifier (SID)
• Security Accounts Manager (SAM)

Oxygen Forensic Suite

Tool Capabilities are Device Specific
• Device Drivers Needed
• Chargers/Connectors
• Media Cards
• Passwords/PIN#s
• Remote Wiping

Oxygen Forensic Suite
• eMail
• Text Messages
• Phonebook/Contact List
• Calendar
• Call History
• Pictures/Videos
• Social Network Messages
• Internet Sites

Oxygen Forensic Suite

• Logical Analysis
• Physical Analysis
• Logical/Physical Analysis
  • SQLite, Plist, IPD file viewers
• Backup File Creation
• Mobile Device Storage
• Write Blockers

Unstructured Data as Digital Evidence

• Actions
• Accountability
• Dates and Times
• Tie to Source Information
  • eMail & IM to image
  • Internet to image
  • Mobile device to image

Structured Data

• Schemas
• Organized
  • But rarely clean
• Predictable
• Silos
• Complexity
• Data Dictionary
• Knowledge Base
• Training Resources

Obtaining Structured Data

Is it:
• Complete?
• Verifiable?
• Source data?
  • Transactional?
  • Aggregated?
  • Report?
• Does it have integrity?
  • Has anyone else touched it?
• Will it need to be cleansed or reformatted?

Obtaining Structured Data

Is it:
• Hierarchical?
• Relational?
• Fixed length?
• Variable length?
• Delimited?
• Mainframe?
• HL7?
• EDI?

Obtaining Structured Data

• Learn Application and System Process and Data Flows
• Obtain Access to the Application
• Obtain Direct Access to the Source Data
• Learn the Query Language
• Admit You’re in Over Your Head
• Make Friends with IT
  • Ask for help
  • Without loss of confidentiality
• Involve IT
  • Legacy
  • Require confidentiality

Obtaining Structured Data

Source Systems:
• DB2
• Oracle
• SQL Server
• Mainframe

Querying Tools:
• TOAD
• QMF
• Proprietary reporting tools
  • No direct access available

Obtaining Structured Data

Structured Query Language (SQL)
• Fairly standard across most platforms
• Some variations
  • PL/SQL
  • T-SQL

Databases
• Schemas
• Tables
• Normalization
• Fields/columns
• Primary keys
• Foreign keys

Obtaining Structured Data

Individual tables won’t always give you meaningful information.
Relating those tables by primary and foreign keys provides meaningful information.

Obtaining Structured Data

• Tweak and Utilize Existing SQL
• Write Your Own
  • Can be time consuming
• Trial and Error
• Reconcile Back to Application
• Have Others Validate the Results
  • Back to source documentation if available

Obtaining Structured Data

Some Enterprise Databases contain 30,000+ Tables
• Data dictionaries should exist
• Determine the individual tables containing needed data
• Determine the primary and foreign key(s) to create the join(s)
• Write the SQL statement(s)

Obtaining Structured Data

Joins are the Drivers
• Inner Join: all records in Table B that have a match in Table A
• Outer Join (Left or Right): all records in Table A with or without a match in Table B, and only those records in Table B that have a match in Table A
• Cartesian Join: something is wrong

When Querying Enterprise Databases:
• Only what is necessary
• Not all columns/records
• No aggregating
• Apply date parameters
• Watch the processing time
  • Something may be wrong with the SQL
  • Edit and repeat
• Tie to source information
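The three join behaviours described above, run against two constructed tables in an in-memory SQLite database; this is an added example, not part of the original presentation, and the employees (Table A) and claims (Table B) tables, their columns and their rows are assumptions. The Cartesian row count (|A| × |B|) is the “something is wrong” signal, and the orphan query shows one integrity exception a left outer join surfaces.

```python
import sqlite3

# Constructed rows (not real data). employees = Table A, claims = Table B,
# related by primary key employees.emp_id and foreign key claims.emp_id.
EMPLOYEES = [(1, "Ada"), (2, "Ben"), (3, "Cy")]
CLAIMS = [(100, 1, 250.0), (101, 1, 90.0), (102, 3, 1200.0),
          (103, 9, 55.0)]  # emp_id 9 has no employee row: orphan foreign key


def build_db() -> sqlite3.Connection:
    """Create and populate the two tables in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE claims (claim_id INTEGER PRIMARY KEY, emp_id INTEGER,
                             amount REAL);
    """)
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?)", CLAIMS)
    return conn


def row_counts(conn: sqlite3.Connection) -> dict:
    """Row count returned by each join type over the same two tables."""
    queries = {
        # Inner: only claims whose emp_id matches an employee (Ada x2, Cy x1).
        "inner": "SELECT COUNT(*) FROM employees e "
                 "JOIN claims c ON c.emp_id = e.emp_id",
        # Left outer: every employee, with or without claims (Ben with NULL claim).
        "left_outer": "SELECT COUNT(*) FROM employees e "
                      "LEFT JOIN claims c ON c.emp_id = e.emp_id",
        # Cartesian: no join condition, every employee paired with every claim.
        "cartesian": "SELECT COUNT(*) FROM employees e, claims c",
    }
    return {name: conn.execute(sql).fetchone()[0] for name, sql in queries.items()}


def orphan_claims(conn: sqlite3.Connection) -> list:
    """Claims whose emp_id has no employee row. Only the needed columns are
    selected and a filter is applied, as the slide advises for enterprise queries."""
    sql = ("SELECT c.claim_id, c.emp_id, c.amount FROM claims c "
           "LEFT JOIN employees e ON e.emp_id = c.emp_id WHERE e.emp_id IS NULL")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(row_counts(db))      # cartesian = 3 employees x 4 claims = 12
    print(orphan_claims(db))   # the claim filed under a non-existent emp_id
```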

Obtaining Structured Data

Information to Evidence
• Microsoft Access & Excel
• ACL
  • Reformatting
  • Appending
  • Computed fields
  • Aggregating
  • Querying
  • Reporting

Structured Data as Digital Evidence

Append the Output
• Like data from differing sources rarely matches
  • Cleansing
  • Re-formatting

Reconcile to Source Data
• Control totals
• Record counts

Create New Functionality
• Computed fields
• Get to the answer

Standardize the Output
• Social Security Numbers
• Birthdates
• Addresses
• Names
• Phone Numbers
• Zip Codes

Standardize the Output

ACL creates its own “view” of the source data file with the .fil extension
• .fil is “read only”
• Source Data Remains Untouched

Standardize the Output

STRING()  STRING(Invoice_Nbr)
VALUE()   VALUE(Invoice_Pmt)
DATE()    DATE(Birthdate)

Standardize the Output

Birthdate = ‘20050415’
SUBSTRING(Birthdate, 5, 2) = ‘04’
SUBSTRING(Birthdate, 7, 2) = ‘15’
SUBSTRING(Birthdate, 1, 4) = ‘2005’

Standardize the Output

If you aren’t going to add, subtract, multiply, divide, or calculate the field, format it as Text.

If you are going to add, subtract, multiply, divide, or calculate the field, format it as Numeric or Date.

Structured Data as Digital Evidence

• Actions
• Accountability
• Dates and Times
• Tie to Source Information
• Control Weaknesses
  • Segregation of duties
  • Approval limits
  • Lack of oversight

Presenting the Digital Evidence

Report Preparation
• Unstructured information
• Structured information

• Support the Allegation(s)
• Refute the Allegation(s)
• Consult with Law
• Consult with Management
• Consult with Senior Executives

CAATs

Direct Access and the Right Tools

Reactive
• Ad-hoc

Proactive
• Automate
• Take what’s been learned and apply to the entire population
• 100% Testing
• Exception based

ACL Scripting

• Series of commands stored as a unit in an ACL project
• Executed repeatedly and automatically
• Any ACL command can be stored as a script

Advanced ACL Concepts & Techniques, SCRIPTS (Canada: ACL Services Ltd, 2006), 2.

ACL Scripting

Standardizing Data:

OPEN HR_Active
DEFINE FIELD SSN_A COMPUTED
REPLACE(SSN, "-", "")
DEFINE FIELD SSN_B COMPUTED
ALLTRIM(SUBSTR(SSN_A, 1, 9))
DEFINE COLUMN DEFAULT VIEW SSN_B
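The SSN standardization script above and the earlier Standardize the Output slides (SUBSTRING on Birthdate, STRING/VALUE/DATE typing), reproduced in Python over constructed HR_Active records; this is an added example, not part of the original presentation or of ACL, and the record contents are assumptions. It keeps the script’s exact order (SUBSTR before ALLTRIM) and then reconciles the result, which is how the one record with a leading blank shows up as an exception.

```python
from datetime import date

# Constructed HR_Active records (not real data): fields as they often arrive.
HR_ACTIVE = [
    {"emp": "Ada", "SSN": "123-45-6789 ", "Birthdate": "20050415", "Invoice_Pmt": "1,250.50"},
    {"emp": "Ben", "SSN": " 987654321", "Birthdate": "19991231", "Invoice_Pmt": "90"},
    {"emp": "Cy", "SSN": "555-55-5555-01", "Birthdate": "bad", "Invoice_Pmt": "x"},
]


def substring(field: str, start: int, length: int) -> str:
    """ACL SUBSTRING/SUBSTR(field, start, length); start is 1-based."""
    return field[start - 1:start - 1 + length]


def standardize_ssn(ssn: str) -> str:
    """SSN_A = REPLACE(SSN, "-", ""); SSN_B = ALLTRIM(SUBSTR(SSN_A, 1, 9)).
    SUBSTR runs before ALLTRIM, so a leading blank costs a digit."""
    ssn_a = ssn.replace("-", "")
    return substring(ssn_a, 1, 9).strip()


def birthdate_parts(birthdate: str) -> dict:
    """The slide's SUBSTRING calls: year = 1..4, month = 5..6, day = 7..8."""
    return {"year": substring(birthdate, 1, 4),
            "month": substring(birthdate, 5, 2),
            "day": substring(birthdate, 7, 2)}


def to_date(birthdate: str):
    """DATE(Birthdate): typed Date because it will be calculated with; None if unparseable."""
    try:
        p = birthdate_parts(birthdate)
        return date(int(p["year"]), int(p["month"]), int(p["day"]))
    except ValueError:
        return None


def to_value(text: str):
    """VALUE(Invoice_Pmt): typed Numeric because it will be totalled; None if unparseable."""
    try:
        return float(text.replace(",", ""))
    except ValueError:
        return None


def exceptions(records: list) -> list:
    """Reconcile: names whose standardized SSN is not 9 digits or whose typed fields fail."""
    bad = []
    for r in records:
        ssn_b = standardize_ssn(r["SSN"])
        ssn_ok = len(ssn_b) == 9 and ssn_b.isdigit()
        if not ssn_ok or to_date(r["Birthdate"]) is None or to_value(r["Invoice_Pmt"]) is None:
            bad.append(r["emp"])
    return bad
```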

ACL’s Audit Analytic Capability Model

LEVEL 1 – BASIC
• Audit specific
• Classifications
• Summarizations
• Duplicates
• Ad hoc

The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, white paper (ACL Services Ltd, 2011), 3.

ACL’s Audit Analytic Capability Model

LEVEL 2 – APPLIED
• Specific and repeatable tests
• Start with “low hanging fruit”
• Add additional and broader tests
• Focus on data access
• Efficient script design for repeatability

The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, white paper (ACL Services Ltd, 2011), 5.

ACL’s Audit Analytic Capability Model

LEVEL 3 – MANAGED
• Centralized, secure, controlled, efficient data analysis
• Many people involved
• Processes and technology in place
• Server environment
• Multiple locations

The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, white paper (ACL Services Ltd, 2011), 7.

ACL’s Audit Analytic Capability Model

LEVEL 4 – AUTOMATED
• Comprehensive suites of tests developed
• Tests scheduled regularly
• Concurrent, ongoing auditing of multiple areas
• More efficient and effective audit process

The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, white paper (ACL Services Ltd, 2011), 10.

ACL’s Audit Analytic Capability Model

LEVEL 5 – MONITORING
• Progress from continuous auditing to continuous monitoring
• Expanded to other business areas
• Process owners notified immediately of exceptions

The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, white paper (ACL Services Ltd, 2011), 12.

Forensics Lab

Physical Security

Logical Security
• SSNs
• Credit card numbers

Software Licensing
• Updates, upgrades

Hardware and Other Peripherals

Storage
• Short term, long term
• Enough?

Forensics Lab

Forensic Workstation
• Processing workhorse
• SSD
• Memory
• JBOD

Forensic Desktop
• Secondary processing
• Image reviewing

Forensics Laptops

Open Internet Laptop
• Don’t do this on the company network

Forensics Lab

Retention
Inventory
Back-ups and Recovery
• On-site, off-site

Chain of Custody
• Physical
• Image

Data Wiping and Verification
CIA
COBIT

Challenges

• Time Consuming
• Satellite Locations
• Emerging Technologies
• System Processing/Data Flows
  • Lack of documentation
• Cloud Computing
• Hard Drive Capacities
• Anti-Forensics

Challenges

• External Storage Devices
• Personal vs. Corporate
  • BYOD
• False Positives
• Data Silos
• Data Integrity
• Passwords
• Encryption

Summary

Mixture of Art and Science
• Intuition
• Common sense
• Knowledge and use of tools
• Persistence
• Testing Theories
• Research
• Learning

Conclusion

• No One Solution
• Expect the Unexpected
• Remain Fair and Objective
• Report Just the Facts

Questions?