Digital Forensics Survey of Information Assurance

Upload: bruno-banks

Post on 26-Dec-2015

Page 1: Digital Forensics Survey of Information Assurance

Digital Forensics

Survey of Information Assurance

Page 2: Agenda

What is Digital Forensics?
Procedure: Identification, Acquisition, Analysis, Presentation
Analysis Techniques: Techniques, Examples
Real Action: 0x80
Present and Future

Page 3: Forensics

Forensic science is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action.

Ref: http://en.wikipedia.org/wiki/Forensic

Page 4: Digital Forensics

“Computer forensics ... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in.” - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006

Ref: http://en.wikipedia.org/wiki/Computer_forensics

Page 5: Procedures

1. Identification
2. Acquisition
3. Analysis
4. Presentation

Page 6: Procedures

The basic procedure to follow for examination of digital data is as follows:

Identification – Answers WHAT information is sought and where to obtain it.
Acquisition – Obtain forensic copies of all digital data required, including snapshots and live datasets.
Analysis – Aggregation, correlation, filtering, transformation and meta-data generation to obtain digital evidence.
Presentation – Create a final report to present the digital evidence.

Page 7: Procedure Flow

Identification → Acquisition → Analysis → Presentation

Page 8: Procedure Step #1: Identification

Evidence will often be based on the scenario. Places to look:

For intrusions: logs, rootkits, hidden files
For illegal graphic images: image files, web history
For intelligence: documents, e-mails

Page 9: Procedure Step #2: Acquisition

Preserve evidence:
Prevent the computer state from changing
Copy the hard disk bit-wise
Copy memory before the machine is powered off
Save the state of all network connections
Disconnect from the network if connected

Copying the hard disk:
Boot from trusted media, e.g. a DOS floppy or a Linux Live CD
Remove the hard disk and place it in the trusted system
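The bit-wise copy on this slide is only useful as evidence if the examiner can later show that the image still matches what was read from the drive. The following Python script is an added illustration (not part of the slide deck) of the usual practice: hash the byte stream while it is being copied, record the size and hash, and re-verify the image later. The "device" is a constructed byte string standing in for a block device, and the tamper step simply overwrites one byte of the copy to show that verification fails.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 4096  # block size for reading/writing; real imagers use the sector size or larger

# Constructed stand-in for a small raw device: boot-sector bytes, file data, zero fill, slack.
DEVICE = b"MBR\x00" * 128 + b"FAT32 data..." + b"\x00" * 500 + b"slack and deleted text"


def image_device(src, dst):
    """Copy src to dst block by block while hashing the stream in the same pass.

    Returns (bytes_copied, sha256_hex). Hashing during the copy means the
    acquisition hash was computed from the bytes actually read from the source,
    the same idea as piping dd through sha256sum.
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        dst.write(block)
        digest.update(block)
        copied += len(block)
    return copied, digest.hexdigest()


def sha256_file(path):
    """SHA-256 of a file on disk, read in blocks so large images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def sha256_bytes(data):
    """SHA-256 of an in-memory buffer (used to cross-check the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def verify_image(path, expected_size, expected_hash):
    """True only if the image has the recorded size and re-hashes to the recorded value."""
    return os.path.getsize(path) == expected_size and sha256_file(path) == expected_hash


def demo():
    """Image the constructed device, verify the copy, then show a one-byte change is caught.

    Returns (size, acquisition_hash, verified_before, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "disk.raw")
        with open(image_path, "wb") as out:
            size, acquisition_hash = image_device(io.BytesIO(DEVICE), out)
        intact = verify_image(image_path, size, acquisition_hash)
        # Simulate a modified image: overwrite a single byte inside the copy.
        with open(image_path, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        still_verifies = verify_image(image_path, size, acquisition_hash)
    return size, acquisition_hash, intact, still_verifies


if __name__ == "__main__":
    print(demo())
```

The size check matters as much as the hash: a truncated image with a hash recorded after truncation would look consistent on its own, so both values are recorded at acquisition time and kept with the chain-of-custody notes.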

Page 10: Procedure Step #3: Analysis

Heavily dependent on the skills of the analyst and the nature of the evidence sought.
Aggregation, correlation, filtering, transformation and meta-data generation.
Pre-analysis (~ Acquisition)
Aggregation + Transformation: data recovery and unification.
Meta-data generation: categorization, indexing, hashing…
Data-to-evidence mapping, isolation & contextualization: the difference between data and evidence.

Page 11: Procedure Step #4: Presentation

Prepare a report of noteworthy evidence.
Relate the evidence to the crime, i.e. explain the role of the evidence in the given case.

Page 12: Analysis Techniques

1. Text Analysis
2. Image Analysis
3. Video Analysis
4. Executable Analysis
5. File Clustering
6. Password Cracking
7. Data Searching

Page 13: Analysis: General Types

Text analysis: Unicode normalization, language identification, named entity extraction, transliteration
Image analysis: steganography detection, computer-generated vs. real image
Video analysis
Executable analysis

Page 14: Analysis: General Types (2)

File clustering / classification
Password cracking
Data searching: keyword search; file attributes (name, date of creation/access, type etc.); specific files

Page 15: Examples

Unicode normalization

“In many cases, Unicode allows multiple representations of what is, linguistically, the same string. For example: Capital A with dieresis (umlaut) can be represented either as a single Unicode code point "Ä" (U+00C4) or the combination of Capital A and the combining Dieresis character ("A" + "¨", that is, U+0041 U+0308).”

Ref: http://msdn2.microsoft.com/en-us/library/ms776393(VS.85).aspx

Transliteration

Ref: http://acharya.iitm.ac.in/multi_sys/translit.php
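The Ä example above is exactly why the keyword search listed under Data Searching (Page 14) has to normalize before comparing: a byte-for-byte search misses evidence written in the other encoding. The script below is an added example, not from the slides, using Python's standard unicodedata module. The corpus lines are constructed; they contain the same surname once precomposed and once decomposed, plus a "fi" ligature to show what the compatibility forms (NFKC) add on top of NFC.

```python
import unicodedata

# The slide's example: one code point vs. base letter plus combining mark.
PRECOMPOSED = "\u00C4"      # "Ä" as a single code point (U+00C4)
DECOMPOSED = "A\u0308"      # "A" followed by COMBINING DIAERESIS (U+0041 U+0308)

# Constructed evidence lines: the same surname in both encodings, plus a ligature.
CORPUS = [
    "Kunde: M\u00FCller",          # precomposed u-umlaut
    "Kunde: Mu\u0308ller",         # decomposed u + combining diaeresis, renders identically
    "\uFB01le transfer complete",  # typographic ligature U+FB01 instead of the letters "fi"
]


def codepoints(text):
    """List each code point with its Unicode name, to make invisible differences visible."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in text]


def equivalent(a, b, form="NFC"):
    """True if a and b are the same string once both are normalized to the given form."""
    return unicodedata.normalize(form, a) == unicodedata.normalize(form, b)


def naive_search(lines, keyword):
    """Plain substring search: misses every alternative encoding of keyword."""
    return [n for n, line in enumerate(lines, 1) if keyword in line]


def normalized_search(lines, keyword, form="NFC"):
    """Substring search after normalizing both the keyword and each line.

    NFC/NFD unify composed vs. decomposed characters; NFKC/NFKD additionally fold
    compatibility characters such as ligatures and full-width letters, which is
    usually what an evidence keyword search wants.
    """
    key = unicodedata.normalize(form, keyword)
    return [n for n, line in enumerate(lines, 1)
            if key in unicodedata.normalize(form, line)]


if __name__ == "__main__":
    print(codepoints(PRECOMPOSED), codepoints(DECOMPOSED))
    print("naive:", naive_search(CORPUS, "M\u00FCller"))
    print("NFC:  ", normalized_search(CORPUS, "M\u00FCller"))
    print("NFKC: ", normalized_search(CORPUS, "file", "NFKC"))
```

The same normalization has to be applied when building an index: index entries and queries must be normalized to the same form, or the index silently splits one name into two.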

Page 16: Examples (2)

Steganography

Ref: http://www.strangehorizons.com/2001/20011008/steganography.shtml

Page 17: Real Action: An Example

• The case of metadata in an image

Page 18: Real Action: 0x80

The hacker: “0x80”
Time: early 2006
Event: “0x80” chooses to be interviewed in the Washington Post about his alleged violation of federal law.
Claim: He had broken into 2000+ personal computers; these hacked computers or “bots” then download and install software that bombards their users with advertisements for pornographic Web sites.

Ref: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

Page 19: Real Action: 0x80 (2)

Mistake: Allowed The Washington Post to publish several photographs, including a doctored image of himself with his face partially visible.

How he got tracked: The images in the article carried metadata pointing to his location, “Roland, Oklahoma”.

Details: Then it was noticed that retouched pictures showing the obfuscated hacker included meta tags -- information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo.

Ref: http://antiworm.blogspot.com/2006/02/hacker-0x80-0wn3d-by-fbi-arrested.html

Eventually “0x80” was arrested by FBI.
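The metadata that gave 0x80 away lives in the EXIF block of a JPEG, which is a TIFF structure carried in an APP1 segment. The script below is an added example (not from the slides or the cited articles) that shows what such a block looks like and how an examiner, or a publisher checking an image before release, can enumerate the plain-text tags it carries. It builds a small JPEG with a constructed EXIF block (camera, model, date, photographer and description are all made-up sample values), then walks the JPEG segments and the TIFF IFD with only the standard struct module. Only ASCII-typed tags are decoded; real files also carry numeric tags and sub-IFDs (Exif, GPS) that a full parser would follow in the same way.

```python
import struct

ASCII = 2  # TIFF field type for NUL-terminated ASCII strings
TAG_NAMES = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x0132: "DateTime",
    0x013B: "Artist",
    0x8298: "Copyright",
}

# Constructed sample values; none of these refer to a real camera, person or place.
SAMPLE_FIELDS = {
    0x010F: "ExampleCam",
    0x0110: "EC1",
    0x0132: "2006:01:15 10:30:00",
    0x013B: "Sample Photographer",
    0x010E: "Exampleville (constructed)",
}


def build_tiff(fields):
    """Build a minimal little-endian TIFF with one IFD of ASCII tags (test input only)."""
    entries, blob = [], b""
    data_start = 8 + 2 + 12 * len(fields) + 4  # header + count + entries + next-IFD pointer
    for tag, text in sorted(fields.items()):
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:  # short values are stored inline in the entry itself
            entries.append(struct.pack("<HHI4s", tag, ASCII, len(value), value.ljust(4, b"\x00")))
        else:                # longer values live after the IFD, referenced by offset
            entries.append(struct.pack("<HHII", tag, ASCII, len(value), data_start + len(blob)))
            blob += value
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + blob


def build_jpeg(fields):
    """Wrap the TIFF block in an APP1 'Exif' segment between SOI and EOI markers."""
    payload = b"Exif\x00\x00" + build_tiff(fields)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def exif_from_jpeg(jpeg):
    """Walk JPEG marker segments and return the TIFF block from APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start-of-scan: no more header segments
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def parse_tiff(data):
    """Read IFD0 and return {tag_name: value} for every ASCII entry."""
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ValueError("not a TIFF/EXIF block")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    pos, found = ifd_off + 2, {}
    for _ in range(count):
        tag, typ, n, raw = struct.unpack(end + "HHI4s", data[pos:pos + 12])
        pos += 12
        if typ != ASCII:
            continue
        if n <= 4:
            value = raw[:n]
        else:
            (offset,) = struct.unpack(end + "I", raw)
            value = data[offset:offset + n]
        name = TAG_NAMES.get(tag, f"0x{tag:04X}")
        found[name] = value.rstrip(b"\x00").decode("ascii", "replace")
    return found


if __name__ == "__main__":
    for name, value in parse_tiff(exif_from_jpeg(build_jpeg(SAMPLE_FIELDS))).items():
        print(f"{name:17} {value}")
```

Retouching the pixels, as in the 0x80 case, does not touch this segment; an editor that preserves EXIF copies it into the published file unchanged, which is why the check has to be made on the metadata itself, not on the picture.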

Page 20: Present and Future

Page 21: Present and Future - Digital Forensics

Now | Later…
Unorganized science | Likely to be formalized
Treated with skepticism as evidence in cases other than cyber-crimes | May gain acceptance as evidence for crimes other than cyber-crimes
Struggling to keep up with a staggering amount of data | Newer and innovative approaches needed
Lack of clarity on policy and policing | Policy could be created in future
Always a step behind | Likely to remain so…

Page 22: References

www.basistech.com/knowledge-center/forensics/crash-course-in-digital-forensics.pdf
www.opensourceforensics.org/
http://www.garykessler.net/library/steganography.html
https://www.spammimic.com/explain.shtml
http://www.strangehorizons.com/2001/20011008/steganography.shtml