it-forensic investigative measures - live_for
TRANSCRIPT
This project was funded by the European Union’s Justice Programme (2014-2020).
Antonio Rodriguez
LIVE_FOR
IT-forensic investigative measures
Outline

- How Internet Works?
  - Client/Server
  - Information Exchange
  - The Cloud
- Information Storage
  - Is all information stored?
  - Memory vs Hard Drives
- Logs
  - What is a log?
  - Log properties
  - Uses
- Securing the evidence
  - Capture Order
  - Evidences in memory
  - Evidences in disk
- Acquisition Methods
  - Live
  - Post-mortem
- Secure transfer of evidences
  - HASHES
  - Multiple copies
  - Physical supports
How Internet Works?
1. Client / Server
2. Information Exchange
3. The Cloud
How Internet works?

How Does the Internet Work? (http://www.datacenterscanada.com) - SIMPLE explanation of how the internet really works. Understand networks, inter-networks, data packets, peering and internet exchanges.
https://www.youtube.com/watch?v=i5oe63pOhLI
Watch until 2:40
Check the chat for the clickable link ;)
Client / Server

When using the Internet, there is always a computer called Client, which sends requests to another computer/machine called Server.
The main purpose of these communications is:
- Get a web page
- Access an application
- Read an email
- Etc.
There are different types of servers:
- Web Servers
- File Servers
- Print Servers
- Etc.
Client / Server
Information Exchange

Information Exchange is a process used to send or receive information in a Network through a mechanism.
In order to achieve this transfer, there must be a connection (wired or wireless) and a mutual language (protocol) between devices.
The information exchange speed is called bandwidth and is measured in bps, which stands for bits per second.
Information Exchange: IP addresses

Unique ID number for every connected device.
Two versions:
- IPv4: 4.294.967.296 possible addresses. Like this: 127.0.0.1
- IPv6: 340.282.366.920.938.463.463.374.607.431.768.211.456 (340 sextillion) possible addresses. Like this: 2001:0db8:85a3:08d3:1319:8a2e:0370:7334
Information Exchange: IP addresses

Diagram: 192.168.1.23, 192.168.1.24, 192.168.1.32, 192.168.1.25
Information Exchange: Ports

Every device identified by a unique address has to be able to communicate simultaneously with various applications/services.
This is achieved by using logical ports.
Information exchange with each service is performed through one or more ports. Example: Web servers use ports 80 and 443.
There are 65536 ports.
Diagram: 192.168.1.25, free ports, port 80, request / response
Information Exchange: Protocols

Conventions on how and what can be sent over the network. On the Internet the most common ones are:
- IP: Yes, that is the name of the protocol (Internet Protocol). Provides addressing by IP.
- TCP: Stands for Transmission Control Protocol. Provides ports and various control mechanisms to ensure the data is received correctly and in order.
- HTTP: Stands for HyperText Transfer Protocol. Provides the web as we know it.
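As an added example, not part of the original slides, the client/server, port and protocol ideas above in one Python run: a tiny server speaking an HTTP-like protocol listens on a port chosen by the operating system (standing in for port 80/443 of a real web server), and a client connects from an ephemeral port of its own, sends a request and reads the response. The host, ports, request and response text are all constructed for this demonstration.

```python
import socket
import threading

# Constructed demonstration: both sides run on the loopback address.
SERVER_HOST = "127.0.0.1"


def handle_client(conn: socket.socket) -> None:
    """Read one request, answer with an HTTP-style response, then close."""
    with conn:
        request = conn.recv(1024).decode("ascii", errors="replace")
        first_line = request.split("\r\n", 1)[0]
        if first_line.startswith("GET "):
            status, body = "200 OK", "Hello from the server"
        else:
            status, body = "400 Bad Request", "Unsupported method"
        response = (
            f"HTTP/1.0 {status}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n" + body
        )
        conn.sendall(response.encode("ascii"))


def start_server() -> tuple:
    """Bind to port 0 so the OS picks a free port out of the 0-65535 range.

    A real web server would bind a well-known port such as 80 or 443 instead.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((SERVER_HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()      # one client, one request
        handle_client(conn)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, port


def client_request(server_port: int, method: str = "GET") -> dict:
    """Connect to the server port, send a request and return what the client learns."""
    with socket.create_connection((SERVER_HOST, server_port), timeout=5) as cli:
        _, client_port = cli.getsockname()   # ephemeral port chosen for the client
        cli.sendall(f"{method} / HTTP/1.0\r\nHost: {SERVER_HOST}\r\n\r\n".encode("ascii"))
        chunks = []
        while True:
            data = cli.recv(1024)
            if not data:                      # server closed the connection
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("ascii")
    headers, _, body = raw.partition("\r\n\r\n")
    status_line = headers.split("\r\n")[0]   # e.g. "HTTP/1.0 200 OK"
    return {
        "client_port": client_port,
        "server_port": server_port,
        "status": status_line.split(" ", 1)[1],
        "body": body,
    }


def demo(method: str = "GET") -> dict:
    """Start a server, perform one request against it and return the result."""
    _, port = start_server()
    return client_request(port, method)


if __name__ == "__main__":
    print(demo())
```

The client never chooses the server's port: it only needs to know it, while its own port is handed out by the OS, which is why a client and a server on the same machine can talk over two different port numbers.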
The Cloud
The Cloud: Types of cloud

Who owns this? Whom does this serve?
Depending on the ownership of the infrastructure and the nature of its users we can distinguish various cloud types. The most common are the following:
- Public cloud: Typically a private infrastructure providing service to the general public. Examples: Amazon (AWS), Google Cloud, Microsoft (Azure)
- Private cloud: Typically a private infrastructure providing service to the owner organization.
- Hybrid cloud: As maintaining a private cloud, despite its advantages, is expensive, some organizations use two clouds:
  - A private one to provide the services working with sensitive data.
  - A public one for less critical services.
The Cloud: Types of cloud services

Which layers are managed by the cloud provider and which by the client:

Layer           | IaaS            | PaaS            | SaaS
----------------|-----------------|-----------------|----------------
Application     | Client          | Client          | Cloud provider
Platform        | Client          | Cloud provider  | Cloud provider
Infrastructure  | Cloud provider  | Cloud provider  | Cloud provider
Information Storage
1. Is all information stored?
2. Memory vs Hard Drives
3. Encryption
Is all information stored?

Information always needs a physical support to exist:
- The wire when it's transmitted
- The device memory when it's processed
- The disk when it's stored
All these supports have a cost:
- Provisioning cost
- Operational cost
Companies want to maximize profit so:
NOT ALL INFORMATION IS STORED (1)
NOT ALL STORED INFORMATION IS DELETED (1)(2)
(1) Unless the law enforces it. (2) Deleting takes time and time is money.
Memory vs Hard Drives

Wire
- Life time: milliseconds
- Gets lost immediately
Memory
- Life time: milliseconds-days
- Gets lost when shutting down or rebooting
Disk drive
- Life time: days-years
- Permanent storage even without power
Encryption

To avoid access by third parties, information can be encrypted.
It is a good option from the privacy point of view. From the forensics point of view it's an impediment.
Encryption can be applied both on the wire and on disk.
In memory, data is almost always in clear.
Logs
1. What is a log?
2. Uses
3. Log properties
What is a Log?

It is a register of events.
- Normally generated in plain text
- Any event can be logged
- There isn't a standard for the format; every system/application uses its own, although most of them are similar
Logs allow us to know what happened in an information system and are widely used for:
- Maintenance
- Auditing
- Forensics
Log uses

Logs can be used from a forensic point of view for:
- Evidence recollection: An action performed in an information system can generate one or more logs. These can be evidence of that action.
- Event correlation: Some actions are correlated with others; these correlations can be established by looking at logs. For example, a mail server will generate a log when sending an e-mail, and the server receiving that e-mail will also generate the corresponding log.
- Timelines: Ordering the logged events chronologically can help to understand easily what happened in an information system.
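An added example (not from the slides) of the three forensic uses of logs above: two constructed log extracts, one from the sending mail server in a syslog-like format and one from the receiving server in CSV, are parsed, correlated by message id, and merged into a single timeline. The log lines, host names and message ids are invented. Because the syslog-style lines carry no year and no time zone, the parser takes the year as a parameter and assumes UTC; both are assumptions an analyst has to confirm against the real system before trusting the timeline.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample logs (not real captures). The two systems use different
# formats, as the slides note there is no standard log format.
SENDER_LOG = """\
Mar 05 10:15:02 mail-a smtpd[4021]: queued msgid=<m1@a.example> from=alice@a.example to=bob@b.example
Mar 05 10:15:03 mail-a smtp[4022]: delivered msgid=<m1@a.example> relay=mail-b status=sent
Mar 05 10:16:40 mail-a smtpd[4021]: queued msgid=<m2@a.example> from=alice@a.example to=carol@b.example
Mar 05 10:16:41 mail-a smtp[4022]: deferred msgid=<m2@a.example> relay=mail-b status=timeout
"""
RECEIVER_LOG = """\
timestamp,host,event,msgid,recipient
2024-03-05T10:15:03Z,mail-b,received,<m1@a.example>,bob@b.example
2024-03-05T10:15:04Z,mail-b,stored,<m1@a.example>,bob@b.example
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"(?P<event>\w+) msgid=(?P<msgid><[^>]+>)"
)


def parse_sender(text: str, year: int = 2024) -> list:
    """Parse syslog-style lines. Year and UTC are assumptions: syslog omits both."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # lines without a message id are not useful for correlation
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "event": m["event"], "msgid": m["msgid"]})
    return events


def parse_receiver(text: str) -> list:
    """Parse the receiver's CSV export, whose timestamps are explicit UTC."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": row["host"], "event": row["event"], "msgid": row["msgid"]})
    return events


def correlate(events: list) -> dict:
    """Group events by message id; a message logged by only one party is not corroborated."""
    by_msgid = {}
    for ev in events:
        by_msgid.setdefault(ev["msgid"], []).append(ev)
    result = {}
    for msgid, evs in by_msgid.items():
        hosts = sorted({e["host"] for e in evs})
        result[msgid] = {
            "hosts": hosts,
            "corroborated": len(hosts) > 1,   # seen on both sender and receiver
            "events": sorted(evs, key=lambda e: e["ts"]),
        }
    return result


def timeline(events: list) -> list:
    """Merge events from all sources into one chronologically ordered list of lines."""
    ordered = sorted(events, key=lambda e: e["ts"])   # stable: ties keep input order
    return [f"{e['ts'].isoformat()} {e['host']} {e['event']} {e['msgid']}" for e in ordered]


if __name__ == "__main__":
    all_events = parse_sender(SENDER_LOG) + parse_receiver(RECEIVER_LOG)
    for line in timeline(all_events):
        print(line)
    for msgid, info in correlate(all_events).items():
        print(msgid, "corroborated" if info["corroborated"] else "sender only", info["hosts"])
```

In the constructed data the second message is deferred by the sender and never appears in the receiver's log, so the correlation step reports it as seen by `mail-a` only; that gap is exactly the kind of finding the timeline is meant to surface, and the reason both parties' logs are worth requesting.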
Log properties: Volume

To be useful, logs have to be generated with a certain granularity. If the granularity is too coarse we will not be able to establish time relations.
Stored logs take a huge amount of disk, so after some time (days, months or years) logs are usually erased, as we don't have infinite disk resources.
To avoid wasting disk space, only the logs regarding relevant events are stored. Most applications can generate information/debugging logs, but these are generally disabled.
A good log policy makes it much easier to perform a forensic analysis.
Log properties: Ownership

Logs generally belong to the party storing them and can be generated/stored at any point of the information exchange:
- In the client premises
- In the network operator premises
- In the receiver premises
Each party will have its own log policy and its applicable regulations regarding log storage and retention.
There are hosting providers who offer what is called "bulletproof hosting", which, in fact, is a hosting service which doesn't generate/store/provide any logs. Placed in countries with very loose regulations regarding logs. Used by most criminal organizations for their activities.
Securing the evidence
1. Capture order
2. Evidences in memory
3. Evidences in disk
Capture Order

This is based on different guidelines for the collection of electronic evidence, such as the Volatility Order.
What will disappear first:
1. Route tables and ARP cache
2. Machine RAM memory
3. Filesystem temporal directories
4. Physical disk
5. Etc.
Sometimes, when capturing evidence, some of this information has already been lost.
Evidences in Memory

There is some information that is only available to acquire while the system is still on, because it gets lost once the system is shut down:
- Active connections
- Processes information (for example, a malware process)
- Passwords
- Opened files
- Network connections
- Run commands
- User connections
Evidences in Disks

In the case of the disk, once the machine is turned off, what we are looking for is:
- Reconstruct the filesystem
- Network shared folders
- Operating System and time zone
- User accounts
- User activity (logs)
Acquisition methods
1. Live
2. Post-mortem
Live

When acquiring the information while the system is still on, we have to take into account some points:
- The acquisition of this information alters the original evidence, because we need to run tools on the machine. This modifies memory and overwrites possible evidence.
- It's important to document this action correctly.
Post-mortem

When acquiring evidence from a shut-down system, the only option is to take a snapshot of the disk and of the backups, if they exist.
If done correctly, this process does not modify the contents in any way.
After capturing the evidence and generating the hash, sometimes it is possible to emulate the real system from the image. This procedure has to be well documented.
Secure transfer of evidences
1. HASHES
2. Multiple copies
3. Physical supports
HASHES: Description

A Hash Function gives a Hash Value after computing an input; when this input is modified, the Hash Value is also modified. We have to take some considerations into account about Hash functions and values:
- Almost every different input produces a different output
- A minor change in the input produces a completely different output
- A Hash Value can be used to ensure a piece of information has not been modified
- Some algorithms have been proved to produce collisions. MD5 and SHA-1 are less robust, and can generate the same Hash Value for two different inputs. For the moment SHA-256 has not been broken.
Diagram: input -> hash function -> hash value
HASHES: Example

LIVE-FOR  md5  b7be181a9e4a4453303d911f8be2e94f
LIVE_FOR  md5  5e1a1d19e1f3a5c251db1f77b77beafd
Project Gutenberg's Don Quijote (37861 lines, 384260 words, 2198927 characters)
http://www.gutenberg.org/cache/epub/2000/pg2000.txt  md5  9209119eb141102f4c0d7ca676e3041c
Multiple copies

It is always recommended to generate multiple copies when taking the evidence (verifying them by HASH). This has some advantages:
- In case one of the copies gets lost, there is a backup which can be copied again
- Multiple analyses can be conducted in parallel over different copies
- Working with copies avoids evidence corruption if modifications are made during forensic analysis
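An added example, not part of the LIVE_FOR material, that serves both the HASHES slides and the Multiple copies slide above: it hashes a constructed "evidence image" in chunks (so a real disk image never has to fit in memory), shows the avalanche effect of a one-bit change in the input, makes several copies of the image, verifies each copy against the hash recorded at acquisition, and detects a copy that was modified afterwards. The image is random bytes written to a temporary directory and the file names are invented; running `avalanche(b"LIVE-FOR", "md5")` and `avalanche(b"LIVE_FOR", "md5")` also reproduces the MD5 values for the two strings on the example slide, for comparison.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read/write 1 MiB at a time


def hash_file(path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def avalanche(data: bytes, algorithm: str = "sha256") -> tuple:
    """Digest of data and of data with one bit flipped, plus how many hex chars differ."""
    if not data:
        raise ValueError("need at least one byte to flip")
    flipped = bytearray(data)
    flipped[0] ^= 0x01                       # change a single bit of the input
    d1 = hashlib.new(algorithm, data).hexdigest()
    d2 = hashlib.new(algorithm, bytes(flipped)).hexdigest()
    differing = sum(a != b for a, b in zip(d1, d2))
    return d1, d2, differing


def make_copies(source, dest_dir, count: int) -> list:
    """Copy the acquired image `count` times and return the paths of the copies."""
    copies = []
    for i in range(1, count + 1):
        dst = Path(dest_dir) / f"{Path(source).name}.copy{i}"
        with open(source, "rb") as src, open(dst, "wb") as out:
            for block in iter(lambda: src.read(CHUNK), b""):
                out.write(block)
        copies.append(dst)
    return copies


def verify_copies(reference_hash: str, copies, algorithm: str = "sha256") -> dict:
    """Map each copy to True if its hash still matches the hash taken at acquisition."""
    return {str(p): hash_file(p, algorithm) == reference_hash for p in copies}


def demo() -> tuple:
    """Acquire, copy, verify, then show that a modified copy fails verification."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed evidence image: random bytes, not a real disk image.
        image = Path(tmp) / "evidence.img"
        image.write_bytes(os.urandom(3 * CHUNK + 123))
        reference = hash_file(image)          # hash recorded at acquisition time
        copies = make_copies(image, tmp, 3)
        before = verify_copies(reference, copies)
        # Simulate an accidental modification of one working copy during analysis.
        with open(copies[2], "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        after = verify_copies(reference, copies)
        return reference, before, after


if __name__ == "__main__":
    ref, before, after = demo()
    print("sha256 at acquisition:", ref)
    print("all copies valid right after copying:", all(before.values()))
    print("copies valid after tampering with one:", after)
    print("avalanche (sha256, one bit flipped):", avalanche(b"LIVE_FOR"))
```

The reference hash is taken once, from the original acquisition, and every later comparison is made against that value rather than against another copy; otherwise two copies that were both altered in the same way would still agree with each other.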
Physical supports

The most common physical support for evidences are hard disk drives, due to their high capacity and low cost.
They have to have a chain of custody document attached, with information regarding the evidence:
- Description of the evidence, including the HASH
- Technical data of the support (serial number...)
- People who had access to it, with timestamp
- Copies made, with name and timestamp