IT-forensic investigative measures - LIVE_FOR

Page 1: IT-forensic investigative measures - LIVE_FOR

This project was funded by the European Union’s Justice Programme (2014-2020).

Antonio Rodriguez

LIVE_FOR

IT-forensic investigative measures

Page 2

Outline

1. How does the Internet work?
   - Client/Server
   - Information exchange
   - The Cloud
2. Information storage
   - Is all information stored?
   - Memory vs hard drives
3. Logs
   - What is a log?
   - Log properties
   - Uses

Page 3

4. Securing the evidence
   - Capture order
   - Evidence in memory
   - Evidence in disk
5. Acquisition methods
   - Live
   - Post-mortem
6. Secure transfer of evidence
   - Hashes
   - Multiple copies
   - Physical supports

Page 4

How does the Internet work?

1. Client / Server
2. Information exchange
3. The Cloud

Page 5

How does the Internet work?

"How Does the Internet Work?" (http://www.datacenterscanada.com): a simple explanation of how the Internet really works. It covers networks, inter-networks, data packets, peering and Internet exchanges.

https://www.youtube.com/watch?v=i5oe63pOhLI

Watch until 2:40. The clickable link is in the chat.

Page 6

Client / Server

When using the Internet there is always a computer called the client, which sends requests to another computer (or machine) called the server.

The main purposes of this communication are:
- Getting a web page
- Accessing an application
- Reading an e-mail
- Etc.

There are different types of servers:
- Web servers
- File servers
- Print servers
- Etc.

Page 7

Client / Server (diagram; not reproduced in the transcript)

Page 8

Information exchange

Information exchange is the process used to send or receive information over a network through some mechanism.

For this transfer to happen there must be a connection (wired or wireless) and a mutual language (a protocol) between the devices.

The speed of information exchange is called bandwidth and is measured in bps, which stands for bits per second.

Page 9

Information exchange: IP addresses

A unique identifying number for every connected device (unique within the network it is connected to; private addresses such as 192.168.x.x are reused in many separate networks, so on their own they do not identify a device on the Internet).

Two versions:

IPv4
- 4,294,967,296 (2^32) possible addresses
- Written like this: 127.0.0.1 (this particular address is the loopback address, i.e. the machine itself)

IPv6
- 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128, roughly 3.4 × 10^38) possible addresses
- Written like this: 2001:0db8:85a3:08d3:1319:8a2e:0370:7334 (the same address is also written 2001:db8:85a3:8d3:1319:8a2e:370:7334 with leading zeros dropped, so addresses taken from different logs have to be normalized before they are compared)

Page 10

Information exchange: IP addresses (diagram)

Hosts in the example network: 192.168.1.23, 192.168.1.24, 192.168.1.25, 192.168.1.32
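The classification and normalization described above, as an added example (not code from the LIVE_FOR slides). It uses only Python's standard `ipaddress` module; the sample addresses are constructed for the demonstration, with the 192.168.1.x ones taken from the slide's example network. Note that the slide's IPv6 example lies in 2001:db8::/32, a prefix reserved for documentation, which Python reports as non-global.

```python
"""Classify and normalize IP addresses as they appear in logs.

Added example (not from the LIVE_FOR slides). The sample addresses below are
constructed for the demonstration.
"""
import ipaddress

# Constructed sample: the same hosts as different systems might write them.
SAMPLE_ADDRESSES = [
    "192.168.1.23",
    "127.0.0.1",
    "2001:0db8:85a3:08d3:1319:8a2e:0370:7334",  # slide's IPv6 example, full form
    "2001:db8:85a3:8d3:1319:8a2e:370:7334",     # same address, compressed form
    "::ffff:192.168.1.23",                      # IPv4 host seen through an IPv6 socket
    "8.8.8.8",
]


def classify(text):
    """Return (canonical_address, version, scope) for one address string.

    scope is one of 'loopback', 'link-local', 'private', 'global'.
    IPv4-mapped IPv6 addresses are folded back to their IPv4 form so that the
    same host is reported identically whichever socket family logged it.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        scope = "loopback"
    elif addr.is_link_local:
        scope = "link-local"
    elif addr.is_private:
        # Includes RFC 1918 space and, for IPv6, the 2001:db8::/32 documentation prefix.
        scope = "private"
    else:
        scope = "global"
    # str() of an IPv6Address is the compressed canonical form, so the two
    # spellings of the slide's address collapse to one key.
    return str(addr), addr.version, scope


def attribution_note(scope):
    """What an investigator needs in order to attribute an address of this scope."""
    return {
        "loopback": "refers to the logging host itself; no external party involved",
        "link-local": "valid only on the local link; identify the host via switch/ARP data",
        "private": "not routable on the Internet; NAT or DHCP logs of that network are needed",
        "global": "routable; the registry (RIR) and the ISP's records identify the holder",
    }[scope]


def address_space_size(version):
    """Number of addresses in the whole IPv4 or IPv6 space (the slide's figures)."""
    net = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return net.num_addresses


if __name__ == "__main__":
    for raw in SAMPLE_ADDRESSES:
        canonical, version, scope = classify(raw)
        print(f"{raw:42} -> IPv{version} {canonical:28} {scope:10} {attribution_note(scope)}")
    print("IPv4 space:", address_space_size(4))
    print("IPv6 space:", address_space_size(6))
```

Run it as a script to see the table; when matching addresses across two parties' logs, compare the canonical form returned by `classify`, never the raw strings.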

Page 11

Information exchange: ports

Every device identified by a unique address has to be able to communicate simultaneously with various applications/services.

This is achieved by using logical ports.

Information exchange with each service is performed through one or more ports. Example: web servers use ports 80 (HTTP) and 443 (HTTPS).

There are 65536 ports (0 to 65535) for each transport protocol.

(Diagram: the client 192.168.1.25 sends a request from one of its free ports to port 80 on the server, and the server sends the response back to that port.)

Page 12

Information exchange: protocols

Protocols are conventions on how and what can be sent over the network. On the Internet the most common ones are:

IP: yes, that is the name of the protocol (Internet Protocol). Provides addressing by IP address.

TCP: stands for Transmission Control Protocol. Provides ports and various control mechanisms to ensure the data is received correctly and in order.

HTTP: stands for HyperText Transfer Protocol. Provides the web as we know it.
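The client/server exchange of slides 6, 11 and 12 carried out end to end, as an added example (not code from the LIVE_FOR slides): a TCP server on the loopback address answers an HTTP request, and each side reports the (client IP, client port, server IP, server port) 4-tuple that identifies the connection, which is exactly what a server log or an "active connections" capture records. The request, the response and the host name are constructed; the server port is chosen by the operating system instead of 80 so the example never collides with a real service.

```python
"""A minimal client/server exchange over TCP with an HTTP-shaped request.

Added example, not from the LIVE_FOR slides. Everything runs on 127.0.0.1.
"""
import socket
import threading


def serve_one(listener, log):
    """Accept exactly one connection, answer it, and record what a server
    log would record: who connected, from which port, and what they asked."""
    conn, (client_ip, client_port) = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:        # read until end of HTTP headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
        body = b"hello from the server"
        conn.sendall(
            b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
        )
        log.append({"client_ip": client_ip, "client_port": client_port,
                    "request": request_line})


def exchange(path="/index.html"):
    """Start a server on 127.0.0.1, connect a client to it, return what each
    side saw. The server port is fixed for the lifetime of the server (a real
    web server would use 80), the client port is a free ephemeral one, and
    both ends see the same 4-tuple."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    server_port = listener.getsockname()[1]
    server_log = []
    t = threading.Thread(target=serve_one, args=(listener, server_log))
    t.start()

    with socket.create_connection(("127.0.0.1", server_port)) as client:
        client_ip, client_port = client.getsockname()
        client.sendall(f"GET {path} HTTP/1.0\r\nHost: example.test\r\n\r\n".encode())
        response = b""
        while True:                            # server closes when done
            chunk = client.recv(4096)
            if not chunk:
                break
            response += chunk
    t.join()
    listener.close()

    headers, _, body = response.partition(b"\r\n\r\n")
    return {
        "client_side": (client_ip, client_port, "127.0.0.1", server_port),
        "server_side": (server_log[0]["client_ip"], server_log[0]["client_port"],
                        "127.0.0.1", server_port),
        "request_seen_by_server": server_log[0]["request"],
        "status": headers.split(b"\r\n")[0].decode(),
        "body": body.decode(),
    }


if __name__ == "__main__":
    for key, value in exchange().items():
        print(f"{key}: {value}")
```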

Page 13

The Cloud

Page 14

The Cloud: types of cloud

Who owns it? Whom does it serve?

Depending on who owns the infrastructure and on the nature of its users we can distinguish various cloud types. The most common are the following:

Public cloud: typically a privately owned infrastructure providing service to the general public. Examples: Amazon (AWS), Google Cloud, Microsoft (Azure).

Private cloud: typically a privately owned infrastructure providing service to the owner organization.

Hybrid cloud: as maintaining a private cloud, despite its advantages, is expensive, some organizations use two clouds: a private one for the services working with sensitive data, and a public one for less critical services.

Page 15

The Cloud: types of cloud services

(Diagram: the client sits on top of a stack of three layers, Application / Platform / Infrastructure, shown three times; in each case the layers managed by the cloud provider are marked.)

IaaS: the provider manages the infrastructure; the client manages the platform and the application.
PaaS: the provider manages the infrastructure and the platform; the client manages the application.
SaaS: the provider manages all three layers; the client only uses the application.

Page 16

Information storage

1. Is all information stored?
2. Memory vs hard drives
3. Encryption

Page 17

Is all information stored?

Information always needs a physical support to exist:
- the wire when it is transmitted
- the device memory when it is processed
- the disk when it is stored

All these supports have a cost: a provisioning cost and an operational cost.

Companies want to maximize profit, so:

NOT ALL INFORMATION IS STORED (1)

NOT ALL STORED INFORMATION IS DELETED (1)(2)

(1) Unless the law enforces it. (2) Deleting takes time, and time is money.

Page 18

Memory vs hard drives

Wire
- Lifetime: milliseconds
- Gets lost immediately

Memory
- Lifetime: milliseconds to days
- Gets lost when shutting down or rebooting

Disk drive
- Lifetime: days to years
- Permanent storage even without power

Page 19

Encryption

To avoid access by third parties, information can be encrypted.

It is a good option from the privacy point of view; from the forensics point of view it is an impediment.

Encryption can be applied both on the wire and on disk.

In memory, data is almost always in the clear: a running system holds the decrypted content and, for an encrypted disk, the decryption key itself. This is one reason to capture memory before powering off a machine whose disk may be encrypted.

Page 20

Logs

1. What is a log?
2. Uses
3. Log properties

Page 21

What is a log?

A log is a register of events.
- Normally generated in plain text
- Any event can be logged
- There is no standard format; every system/application uses its own, although most of them are similar
- Logs allow us to know what happened in an information system and are widely used for maintenance, auditing and forensics

Page 22

Log uses

From a forensic point of view logs can be used for:

Evidence collection: an action performed in an information system can generate one or more log entries, and these can be evidence of that action.

Event correlation: some actions are correlated with others, and these correlations can be established by looking at logs. For example, a mail server will generate a log entry when sending an e-mail, and the server receiving that e-mail will also generate the corresponding entry.

Timelines: ordering the logged events chronologically helps to understand what happened in an information system. Since each party writes timestamps in its own format and time zone, the entries have to be converted to a common reference (normally UTC) before they are ordered.
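The mail example above carried through in code, as an added example (not code from the LIVE_FOR slides): entries from the sending and the receiving server are parsed, their timestamps converted to UTC, the two servers' local queue ids tied together through the message-id that travels with the mail, and the result ordered into one timeline. The log lines, host names, addresses and queue ids are constructed for the demonstration and imitate two common formats; the receiver writes classic syslog timestamps with no year and no time zone, so the year and zone of that host are an assumption the analyst has to supply (here 2022 and UTC).

```python
"""Correlate mail-server logs from two parties and build a UTC timeline.

Added example, not from the LIVE_FOR slides. All log lines are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed: sender writes RFC 3339 timestamps with a +02:00 offset.
SENDER_LOG = """\
2022-07-27T10:15:01+02:00 mail-a postfix/cleanup[2110]: 4F1A2B: message-id=<a1b2c3@mail-a.example.test>
2022-07-27T10:15:02+02:00 mail-a postfix/smtp[2113]: 4F1A2B: to=<bob@example.test>, relay=mail-b.example.test[198.51.100.7]:25, status=sent (250 2.0.0 Ok: queued as 7C9D1E)
2022-07-27T10:20:44+02:00 mail-a postfix/cleanup[2110]: 9B8C7D: message-id=<zz9@mail-a.example.test>
"""

# Constructed: receiver writes syslog timestamps without year or zone.
RECEIVER_LOG = """\
Jul 27 08:15:02 mail-b exim[4401]: 7C9D1E <= alice@example.test H=mail-a.example.test [203.0.113.5] id=a1b2c3@mail-a.example.test
Jul 27 08:15:03 mail-b exim[4402]: 7C9D1E => bob <bob@example.test> R=local_user T=maildir_delivery
"""
RECEIVER_YEAR, RECEIVER_TZ = 2022, timezone.utc   # assumption about mail-b's clock

SENDER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
RECEIVER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): (?P<qid>[0-9A-F]+) (?P<rest>.*)$")


def parse_sender(text):
    """Yield (utc_time, host, queue_id, rest) for each sender line."""
    for line in text.splitlines():
        m = SENDER_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            yield ts, m["host"], m["qid"], m["rest"]


def parse_receiver(text):
    """Same, supplying the year and zone the receiver's format omits."""
    for line in text.splitlines():
        m = RECEIVER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{RECEIVER_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts.replace(tzinfo=RECEIVER_TZ), m["host"], m["qid"], m["rest"]


def build_timeline(sender_text, receiver_text):
    """Return (utc_time, host, message_id, event) entries sorted by time.

    Queue ids are local to each server, so the message-id is the cross-server
    key; the sender's 'queued as X' also tells which receiver queue id belongs
    to the same message."""
    qid_to_msgid = {}          # (host, queue id) -> message-id
    events = list(parse_sender(sender_text)) + list(parse_receiver(receiver_text))
    for ts, host, qid, rest in events:
        m = re.search(r"(?:message-id=<|\bid=)([^>\s]+)", rest)
        if m:
            qid_to_msgid[(host, qid)] = m.group(1)
    for ts, host, qid, rest in events:
        m = re.search(r"relay=(?P<relay>[^\[\s]+).*queued as (?P<rqid>[0-9A-F]+)", rest)
        if m and (host, qid) in qid_to_msgid:
            relay_host = m["relay"].split(".")[0]
            qid_to_msgid.setdefault((relay_host, m["rqid"]), qid_to_msgid[(host, qid)])
    timeline = [(ts, host, qid_to_msgid.get((host, qid), "?"), rest.split(",")[0])
                for ts, host, qid, rest in events]
    timeline.sort(key=lambda e: e[0])   # stable sort: ties keep source order
    return timeline


def events_for_message(timeline, message_id):
    """All entries, on both servers, that belong to one message."""
    return [e for e in timeline if e[2] == message_id]


if __name__ == "__main__":
    for ts, host, msgid, event in build_timeline(SENDER_LOG, RECEIVER_LOG):
        print(f"{ts.isoformat()}  {host:7} {msgid:28} {event}")
```

Without the conversion to UTC the receiver's entry (08:15:02) would appear to precede the sender's (10:15:02) by two hours; with it, the two line up to the second.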

Page 23

Log properties: volume

To be useful, logs have to be generated with a certain granularity. If the granularity is too coarse we will not be able to establish time relations between events.

Stored logs take a huge amount of disk space, so after some time (days, months or years) logs are usually erased or overwritten, as disk resources are not infinite.

To avoid wasting disk space only the logs regarding relevant events are stored. Most applications can generate informational/debugging logs, but these are generally disabled.

A good log policy makes a forensic analysis much easier.

Page 24

Log properties: ownership

Logs generally belong to the party storing them and can be generated/stored at any point of the information exchange:
- on the client's premises
- on the network operator's premises
- on the receiver's premises

Each party will have its own log policy and its applicable regulations regarding log storage and retention.

There are hosting providers who offer what is called "bulletproof hosting", which in fact is a hosting service that does not generate, store or provide any logs. They are placed in countries with very loose regulations regarding logs and are widely used by criminal organizations for their activities.

Page 25

Securing the evidence

1. Capture order
2. Evidence in memory
3. Evidence in disk

Page 26

Capture order

This is based on the different guidelines for the collection of electronic evidence, such as the order of volatility (described, for example, in RFC 3227): capture first what will disappear first.

What will disappear first:
1. Routing tables and ARP cache
2. Machine RAM memory
3. Filesystem temporary directories
4. Physical disk
5. Etc.

Sometimes, by the time the evidence is captured, some of this information has already been lost.

Page 27

Evidence in memory

Some information is only available for acquisition while the system is still on, because it is lost once the system is shut down:
- Active connections
- Process information (for example a malware process)
- Passwords
- Open files
- Network connections
- Commands run
- User sessions

Page 28

Evidence on disk

In the case of the disk, once the machine is turned off, what we are looking for is:
- Reconstructing the filesystem
- Network shared folders
- Operating system and time zone
- User accounts
- User activity (logs)

Page 29

Acquisition methods

1. Live
2. Post-mortem

Page 30

Live

When acquiring information while the system is still on, we have to take some points into account:

The acquisition itself alters the original evidence, because we need to run tools on the machine. This modifies memory and may overwrite possible evidence.

It is important to document this precisely: which tool was run, from where, at what time and what it produced, so that the alteration caused by the acquisition can be explained and told apart from the actions under investigation.
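A live collector that follows the capture order of slide 26, gathers the memory-resident items of slide 27 and documents itself as slide 30 requires, as an added example (not code from the LIVE_FOR slides). The command list is a typical Linux set and is an assumption to adapt to the system at hand; every command's output is written to a file, hashed with SHA-256 and recorded with UTC start and end times and the exact command line, because running the collector is itself an action on the live system. A missing tool or a hanging command is recorded as a finding instead of aborting the collection. Disk imaging is deliberately not part of it: it comes last in the order of volatility and is done with a dedicated imaging tool.

```python
"""Live collection in order of volatility, with each step documented.

Added example, not from the LIVE_FOR slides. DEFAULT_STEPS is an assumed
Linux tool set; demo_steps() is a portable stand-in used for testing.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: routing/ARP state, connections, processes, sessions.
DEFAULT_STEPS = [
    ("routes",      ["ip", "route", "show"]),
    ("arp_cache",   ["ip", "neigh", "show"]),
    ("connections", ["ss", "-tanp"]),
    ("processes",   ["ps", "auxww"]),
    ("sessions",    ["who", "-a"]),
]


def demo_steps():
    """Portable stand-in for DEFAULT_STEPS: one command that exists wherever
    Python does, and one that does not, to show how a failure is recorded."""
    return [("hello", [sys.executable, "-c", "print('hello')"]),
            ("missing_tool", ["no-such-tool-for-this-demo"])]


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect(steps, outdir=None):
    """Run each step in order, save its output, and return the manifest."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="live_collection_"))
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"collector": sys.argv[0], "started": now_utc(), "steps": []}
    for name, argv in steps:
        record = {"name": name, "argv": argv, "started": now_utc()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            record["returncode"] = proc.returncode
            data = proc.stdout
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            # A missing tool or a hang is itself a finding: record it, move on.
            record["error"] = repr(exc)
            data = b""
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        record.update(file=str(path), bytes=len(data),
                      sha256=hashlib.sha256(data).hexdigest(), finished=now_utc())
        manifest["steps"].append(record)
    manifest["finished"] = now_utc()
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest):
    """Re-hash every saved file; return the names whose hash no longer matches."""
    return [s["name"] for s in manifest["steps"]
            if hashlib.sha256(Path(s["file"]).read_bytes()).hexdigest() != s["sha256"]]


if __name__ == "__main__":
    m = collect(DEFAULT_STEPS, sys.argv[1] if len(sys.argv) > 1 else None)
    for s in m["steps"]:
        status = s.get("returncode", "ERR")
        print(f"{s['started']} {s['name']:12} rc={status!s:>4} {s['bytes']:8} bytes "
              f"sha256={s['sha256'][:16]}...")
    print("manifest in:", Path(m["steps"][0]["file"]).parent)
    print("files changed since collection:", verify(m))
```

The manifest is what goes into the case file next to the outputs: it proves when each tool ran, what it returned, and that the saved output has not changed since.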

Page 31

Post-mortem

When acquiring evidence from a shut-down system the only option is to take a complete image (snapshot) of the disk, and of the backups if they exist.

If done correctly (reading the disk through a write blocker or an equivalent read-only method) this process does not modify the contents in any way.

After capturing the evidence and generating its hash it is sometimes possible to emulate the real system from the image, for example by booting a copy of it in a virtual machine. This procedure has to be well documented and is always carried out on a working copy, never on the original image.

Page 32

Secure transfer of evidence

1. Hashes
2. Multiple copies
3. Physical supports

Page 33

Hashes: description

A hash function computes a hash value from an input; when the input is modified, the hash value changes too. We have to take some considerations about hash functions and values into account:
- In practice, every different input produces a different output.
- A minor change in the input produces a completely different output.
- A hash value can therefore be used to ensure that a piece of information has not been modified.
- Some algorithms have been proved to produce collisions: for MD5 and SHA-1 it is feasible to construct two different inputs with the same hash value, so they are less robust. For the moment SHA-256 has not been broken.

(Diagram: input -> hash function -> hash value)

Page 34

Hashes: example

LIVE-FOR -> md5: b7be181a9e4a4453303d911f8be2e94f

LIVE_FOR -> md5: 5e1a1d19e1f3a5c251db1f77b77beafd

Project Gutenberg’s Don Quijote (37861 lines, 384260 words, 2198927 characters; http://www.gutenberg.org/cache/epub/2000/pg2000.txt) -> md5: 9209119eb141102f4c0d7ca676e3041c

Changing a single character (LIVE-FOR vs LIVE_FOR) changes the whole hash value, and a two-megabyte book produces a hash value of exactly the same length as an eight-character string.

Page 35

Multiple copies

It is always recommended to make multiple copies when acquiring the evidence (verifying each of them by hash). This has some advantages:
- If one of the copies gets lost there is a backup from which it can be copied again.
- Multiple analyses can be conducted in parallel on different copies.
- Working on copies prevents corruption of the evidence if modifications are made during the forensic analysis.

Page 36

Physical supports

The most common physical support for evidence is the hard disk drive, due to its high capacity and low cost.

Each support must have a chain-of-custody document attached with information regarding the evidence:
- Description of the evidence, including its hash
- Technical data of the support (serial number, ...)
- People who have had access to it, with timestamps
- Copies made, with name and timestamp
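The procedure of slides 33 to 36 in one piece of code, as an added example (not code from the LIVE_FOR slides): an acquired image is hashed in chunks (images are far larger than memory), copies are made and verified against the original, a one-bit change in a working copy is shown to be detected, and the chain-of-custody record the last slide asks for is written out. The image is a constructed byte string standing in for a disk image file; the examiner name and device serial number are placeholders. MD5 is computed alongside SHA-256 only because many existing reports list it; SHA-256 is the value to rely on.

```python
"""Hash an evidence image, verify its copies, record the chain of custody.

Added example, not from the LIVE_FOR slides. SAMPLE_IMAGE is constructed;
examiner and serial number are placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"MBR" + bytes(range(256)) * 16 + b"\x55\xaa"


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks; return {algorithm: hex digest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def avalanche(data, flip_byte=0):
    """Flip one bit of 'data'; return (sha256 of original, sha256 of changed)."""
    changed = bytearray(data)
    changed[flip_byte] ^= 0x01
    return hashlib.sha256(data).hexdigest(), hashlib.sha256(bytes(changed)).hexdigest()


def make_copies(original, workdir, count=2):
    """Write 'count' copies of the original and return their paths."""
    data = Path(original).read_bytes()
    paths = []
    for i in range(1, count + 1):
        p = Path(workdir) / f"copy{i}.img"
        p.write_bytes(data)
        paths.append(p)
    return paths


def verify_copies(original, copies):
    """Return the copies whose SHA-256 differs from the original's (should be empty)."""
    reference = hash_file(original)["sha256"]
    return [str(c) for c in copies if hash_file(c)["sha256"] != reference]


def custody_record(original, copies, examiner, device_serial):
    """The chain-of-custody entry: description with hashes, technical data of
    the support, who accessed it and when, and each copy with maker and time."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "description": f"Disk image {Path(original).name}",
        "hashes": hash_file(original),
        "support": {"serial_number": device_serial},
        "access_log": [{"who": examiner, "when": now, "action": "acquired and hashed"}],
        "copies": [{"file": str(c), "made_by": examiner, "when": now,
                    "sha256": hash_file(c)["sha256"]} for c in copies],
    }


def demo(workdir=None):
    """Acquire (write the sample), copy, verify, damage one copy, verify again."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="evidence_"))
    original = workdir / "evidence.img"
    original.write_bytes(SAMPLE_IMAGE)
    copies = make_copies(original, workdir)
    record = custody_record(original, copies, examiner="A. Examiner",
                            device_serial="SN-PLACEHOLDER")
    clean = verify_copies(original, copies)
    # An analyst accidentally modifies a working copy: a single bit flipped.
    damaged = bytearray(copies[1].read_bytes())
    damaged[0] ^= 0x01
    copies[1].write_bytes(bytes(damaged))
    after_tamper = verify_copies(original, copies)
    (workdir / "custody.json").write_text(json.dumps(record, indent=2))
    return record, clean, after_tamper


if __name__ == "__main__":
    record, clean, after = demo()
    print(json.dumps(record, indent=2))
    print("mismatching copies before the change:", clean)
    print("mismatching copies after the change: ", after)
```

The record is written as JSON next to the copies; in practice it is printed and signed as well, since the custody document has to survive independently of the media it describes.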