
Computer Forensics

By Rob Ferrill

Forensics in a Nutshell
• Evidence Seizure
• Investigation and Analysis
• Reporting Results

“Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system”
Farmer and Venema
www.fish.com/security/forensics.html

Forensic and Investigative Essentials - SANS ©2004
Do You Have a Plan?
• Planning and Policy
  - Do you have an incident response policy in place?
  - External Incident
    - Intrusions, viruses, denial of service, theft of service
  - Internal Incident
    - Intellectual property theft, malicious intent, policy abuse

Forensically Fortifying Your Network
• System time
  - GMT or local
  - Use Network Time Protocol
• Network logs
  - Firewalls, IDS, e-mail, file servers
• Backups
  - Critical servers and tertiary servers
• Hash databases

Forensic Definitions
• Evidence
• Best evidence
• Chain of custody
• Images
• Dirty word list
• Incident response forensics
• Media analysis

Evidence
• Definition: something that tends to establish or disprove a fact
• What potentially can be the smallest piece of evidence?
  - 4 bytes
  - An IP address in hex

Best Evidence Rule
• Definition: the original writing must be offered as evidence unless it is unavailable, in which case other evidence, like copies, notes, or other testimony, can be used.
• Accurate representation of original data on a system
• Extracted data may be introduced as evidence

Chain of Custody
• Chain of custody
  - Establishes each person who has had custody of the evidence
  - Establishes continuity of possession
  - Proof of integrity of the handling of the evidence collected

Chain of Custody Items
• Chain of custody items
  1. Date and time item was seized
  2. Location and who it was obtained from
  3. Make, model, and serial number
  4. Name of individual(s) who collected evidence
  5. Description of evidence

Chain of Custody Items (2)
• Chain of custody items
  6. Full name and signature of person receiving evidence
  7. Case number and item (tag) number of evidence
  8. Hash values (if available, MD5sum is fine) of evidence if able to obtain
  9. Pertinent technical data (drive geometry)

Image
• What is an “image”?
• Bit-for-bit copy of the original evidence gathered from a system
• Could include:
  - Hard drive (logical or physical)
  - Memory
  - Removable media

Dirty Word Lists
• Keywords specific to your case
• A list that is used to search for hits on your hard drive
• Modified during an investigation while you perform your analysis

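An added example, not part of the SANS deck, of the dirty-word-list search the slide describes: it scans a raw image in fixed-size chunks and carries an overlap between chunks so a keyword that straddles a chunk boundary is still found, reporting the absolute byte offset of every hit. The image contents, the keywords and the planted offsets are constructed sample data.

```python
"""Dirty-word-list search over a raw image (added example, not from the slides).
Chunked read with an overlap of (longest keyword - 1) bytes so a keyword split
across a chunk boundary is still found. Image and keywords are constructed."""
import os
import tempfile

CHUNK_SIZE = 4096  # bytes read per iteration; memory stays flat for multi-GB images


def search_image(path: str, dirty_words: list[str]) -> dict[str, list[int]]:
    """Return {keyword: sorted absolute byte offsets of every hit}."""
    needles = {w: w.encode("utf-8") for w in dirty_words}
    overlap = max(len(n) for n in needles.values()) - 1  # tail carried to bridge a boundary
    found: dict[str, set[int]] = {w: set() for w in dirty_words}  # set: tail bytes are scanned twice
    tail, base = b"", 0  # carried bytes and the absolute offset of tail[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            buf = tail + chunk
            for word, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    found[word].add(base + pos)
                    pos = buf.find(needle, pos + 1)  # pos + 1 also catches overlapping hits
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return {w: sorted(offs) for w, offs in found.items()}


def build_sample_image(path: str) -> None:
    """Constructed three-chunk image: zero filler with keywords planted at known
    offsets, one of them straddling the first chunk boundary (offset 4096)."""
    img = bytearray(CHUNK_SIZE * 3)
    for off, data in {100: b"secret-project", CHUNK_SIZE - 4: b"payroll.xls",
                      9000: b"secret-project"}.items():
        img[off:off + len(data)] = data
    with open(path, "wb") as fh:
        fh.write(img)


def demo() -> dict[str, list[int]]:
    """Build the sample image in a temp dir, search it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        build_sample_image(path)
        return search_image(path, ["secret-project", "payroll.xls"])


if __name__ == "__main__":
    print(demo())  # {'secret-project': [100, 9000], 'payroll.xls': [4092]}
```
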
Evidence Integrity
• Ensure that the evidence has not been altered
• Bit-image copies
• Locked and limited-access cabinet
• Use cryptographic hashes to ensure integrity of original evidence and copies

Evidence Hashes
• Electronic evidence is used as input
• Non-reversible
• No two “different” files can create the same hash
• Ideal way to ensure integrity

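An added example, not part of the SANS deck, that ties the Evidence Integrity and Evidence Hashes slides to the chain-of-custody items listed earlier: it hashes an image in chunks, stores the digests in a custody record that refuses to be created without the listed items, and verifies a working copy against the record. SHA-256 is computed alongside the MD5 the slides mention; every name, case number, timestamp and image byte below is constructed.

```python
"""Evidence hashing and chain-of-custody record (added example, not from the slides).
Hashes an image in chunks, stores the digests with the slides' custody items (item 8,
the hashes, is computed) and verifies a copy against the record. SHA-256 is added
beside the MD5 the slides mention; names, numbers and image bytes are constructed."""
import hashlib

CUSTODY_ITEMS = ("seized_at", "location_and_source", "make_model_serial", "collected_by",
                 "description", "received_by_signature", "case_and_item_number", "drive_geometry")


def hash_bytes(data: bytes, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Digest `data` chunk by chunk, as one would stream a multi-GB image file."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha256")}
    for start in range(0, len(data), chunk_size):
        for h in hashers.values():
            h.update(data[start:start + chunk_size])
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_record(image: bytes, **items: str) -> dict[str, str]:
    """Chain-of-custody entry: refuse to create one with any listed item missing."""
    missing = [name for name in CUSTODY_ITEMS if not items.get(name)]
    if missing:
        raise ValueError(f"custody record incomplete, missing: {missing}")
    return {**items, **hash_bytes(image)}


def verify_copy(copy: bytes, record: dict[str, str]) -> bool:
    """True only if every recorded digest matches the copy (best-evidence check)."""
    return all(record[name] == digest for name, digest in hash_bytes(copy).items())


def demo() -> dict[str, bool]:
    """Constructed image (1 MiB + 8 bytes, so hashing spans two chunks): verify an intact copy and one with a flipped bit."""
    original = b"NTFS    " + bytes(range(256)) * 4096
    record = custody_record(
        original,
        seized_at="2004-03-15 14:32 UTC",  # GMT from an NTP-synced clock (constructed)
        location_and_source="Server room B, obtained from J. Doe (sysadmin)",
        make_model_serial="Constructed-Disk 80GB, S/N CD0001",
        collected_by="R. Examiner",
        description="Physical image of system disk, host WEB01",
        received_by_signature="A. Custodian /s/",
        case_and_item_number="CASE-2004-017 / item 3",
        drive_geometry="9729 cyl, 255 heads, 63 sectors (constructed)")
    tampered = bytearray(original)
    tampered[12345] ^= 0x01  # a single flipped bit changes every digest
    return {"intact_copy_verifies": verify_copy(bytes(original), record),
            "tampered_copy_verifies": verify_copy(bytes(tampered), record)}
```
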
Forensic Incident Response
• Incident response
  - Initially focuses on verification of the incident
  - Techniques highlight gathering evidence
    - Minimize data and evidence loss
    - Avoid adding data to the system through your actions
    - Recovery and downtime are major concerns
  - Initial concern is to triage the incident to prevent further potential damage to evidence

Media Analysis
• Media analysis
  - Focuses on processing copies of evidence gathered at the incident scene (i.e. an image)
  - Is not considered evidence gathering but evidence analysis
  - Primarily used to find specific data pertaining to the crime
  - Uses forensic workstations and automated tools to parse through gigabytes of data

Forensic Principles
• Four forensic principles = success
  1. Minimize data loss
  2. Record everything
  3. Analyze all data collected
  4. Report your findings

Recording Your Actions
• Four reasons to take good notes:
  1. May have to duplicate setup
  2. Explain how you took down the computer
  3. May be called upon to testify
  4. Witness’ notes can be used as a refresher

Think. Like. A. Hacker.
• Some incidents are just the tip of the iceberg
  - Usually one system compromised means you will find others
  - Always investigate due to this fact
• Wiretap?
  - Contemplate watching the hacker enter back into the system
  - See what he is doing and what he is after

Avoiding Common Mistakes
• Adding your own data to the system
• Killing any processes on the system
• Accidentally touching timestamps
• Using untrusted commands or tools
• Adjusting the system prior to evidence seizure (power off, patching, updates)
