
Posted on 22-Dec-2015


Page 1: Computer Forensics 劉 立 民 老師 中原大學 應用數學系. Introduction

Computer Forensics

Instructor 劉立民, Department of Applied Mathematics, 中原大學 (Chung Yuan Christian University)

Page 2

Introduction

Page 3

Sharon Guthrie Case

Sharon Guthrie, 54, drowned in the bathtub of her Wolsey, South Dakota home on May 14. An autopsy revealed the contents of 10-20 capsules of Temazepam in her body, a sleeping pill that had been prescribed for her husband.

Rev. Guthrie pleaded innocent. "A minister killing his wife in the bathtub? Impossible!" asserted the defense.

Judd Robbins, a computer forensics expert, found evidence that Guthrie had searched the Internet for painless and surefire killing methods.

Rev. Guthrie was sentenced to life imprisonment.

Page 4

The 蠻牛 (Whisbih) "Thousand Faces" poisoning case (蠻牛千面人)

In May of ROC year 94 (2005), bottles of "蠻牛" (Whisbih) and "保力達B" (Paolyta B) were laced with cyanide, and an innocent member of the public died after drinking one.

Police found a lead in surveillance footage and arrested a suspect.

On the suspect's computer they found the words and graphics for "毒蠻牛" (poisoned Whisbih), as well as threatening letters that had not yet been sent.

Page 5

Computer Crime

Computer misuse has two categories. In the first, the computer is used to commit a crime:

Child pornography
Threatening letters
Fraud
Theft of intellectual property

Page 6

Computer Crime (con't)

In the second category, the computer itself is the target of a crime (AKA incident response).

This started in the mid-80s, when attacks were carried out over phone lines through modems. With the Internet came more sophisticated attacks.

Page 7

What is Computer Forensics

Computer forensics includes the preservation, identification, extraction, documentation, and interpretation of computer data.

Page 8

What is Computer Forensics

This evidence can be useful in many investigations:

Civil litigation such as divorce, harassment, and discrimination cases
Corporations investigating embezzlement, fraud, or intellectual property theft
Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment claims
Insurance company investigations where evidence is required relating to insurance fraud, wrongful death, workers' compensation, and other cases

Page 9

Types of Incidents

Categories of incident defined by the Federal Computer Incident Response Center (FedCIRC):

Malicious code attacks
Unauthorized access
Unauthorized utilization of services
Disruption of service
Misuse
Espionage
Hoaxes

Page 10

Malicious code attacks

Malicious code: viruses, Trojan horse programs, worms, and scripts used by crackers/hackers.

Difficult to detect; self-replicating property.

Page 11

Unauthorized access

Improperly logging into a user's account
Unauthorized access to files and directories
Planting an unauthorized sniffer program or device

Page 12

Unauthorized utilization of services

Perpetrating an attack without access to someone's account
Using NFS to mount the file system of a remote server machine
Interdomain access mechanisms to Windows NT files and directories

Page 13

Disruption of service

Services can be disrupted in a variety of ways:

Erasing critical programs
Mail spamming
Altering system functionality by installing Trojan horse programs

Page 14

Misuse, Espionage, Hoaxes

Misuse: someone uses a computing system for other than official purposes, e.g. a legitimate user uses a government computer to store personal tax records.

Espionage is stealing information to subvert the interests of a corporation.

Hoaxes occur when false information about incidents or vulnerabilities is spread.

Page 15

Catching the criminal

The US FBI delineates the following aspects of computer forensic science:

Data objects
Digital evidence
Physical items
Original digital evidence
Duplicate digital evidence

Page 16

Catching the criminal (con't)

Data objects: objects or information of potential probative value that are associated with physical items.

Digital evidence: information of probative value that is stored or transmitted in digital form.

Physical items: items on which data objects or information may be stored and/or through which data objects are transferred.

Page 17

Catching the criminal (con't)

Original digital evidence: physical items and the data objects associated with such items at the time of acquisition or seizure.

Duplicate digital evidence: an accurate digital reproduction of all data objects contained on an original physical item.

Page 18

FedCIRC incident activity summary for 2000

Page 19

Detecting intrusion

The common approach to detecting intrusions is as follows:

Observe your systems for unexpected behavior or anything suspicious.
Investigate anything you consider to be unusual.
Initiate your intrusion response procedures when you find something that isn't explained by authorized activity.

Look for unusual or unauthorized user accounts or groups.

Page 20

Monitoring your Windows system

Look for unusual or unauthorized user accounts or groups. The Guest account should be disabled.
Check all groups for invalid user membership.
Check log files for connections from unusual locations or for any unusual activity.

Page 21

Computer management utility

Page 22

Monitoring your Windows system

Search for invalid user rights. The Guest account should be disabled.
Check all groups for invalid user membership.
Check log files for connections from unusual locations or for any unusual activity.
Check to see if unauthorized applications are running.

Page 23

Edit Registry

Page 24

Monitoring your Windows system

Look for invalid services.
Monitor the system startup folder.
Inspect network configurations for unauthorized entries.
Check your system program files for alterations.
Check for unusual ports listening for connections from other hosts by using netstat.

Page 25

Common program startup locations

Page 26

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Page 27

SuperScan 3.0 by Foundstone

Page 28

Incident Response Team

All organizations need an incident response team to develop a complete incident response capability.

The team should have written procedures for incident response, including what conditions warrant calling on local and/or federal law enforcement authorities.

Page 29

The incident reporting process

Low-level incidents are the least severe and should be resolved within one working day. Low-level incidents include:

Loss of passwords
Suspected unauthorized sharing of accounts
Misuse of computer hardware
Unintentional computer actions
Unsuccessful scans or probes

Page 30

The incident reporting process

Mid-level incidents are more serious and should be handled within 2-4 hours. Mid-level incidents include:

Property destruction related to a computer incident
Illegal download of copyrighted music/unauthorized software
Violation of special access
Unauthorized use of a system for processing or storing personal data
An act resulting from unfriendly employee termination
Illegal building access
Personal theft

Page 31

The incident reporting process

High-level incidents are the most serious and should be handled immediately. They include:

Property destruction related to a computer incident
Child pornography
Pornography
Personal theft (higher value than a mid-level incident)
Suspected computer break-in
Denial of service (DoS) attacks
Illegal software download
Malicious code
Any violation of the law

Page 32

Internal reporting procedure

Every organization needs to develop one that requires the following:

Preservation of evidence
Assessment
Containment and recovery actions
Damage determination
Report documentation
Lessons learned
Identification of corrective actions required by the organization's security programs

Page 33

Forensic Toolkit

Authenticity and integrity:

A tool to report any open TCP/UDP port and map them to the owning process or application
A tool to capture and analyze logs to identify and track who has gained access to a computer system
A utility to make a bit-stream backup of a hard drive
A tool to examine files on a disk drive for unauthorized activity
A program used to document the CMOS system time and date on a computer seized as evidence

Page 34

Forensic Toolkit (con't)

A password-cracking utility
A text-search utility that can scan Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews
A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data
A tool to discover hidden files, such as NTFS Alternate Data Streams
A data collection tool to capture file slack and unallocated (erased file) data

Page 35

Law Enforcement Considerations

Page 36

The Role of NIPC

The NIPC (National Infrastructure Protection Center) was established in 1998 and is located in the headquarters of the FBI.

The NIPC's functions:

The NIPC is the national focal point for gathering information on threats to critical infrastructure, coordinating the federal government's response to an incident, mitigating attacks, and investigating threats.
The NIPC provides law enforcement and intelligence information and reports to relevant federal, state, and local agencies.

Page 37

Taiwan

The Executive Yuan established the 國家資通安全會報 (National Information and Communication Security Taskforce), divided into seven working groups: general affairs, technical services, standards and specifications, audit services, cybercrime, information collection, and crisis notification.

Under the Taskforce is the 國家資通安全應變中心 (National Information and Communication Security Emergency Response Center), with six sub-groups covering administrative agencies, the national defense system, state enterprises, academic institutions, and private institutions.

Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)

Establishment of the Government Certification Authority (GCA) in February 1998

Page 38

Canada

In February 2001, Canada established the Office of Critical Infrastructure Protection & Emergency Preparedness (OCIPEP).

OCIPEP is headed by the Minister of National Defence and protects Canada's critical infrastructure from the risk of failure or attack.

An infrastructure protection coordination center was set up within OCIPEP.

The Canadian government defines six categories of national critical infrastructure: energy facilities (such as electricity, natural gas and oil transmission systems), communications (such as telecommunications and broadcasting systems), services (such as finance, food and health care), transportation (land, water, air and rail), safety (such as nuclear safety, search and rescue, and emergency relief), and government (such as key facilities, information networks and assets).

Page 39

United Kingdom

In December 1999, the UK established the National Infrastructure Security Co-ordination Centre (NISCC), responsible for developing projects to protect the national critical infrastructure from electronic attack.

The focus is on the IT systems of telecommunications, finance, water and sewerage systems, energy, transport, health services, central government, and emergency services.

Under NISCC are the Unified Incident Reporting & Alert Scheme (UNIRAS), which serves as the UK government's computer emergency response team, and the Electronic Attack Response Group (EARG).

Page 40

Related laws

Disclosure law: "Title 18, Part I, Chapter 121, Sec. 2702 of the Federal Criminal Code"

Computer crimes will be considered to break federal laws when they involve:

The theft or compromise of national defense, foreign relations, atomic energy, or other restricted information
A computer owned by a U.S. government department or agency
A bank or most other types of financial institutions
Interstate or foreign communications
People or computers in other states or countries

Page 41

Related laws (con't)

The "Computer Fraud and Abuse Act" was signed by President Reagan in 1986
Computer Abuse Amendments Act of 1994
The USA Patriot Act of 2001

Page 42

Related laws (Taiwan)

Copyright Act; Criminal Code Articles 220, 315, 318, 359, 360, etc.

Criminal Code Article 220: Writing, symbols, drawings or photographs on paper or on an object that, by custom or special agreement, suffice as proof of their intended meaning are deemed documents for the purposes of this chapter and of offenses outside this chapter. The same applies to sound recordings, video recordings or electromagnetic records whose sounds, images or symbols, displayed through processing by a machine or computer, suffice as proof of their intended meaning.

Criminal Code Article 359: Whoever without reason obtains, deletes or alters the electromagnetic records on another person's computer or related equipment, thereby causing damage to the public or to another, shall be punished by imprisonment for not more than five years, short-term detention, or a fine of not more than 200,000 dollars (二十萬元), or both.

Page 43

Forensic Preparation

Page 44

Forensic Preparation

Network Operating Systems Auditing and Logging

Logs can help organizations by:

Alerting system administrators to any suspicious activity
Determining the extent of any damage caused by an intruder's activity
Helping to quickly recover systems
Providing information or serving as evidence required for legal proceedings

Page 45

Enable auditing and logging on Windows

Page 46

Log files on Windows

Page 47

Centralized logging

The location of the log data is centralized.
The integrity of log data remains protected.
This approach is easier to back up, secure, and analyze.

Page 48

Logging Tools

Kiwi Syslog Daemon by Kiwi Enterprises: freeware for the Windows platform. www.kiwisyslog.com

GFI LANguard Security Event Log Monitor by GFI Software: able to analyze Windows NT/2000 event logs in real time. www.gfi.com

Page 49

Time Synchronization

Automating the synchronization of system clocks saves substantial time during an incident response.

On IP-based networks, the Network Time Protocol (NTP) is the one most commonly used.

Tools on Windows: Automachron by Guy Coding; NIST Internet Time Service (ITS); World Time by PawPrint.net

Page 50

Memory dump on Windows

The contents of the system memory should be printed or copied while it still resides in memory.

Windows 2000 and XP (not NT) include a handy feature to generate a memory dump file. However, it must first be configured to do so.

Page 51

Memory dump on UNIX

The sysdump command

Crash utility

Page 52

Imaging hard drives

Hard-drive imaging provides a mirror image or a snapshot of the data contained on the hard drive.

The imaging process can be performed offline (OS is turned off).

NIST's disk-imaging spec. includes the following guidelines:

The tool shall not alter the original disk.
The tool shall be able to access both IDE and SCSI disks.
The tool shall log input/output (I/O) errors.
The tool's documentation shall be correct.
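As an added example (not from the slides), the imaging loop below follows the NIST guidelines just listed and the "duplicate digital evidence" definition from Page 17: the source is only ever read, every unreadable sector is logged and zero-filled so later offsets stay aligned, and the duplicate is hashed at acquisition and re-hashed for verification. FlakySource is a constructed stand-in for a failing device; on a real system the same loop would read from a device opened read-only.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # sector size assumed for this demo


class FlakySource:
    """Constructed stand-in for a block device opened read-only.
    Sector numbers listed in `bad` raise OSError on read, as a failing
    disk would; there is deliberately no write() method."""

    def __init__(self, data, bad=()):
        self.data = data
        self.bad = set(bad)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // SECTOR in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_source(src, dst_path, size, sector=SECTOR):
    """Bit-stream copy of `size` bytes from src into dst_path, one sector
    at a time. Returns (sha256 of the duplicate, list of error-log lines)."""
    digest = hashlib.sha256()
    errors = []
    with open(dst_path, "wb") as dst:
        offset = 0
        while offset < size:
            src.seek(offset)
            try:
                chunk = src.read(sector)
            except OSError as exc:
                # NIST guideline: log I/O errors. Substitute a zero-filled
                # sector so every later offset in the duplicate still lines
                # up with the original.
                errors.append("offset %d: %s, sector zero-filled"
                              % (offset, exc.strerror))
                chunk = b"\x00" * sector
            if not chunk:
                break  # end of device reached early
            dst.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
    return digest.hexdigest(), errors


def verify_image(dst_path, acquisition_hash):
    """Re-hash the stored duplicate and compare it with the hash recorded
    at acquisition time."""
    h = hashlib.sha256()
    with open(dst_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == acquisition_hash


def demo():
    """Image a constructed 8-sector 'disk' whose sector 3 is unreadable."""
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    src = FlakySource(data, bad={3})
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        acq_hash, errors = image_source(src, path, len(data))
        verified = verify_image(path, acq_hash)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.remove(path)
    return {"hash": acq_hash, "errors": errors,
            "verified": verified, "image": image}


if __name__ == "__main__":
    result = demo()
    print("sha256:", result["hash"])
    for line in result["errors"]:
        print("I/O error:", line)
    print("verified:", result["verified"])
```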

Page 53

Business continuity and contingency planning

The NIST IT contingency planning guide:

Develop the contingency-planning policy statement
Conduct the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop an IT contingency plan
Plan testing, training, and exercises
Plan maintenance

Page 54

Develop the contingency-planning policy statement

The contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the agency's overall contingency objectives and establish the organizational framework and responsibilities.

Senior management (the CIO, Chief Information Officer) must support a contingency program.

The contingency program should comply with federal guidance contained in NIST SP 800-34.

Page 55

Key policy elements

Roles and responsibilities
Scope as applied to the type(s) of platform(s) and organization functions subject to contingency planning
Resource requirements
Training requirements
Exercise and testing schedules
Plan maintenance schedule
Frequency of backup and storage of backup media

Page 56

Conduct the Business Impact Analysis (BIA)

The BIA is the key step in the contingency-planning process. It enables the coordinator to fully characterize the system requirements, processes, and interdependencies.

The purpose of the BIA is to correlate specific system components with the critical services that they provide.

The BIA characterizes the consequences of a disruption to the system components.

Page 57

Identify preventive controls

Preventive methods are preferable to actions that may be necessary to recover the system after a disruption.

Preventive controls should be documented in the contingency plan.

Some common measures are listed here:

Appropriately sized uninterruptible power supplies (UPS) to provide short-term backup power to all system components (including environmental and safety controls)

Page 58

Identify preventive controls

Gasoline- or diesel-powered generators to provide long-term backup power
Air-conditioning systems with adequate excess capacity to permit failure of certain components such as compressors
Fire suppression systems
Fire and smoke detectors
Water sensors in the computer room ceiling and floor
Plastic tarps that may be unrolled over IT equipment to protect it from water damage

Page 59

Identify preventive controls

Heat-resistant and waterproof containers for backup media and vital nonelectronic records
Emergency master system shutdown switch
Offsite storage of backup media, nonelectronic records, and system documentation
Technical security controls, such as cryptographic key management and least-privilege access controls
Frequent, scheduled backups

Page 60

Develop recovery strategies

Recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption.

Strategies should address disruption impacts and allowable outage times identified in the BIA.

Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level contingency plans.

The strategy should include a combination of methods that complement one another to provide capability over the full spectrum of incidents.

Page 61

Develop an IT contingency plan

The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system.

The plan should document technical capabilities designed to support contingency operations.

The plan should comprise five main components: Supporting Information, Notification/Activation, Recovery, Reconstitution, and Plan Appendices.

Page 62

Plan testing, training, and exercises

Testing enables plan deficiencies to be identified and addressed. The following areas should be addressed in a contingency test:

System recovery on an alternate platform from backup media
Coordination among recovery teams
Internal and external connectivity
Restoration of normal operations
Notification procedures

Page 63

Plan maintenance

The contingency plan should be reviewed and updated regularly, as part of the organization's change management process.

The plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any element of the plan.

Certain elements, such as contact lists, will require more frequent reviews.

Page 64

Windows Registry, Recycle Bin, and Data Storage

Page 65

The Windows Registry

The registry is used to store:

Operating system configuration
Application configuration information
Hardware configuration information
User security information
Current user information

Page 66

Registry structure

The Registry has a hierarchical structure similar to a directory structure.

Each main branch is called a hive. Located within those hives are keys. Each key may contain other keys, called subkeys, along with their values. It is the values that contain the actual information stored within the Registry.

Page 67

Windows Registry

HKEY_CLASSES_ROOT contains: file-association types; Object Linking and Embedding (OLE) information; shortcut data.

HKEY_CURRENT_USER points to the section of HKEY_USERS appropriate for the user currently logged into the PC.

Page 68

Windows Registry

HKEY_LOCAL_MACHINE contains info about computer hardware, software, and other preferences for the local PC; it is used for all users who log onto this computer.

HKEY_USERS contains individual preferences for each user of the computer. Each user is represented by a security identifier (SID) subkey.

Page 69

Windows Registry

HKEY_CURRENT_CONFIG links to HKEY_LOCAL_MACHINE\Config for machine-specific information.

HKEY_DYN_DATA contains info that must be kept in RAM.

Page 70

Types of values

String or REG_SZ
Binary or REG_BINARY
DWORD or REG_DWORD
Multistring value or REG_MULTI_SZ
Expandable string value or REG_EXPAND_SZ

Page 71

Viewing and Editing Registry

Page 72

Registry backup and restore

Page 73

The Windows Recycle Bin

The purpose of the Recycle Bin was to provide users with the ability to reclaim deleted files.

Before users "empty" the Recycle Bin, the deleted files remain on disk.

Even after the Recycle Bin is emptied, the actual information remains in its original place on the hard drive (until the OS overwrites it).

Page 74

The Windows Recycle Bin Property

Page 75

Recovery Utilities

PC Inspector File Recovery

Page 76

Recovery Utilities

EasyRecovery Professional, www.ontrack.com

Page 77

UNIX/Linux ext2 File System

In ext2, the complete inode for a deleted file is preserved; only the name is removed from the directory, and the time of the deletion is marked in the inode.

Using e2undel

Page 78

Analyzing and Detecting Malicious Code and Intruders

Page 79

Analyzing Abnormal System Processes

Monitors should look for the following signs:

Unusual resource utilization or process behavior
Missing processes
Added processes
Processes that have unusual user identification associated with them

Page 80

Causes of abnormal system processes

Programs that log a user’s keystrokes or monitor and steal passwords.

Malicious code (virus, Internet worms, and Trojan horse applications)

Spyware (software that transmits information back to a third party without notifying the user)

Page 81

Windows Event Viewer

Log files allow you to check for:

Unusual login entries

Failures of services

Abnormal processes

Page 82

OS and Network Logs

When reviewing OS or network logs, look for the following:

Processes consuming excessive resources
Processes starting or running at unexpected times
Unusual processes not the result of normal authorized activities
Previously inactive user accounts that suddenly begin to spawn processes and consume computer or network resources

Page 83

OS and Network Logs

Processes that prematurely terminate
Unexpected or previously disabled processes, which may indicate that a hacker or intruder has installed his own version of a process or service
A workstation or terminal that starts exhibiting abnormal input/output behavior
Multiple processes with similar names (Explorer.exe vs. explorer.exe)
An unusually large number of running processes

Page 84

Windows Task Manager

Page 85

The Select Columns box in Windows Task Manager

Page 86

Default processes in Windows NT, 2000, and XP

Csrss.exe: the Client/Server Run-time Subsystem.
Explorer.exe: the GUI for the taskbar and desktop environment.
Lsass.exe: handles security administration on the local computer.
Mstask.exe: the task scheduler service.
Services.exe: the Windows Services Control Manager, which is responsible for starting and stopping system services.
Smss.exe: the Session Manager Subsystem, which is responsible for starting the user session.

Page 87

Default processes in Windows NT, 2000, and XP

Spoolsv.exe: the Windows spooler service, responsible for the management of spooled print and fax jobs.
Svchost.exe: a generic process which acts as a host for other processes running from DLLs.
System: permits system kernel-mode threads to run as the System process.
System Idle Process: a single thread running on each processor. Its sole task is accounting for processor time when the system isn't processing other threads.
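Added example (not from the slides): a triage pass over a process listing that uses the default process list above as a baseline and flags the signs from Pages 79, 82 and 83: missing or added processes, a default process name running under an unexpected user, and look-alike names one character away from a known process (the Explorer.exe vs. explorer.exe point; Windows file names are case-insensitive, so names are compared lowercased). The process listing and the expected owner accounts are assumptions constructed for the demo.

```python
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}

# Baseline taken from the default-process slides; the owner sets are an
# assumption for this demo (None = runs as the logged-on user).
BASELINE = {
    "system": SYSTEM_ACCOUNTS,
    "system idle process": SYSTEM_ACCOUNTS,
    "smss.exe": SYSTEM_ACCOUNTS,
    "csrss.exe": SYSTEM_ACCOUNTS,
    "services.exe": SYSTEM_ACCOUNTS,
    "lsass.exe": SYSTEM_ACCOUNTS,
    "svchost.exe": SYSTEM_ACCOUNTS,
    "spoolsv.exe": SYSTEM_ACCOUNTS,
    "mstask.exe": SYSTEM_ACCOUNTS,
    "explorer.exe": None,
}

# Constructed process listing (image name, owner), as Task Manager or
# PsList might show it.
SAMPLE_PROCESSES = [
    ("System", "SYSTEM"), ("System Idle Process", "SYSTEM"),
    ("smss.exe", "SYSTEM"), ("csrss.exe", "SYSTEM"),
    ("services.exe", "SYSTEM"), ("lsass.exe", "SYSTEM"),
    ("svchost.exe", "SYSTEM"), ("svchost.exe", "NETWORK SERVICE"),
    ("spoolsv.exe", "SYSTEM"), ("Explorer.exe", "alice"),
    ("lsass.exe", "alice"),      # default name, unexpected owner
    ("svch0st.exe", "alice"),    # one character away from svchost.exe
    ("notepad.exe", "alice"),    # simply not in the baseline
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes, baseline=BASELINE):
    """Return a list of findings; each is a dict with type, name, user, detail."""
    findings = []
    seen = set()
    for name, user in processes:
        n, u = name.lower(), user.lower()  # Windows names are case-insensitive
        seen.add(n)
        if n in baseline:
            owners = baseline[n]
            # explorer.exe should NOT run as a service account; the rest should.
            wrong = (u in SYSTEM_ACCOUNTS) if owners is None else (u not in owners)
            if wrong:
                findings.append({"type": "unexpected-user", "name": name,
                                 "user": user,
                                 "detail": "owner not expected for this process"})
            continue
        near = [b for b in baseline if edit_distance(n, b) == 1]
        if near:
            findings.append({"type": "lookalike", "name": name, "user": user,
                             "detail": "resembles " + near[0]})
        else:
            findings.append({"type": "not-in-baseline", "name": name,
                             "user": user, "detail": "added process"})
    for b in baseline:
        if b not in seen:
            findings.append({"type": "missing", "name": b, "user": "",
                             "detail": "default process not running"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print("%-16s %-22s %-16s %s" % (f["type"], f["name"], f["user"], f["detail"]))
```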

Page 88

Gathering Process Information

UNIX/Linux: ps -ef

Windows: PsTools, www.sysinternals.com

Page 89

PsTools suite

Page 90

Unusual or Hidden Files

Start -> Control Panel -> View menu -> Options

Page 91

Viewing Hidden Files under Unix/Linux

The find command is able to display files with unusual names such as ".. " (dot-dot-space) or ..^G (dot-dot-control-G):

find / -name ".. " -print -xdev
find / -name ".*" -print -xdev

Keep track of SUID programs:

find / -type f -perm -4000 -print | mail root

Page 92

Rootkits and Backdoors

"It takes a thief to catch a thief."

Windows rootkits are usually detected by any reputable antivirus s/w.

A rootkit is one of the most widely used hacker tools; it contains a suite of hacker utilities (log clean-up scripts and network packet sniffers) and specialized replacements of core Unix/Linux utilities such as netstat, ifconfig, ps, and ls.

Page 93

Rootkits and Backdoors

A rootkit is used to accomplish the following functions:

Prevent logging of activity
Establish backdoors for reentry
Hide or remove evidence of initial entry
Hide specific contents of files
Hide files and directories
Gather intelligence (ex: usernames and passwords)

Page 94

Detecting Rootkits on Unix/Linux

Manual inspection: the strings command. It can produce readable data such as the names of files where intruder passwords are kept.

Rootkit detection programs:

Chkrootkit, www.chkrootkit.org
Pedestal Software, www.pedestalsoftware.com

Page 95

Functions of a Backdoor

Main functions of a backdoor:

Getting back into the system with the least amount of visibility
Getting back into a machine even if the administrator tries to secure it
Permitting the hacker to regain entry into the system in the least amount of time

Page 96

Detecting Backdoors

Most reputable antivirus products are able to detect backdoor Trojans.

Freeware tools are available: Fport.exe, SuperScan (right), Nmap, Listdlls.exe

Page 97

Removing Rootkits and Trojans

The steps for removing a Trojan:

Identify the Trojan horse file on your system hard disk.
Find out how it is being initiated (ex: via Registry, Startup Folder, and so on) and take the action(s) necessary to prevent it from being restarted after a reboot.
Reboot your machine and delete the Trojan horse.

Page 98

Removing Rootkits and Trojans

The steps involved in recovering from a rootkit are:

Isolate the affected machine. (Disconnect it from the network and/or Internet.)
Determine the severity of the compromise. (Are other networked computers also infected?)
Begin the cleanup by reinstalling the OS and applications from a trusted backup.

Page 99

Detecting and Defending Against Network Sniffers

Nearly every rootkit includes utilities for sniffing network traffic.

Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the software, but also all other data traffic on the physically connected local network.

The ifconfig command allows the privileged administrator to determine whether any interfaces are in promiscuous mode.

Page 100

Removing Rootkits and Trojans

Unix/Linux: use ifconfig -a and look for the string PROMISC

Windows: PromiscDetect, www.ntsecurity.nu/toolbox/promiscdetect/

Page 101

Retrieving and Analyzing Clues

Page 102

Performing Keyword Searches

Purposes of keyword searches:

To locate occurrences of words or strings of text in data stored in files or in slack and unallocated file space
Internal audits to identify violations of corporate policy
To find evidence in corporate, civil, and criminal investigations which involve computer-related evidence
To find embedded text in formatted word-processing documents or fragments of such documents

Page 103

Industrial Strength Keyword-Searching Programs

AccessData Forensic Toolkit ($995)
EnCase Forensic Pro Suite by Guidance Software, Inc. ($895)
Maresware Suite by Mares and Company, LLC ($375)

Page 104

Freeware Keyword Search Tools

BinText by Foundstone, Inc., www.foundstone.com
Disk Investigator by Kevin Soloway, www.theabsolute/sware/
SectorSpyXP by Nick McCamy, home.carolina.rr.com/lexunfreeware

Page 105

SectorSpyXP 2.1

Page 106

Examining the Windows Swap File

The Windows swap file is space on a hard disk reserved for the OS to do paging.

The swap file is important when conducting a forensics investigation since a large volume of data can exist within the swap file.

Windows swap files can be dynamic or permanent.

Page 107

Locating and Viewing the Windows Swap File

Enable viewing of hidden files
Search for the swap file (ex: pagefile.sys)
Tools for viewing swap files: Norton Commander; Norton DiskEdit; EnCase, www.guidancesoftware.com; Filter_1, www.forensics-intl.com
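Added example, not from the slides, serving the keyword-search slides (Page 102) and the swap-file slides above: a search over raw bytes such as unallocated space, file slack or a pagefile, matching both plain ASCII and the UTF-16LE encoding Windows uses internally, plus a strings(1)-style extractor like the manual inspection step on Page 94. The sample buffer is constructed; a real run would read it from an image file.

```python
import re

# Constructed sample of "unallocated space": binary junk, an ASCII fragment,
# a UTF-16LE fragment (as Windows stores text internally) and a UTF-16LE
# Chinese keyword.
SAMPLE = (
    b"\xff\xfe\x00\x01MZ\x90\x00\x03"
    + b"Temazepam 20 mg\x00\x00"
    + "DELETED: memo.doc".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x01\x02"
    + "毒蠻牛".encode("utf-16-le")
    + b"\x00\x00\x00"
)


def _context(buf, start, end, width):
    """Printable rendering of the bytes around a hit, '.' for the rest."""
    lo, hi = max(0, start - width), min(len(buf), end + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in buf[lo:hi])


def keyword_search(buf, keywords, encodings=("ascii", "utf-16-le"), width=12):
    """Find every keyword in buf in each encoding. Matching is ASCII
    case-insensitive, which also covers Latin letters inside UTF-16LE
    (non-Latin bytes are compared exactly)."""
    hits = []
    for kw in keywords:
        for enc in encodings:
            try:
                needle = kw.encode(enc)
            except UnicodeEncodeError:
                continue  # e.g. a Chinese keyword has no ASCII form
            for m in re.finditer(re.escape(needle), buf, re.IGNORECASE):
                hits.append({"offset": m.start(), "encoding": enc, "keyword": kw,
                             "context": _context(buf, m.start(), m.end(), width)})
    return sorted(hits, key=lambda h: h["offset"])


def extract_strings(buf, min_len=4):
    """strings(1)-style extraction of printable runs, in ASCII and UTF-16LE,
    as (offset, encoding, text) tuples sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(buf)]
    found += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(buf)]
    return sorted(found)


if __name__ == "__main__":
    for h in keyword_search(SAMPLE, ["temazepam", "memo.doc", "毒蠻牛"]):
        print("%6d %-9s %-10s %s" % (h["offset"], h["encoding"],
                                     h["keyword"], h["context"]))
    for off, enc, text in extract_strings(SAMPLE):
        print("%6d %-9s %s" % (off, enc, text))
```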

Page 108

Tutorial on PC Inspector File Recovery

Download: http://www.pcinspector.de
Install
Delete files
Recover deleted files

Page 109

Tutorial on PsTools

Download: http://www.sysinternals.com
Install
Delete files
Recover deleted files

Page 110

References

Incident Response: Computer Forensics Toolkit, by Douglas Schweitzer
Hacking Exposed Web Applications, by Joel Scambray and Mike Shema
Computer Forensics, by
"Protect the nation's critical infrastructure well, and only then can we focus on the economy" (「護好國家關鍵基礎建設,才能安心去拼經濟」), by 陳友武, advisor to the Science and Economy group of the 國政基金會 (National Policy Foundation)
The Present and Future of Computer Forensic Science (電腦鑑識科學的現在與未來), Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)