Page 1 – All-In-One Edition
Chapter 20 – Forensics
Brian E Brzezicki
Page 3
– Investigating computer systems for compliance with company policies
– Investigating computer systems that have been attacked (part of incident response)
Page 4 – Forensics and Laws
• Forensics deals with legal concerns more than most other IT-related duties.
• Evidence must be collected if you want to take legal action.
• Computers and networks are troublesome as sources of evidence because the evidence is hard to “sense” and hard to prove. In fact it’s generally considered “hearsay” evidence.
Page 5 – Random Thought
Unlike many other areas of security, which can mix and match, forensics should always be done by a dedicated forensics person.
Forensics is a structured PROCESS for data and evidence collection and should always be done by someone who specifically focuses on these processes and procedures.
Page 6 – Standards for Evidence
For evidence to be considered credible it generally must be
– Sufficient – convincing on its own
– Competent – legally allowed and “reliable”
– Relevant – must be material to the case and have bearing on the matter in question
(more)
Page 7
• Real Evidence – tangible evidence that proves or disproves a fact (e.g. fingerprints)
(more)
Page 9 – 3 rules of evidence
1. Best Evidence rule – courts prefer the original evidence, rather than copies.
2. Exclusionary rule – evidence illegally seized cannot be used. If evidence is collected in violation of the Electronic Communications Privacy Act it will be excluded… that means a company MUST have a policy, and employees must understand that they are being monitored, if the company wants to use computer evidence against them.
3. Hearsay – hearsay is second-hand evidence, not gathered from the personal knowledge of a witness. Computer-generated evidence is hearsay evidence.
Page 10 – Evidence Collection
• Evidence should be collected in a way that is reliable and doesn’t compromise the evidence itself!
• Sometimes when you notice a break-in you have to weigh the costs of “stopping” the activity (turning off the server) against keeping it running. Why? Anybody?
(more)
Page 11 – Evidence Collection
Steps in collecting evidence on a machine
1. Dump system memory
2. Power down the system
3. Make a bit-level image of the machine, using a standalone machine (not the machine in question)
4. Analyze the image
(more)
Page 12
• The 2nd copy should be used for file authentication
• The 3rd copy should be the drive you analyze
• You should never use the tools on the computer in question; you should use a clean “forensics station” to analyze the hard drives (why?)
• You should always record the checksums of all the files on the computer before analysis (do example). See the related next slide (tripwire)
(more)
Page 13 – Tripwire screenshot
Page 16 – Transporting evidence
• Log all times someone removes evidence
• Be careful when transporting
Page 17 – Storing Evidence
• Store evidence in a locked-away and monitored/guarded area.
Page 18 – Chain of Custody
Once collected, you must protect evidence from tampering. Chain of Custody shows who obtained the evidence, where it was stored, and who had access to it.
• Record each item
• Record who collected it, and where and when
• Description of the evidence
• Tagged and sealed
• Obtain a signature from anyone accepting evidence
• Provide signatures and seals whenever evidence is opened
• Provide controls against tampering while in storage
Page 19 – Conducting the investigation
• Have a formal procedure beforehand!
• Have a professional do the analysis
• Take pictures beforehand
• Use a forensics station or a live CD for analysis (what is a live CD?)
• Image the hard drives multiple times with a bit-level method; work only on a copy
• Label the hard drive and store it in an anti-static bag
• Before doing any analysis, do a checksum on all files and store that info (why?)
• Keep a log of what you did and why; be able to explain and justify any actions taken
Page 20 – File Deletion Terms
When a user deletes a file, it’s not actually removed (unless using a highly secure OS). Some important terms relating to this are
• Free space – the space a file takes up that is still available after deletion (before something else uses it)
• Slack space – when file space is allocated, it is done in fixed-size blocks. A file will not actually use all of this space. The unused area of a file, even when the file is in use, is called the slack space. Information may be hidden in this space (see visualization)
(more)
Page 21 – Slack Space
Hackers can hide data in the slack space to avoid detection
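The slack-space idea on pages 20 and 21, as an added example that is not part of the slides: a raw image with a constructed 512-byte block size is examined, the allocated-but-unused tail of a file's last block is carved out, and printable strings in it are listed the way an examiner would with the strings tool. The image contents, block size and file layout are all constructed for the demo.

```python
"""Carve the slack space of a file from a raw image with fixed-size blocks
and list the printable strings found there."""
import math
import re

BLOCK = 512  # constructed block (cluster) size for the demo image


def build_image(first_block, file_bytes, planted, total_blocks=8):
    """Constructed image: zeros, the file at first_block, and 'planted'
    placed in the unused tail of the file's last block (its slack)."""
    img = bytearray(total_blocks * BLOCK)
    start = first_block * BLOCK
    img[start:start + len(file_bytes)] = file_bytes
    at = start + len(file_bytes) + 64
    img[at:at + len(planted)] = planted
    return bytes(img)


def slack_region(first_block, file_size):
    """Byte range [lo, hi) of the allocated-but-unused tail of the file."""
    blocks_alloc = math.ceil(file_size / BLOCK)
    lo = first_block * BLOCK + file_size
    hi = (first_block + blocks_alloc) * BLOCK
    return lo, hi


def carve_slack(image, first_block, file_size):
    lo, hi = slack_region(first_block, file_size)
    return image[lo:hi]


def printable_strings(data, min_len=4):
    """Like the 'strings' tool: runs of printable ASCII of at least min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def demo():
    file_bytes = b"A" * 1100   # logical size 1100 bytes -> 3 blocks allocated
    image = build_image(3, file_bytes, b"constructed hidden note")
    slack = carve_slack(image, 3, len(file_bytes))
    return len(slack), printable_strings(slack)


if __name__ == "__main__":
    print(demo())
```

A file whose size is an exact multiple of the block size has no slack at all, which `slack_region` reports as an empty range.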
Page 22 – Chapter 20 – Review Questions
Q What is the concept of best evidence?
Q When you want to do forensics on a computer, you should make a copy of the hard drive. What type of copy should you make?
Q What is the MINIMUM number of copies you should make of the original hard drive?
Page 23 – Chapter 20 – Review Questions
Q Put these steps of analysis in the correct order
C Dump Memory
D Image the hard drive
Q Why do you run checksums/hashes on the original files?