Solving Computer Crime: An Introduction to Digital Forensics


Solving Computer Crime: An Introduction to Digital Forensics
Golden G. Richard III, Ph.D.
Dept. of Computer Science
Gulf Coast Computer Forensics Laboratory (GCCFL)
golden@cs.uno.edu

Digital Forensics
- Definition: "Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices."
- Devices include computers, PDAs, cellular phones, videogame consoles

Examples of Digital Evidence
- Computers increasingly involved in criminal and corporate investigations
- Digital evidence may play a supporting role or be the "smoking gun"
- Email
  - Harassment or threats
  - Blackmail
  - Illegal transmission of internal corporate documents
  - Meeting points/times for drug deals
  - Suicide letters
  - Technical data for bomb making
- Image or digital video files (esp. child pornography)
- Evidence of inappropriate use of computer resources or attacks
  - Use of a machine as a spam email generator
  - Use of a machine to distribute illegally copied software

Major Issues
- Identification of potential digital evidence
  - Where might the evidence be?
  - Which devices did the suspect use?
- Preservation of evidence
  - On the crime scene
  - First, stabilize evidence: prevent loss and contamination
  - If possible, make identical copies of evidence for examination
- Careful extraction and examination of evidence
- Presentation
  - "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore HITLIST.DOC"
  - "The suspect attempted to hide the Microsoft Word document HITLIST.DOC but I was able to recover it without tampering with the file contents."
- Legal: Investigatory needs meet privacy

Preservation of Evidence: Hardly trivial
- Living room
- Just pull the plug?
- Move the mouse for a quick peek?
- Tripwires
- tick tick tick
- Volatile computing

Preservation: Imaging
- When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!
- Write blockers: Use them. Always.
- dd under Linux
- DOS boot floppies
- Proprietary imaging solutions
- Drivelock write blocker

Extraction and Examination
- Know where evidence can be found
- Understand techniques used to hide or "destroy" digital data
- Toolbox of techniques to discover hidden data and recover "destroyed" data
- Cope with HUGE quantities of digital data
- Ignore the irrelevant and target the relevant

Where's the evidence?
- Undeleted files, expect some names to be incorrect
- Deleted files
- Windows registry
- Print spool files
- Hibernation files
- Temp files (all those .TMP files!)
- Slack space
- Swap files
- Browser caches
- Alternate partitions
- On a variety of removable media (floppies, ZIP, Jazz, tapes, ...)

Fallacy vs. Fact in Digital Forensics
- Many digital forensics tools and techniques are quite complex
- Very difficult to cover in a short lecture
- To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach
  - Fallacy: User attempting to hide evidence believes one thing
  - Fact: But in fact...
- Look at a few fact vs. fallacy scenarios
- Then, one more advanced topic

Fallacy: File was deleted, it's gone!
- Users often mistake normal deletion of files for "secure" deletion
- Deleted files recoverable using forensics tools
- Why? Filesystem makes a small change in its bookkeeping info to mark a file as deleted
- Data associated with file is NOT erased
- Example: FAT32 (Windows), first character of filename is changed to 0xEF in directory entry to "delete" file
- Forensics software changes one character in directory entry, file reappears
- To prevent recovery, must perform secure overwrite of the file or physically destroy the media

Fallacy: I renamed the file, I'm safe!
- "childporn.jpg" -> "winword.exe"
- Renaming files is an ineffective defense against digital forensics investigation
- Technique #1: Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses
  - e.g., JPEG files contain 0x4a464946 or 0x45786966 in the first block of the file
- Technique #2: Cryptographic hashing provides a mechanism for "fingerprinting" files
  - File contents are matched quickly, regardless of name
  - Hashes equivalent, file contents equivalent
  - Think: fingerprints don't care about hair color

Aside: Hashing
- Typical algorithms: SHA-1, MD5
- Example:
  C:\> md5sum golden.jpg
  b28f08b004a7251a418e089ef3bb7409 *golden.jpg
  C:\> rename golden.jpg winword.exe
  C:\> md5sum winword.exe
  b28f08b004a7251a418e089ef3bb7409 *winword.exe
- Can automate checking of hashes
- Huge dictionaries exist with hashes for known files: http://www.nsrl.nist.gov/index/prodname.index.txt and known child pornography files
- Can quickly disregard known files and target the interesting stuff

Fallacy: I formatted the drive, whew!
- Formatting a drive does not prevent recovery of digital evidence
- In fact, format typically overwrites less than 1% of drive contents
- Why does it take so long? Format is reading disk blocks to determine if bad blocks exist
- Format wipes out directories, so names of files are lost
- A lot of the data can still be recovered by sifting through data that remains after the format operation
- For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file
- See digital forensics Technique #1 under the file renaming fallacy

Fallacy: Media mutilation = Miller time!
- Example #1: Cutting a floppy into pieces
- Example #2: Opening a hard drive, removing the platters, throwing them into the trash
- Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery
- Media can be reassembled and partial recovery performed
- Even strong magnetic fields are insufficient
  - Older "military grade" degausser for erasing hard drives was so strong that it bent the platters inside the drive
  - Your bulk tape eraser isn't going to do the job
- To destroy data: multiple overwrites (software) or complete destruction of hardware

That's One Big Degausser!

Fallacy: I used Web-based email
- Fallacy: Use of web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts)
- It's not. Even if you never download the email and immediately delete all messages on the server!
- Recently viewed web pages are stored in the web browser's cache
- Cache is often in a hard-to-find place
- Internet Explorer: Tools > Internet Options > Delete Files clears the cache in IE
  - See slide on recovery of deleted files for futility quotient
  - Files stored in browser cache are not securely deleted when the cache is cleared
- Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash

Recovery of web-based emails

Fallacy: Application uninstalls are easy
- Illegal application installed
- Fear ensues
- Application is uninstalled (Am I safe?)
- Application files can still be undeleted, proving application was installed
- Further steps to obscure installation: Securely overwrite application files
- Now am I safe? Nope. Remnants of installation can likely still be found in the Windows registry
- Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware

Fallacy: I encrypted my files
- On encrypted file systems, if file is ever printed and spool directory isn't encrypted, fragments may be left behind
- On some systems (e.g., Windows 2000), a "recovery agent" is able to read all encrypted files
  - For Windows 2000, this is the administrator account, thus just need to break administrator password
- Problem: keys for truly secure encryption schemes are long
  - Search for slips of paper
  - Search for unencrypted password lists
  - Search PDAs, phones, and organizers for passwords and encryption keys
  - Software or hardware keystroke loggers
  - Van Eck radiation
- If the file can't be decrypted, the name of the file may still be useful in prosecution

Beowulf, Slayer of Poorly Chosen Passwords
- How good are your passwords?

Steganography
- "Techniques for hiding information within other information"
- Historical
  - Tattoos
  - Text on wood under wax layer on a wax tablet
  - "Invisible" ink (e.g., writing with lemon juice)
- Modern
  - Much more sophisticated
  - Employ powerful encryption techniques
  - Hide documents within an image, video, or audio file
  - Hidden documents can be harmless, or child pornography, bomb plans, ...

Stego (2)

Stego (3)

Stego (4)
- Slipped inside the 2nd cactus picture by "jphide"
- Embedding in this case is not obvious (visually), and the image with embedded Golden is actually smaller (in bytes) than the original
- Statistical analysis by "stegdetect" guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.
- Diagram labels: Core, Igniter

Stego (5)
- This "bomb" diagram, however, is not detected inside the cactus picture

Bluepipe: On the Spot Digital Forensics

Legal Issues
- Investigative needs vs. the right to privacy
- Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
- Wiretap laws
- Chain of custody
- Admissibility of evidence in court: Daubert
  - Essentially: Has the theory or technique in question been tested? Is the error rate known? Widespread acceptance within a relevant scientific community?
- Patriot Act
  - Greatly expands governmental powers in terms of searching, wiretap w/o prior notification

The Other Side: Privacy
- We've concentrated on the cool technology, but...
- The existence of sophisticated digital forensics techniques is a great enabler for fascism
- Actively fight laws that don't appropriately balance privacy with need for investigation
- Secure file deletion software
  - Overwriting files with zeros is good enough unless a tunneling electron microscope is available
- Volatile computing
- Physical destruction of media
  - Grind the media into powder
  - Vats of acid or molten steel

Resources
- Books
  - Digital Evidence and Computer Crime (E. Casey, Academic Press)
  - Computer Forensics and Privacy (M. Caloyannides, Artech House)
- Websites
  - http://www.dfrws.org: lots of references related to digital forensics, including a link to an interesting e-journal, http://www.ijde.org/ (International Journal of Digital Evidence)
  - http://vip.poly.edu/kulesh/forensics/list.htm: tons of stuff, including a bunch of online papers and a huge collection of forensics-related software
- Commercial digital forensics software
  - Encase
  - FTK (Forensics Tool Kit)
  - ILook (law enforcement only)
  - WinHex

Presentation available:
http://www.cs.uno.edu/golden/teach.html
golden@cs.uno.edu
Office: Math 346

?
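The "file was deleted, it's gone!" slide above, as an added worked example that is not part of the presentation: a FAT-style delete flips one byte of the directory entry and leaves the data region alone, a forensic tool puts that byte back and the file reappears, and only a real overwrite of the clusters defeats that. The 32-byte directory-entry layout is the FAT short-name format; the sample file, its cluster number and the toy data region are constructed for the example, and the code simplifies by assuming contiguous clusters rather than walking a FAT chain. One caveat a practitioner should know: the FAT specification's deleted-entry marker is 0xE5, whereas the slides print 0xEF for the same byte.

```python
import struct

# All data here is constructed for the example; it is not taken from a real disk image.
CLUSTER_SIZE = 512
FIRST_DATA_CLUSTER = 2          # FAT numbers data clusters starting at 2
DELETED_MARKER = 0xE5           # FAT spec marker for a deleted entry (the slides print 0xEF)
ATTR_ARCHIVE = 0x20
CONTENT = b"HITLIST: constructed sample document body\r\n" * 4


def make_entry(name83: bytes, first_cluster: int, size: int) -> bytearray:
    """Build a 32-byte FAT32 short-name (8.3) directory entry."""
    if len(name83) != 11:
        raise ValueError("8.3 name must be exactly 11 bytes, space padded")
    entry = bytearray(32)
    entry[0:11] = name83
    entry[11] = ATTR_ARCHIVE
    struct.pack_into("<H", entry, 20, first_cluster >> 16)     # cluster number, high word
    struct.pack_into("<H", entry, 26, first_cluster & 0xFFFF)  # cluster number, low word
    struct.pack_into("<I", entry, 28, size)                    # file size in bytes
    return entry


def parse_entry(entry: bytes) -> dict:
    """Decode the fields an examiner looks at and flag the entry if it is marked deleted."""
    hi, = struct.unpack_from("<H", entry, 20)
    lo, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    return {"name": f"{name}.{ext}", "cluster": (hi << 16) | lo,
            "size": size, "deleted": entry[0] == DELETED_MARKER}


def _extent(entry: bytes):
    """Byte offset of the file's first cluster in the data region, plus its size."""
    info = parse_entry(entry)
    return (info["cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE, info["size"]


def delete_file(entry: bytearray) -> None:
    """A normal FAT delete: one bookkeeping byte changes; the data region is untouched."""
    entry[0] = DELETED_MARKER


def undelete_file(entry: bytearray, first_char: bytes) -> None:
    """What forensic software does: put a plausible first character back (the examiner supplies it)."""
    entry[0] = first_char[0]


def read_file(entry: bytes, data_region: bytes) -> bytes:
    """Read the file the entry points at (toy: contiguous clusters, no FAT chain walk)."""
    start, size = _extent(entry)
    return bytes(data_region[start:start + size])


def secure_overwrite(entry: bytes, data_region: bytearray) -> None:
    """The countermeasure the slide names: overwrite every cluster the file occupies."""
    start, size = _extent(entry)
    clusters = (size + CLUSTER_SIZE - 1) // CLUSTER_SIZE
    data_region[start:start + clusters * CLUSTER_SIZE] = bytes(clusters * CLUSTER_SIZE)


def demo() -> dict:
    data_region = bytearray(CLUSTER_SIZE * 4)          # four empty clusters
    cluster = 3                                        # file body lives in cluster 3
    data_region[CLUSTER_SIZE:CLUSTER_SIZE + len(CONTENT)] = CONTENT
    entry = make_entry(b"HITLIST DOC", cluster, len(CONTENT))

    delete_file(entry)
    marked = parse_entry(entry)["deleted"]
    still_there = read_file(entry, data_region) == CONTENT   # the data never moved

    undelete_file(entry, b"H")                         # one byte back, file reappears
    recovered = read_file(entry, data_region)

    secure_overwrite(entry, data_region)               # what it actually takes
    delete_file(entry)
    undelete_file(entry, b"H")                         # entry restored, but the clusters are gone
    after_wipe = read_file(entry, data_region)
    return {"marked_deleted": marked, "data_intact_after_delete": still_there,
            "recovered": recovered, "after_wipe": after_wipe}


if __name__ == "__main__":
    r = demo()
    print("entry marked deleted:", r["marked_deleted"])
    print("undelete recovers original:", r["recovered"] == CONTENT)
    print("after secure overwrite, recovered bytes are all zero:", not any(r["after_wipe"]))
```

The same single-byte change is why the two "presentation" phrasings on the Major Issues slide describe one and the same action: the examiner edits bookkeeping, not file contents.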
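The renaming fallacy (Technique #1, signature recognition, and Technique #2, hashing against a dictionary of known files) and the formatting fallacy (file carving by initial and terminal bytes) share the same machinery, so here is one added example covering both; it is not code from the presentation. The JPEG signatures are the ones the slides quote ("JFIF" = 0x4a464946 and "Exif" = 0x45786966, which sit at offset 6 of a JPEG after the FFD8 start marker); the sample "images", the stand-in executable, the known-hash set that plays the role of an NSRL-style dictionary and the raw "unallocated space" blob are all constructed for the example.

```python
import hashlib

# Everything below is constructed for the example: no real images, executables or NSRL data.


def make_sample_jpeg(tag: bytes, exif: bool = False) -> bytes:
    """Construct a minimal JPEG-shaped byte string: SOI, an APP segment, a body, EOI."""
    if exif:
        app = b"\xff\xe1\x00\x10Exif\x00\x00"
    else:
        app = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app + b"<constructed image data " + tag + b">" + b"\xff\xd9"


def identify(data: bytes) -> str:
    """Technique #1 on the slides: classify by content, ignoring the file name entirely."""
    if data[:2] == b"\xff\xd8" and data[6:10] in (b"JFIF", b"Exif"):  # 0x4a464946 / 0x45786966
        return "jpeg"
    if data[:2] == b"MZ":                                             # DOS/Windows executable header
        return "exe"
    return "unknown"


def fingerprint(data: bytes) -> dict:
    """Technique #2: hash the contents; a rename cannot change this."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


EXPECTED_EXT = {"jpeg": ("jpg", "jpeg"), "exe": ("exe",)}


def triage(files: dict, known_md5: set) -> dict:
    """Disregard files whose hash is in the known-file set and flag name/content mismatches."""
    report = {}
    for name, data in files.items():
        kind = identify(data)
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        report[name] = {
            "type": kind,
            "known": fingerprint(data)["md5"] in known_md5,
            "name_mismatch": kind in EXPECTED_EXT and claimed not in EXPECTED_EXT[kind],
        }
    return report


def carve_jpegs(blob: bytes) -> list:
    """File carving as the format slide describes: scan raw bytes for the JPEG start marker
    (FFD8FF) and end marker (FFD9) and cut out what lies between; no directory needed."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append(blob[start:end + 2])
        pos = end + 2
    return found


def demo() -> dict:
    photo = make_sample_jpeg(b"golden")
    real_exe = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a genuine executable"
    # "winword.exe" is the renamed copy of the photo, exactly as on the slides
    files = {"golden.jpg": photo, "winword.exe": photo, "notepad.exe": real_exe}
    known_md5 = {fingerprint(real_exe)["md5"]}          # constructed "known good" dictionary
    report = triage(files, known_md5)

    # Unallocated space after a format: the directory is gone, the file bodies are not
    raw = (bytes(64) + make_sample_jpeg(b"one") + b"\xff" * 9 + b"junk"
           + make_sample_jpeg(b"two", exif=True) + bytes(40))
    carved = carve_jpegs(raw)
    return {"report": report,
            "same_hash": fingerprint(files["golden.jpg"]) == fingerprint(files["winword.exe"]),
            "carved": [identify(c) for c in carved]}


if __name__ == "__main__":
    r = demo()
    for name, row in r["report"].items():
        print(f"{name:12s} type={row['type']:7s} known={row['known']} mismatch={row['name_mismatch']}")
    print("renamed copy hashes identical:", r["same_hash"])
    print("carved from raw blob:", r["carved"])
```

In practice the triage step runs over a whole image's file listing with a real hash set, and the carver runs over the unallocated and slack regions; the logic is the same, only the inputs are larger.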
