Chapter 16

Introduction to Forensics

However, remember that the steps outlined in this chapter are general guidelines. You should definitely consult whatever forensics standards are used in your jurisdiction. If you are not a law enforcement officer, you will still want to familiarize yourself with the procedures used by local law enforcement and to follow the same steps. If for some reason you cannot acquire the procedures used by your local law enforcement agency, then you can find federal guidelines. Here are some sources:

United States Secret Service: https://www.secretservice.gov/investigation/

FBI Computer Forensics: https://archives.fbi.gov/archives/news/stories/2009/august/rcfls_081809

Also keep in mind that a few jurisdictions have passed laws requiring that in order to extract the evidence the investigator must be either a law enforcement officer or a licensed private investigator. This law is controversial, given that private investigator training and licensing normally does not include computer forensics training. You should check with specifics in your state. However, many of those states will allow you to forensically examine a computer if you have the permission of the owner. So, this would not prohibit you from forensically examining computers in your company. However, forensics has become an integral part of response to network intrusions, so much so that the field is often called Digital Forensics Incident Response (DFIR).

The Council of Europe’s Electronic Evidence Guide is a basic guide for police officers, prosecutors, and judges.

The EU also has five principles that establish a basis for all dealings with electronic evidence:

Principle 1: Data Integrity: You must ensure that the data is valid and has not been corrupted.

Principle 2: Audit Trail: Similar to the concept of chain of custody, you must be able to fully account for the evidence. That includes its location as well as what was done with it.

Principle 3: Specialist Support: As needed, utilize specialists. For example, if you are a skilled forensic examiner but have limited experience with a Macintosh computer, get a Mac specialist should you need to examine a Mac.

Principle 4: Appropriate Training: All forensic examiners and analysts should be fully trained and always expanding their knowledge base.

Principle 5: Legality: Make certain all evidence is collected and handled in a manner consistent with all applicable laws.

Even if you don’t work within the European Union, these guidelines can be quite useful. Yes, they are rather broad, but they do provide guidance as to how to properly conduct a forensic examination.

STEP 1.   Visual Inspection: The purpose of this inspection is just to verify the type of evidence, its condition, and relevant information to conduct the examination. This is often done in the initial evidence seizure. For example, if a computer is being seized, you would want to document whether the machine is running, what its condition is, and what the general environment is like.

STEP 2.   Forensic Duplication: This is the process of duplicating the media before examination. It is always preferred to work with a forensic copy and not the original.

STEP 3.   Media Examination: This is the actual forensic testing of the application. By media, we mean hard drive, RAM, SIM card—some item that can contain digital data.

STEP 4.   Evidence Return: Exhibit(s) are returned to the appropriate location—usually some locked or secured facility.

These particular steps provide an overview of how a cyber forensic examination should proceed. SWGDE has a number of useful documents on its website (www.swgde.org) that you should consult to delve deeper into the nuances of a proper cyber forensic examination.

The Secret Service also has released a guide for first responders to computer crime. It has listed its “golden rules” to begin the investigation:

Secure the scene and make it safe.

If you reasonably believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence.

Determine whether you have a legal basis to seize this computer (plain view, search warrant, consent, and so on).

Avoid accessing computer files. If the computer is off, leave it off.

If the computer is on, do not start searching through it. If the computer is on, go to the appropriate sections in this guide on how to properly shut down the computer and prepare it for transportation as evidence.

If you reasonably believe that the computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer.

If a camera is available and the computer is on, take pictures of the computer screen. If the computer is off, take pictures of the computer, the location of the computer, and any electronic media attached.

Determine whether special legal considerations apply (doctor, attorney, clergy, psychiatrist, newspapers, publishers, and so on).

These are all important first steps to both preserving the chain of custody and ensuring the integrity of the investigation.

You need two bootable copies of Linux: one on the suspect machine and one on the target machine. You may use any Linux distribution you are comfortable with. Whichever version of Linux you use, the steps will be the same:

1. Completely wipe the target drive:

dd if=/dev/zero of=/dev/hdb1 bs=2048

2. Set up the target forensics server to receive the copy of the suspected drive you want to examine. The Netcat command helps with that. The specific syntax is as follows:

nc -l -p 8888 > evidence.dd

This tells the machine to listen on port 8888 and put whatever it receives into evidence.dd.

3. On the suspect machine, start sending the drive’s information to the forensics server:

dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3

Of course, this assumes that the suspect drive is hda1. If it’s not, then replace that part of the command with the partition you are using. This also assumes the server has an IP address of 192.168.0.2. If it’s not, replace it with whatever your forensics server’s IP address is.

4. You also want to create a hash of the suspect drive. Later you can hash the drive you have been working with and compare that to the hash of the original drive and confirm that nothing has been altered. You can make a hash using Linux shell commands:

md5sum /dev/hda1 | nc 192.168.0.2 8888 -w 3

After completing the steps, you have a copy of the drive. Making two copies is often a good idea: one you will work with, and another will simply be stored. Under no circumstances should you do your forensic analysis on the suspect drive.

When you first discover a computer crime, you must document exactly what events occurred. Who was present and what where they doing? What devices were attached to the computer, and what connections did it have over the network/Internet? What hardware and operating system were being used?

When you begin your actual forensic investigation, you must document every step. Start with documenting the process you use to make a forensic copy. Document every tool you use and every test you perform. You must be able to show in your documentation everything that was done.

The next step is to limit access to the machine. No one who does not absolutely need access to the evidence should have it. Hard drives should be locked in a safe or secure cabinet. Analysis should be done in a room with limited access.

You must also be able to document every person who had access to the evidence, how they interacted with it, and where the evidence was stored. There must be no period of time that you cannot account for the evidence. This is called chain of custody.

If an incident occurs, the FBI recommends that the first responder preserve the state of the computer at the time of the incident by making a backup copy of any logs, damaged or altered files, and, of course, any files left by the intruder. This last part is critical. Hackers frequently use various tools and might leave traces of their presence. Furthermore, the FBI warns that if the incident is in progress, activate any auditing or recording software you might have available. Collect as much data about the incident as you can. In other words, this might be a case where you do not take the machine offline, but rather analyze the attack in progress.

Another important step is to document the specific losses suffered due to the attack. Losses typically include the following:

Labor cost spent in response and recovery. (Multiply the number of participating staff by their hourly rates.)

If equipment was damaged, the cost of that equipment.

If data was lost or stolen, what was the value of that data? How much did it cost to obtain that data and how much will it cost to reconstruct it?

Any lost revenue, including losses due to downtime, having to give customers credit due to inconvenience, or any other way in which revenue was lost.

Documenting the exact damages due to the attack is just as important as documenting the attack itself.

The FBI computer forensic guidelines stress the importance of securing any evidence. The FBI also stresses that you should not limit your concept of computer evidence to PCs and laptops. Computer evidence can include the following:

Logs (system, router, chat room, IDS, firewall, and so on)

Portable storage devices (USB drives, external drives, and so on)

E-mails

Devices capable of storing data such as iPod, iPad, tablets

Cell phones

The FBI guidelines also stress making a forensic copy of the suspect drive/partition to work with and creating a hash of that drive.

Even if the person erases his browsing history, retrieving it is still possible. Windows stores a lot of information in a file called index.dat (information such as web addresses, search queries, and recently opened files). You can download a number of tools from the Internet that enable you to retrieve and review the index.dat file. Here are a few:

www.eusing.com/Window_Washer/Index_dat.htm

www.acesoft.net/index.dat%20viewer/index.dat_viewer.htm

http://download.cnet.com/Index-dat-Analyzer/3000-2144_4-10564321.html

However, most forensics software will extract browser data for you. So, you should not need third-party utilities if you are using, for example, AccessData’s FTK, Guidance Software’s EnCase, or PassMark Software’s OSForensics.

Windows servers have similar logs. However, with Windows systems you have an additional possible concern. The possibility exists that the attacker cleared the logs before leaving the system. Tools are available that will allow one to wipe out a log, such as auditpol.exe. Using auditpol \ipaddress /disable turns off logging. Then when the criminal exits he can use auditpol \ipaddress /enable to turn it back on. Tools such as WinZapper also allow one to selectively remove certain items from event logs in Windows. Simply turning off logging before an attack and turning it back on afterward is also possible.

/var/log/faillog: This log file contains failed user logins. This can be very important when tracking attempts to crack into the system.

/var/log/kern.log: This log file is used for messages from the operating system’s kernel. This is not likely to be pertinent to most computer crime investigations.

/var/log/lpr.log: This is the printer log and can give you a record of any items that have been printed from this machine. That can be useful in corporate espionage cases.

/var/log/mail.*: This is the mail server log and can be very useful in any computer crime investigation. E-mails can be a component in any computer crime, and even in some noncomputer crimes such as fraud.

/var/log/mysql.*: This log records activities related to the MySQL database server and will usually be of less interest to a computer crime investigation.

/var/log/apache2/*: If this machine is running the Apache web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.

/var/log/lighttpd/*: If this machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.

/var/log/apport.log: This records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of a virus or spyware.

/var/log/user.log: These contain user activity logs and can be very important to a criminal investigation.

On its first screen, shown in Figure 16-1, you simply select the drive/partition you want to recover files from.

On the next screen you select the level of scan you want to do, as shown in Figure 16-2. Obviously the deeper the scan the longer it can take.

You then get a list of the files that were recovered, as shown in Figure 16-3.

You can see the file and the file header. You can also choose to recover the file if you want. The possibility exists that DiskDigger will only recover a file fragment, but that can be enough for forensics.

The registry key HKEY_LOCAL_MACHINESYSTEMControlSetEnumUSBSTOR lists USB devices that have been connected to the machine. It is often the case that a criminal will move evidence to an external device and take it with him. This could indicate that there are devices you need to find and examine.

The registry key SOFTWAREMicrosoftWindowsCurrentVersionExplorerMountPoints2 will indicate what user was logged onto the system when the USB device was connected. This allows the investigator to associate a specific user with a particular USB device.

The registry key HKLMSOFTWAREMicrosoftWindows NTCurrentVersionNetworkListProfiles gives you a list of all the Wi-Fi networks to which this network interface has connected. The SSID of the network is contained within the Description key. When the computer first connected to the network is recorded in the DateCreated field.

Photos

Videos

Text messages or SMS messages

Call times, dialed and received calls, and call durations

Contact names and phone numbers

Obviously photos, videos, and text messages could contain evidence of a crime. However, contact information can be valuable as well. You learned in the first few chapters of this book that criminals frequently work in concert. A contact list can help you track down other perpetrators.

Although dealing with the details of every model of cell phone is beyond the scope of this book, you should be aware of a few general forensics rules:

Always document the cell phone make, model, and any details regarding its condition.

Photograph the initial screen of the phone.

The SIM card will be the location of most of what you need to find.

Many software packages are available for getting information from a SIM card. There are several phone forensic tools available. The most widely used are:

Cellebrite: https://www.cellebrite.com/en/home/

MOBILedit Forensic Express: http://www.mobiledit.com/forensic-express

BlackBag Technologies: https://www.blackbagtech.com/

Magnet Forensics: https://www.magnetforensics.com

Oxygen Forensics: https://www.oxygen-forensic.com

When selecting a tool, keep in mind that there are two methods for acquiring data from a phone or other mobile device: logical and physical. It is important to understand how these methods work and the differences between them, then make sure the tool you select supports the type of extraction you wish to perform.

In many cases, the tool will execute a logical acquisition of the device, and with this information, it will export commonly viewed files into a graphical user interface (GUI) or report. The problem with some of these tools is that the examiner can see the reported data, but cannot view the source of that data. It is preferable if an acquisition tool not only reports the data that was found but also allows the investigator to view the raw files from which it was derived. The overall steps involved in a logical image of a phone, regardless of the software or tool being used, include the following:

1. Run the forensic software of your choice.

2. Connect the device.

3. Begin acquiring an image. This will pull all data from the device that was explicitly backed up using Apple’s synchronization protocol (if it is an iPhone). Similar files will be retrieved as from an acquisition of a backup, except that with this method, they are being pulled directly from the device.

4. Depending on the software being used, some or all of this information will be displayed within the software and can later be exported into a report.

The IEEE Joint Test Action Group (JTAG) method is a less extreme method but still requires some specialized equipment. Mobile devices that are implementing the BGA-style memory incorporate JTAG for test and debugging. That means the JTAG ports can be used to retrieve a physical image of the data without requiring the removal of the chip. Essentially you are taking advantage of communications directly with the chip that were designed for engineers testing the device. Cellebrite now supports JTAG and there are a variety of JTAG kits one can purchase.

Another feature about this toolkit is its distributed processing ability. Scanning an entire hard drive, searching the registry, and doing a complete forensic analysis of a computer can be a very time-intensive task. With FTK that processing and analysis can be distributed on up to three computers. This lets all three computers process the analysis in tandem, thus significantly speeding up the forensics process.

FTK is also available for the Macintosh. Many commercial products are only available for Windows, and the open source community usually focuses on Unix and Linux, so the Macintosh compatibility is very important. In addition to that, FTK has an Explicit Image Detection add-on that automatically detects pornographic images, useful in cases involving allegations of child pornography. More information on FTK is available at https://accessdata.com/products-services/forensic-toolkit-ftk.

There are options to search for a given file or to search for only deleted versions of a file. This particular utility is best used when you know the specific file you are searching for. It is not a good option for a general search. A number of utilities are available in The Sleuth Kit; however, many readers might find using command-line utilities to be cumbersome. Fortunately, a GUI has been created for The Sleuth Kit named Autopsy: http://www.sleuthkit.org/autopsy/.

In digital forensics each test establishes some fact. Let’s assume you are investigating a network virus outbreak. One test might show a virus was downloaded to a specific workstation at a specific time. That is a fact. But you cannot yet develop a theory. You cannot decide this was something intentional on the part of that employee, part of some nefarious plot by foreign hackers, or any other sort of attack. You just don’t have enough facts yet. You will need to conduct many more tests, and accumulate more data. When you have a sufficient body of data, now you can form a theory of the incident.

One legal principle that is key to doing forensics in a scientifically sound manner, and is all too often overlooked in forensic books, is the Daubert standard. The Legal Information Institute at Cornell University Law School defines the Daubert standard as follows:

What this means, in layman’s terms, is that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensic investigator, that means that any tools, techniques, or processes you utilize in your investigation should be ones that are widely accepted in the computer forensics community. You cannot simply make up new tests or procedures.

Computer Hacking Forensic Investigator (CHFI): This certification from the EC-Council tests general forensic knowledge; it is not specific to a particular tool. For more information about this certification, go to https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/.

Certified Forensic Computer Examiner (CFCE): This certification is from the International Association of Computer Investigative Specialists (IACIS). It is also a general knowledge test rather than a specific tool test. See https://www.iacis.com/2016/02/23/cfce/ for details.

SANS certifications: The SANS Institute has a number of forensics certifications, including GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), and others. The SANS Institute certifications are very well-respected in the industry, but they are also the single most expensive classes and certifications in all of IT. Check out https://www.giac.org/certifications/digital-forensics for an overview of the various forensics certifications that are available.

Tool certifications: The preceding certifications are all general forensic knowledge. If you intend to use a specific tool, it is worthwhile to be certified in that tool. All the major tool products (OSForensics, FTK, EnCase, Cellebrite, etc.) have certifications in their tool.