
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
Introduction

1 COMP2555 Autumn 2014
- Principles of Computer Forensics
- Instructor
  - Rinku Dewri
  - rdewri@cs.du.edu
  - http://cs.du.edu/~rdewri
  - Office Hours: Aspen North 102C :: TW 11 AM – 1:30 PM
- GTA
  - Thomas Hamill
  - Office Hours: SEC center in Academic Commons :: MR 4 – 6 PM

L1: Introduction
2 You Are Expected To Know…
- Performing basic operations on a computer
  - Windows - Good!
  - + Linux - Better!
- A programming language and fundamental programming techniques
  - Refresh COMP1672 Java skills

3 Website
http://www.cs.du.edu/2555
4 You Will Learn In This Course…
- Pre-Midterm
  - What is computer forensics?
  - What tools are used in it?
  - What Windows/Linux/OSX artifacts are useful in computer forensics?
- Post-Midterm
  - What artifacts are left behind by browsers?
  - How to locate and recover files?
  - How to track the source and results of an intrusion?
  - How to trace e-mails?

5 Reading Bits and Bytes
00100101 01010000 01000100 01000110
- as ASCII: %PDF
- as signed int: 626017350
- as float (IEEE754): 1.8064256090552717e-16
- or could be the beginning of a PDF file:

25 50 44 46 2D 31 2E 36 0D 25 E2 E3 CF D3 0D 0A 36
30 38 33 20 30 20 6F 62 6A 0D 3C 3C 2F 46 69 6C 74
65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69
72 73 74 20 31 30 34 30 2F 4C 65 6E 67 74 68 20 38
35 37 33 2F 4E 20 39 31 2F 54 79 70 65 2F 4F 62 6A 53
74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE EC DA
5D 8F 14 49 96 E6 F1 AF 12 97 BB 17 45 D8 CB 31 33
77 09 A5 54 D4 4C 6B B6 8A 6E 50 C2 68 2F 10 42 54
55 36 9D 55 34 20 8A 92 86 6F 3F 76 DC EC C9 82 48
22 33 79 EB E9 DE FD 5F F0 E3 78 B8 BB B9 85 B9 3F
96 11 1E 9E D6 25 EF C2 2E AD 8B ED 62 4C 5E 94
5D 2A B9 7A D5 29 BE B8 2E 6D 97 DA 58 BB EC 72
2E DB 6B EB 2E B7 B8 F6 6A 0D 3B 8B A9 79 15 77 56
B2 AF 5D D3 CE D6 E6 7B AC 79 57 2C 9A 57 B6 EB
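The point of the slide is that the same bits have no meaning until the examiner picks an interpretation: the four bytes are a string, a 32-bit integer, or a float depending on how they are read, and only context (here, the bytes that follow) settles which reading is right. The Python below is an added example, not course material: it reproduces the slide's three readings of the four bytes with `struct`, adds the little-endian readings an x86 machine would use for the same bytes in memory (NTFS on-disk structures, for instance, store their integers little-endian), decodes the first six lines of the slide's dump, and checks the leading bytes against a small table of file signatures. The values are copied from the slide; the helper functions and the signature table are this example's own.

```python
"""Read the slide's four bytes under several interpretations, then decode the
longer dump to see what it is. Values are copied from the slide; the helper
functions are this example's own, not part of the course material."""
import struct

# The four bytes shown on the slide, written as bits.
FOUR_BYTES = bytes([0b00100101, 0b01010000, 0b01000100, 0b01000110])

# The first six lines of the slide's dump (the rest is compressed stream data).
PDF_DUMP = """
25 50 44 46 2D 31 2E 36 0D 25 E2 E3 CF D3 0D 0A 36
30 38 33 20 30 20 6F 62 6A 0D 3C 3C 2F 46 69 6C 74
65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69
72 73 74 20 31 30 34 30 2F 4C 65 6E 67 74 68 20 38
35 37 33 2F 4E 20 39 31 2F 54 79 70 65 2F 4F 62 6A 53
74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE EC DA
"""

# A few well-known file signatures ("magic numbers") found at offset 0.
SIGNATURES = [
    (b"%PDF", "PDF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"PK\x03\x04", "ZIP (also DOCX/JAR/APK)"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/Windows executable"),
]


def printable(data: bytes) -> str:
    """Render bytes the way a hex editor's text column does."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def interpretations(word: bytes) -> dict:
    """Decode one 4-byte word every way the slide does (big-endian, i.e. the
    order in which the bytes appear) and also little-endian, the order an x86
    CPU uses for integers and floats stored in memory."""
    if len(word) != 4:
        raise ValueError("expected exactly 4 bytes")
    return {
        "bits": " ".join(f"{b:08b}" for b in word),
        "ascii": printable(word),
        "int32_be": struct.unpack(">i", word)[0],
        "float32_be": struct.unpack(">f", word)[0],
        "int32_le": struct.unpack("<i", word)[0],
        "float32_le": struct.unpack("<f", word)[0],
    }


def dump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def identify(data: bytes):
    """Match the leading bytes against SIGNATURES; None if nothing matches."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


if __name__ == "__main__":
    for key, value in interpretations(FOUR_BYTES).items():
        print(f"{key:>10}: {value}")
    data = dump_to_bytes(PDF_DUMP)
    print("identified as:", identify(data))
    print("text column  :", printable(data))
```

Decoding the dump shows `%PDF-1.6` followed by an object dictionary (`<</Filter/FlateDecode/First 1040/Length 8573/N 91/Type/ObjStm>>stream`), which is why the slide says the bytes "could be the beginning of a PDF file"; a signature match on its own is only a hint, and the structure that follows is what confirms it.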

6 What is this?
(figure not recoverable; labels on the figure: "MFT record identifier", "Size of record (0x00000400)", "Length of header; attribute IDs start here")
L4: Windows System Artifacts

7 What is this?
(figure not recoverable)
L2: Acquisition and Tools
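The labels that survive from the slide point at three fields of an NTFS MFT record header: the `FILE` signature that identifies a record, the allocated record size (0x400 bytes), and the offset at which the first attribute starts (what the slide calls the length of the header). The Python below is an added example, not the course's code: it builds a constructed 1024-byte record (not the one pictured on the slide), parses the header using the standard NTFS layout, applies the update-sequence fixups, and walks the attribute list. The fixup check is the part an examiner cares about: if the last word of a sector does not carry the update sequence number, the record was torn or altered and its contents should not be trusted.

```python
"""Parse the header of a 1024-byte NTFS MFT ("FILE") record and apply its
update-sequence fixups. The field layout is the standard NTFS record header;
the sample record is constructed here and is not the one on the slide."""
import struct

SECTOR = 512
RECORD_SIZE = 0x400  # the "Size of record" field on the slide

# Fixed MFT record header (little-endian, 48 bytes).
MFT_HEADER = struct.Struct("<4sHHQHHHHIIQHHI")
HEADER_FIELDS = ("signature", "usa_offset", "usa_count", "lsn", "seq_no",
                 "link_count", "first_attr_offset", "flags", "used_size",
                 "alloc_size", "base_record", "next_attr_id", "pad", "record_no")

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x80: "$DATA", 0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION"}


def build_sample_record() -> bytes:
    """Construct an in-use file record with three resident attributes (constructed data)."""
    rec = bytearray(RECORD_SIZE)
    usa_offset, usa_count, usn = 0x30, 3, 0x0007    # USN + one word per sector
    first_attr = 0x38                               # "attribute IDs start here"
    attrs = [(0x10, 0x60), (0x30, 0x68), (0x80, 0x28)]
    used = first_attr + sum(length for _, length in attrs) + 8   # + end marker
    rec[:MFT_HEADER.size] = MFT_HEADER.pack(
        b"FILE", usa_offset, usa_count, 0x1234, 5, 1, first_attr,
        0x0001, used, RECORD_SIZE, 0, len(attrs) + 1, 0, 42)
    pos = first_attr
    for attr_id, (atype, alen) in enumerate(attrs):
        # attribute header: type, length, non-resident flag, name length, name offset, flags, id
        struct.pack_into("<IIBBHHH", rec, pos, atype, alen, 0, 0, 0x18, 0, attr_id)
        pos += alen
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)    # end-of-attributes marker
    # Fixups: on disk the last two bytes of every sector hold the USN and the
    # original values live in the update sequence array after the USN.
    struct.pack_into("<HHH", rec, usa_offset, usn, 0x1111, 0x2222)
    struct.pack_into("<H", rec, 1 * SECTOR - 2, usn)
    struct.pack_into("<H", rec, 2 * SECTOR - 2, usn)
    return bytes(rec)


def parse_mft_record(raw: bytes) -> dict:
    """Validate and decode one record; raises ValueError on anything suspicious."""
    if len(raw) < MFT_HEADER.size:
        raise ValueError("record too short")
    hdr = dict(zip(HEADER_FIELDS, MFT_HEADER.unpack_from(raw, 0)))
    if hdr["signature"] != b"FILE":
        raise ValueError(f"bad signature {hdr['signature']!r} (BAAD marks a corrupt record)")
    if hdr["alloc_size"] != len(raw) or hdr["used_size"] > hdr["alloc_size"]:
        raise ValueError("size fields inconsistent with record length")
    rec = bytearray(raw)
    usa_off, usa_cnt = hdr["usa_offset"], hdr["usa_count"]
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):                     # undo the fixups sector by sector
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or tampered write")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attrs, pos = [], hdr["first_attr_offset"]
    while pos + 4 <= hdr["used_size"]:
        atype = struct.unpack_from("<I", rec, pos)[0]
        if atype == 0xFFFFFFFF:
            break
        alen = struct.unpack_from("<I", rec, pos + 4)[0]
        if alen < 16 or pos + alen > hdr["used_size"]:
            raise ValueError(f"bad attribute length {alen:#x} at {pos:#x}")
        attrs.append((ATTR_NAMES.get(atype, f"type {atype:#x}"), alen))
        pos += alen
    return {
        "record_no": hdr["record_no"], "seq_no": hdr["seq_no"],
        "in_use": bool(hdr["flags"] & 0x1), "is_dir": bool(hdr["flags"] & 0x2),
        "alloc_size": hdr["alloc_size"], "used_size": hdr["used_size"],
        "first_attr_offset": hdr["first_attr_offset"],
        "attributes": attrs, "fixed_up": bytes(rec),
    }


def is_valid_record(raw: bytes) -> bool:
    """True when the record parses cleanly and its fixups check out."""
    try:
        parse_mft_record(raw)
        return True
    except ValueError:
        return False


def torn_sample() -> bytes:
    """The sample record with the second sector's fixup word overwritten."""
    rec = bytearray(build_sample_record())
    rec[2 * SECTOR - 2] ^= 0xFF
    return bytes(rec)


if __name__ == "__main__":
    info = parse_mft_record(build_sample_record())
    print({k: v for k, v in info.items() if k != "fixed_up"})
    print("torn record accepted?", is_valid_record(torn_sample()))
```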
8 What is this?
(figure not recoverable; caption: section from the memory dump of a Linux system; label: init_task begins here (obtained from System.map))
L6: Linux System Artifacts

9 What's Common Between These?
(figure not recoverable)
L10: Analysis and Validation

10 Both Have This In There!!
(figure not recoverable)
L10: Analysis and Validation

11 What is this?
14:49:54.675225 IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [S], cksum 0x7d4a (correct), seq 949075525, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 553564903 ecr 0,sackOK,eol], length 0
        0x0000:  4500 0040 dfd4 4000 4006 0000 82fd be7a  E..@..@.@......z
        0x0010:  4a7d 7f13 db9f 0050 3891 be45 0000 0000  J}.....P8..E....
        0x0020:  b002 ffff 7d4a 0000 0204 05b4 0103 0303  ....}J..........
        0x0030:  0101 080a 20fe bae7 0000 0000 0402 0000  ................

14:49:54.713335 IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60)
    74.125.127.19.80 > 130.253.190.122.56223: Flags [S.], cksum 0x363e (correct), seq 3167645671, ack 949075526, win 5672, options [mss 1380,sackOK,TS val 1190383227 ecr 553564903,nop,wscale 6], length 0
        0x0000:  4500 003c ab71 0000 3306 d142 4a7d 7f13  E..<.q..3..BJ}..
        0x0010:  82fd be7a 0050 db9f bcce 6fe7 3891 be46  ...z.P....o.8..F
        0x0020:  a012 1628 363e 0000 0204 0564 0402 080a  ...(6>.....d....
        0x0030:  46f3 ce7b 20fe bae7 0103 0306            F..{........

14:49:54.713699 IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [.], cksum 0x7ae1 (correct), seq 949075526, ack 3167645672, win 65535, options [nop,nop,TS val 553564903 ecr 1190383227], length 0
        0x0000:  4500 0034 7fc1 4000 4006 0000 82fd be7a  E..4..@.@......z
        0x0010:  4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8  J}.....P8..F..o.
        0x0020:  8010 ffff 7ae1 0000 0101 080a 20fe bae7  ....z...........
        0x0030:  46f3 ce7b                                F..{

L15: Network Forensics
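The capture above is a complete TCP three-way handshake (SYN, SYN/ACK, ACK), and everything tcpdump prints in the summary lines can be recovered from the hex dumps. The Python below is an added example, not the course's code: it rebuilds the raw bytes from the first two `tcpdump -X` dumps as copied from the slide, decodes the IPv4 and TCP headers, recomputes the IPv4 header checksum (RFC 1071), and checks that the SYN/ACK acknowledges the client's initial sequence number plus one. Note what the checksum check reveals: the packets sent by 130.253.190.122, the capturing host, carry a zero IP checksum while tcpdump prints the value it should be (`->4fdb`). That pattern is what checksum offloading looks like, since the capture is taken before the network card fills the field in; the packet from the remote server, by contrast, verifies.

```python
"""Decode the tcpdump -X dumps of the SYN and SYN/ACK shown above and check
the IPv4 header checksum. The dump lines are copied from the slide; the
parsing and checksum code is this example's own, not the course's."""
import struct

# First packet of the handshake (client SYN), copied from the slide.
SYN_DUMP = """\
0x0000:  4500 0040 dfd4 4000 4006 0000 82fd be7a  E..@..@.@......z
0x0010:  4a7d 7f13 db9f 0050 3891 be45 0000 0000  J}.....P8..E....
0x0020:  b002 ffff 7d4a 0000 0204 05b4 0103 0303  ....}J..........
0x0030:  0101 080a 20fe bae7 0000 0000 0402 0000  ................
"""

# Second packet (server SYN/ACK), copied from the slide.
SYNACK_DUMP = """\
0x0000:  4500 003c ab71 0000 3306 d142 4a7d 7f13  E..<.q..3..BJ}..
0x0010:  82fd be7a 0050 db9f bcce 6fe7 3891 be46  ...z.P....o.8..F
0x0020:  a012 1628 363e 0000 0204 0564 0402 080a  ...(6>.....d....
0x0030:  46f3 ce7b 20fe bae7 0103 0306            F..{........
"""

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
HEX = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X lines: skip the offset column, take the
    4-hex-digit groups, stop at the ASCII column (a 16-char token for full
    lines; a short last line whose text column is 4 hex digits would confuse this)."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:]:                  # tokens[0] is the "0x0010:" offset
            if len(tok) != 4 or not set(tok) <= HEX:
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and, for TCP, the fixed 20-byte TCP header."""
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto,
     hdr_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    hdr = raw[:ihl]
    # Recompute over the header with the checksum field zeroed, as the sender does.
    expected = internet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    info = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "id": ident, "length": total_len,
        "df": bool(frag & 0x4000),              # Don't Fragment flag
        "ip_cksum": hdr_cksum, "ip_cksum_expected": expected,
        "ip_cksum_ok": hdr_cksum == expected,
    }
    if proto == 6:
        sport, dport, seq, ack, off_flags, win = struct.unpack(
            "!HHIIHH", raw[ihl:ihl + 16])
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "tcp_hdr_len": (off_flags >> 12) * 4,
            "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
            "win": win,
        })
    return info


def handshake_consistent(syn: dict, synack: dict) -> bool:
    """A SYN/ACK must acknowledge the client's ISN + 1 and mirror the 4-tuple."""
    return (synack["flags"] == ["SYN", "ACK"]
            and synack["ack"] == syn["seq"] + 1
            and (synack["src"], synack["sport"]) == (syn["dst"], syn["dport"])
            and (synack["dst"], synack["dport"]) == (syn["src"], syn["sport"]))


if __name__ == "__main__":
    syn = parse_packet(hexdump_to_bytes(SYN_DUMP))
    synack = parse_packet(hexdump_to_bytes(SYNACK_DUMP))
    for p in (syn, synack):
        print(f"{p['src']}:{p['sport']} > {p['dst']}:{p['dport']} {p['flags']} "
              f"ip cksum stored={p['ip_cksum']:#06x} expected={p['ip_cksum_expected']:#06x}")
    print("handshake consistent:", handshake_consistent(syn, synack))
```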
12 Understanding Computer Forensics
- Computer forensics
  - Involves obtaining and analyzing digital information
  - As evidence in civil, criminal, or administrative cases
- FBI Computer Analysis and Response Team (CART)
  - Formed in 1984 to handle the increasing number of cases involving digital evidence
- Fourth Amendment to the U.S. Constitution
  - Protects everyone's rights to be secure in their person, residence, and property
  - From search and seizure
  - Search warrants are needed

13 Other Related Disciplines
- Computer forensics
  - Investigates data that can be retrieved from a computer's hard disk or other storage media
- Network forensics
  - Yields information about how a perpetrator or an attacker gained access to a network
- Data recovery
  - Recovering information that was deleted by mistake
  - Or lost during a power surge or server crash
  - Typically you know what you're looking for
14 Other Related Disciplines (contd.)
- Computer forensics
  - Task of recovering data that users have hidden or deleted and using it as evidence
  - Evidence can be inculpatory ("incriminating") or exculpatory
- Disaster recovery
  - Uses computer forensics techniques to retrieve information their clients have lost
- Investigators often work as a team to make computers and networks secure in an organization

15 Computer Forensics Resources
- You must know more than one computing platform
  - Such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
- Computer Technology Investigators Network (CTIN)
  - Meets monthly to discuss problems that law enforcement and corporations face
- High Technology Crime Investigation Association (HTCIA)
  - Exchanges information about techniques related to computer investigations and security
16 Acquiring Certification and Training
- International Association of Computer Investigative Specialists (IACIS)
  - Created by police officers who wanted to formalize credentials in computing investigations
  - Certified Electronic Evidence Collection Specialist (CEECS)
  - Certified Forensic Computer Examiners (CFCEs)

17 Certification and Training (contd.)
- High-Tech Crime Network (HTCN)
  - Certified Computer Crime Investigator, Basic and Advanced Level
  - Certified Computer Forensic Technician, Basic and Advanced Level
- EnCase Certified Examiner (EnCE) Certification
- AccessData Certified Examiner (ACE) Certification
18 Certification and Training (contd.)
- Other training and certifications
  - High Technology Crime Investigation Association (HTCIA)
  - SysAdmin, Audit, Network, Security (SANS) Institute
  - Computer Technology Investigators Network (CTIN)
  - NewTechnologies, Inc. (NTI)
  - Southeast Cybercrime Institute at Kennesaw State University
  - Federal Law Enforcement Training Center (FLETC)
  - National White Collar Crime Center (NW3C)

19 References
- Ch 1, 2, 3, 5: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
