Presentation on theme: "Chapter 9 Digital Forensics Analysis and Validation"— Presentation transcript:
1 Chapter 9 Digital Forensics Analysis and Validation
Guide to Computer Forensics and Investigations Fifth Edition Chapter
9 Digital Forensics Analysis and Validation
2 Determining What Data to Collect and Analyze
Examining and analyzing digital evidence depend on the nature of the investigation And the amount of data to process Scope
creep - when an investigation expands beyond the original description Because of unexpected evidence found Attorneys may ask investigators to examine other areas to recover more evidence Increases the time and resources needed to extract, analyze, and present evidence Guide to Computer Forensics and Investigations, Fifth Edition
3 Determining What Data to Collect and Analyze
Scope creep has become more common Criminal investigations require more detailed examination of evidence just before trial To help prosecutors fend off attacks from defense attorneys New evidence
often isn’t revealed to prosecution It’s become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial Guide to Computer Forensics and Investigations, Fifth Edition
4 Approaching Digital Forensics
Cases
Begin a case by creating an investigation plan that defines the: Goal and scope of investigation Materials needed Tasks to perform The approach you take depends largely on the type of case you’re investigating Corporate, civil, or criminal Guide to Computer Forensics and Investigations, Fifth Edition
5 Approaching Digital Forensics Cases
Follow these basic steps for all digital forensics investigations: 1. For target drives, use recently wiped media that have been reformatted and inspected for viruses 2. Inventory the hardware on the suspect’s computer, and note
condition of seized computer 3. For static acquisitions, remove original drive and check the date and time values in system’s CMOS 4. Record how you acquired data from the suspect drive Guide to Computer Forensics and Investigations, Fifth Edition
6
Approaching Digital Forensics Cases
Follow these basic steps for all digital forensics investigations [cont’d]: 5. Process drive’s contents methodically and logically 6. List all folders and files on the image or drive 7. Examine contents of all data files in all folders 8. Recover file contents for all password-protected files 9. Identify function of every executable file that doesn’t match hash
values Guide to Computer Forensics and Investigations, Fifth Edition
7 Approaching Digital Forensics Cases
Follow these basic steps for all digital forensics investigations [cont’d]: 10. Maintain control of all evidence and findings
Refining and Modifying the Investigation Plan Even if initial plan is sound, at times you may need to deviate from it and follow evidence Knowing the types of data to look for helps you make the best use of your time The key is to start with a plan but remain flexible in the face of new evidence Guide to Computer Forensics and Investigations, Fifth Edition
8 Using OSForensics to Analyze Data
OSForensics can perform forensics analysis on the following file systems: Microsoft FAT12, FAT16, and FAT32 Microsoft NTFS Mac HFS+ and HFSX Linux Ext2fs, and Ext4fs OSForensics can analyze data from
several sources Including image files from other vendors Guide to Computer Forensics and Investigations, Fifth Edition
9 Using OSForensics to Analyze Data
Includes OSFMount utility which can access many formats, including: Raw, Expert
Witness, and Advanced Forensics Format [AFF] Can also mount and examine VMware images [.vmdk], SMART images [.s01], and VHD images [.vhd] Can use the NIST National Software Reference Library [NSRL] Enables you to mount the NSRL ISO image Guide to Computer Forensics and Investigations, Fifth Edition
10 Using OSForensics to Analyze Data
Using the Index Feature in OS Forensics OSForensics indexes text data so that you can perform searches immediately Follow steps starting on page 5 to learn how to index a case Guide to Computer Forensics and Investigations,
Fifth Edition
11 Using OSForensics to Analyze Data
Guide to Computer Forensics and Investigations, Fifth Edition
12 Using OSForensics to Analyze Data
Guide to Computer Forensics and Investigations, Fifth Edition
13
Using OSForensics to Analyze Data
Guide to Computer Forensics and Investigations, Fifth Edition
14 Validating Forensic Data
Ensuring the integrity of data collected is essential for presenting evidence in court Most forensic tools offer hashing of image
files Example - when ProDiscover loads an image file: It runs a hash and compares the value with the original hash calculated when the image was first acquired Using advanced hexadecimal editors ensures data integrity Guide to Computer Forensics and Investigations, Fifth Edition
15 Validating with Hexadecimal Editors
Advanced hex editors offer features not available in digital forensics tools, such as: Hashing specific files or sectors With the hash value in hand You can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file WinHex provides MD5 and SHA-1 hashing algorithms Guide to
Computer Forensics and Investigations, Fifth Edition
16 Validating with Hexadecimal Editors
Guide to Computer Forensics and Investigations, Fifth Edition
17 Validating with Hexadecimal Editors
Guide to Computer Forensics and Investigations, Fifth Edition
18
Validating with Hexadecimal Editors
Guide to Computer Forensics and Investigations, Fifth Edition
19 Validating with Hexadecimal Editors
Advantage of recording hash values You can determine whether data has changed
Block-wise hashing A process that builds a data set of hashes of sectors from the original file Then examines sectors on the suspect’s drive to see whether any other sectors match If an identical hash value is found, you have confirmed that the file was stored on the suspect’s drive Guide to Computer Forensics and Investigations, Fifth Edition
20 Validating with Hexadecimal Editors
Using Hash Values to Discriminate Data AccessData has its own hashing database, Known File Filter [KFF] KFF filters known program files from view and contains has values of known illegal files It compares known file hash
values with files on your evidence drive to see if they contain suspicious data Other digital forensics tools can import the NSRL database and run hash comparisons Guide to Computer Forensics and Investigations, Fifth Edition
21 Validating with Digital
Forensics Tools
ProDiscover .eve files contain metadata that includes hash value Has a preference you can enable for using the Auto Verify Image Checksum feature when image files are loaded If the Auto Verify Image Checksum and the hashes in the .eve file’s metadata don’t match ProDiscover will notify that the acquisition is corrupt and can’t be considered reliable evidence Guide to Computer Forensics and
Investigations, Fifth Edition
22 Validating with Digital Forensics Tools
Raw format image files don’t contain metadata You must validate them manually to ensure integrity In AccessData FTK Imager, when selecting the Expert Witness [.e01]
or SMART [.s01] format: Additional options for validating the acquisition are available Validation report lists MD5 and SHA-1 hash values Follow steps starting on page 12 to see how ProDiscover’s built-in validation feature works Guide to Computer Forensics and Investigations, Fifth Edition
23 Validating with Digital Forensics Tools
Guide to Computer Forensics and Investigations, Fifth Edition
24 Validating with Digital Forensics Tools
Guide to Computer Forensics and Investigations, Fifth Edition
25 Addressing Data-Hiding Techniques
Data hiding - changing or manipulating a file to conceal information Techniques: Hiding entire partitions Changing file extensions Setting file attributes to hidden Bit-shifting Using encryption Setting up password protection Guide to Computer Forensics and Investigations, Fifth Edition
26 Hiding Files by Using the OS
One of the first techniques to hide data: Changing file extensions Advanced digital forensics tools check file headers Compare the file extension to verify that it’s correct If there’s a discrepancy, the tool flags the file as a
possible altered file Another hiding technique Selecting the Hidden attribute in a file’s Properties dialog box Guide to Computer Forensics and Investigations, Fifth Edition
27 Hiding
Partitions By using the Windows diskpart remove letter command
You can unassign the partition’s letter, which hides it from view in File Explorer To unhide, use the diskpart assign letter command Other disk management tools: Partition Magic, Partition Master, and Linux Grand Unified Bootloader [GRUB] Guide to Computer Forensics and Investigations, Fifth Edition
28 Hiding Partitions To detect whether a partition has been hidden
Account for all disk space when examining an evidence drive Analyze any disk areas containing space you can’t account for In ProDiscover, a hidden
partition appears as the highest available drive letter set in the BIOS Other forensics tools have their own methods of assigning drive letters to hidden partitions Guide to Computer Forensics and Investigations, Fifth Edition
29 Hiding Partitions Guide to Computer Forensics and Investigations, Fifth Edition
30 Hiding Partitions Guide to Computer
Forensics and Investigations, Fifth Edition
31 Marking Bad Clusters A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters Involves using old utilities such as Norton DiskEdit Can mark good
clusters as bad clusters in the FAT table so the OS considers them unusable Only way they can be accessed from the OS is by changing them to good clusters with a disk editor DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media Guide to Computer Forensics and Investigations, Fifth Edition
32 Bit-Shifting Some users use a low-level encryption program that changes the order of binary data Makes altered data unreadable To secure a file, users run an
assembler program [also called a “macro”] to scramble bits Run another program to restore the scrambled bits to their original order Bit shifting changes data from readable code to data that looks like binary executable code WinHex includes a feature for shifting bits Guide to Computer Forensics and Investigations, Fifth Edition
33 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition
34 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition
35 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition
36 Understanding Steganalysis Methods
Steganography - comes from the Greek word for “hidden writing” Hiding messages in such a way that only the intended recipient knows the message is there Steganalysis - term for detecting and analyzing steganography files
Digital watermarking - developed as a way to protect file ownership Usually not visible when used for steganography Guide to Computer Forensics and Investigations, Fifth Edition
37 Understanding Steganalysis Methods
A way to hide data is to
use steganography tools Many are freeware or shareware Insert information into a variety of files If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file Cracking the encrypted message is extremely difficult Guide to Computer Forensics and Investigations, Fifth Edition
38 Understanding Steganalysis Methods
Stego-only attack Known cover attack Known message attack Chosen stego attack Chosen message attack Guide to Computer Forensics and Investigations, Fifth Edition
39 Examining Encrypted Files
To decode an encrypted file Users supply a password or passphrase Many encryption programs use a technology called “key escrow” Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system
failure Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology Guide to Computer Forensics and Investigations, Fifth Edition
40 Recovering Passwords Password-cracking tools are available for handling password-protected data or systems Some are integrated into digital
forensics tools Stand-alone tools: Last Bit AccessData PRTK ophcrack John the Ripper Passware Guide to Computer Forensics and Investigations, Fifth Edition
41
Recovering Passwords Brute-force attacks Dictionary attack
Use every possible letter, number, and character found on a keyboard This method can require a lot of time and processing power Dictionary attack Uses common words found in the dictionary and tries them as passwords Most use a variety of languages Guide to Computer Forensics and Investigations, Fifth Edition
42 Recovering Passwords With many programs, you can build profiles of a suspect to help determine his or her password Many
password-protected OSs and application store passwords in the form of MD5 or SHA hash values A brute-force attack requires converting a dictionary password from plaintext to a hash value Requires additional CPU cycle time Guide to Computer Forensics and Investigations, Fifth Edition
43 Recovering Passwords Rainbow table Salting passwords
A file containing the hash values for every possible password that can be generated from a computer’s keyboard No conversion necessary, so it is faster than a brute-force or dictionary
attack Salting passwords Alters hash values and makes cracking passwords more difficult Guide to Computer Forensics and Investigations, Fifth Edition
44
Hashing Password hash["hello"] = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e b9824 hash["hbllo"] = c05c68dfac fad6a93f8146f337a69afe7dd238f hash["waltz"] = c0e f1777c232bc6bd9ec38f616560b120fda8e90f
45 Source //crackstation.net/hashing-security.htm
The rest of slides
come directly from the link above. Some text has been verbatim. Guide to Computer Forensics and Investigations, Fifth Edition
46 Hashing Password The user creates an account.
Their password is hashed and stored in the database. At no point
is the plain-text [unencrypted] password ever written to the hard drive. When the user attempts to login, the hash of the password they entered is checked against the hash of their real password [retrieved from the database]. If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials. Steps 3 and 4 repeat everytime someone tries to login to their account.
47 Hashing Password the hash functions used to protect passwords are not the same
as the hash functions you may have seen in a data structures course. The hash functions used to implement data structures such as hash tables are designed to be fast, not secure. Only cryptographic hash functions may be used to implement password hashing. Cryptographic hash functions like: SHA256, SHA512, RipeMD WHIRLPOOL
48 How to attack hashing passwords
Dictionary and Brute Force
49 How to attack hashing
passwords
Look up tables Pre-computed tables
50 How to attack hashing passwords
To see how fast pre-computed hashes try the following
51 How to attack hashing passwords
Reverse look up the attacker creates a lookup table that maps each password hash from the compromised user account database to a list of users who had that hash. The attacker then hashes each password guess and uses the lookup table to get a list
of users whose password was the attacker's guess. This attack is especially effective because it is common for many users to have the same password.
52 How to attack hashing passwords
Rainbow Tables Rainbow tables are a time-memory trade-off
technique. They are like lookup tables, except that they sacrifice hash cracking speed to make the lookup tables smaller. Because they are smaller, the solutions to more hashes can be stored in the same amount of space, making them more effective. Rainbow tables that can crack any md5 hash of a password up to 8 characters long
53 Adding Salt Lookup tables and rainbow tables only work because each password is hashed the exact same way. If two users have the same password,
they'll have the same password hashes. We can prevent these attacks by randomizing each hash, so that when the same password is hashed twice, the hashes are not the same. We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing.
54 Adding Salt The salt does not need to be secret.
Just by randomizing the hashes, lookup tables, reverse lookup tables, and rainbow tables become ineffective. An attacker won't know in advance what the salt will be, so they can't pre-compute a lookup table or rainbow
table. If each user's password is hashed with a different salt, the reverse lookup table attack won't work either.
55 Wrong way to use Salt Salt Reuse
A common mistake is to use the same salt in each hash. If the salt is hard-coded into a popular product, lookup
tables and rainbow tables can be built for that salt, to make it easier to crack hashes generated by the product. A new random salt must be generated each time a user creates an account or changes their password.
56 Wrong way to use Salt For the same reason, the username shouldn't be used as a salt. Usernames may be unique to a single service, but they are predictable and often reused for accounts on
other services. To make it impossible for an attacker to create a lookup table for every possible salt, the salt must be long. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA256 is 256 bits [32 bytes], so the salt should be at least 32 random bytes.
57 Wrong way to use Salt Short Salt
If the salt is too short, an attacker can build a lookup table for every possible salt. For example, if the salt is only three ASCII characters, there are only 95x95x95 = 857,375 possible salts. That may seem like a lot, but if each lookup table contains only 1MB of the most common passwords, collectively they will be only 837GB, which is not a lot considering 1000GB hard
drives can be bought for under $100 today. For the same reason, the username shouldn't be used as a salt. Usernames may be unique to a single service, but they are predictable and often reused for accounts on other services.
58 Wrong way to use Salt Short
Salt
To make it impossible for an attacker to create a lookup table for every possible salt, the salt must be long. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA256 is 256 bits [32 bytes], so the salt should be at least 32 random bytes.
59 Wrong way to use Salt Double Hashing & Wacky Hash Functions
md5[sha1[password]] md5[md5[salt] + md5[password]] sha1[sha1[password]] sha1[str_rot13[password + salt]]
md5[sha1[md5[md5[password] + sha1[password]] + md5[password]]]
60 Wrong way to use Salt Double Hashing & Wacky Hash Functions
An attacker cannot attack a hash when he doesn't know the algorithm but
note Kerckhoffs's principle, that the attacker will usually have access to the source code [especially if it's free or open source software], it is not difficult to reverse engineer the algorithm. It does take longer to compute wacky hash functions, but only by a small constant factor.
61 Right way To Store a Password To Validate a Password
Generate a long random salt using a CSPRNG. Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256. Save both the salt and the hash in the user's database record. To Validate a Password Retrieve the user's salt and hash from the database. Prepend the salt
to the given password and hash it using the same hash function. Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.
62 Salt How to implemented
see