Introduction to Computer Forensics

Brent Williams - drbrent@speakwisdom.org (KSU ETC, SpeakWisdom)

What is computer forensics?
 * Identify and extract evidence
 * Preserve evidence
 * Process and interpret the evidence

Kinds of Forensics:
 * PC/Laptop Forensics
 * Device Forensics
 * Network Forensics

Live - Data collected in real time
Dead - Data collected from storage

5 Basic Steps
 * 1) Preparation
 * 2) Collection
 * 3) Examination
 * 4) Analysis
 * 5) Reporting

Do we need forensics? Anyone can access anything. Students, teachers, staff and parents are doing bad stuff. Technology is becoming more sophisticated. Schools have a perceived responsibility.

Concerns:
 * Pornography
 * Threatening or problematic e-mail
 * IM
 * Web site surfing
 * Spyware

Check the news for stories about teachers and porn etc. to see how big the problem is.

Easy these days to bring things in via USB keys, CD/DVDs, social network sites, and unintentional phishing while surfing.

Do you have a duty to report? Yes, if you suspect a crime has been committed. Yes, if you suspect "sexual exploitation", including conduct involving children.

HTCIA, Atlanta HTCIA

Take the training if you can.

__**Tools for Computer Forensics**__
 * Access Data FTK
 * X-Ways Forensics WinHex
 * ProDiscover
 * EnCase
 * The Sleuth Kit (PTK)
 * Caine
 * Helix

Certifications:
 * Certified Computer Examiner
 * CISSP
 * CISA
 * Many degree programs

Lots of books are available; self-study with books and searching for computer forensics material is an option.

Build a response team consisting of legal, technical, law enforcement and PR. Develop a response plan; there needs to be a clear process to follow.

The tech person will need to know a lot about servers, workstations, PDAs, CD-ROM, CD/DVD, webcams, modems, key loggers, USB devices, wireless, many versions of Windows, OS X, Linux, DOS, FAT, NTFS, EXT2/EXT3.

Keystroke loggers can be hardware or software. Hardware is best and harder to detect.

Windows has a built in auditing capability.

Evidence: Assume it will end up in court. Make sure that procedures are always followed and chain of custody is maintained. Make sure that there is ample, unaltered evidence. Evidence must always be processed properly.

Go to www.cybercrime.gov to see examples of cyber crime and how evidence is handled.

Evidence can be anything anywhere.

Rules: There is more latitude in schools/businesses to check anything that belongs to the school district. Privately owned devices require search warrants etc. in order to check things on them. Have an AUP that includes the ability to seize personal devices suspected of doing things that require further checking. There is less latitude in law enforcement, as they are covered by more restrictive rules and require subpoenas and search warrants.

Forensics in the school is expensive as it doesn't generate revenue and it costs money for hardware, software and training. Many forensics tools can also be used for data recovery.

Consider a splash screen letting users know that whatever they do on the computer is covered by the AUP.

Users need to be aware of district policies, laws, spyware, social engineering, awareness of illegal activities and the requirement to guard information.

When doing an investigation, make sure you get the basics such as the computer, system model/SN, HD model and SN, system date and time, and BIOS boot info. Take notes from start to finish so you can remember what you did and when. When seizing the computer or HD, pull the plug, or the battery from a laptop. This will maintain the computer exactly as you found it.

Have a securely erased drive ready to use. Get an image of the suspect drive. Make sure to **write-block** the suspect drive. Take multiple images of the drive. Seal and lock away the original drive.

Most forensics software has built in secure erase for hard drives. Helix, WinHex Pro and ProDiscover all include it as part of their toolkit.

Secure erase in WinHex: open the drive, choose Edit, then Fill Disk Sectors. You can do a single pass or DoD. Secure the drive after completion for later use.

Helix can be used for imaging a PC. Easiest for laptops. Boot the PC with Helix. **Helix Info**

Helix can boot any PC. E-fense has info on how to boot a system using Helix on a USB flash drive.

Image file options - get multiple copies of an image. You can image drive to drive or drive to image file (DD file) for investigation. Most forensics tools will be able to use that DD file to do what is needed.

Several companies that sell write blockers (Look at slides)

Hash values for the original drive and the image should be identical. A one-bit difference changes the hash, and then all the evidence is unusable.
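The image-and-verify step above, as an added example that is not from the session or from any of the tools it names: the source is only ever opened read-only (the software side of write-blocking), bytes are hashed as they are copied to the DD-style image, and the image is re-hashed afterwards. The `demo()` function stands in for a suspect drive with a constructed random file and flips one bit in a working copy to show the check fail.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024  # read the suspect drive in 64 KiB pieces, never all at once

def digest_file(path):
    """SHA-256 of a file or raw device node, streamed so large drives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the suspect source is never opened for writing
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path):
    """Copy source to image_path block by block (what dd does), hashing the bytes as
    they are read, then re-hash the written image and compare the two values."""
    reading = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            reading.update(block)
            dst.write(block)
    acquired, written = reading.hexdigest(), digest_file(image_path)
    return {"acquired": acquired, "image": written, "match": acquired == written}

def verify_image(source, image_path):
    """Later re-check: both hashes must still be identical; any differing bit fails."""
    return digest_file(source) == digest_file(image_path)

def demo():
    """Constructed sample: a random file stands in for the suspect drive."""
    with tempfile.TemporaryDirectory() as work:
        suspect = os.path.join(work, "suspect.bin")
        with open(suspect, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 517))  # deliberately not a whole number of chunks
        image = os.path.join(work, "suspect.dd")
        result = acquire_image(suspect, image)
        copy = os.path.join(work, "working_copy.dd")  # flip one bit here; verify must fail
        shutil.copyfile(image, copy)
        with open(copy, "r+b") as f:
            f.seek(CHUNK + 99)
            byte = f.read(1)[0]
            f.seek(CHUNK + 99)
            f.write(bytes([byte ^ 0x01]))
        return {"acquire_match": result["match"], "verify_clean": verify_image(suspect, image),
                "verify_tampered": verify_image(suspect, copy)}
```

Record both hash values in your notes at acquisition time; the later `verify_image` check is what lets you show in court that the image you worked on is still the one you took.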

ProDiscover and other tools will do all the work for you. Unallocated space is space that is never used or space made available by deleted files. Slack space is space not used by file data in a cluster.

Tools will look for files with wrong extensions, encrypted files. Problems will be encountered going forward with new hard drives that encrypt data on the fly.

MS TweakUI (free from MS) is used by bad guys to delete drive letters.

Finding Images can be done with ExifPro. Very easy.

Software - Recover My Files is a great piece of software that will recover all deleted files. Very easy to use. Trial version will find things and paid version will allow you to recover them.

OE Reader (free)

Password Encryption - NTPassword (can be used to get the password on any Windows computer) (See slide for various tools)

Steganography - try Steganote (on CD)
Keystroke Logging - try 007Starr (on CD)

ProDiscover (on CD) might be the only forensics program you will need. It is case oriented and does almost everything. Signature matching will find info that doesn't match, such as a .jpg that has had its extension changed.
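What signature matching does under the hood, as an added example that is not ProDiscover's code or from the session: compare a file's leading bytes (its magic number) with what its extension claims, and report the ones that disagree. The `demo()` function builds a constructed sample folder containing a JPEG header saved as `homework.txt` alongside honestly named files.

```python
import os
import tempfile

# Well-known leading bytes for a few file types (public magic numbers).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]
# Extensions that legitimately share a signature (Office .docx files are ZIP containers).
ALIASES = {"jpg": {"jpg", "jpeg"}, "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
           "exe": {"exe", "dll", "sys"}}

def detect_type(path):
    """Type implied by the file's leading bytes, or None if no known signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def check_file(path):
    """Compare the extension with the content signature and flag a mismatch."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = detect_type(path)
    mismatch = kind is not None and ext not in ALIASES.get(kind, {kind})
    return {"path": path, "detected": kind, "mismatch": mismatch}

def find_mismatches(root):
    """Walk a directory tree and list files whose extension disagrees with their content."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            r = check_file(os.path.join(dirpath, name))
            if r["mismatch"]:
                hits.append((name, r["detected"]))
    return sorted(hits)

def demo():
    """Constructed sample: four files, one of them a JPEG renamed to .txt."""
    samples = {"photo.jpeg": b"\xff\xd8\xff\xe0" + b"\0" * 32,
               "homework.txt": b"\xff\xd8\xff\xe1" + b"\0" * 32,
               "report.docx": b"PK\x03\x04" + b"\0" * 32,
               "readme.txt": b"plain text with no known signature"}
    with tempfile.TemporaryDirectory() as work:
        for name, data in samples.items():
            with open(os.path.join(work, name), "wb") as f:
                f.write(data)
        return find_mismatches(work)
```

Run `find_mismatches` against a mounted read-only copy of the image, never the original drive, and treat every hit as a lead to review by hand rather than proof on its own.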