On-Scene Triage of Electronic Evidence

On-Scene Triage
Identification of electronic evidence
Identifying wireless networks
Capturing volatile data pt. 1 – RAM dumps
Encryption
On-scene imaging of electronic data
Capturing volatile data pt. 2 – Router interrogation
Seizure/transportation/storage

Identification of Electronic Evidence

What is “electronic evidence”?
Items of interest in a criminal investigation which contain evidence in the form of electronic data
Computers
External storage media
Mobile devices
Gaming devices
Networking devices
Navigation devices
Etc.

Computers
Desktop
Laptop

Desktop computers

iMac all-in-one

All-in-one PCs

Mac Mini

Laptop PC

MacBook laptop

Netbooks

Internal hard drives

IDE vs. SATA

Internal drive dock

External Drives

Multi-drive externals

Other externals

Network Attached Storage (NAS)

USB flash media

Some “different” ones

Would you seize this?

These, however, are not storage devices

Media
Floppy Disk/Zip/Jaz/SuperDisk
CD/DVD
Flash media cards

Floppy Disks

Zip disks

Jaz drives

SuperDisk

CD/DVD

How about this?
Do we need to seize these?

Flash media cards

Let’s say I’m serving a search warrant for files such as documents, spreadsheets, etc.
Is this something I should be interested in?

Mobile devices
Cell phones
Tablets
PDAs

Cell Phones

Smartphones

And what do a lot of phones have in them?

Tablets

PDAs

Gaming devices

Media players

Networking devices

GPS

Printers/Copiers

Accessories/Supplemental Devices
Chargers
Manuals
Software

Do I need to take everything?
Short answer: yes
Longer answer: maybe not

Why should I take everything?
You may need to recreate the suspect’s system, for court or analysis
Forfeiture
To make it more difficult for him to continue/renew criminal activity
Some devices may be specialized and/or rare/obsolete; your examiner may be unable to complete the exam without them

Why should I not take everything?
Much of it will not be useful in your investigation
You may just end up returning it later
It will fill up your evidence room and really annoy your evidence custodian

A word of caution:
We cannot seize computers, etc., from a business or an individual that needs that equipment for employment or business activity, and not provide the business or individual access to the (non-contraband) data he needs.

Additionally:
We cannot seize data that is “work product” from journalists, authors, artists, etc., and not give them access to the (non-contraband) data.

So we’ve got a warrant, and we know what electronic evidence looks like. Now what?
First, some general guidelines/principles to be aware of…

At the scene, officer safety is the number one priority. Make sure you have enough manpower to secure the scene. If your bad guy isn’t home, don’t cut everyone loose while you search the house. Remember, some of the crimes we are talking about will result in these people going to jail for a long, long time; they may act foolishly.

Also with regard to officer safety, be aware of what brought you there. A lot of computer evidence relates to crimes such as child porn. Do not touch the keyboard without gloves. Don’t take home something you don’t want.

Do not let the suspect, witness or anyone else access the devices (for example, to enter a password for you, or show you where a file is located)
This includes you; don’t sit down at the keyboard and “look around”

Be aware that it is not always possible for items to be seized and removed from the scene for examination.

If things look really complicated, or something about the situation makes you nervous, call for help.
Electronic evidence that is seized incorrectly can be lost forever. There is no shame in asking for help from a specialist. Trust your instincts.

Get a good interview with the bad guy while you are at the scene. He may be willing to tell you things that will help you.
Encryption keys
Locations of files
Confession

Can I just shut it down?
NOT YET!!
We need to document what is going on
We need to determine if data is encrypted
We need to determine if any volatile data needs to be captured

Once the scene is secured, before we start fiddling around with the evidence, take photographs to document everything.

Documentation
Why do we care what the computer is doing when we arrive?
Chatting
Downloading
Opened files which may not be saved
System date and time

What happens to this unsaved document if I just yank the plug? Is there any way to preserve this evidence?

We can testify to the jury about what was going on when we arrived, and what we subsequently discovered during the examination, but a picture has a lot more impact with them.
Document, document, document

Before we get started…
One of the tools we are going to use in a lot of the following procedures is FTK Imager Lite
Let’s get it set up

First, let’s prepare our media
Most thumb drives will be formatted with a FAT file system by default. THIS WILL NOT WORK ON NEWER SYSTEMS!
4GB file size limit
How do we change that?

So let’s re-format it with an NTFS file system, which will handle files larger than 4GB.

FTK Imager Lite
Free download
We want the “Lite” version

FTK Imager Lite
The download is a .zip file
Unzip it to your thumb drive/external drive
Create a folder on the drive to direct your output to

We’ll talk about the other tools as we go along

Identifying Wireless Networks

Identifying wireless networks
Why do we need to?
Do we need a specialized device?

Note: prior to using the following techniques, you need to “sterilize” your equipment by forgetting all the stored networks, so that the device will not automatically connect to the router if it recognizes its SSID.

Using your laptop’s wifi utility, locate the suspect network – it will give the name, and indicate whether or not it is secured

You can also use the wifi utility in your phone or tablet, if so equipped

There are also mobile apps which will give us info about the wireless network to which the device is connected

Things change quickly in the world of computer technology
We must be willing to adjust our methods accordingly

Encryption

Encryption
Encryption vs. password
Can we access the encrypted data?

Encryption
Quality encryption is readily available to non-geeks
BitLocker
EFS
TrueCrypt
Free*
User friendly

What can we, as examiners, do with files or disks that are encrypted, if we don’t know the key?

What can we, as examiners, do with files or disks that are encrypted, if we don’t know the key?
- NOTHING

Some common types of encryption
Full disk encryption – entire physical or logical disk
Can be software or hardware based
Files or systems in use are not protected
Files at rest are protected
Protects against situations like laptop theft, etc.
PGP, BitLocker, FileVault, some hard drives

Some common types of encryption
Filesystem-level encryption – Individual files or folders are encrypted
Can add further security to a fully encrypted disk
Metadata, such as file names, sizes, timestamps, and directory structure, are not encrypted
EFS is a filesystem-level encryption

BitLocker
BitLocker is included in the Ultimate and Enterprise versions of Vista, 7 and 8
BitLocker is full disk encryption

BitLocker

Here’s how a BitLocker encrypted drive appears in Windows Explorer

Some versions of Windows also allow us to encrypt files or folders using EFS (encrypting file system)
Drive must be formatted NTFS (most thumb drives are not)

Now the encrypted files and folders will be green in Windows Explorer

TrueCrypt
TrueCrypt WAS a free on-the-fly encryption utility which could be used to encrypt an entire physical or logical disk, or to create an encrypted container
As of May 28, 2014, TrueCrypt is no longer supported or maintained, and advised its users to find other solutions

Does this mean we will no longer encounter TrueCrypt?

TrueCrypt
Using TrueCrypt, we can either encrypt the whole drive, or we can create an “encrypted container”
We select how large we want the container to be, and what the encryption key will be

Here is an attempt to open a previously created encrypted TrueCrypt container; note that the OS doesn’t know what to do with it.

Now, we assign a vacant drive letter to the soon-to-be decrypted container, direct TrueCrypt to the container we had previously created, and tell it to mount the container…

TrueCrypt prompts us to enter the encryption key.

And TrueCrypt decrypts and mounts the container, making it available to us.

And we can now access the decrypted contents.

So, if we encounter a computer and are aware that TrueCrypt is running…
…it behooves us to secure that encrypted data prior to shutdown (we’ll discuss how shortly).

So, now that we’re sufficiently convinced that our bad guy has convenient choices for encrypting his stuff, what do we do?

Encryption detection
Tools are available which will assist us in detecting if encryption is present
FTK Imager Lite
osTriage
CryptHunter
None are perfect (but, on the positive side, all are free!)

Before we start…
In order to run these tools, we have to insert a thumb drive into a running suspect system
Are we changing data?
Is this a problem?

We add our evidence item
And then check for encryption

Here is FTK Imager looking at the thumb drive containing the EFS encrypted files

If we drill down to the files on the drive, we see the key icon next to them, indicating that they are EFS encrypted

Great; problem solved, right?
…not so fast.

Here are our other two thumb drives, one encrypted with BitLocker and one encrypted with TrueCrypt

FTK Imager only detects EFS encryption
Is that good enough?

Let’s try it with osTriage

2 out of 3

“osTriage currently detects TrueCrypt, BestCrypt, PGP, and Bitlocker”
osTriage Manual

Those same three drives as seen by CryptHunter

What’s the moral of the story?
None of the tools are perfect
You may need to use more than one
You need to evaluate your suspect and your scene, and don’t rely solely on the tools

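As an added example (not code from the presentation or from any of the three tools), here is the kind of check these tools perform, written in Python: a signature test for BitLocker, an entropy test for headerless containers such as TrueCrypt's, and a file-attribute lookup for EFS, which no byte-level check can see. The sample bytes are constructed, and the entropy threshold is an assumption.

```python
import math
import os
import random
import stat
from collections import Counter

# BitLocker-protected NTFS volumes carry the OEM name "-FVE-FS-" at offset 3
# of the volume boot sector; that string is a reliable signature.
BITLOCKER_OEM_ID = b"-FVE-FS-"
PLAIN_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"EXFAT   ")
SAMPLE = 64 * 1024  # bytes examined by the entropy test


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random (or encrypted) data approaches 8.0, text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(blob: bytes, threshold: float = 7.9) -> str:
    """Verdict for the raw bytes of a volume boot sector or a suspected container.
    bitlocker         signature match (reliable)
    plain             a recognizable boot sector, or low-entropy content
    likely-encrypted  no signature but near-random bytes, which is all a TrueCrypt
                      container (no header, no magic) ever shows; compressed media
                      scores the same, which is where these tools get false positives
    inconclusive      too little data for the entropy test to mean anything
    """
    if blob[3:11] == BITLOCKER_OEM_ID:
        return "bitlocker"
    if blob[3:11] in PLAIN_OEM_IDS:
        return "plain"
    if len(blob) < 4096:
        return "inconclusive"
    return "likely-encrypted" if shannon_entropy(blob[:SAMPLE]) >= threshold else "plain"


def efs_encrypted(path: str):
    """EFS is a per-file NTFS attribute, invisible to byte-level checks; Windows
    exposes it through os.stat. Returns None on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)


# Constructed samples standing in for bytes read from real devices or files.
rng = random.Random(7)
CONTAINER = bytes(rng.getrandbits(8) for _ in range(SAMPLE))   # ciphertext-like
BITLOCKER = b"\xeb\x58\x90" + BITLOCKER_OEM_ID + bytes(501)    # 512-byte boot sector
NTFS = b"\xeb\x52\x90" + b"NTFS    " + bytes(501)
TEXT = (b"Meeting notes for Tuesday: bring the spreadsheet. " * 1400)[:SAMPLE]

if __name__ == "__main__":
    for name, blob in [("container", CONTAINER), ("bitlocker", BITLOCKER),
                       ("ntfs", NTFS), ("text", TEXT)]:
        print(f"{name:10s} entropy={shannon_entropy(blob[:SAMPLE]):.2f} -> {classify(blob)}")
```
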
Capturing Volatile Data pt. 1
RAM Dumps

Volatile Data
What exactly are we talking about?
Memory that will lose its contents if power is removed
RAM
Router memory

RAM – Random Access Memory
Data can be written and read in the same amount of time regardless of what order the data is stored in
By contrast, with direct access memory (hard drives, CDs, etc.) data read and write speeds depend on the physical location of the data on the medium

RAM is memory available to the operating system and programs for processing and functioning, not storage

What is a pagefile?
In most systems, a portion of the computer’s hard drive space is set aside as “virtual RAM” to extend the RAM capacity of the system
Results in additional (although slower) RAM; data is swapped back and forth from this pagefile (also sometimes called a swap file) to the RAM

RAM – Random Access Memory
Data is stored as electrical impulses which disappear when power is removed
Everything present must, therefore, have been created since the computer was turned on

Remember, this is memory that will lose its contents if power is removed
We can’t seize these items, take them back to our office and examine them there – it must be done on-scene, or it’s gone forever

Things to remember
You can’t put 8GB of RAM on a 4GB thumb drive (or an 8GB thumb drive, for that matter)
This is called a memory “dump” for a reason
You are making changes to the system

FTK Imager Lite

Select the Browse button

Direct it to a prepared folder on your thumb drive

Rename it
And don’t forget to capture the pagefile, too

Capture Memory

…and wait

Until you see:

Hit the close button:

In your “Acquired Data” folder

Now?
We examine the dump using a forensic tool, such as EnCase or FTK
Let’s take a look at some things we found in a sample RAM dump…

First, let’s look at what I did before I dumped the RAM…

I mounted a TrueCrypt volume…

I did a search for tips on poisoning my wife…

And I typed a note to a friend…

Can we find any sign of these activities in our RAM dump?

Loaded into EnCase…

How about our TrueCrypt key?
In plain text!
(and it actually appears four times in the dump)

Our threatening note (that was never saved)

Our Google Search

Lots of good data may be available to us in the RAM dump
We can’t seize it and examine it later

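An added example, not part of the presentation and not EnCase or FTK: a Python string carver that pulls printable runs out of a memory image in both ASCII and UTF-16LE and reports every offset at which a known string appears, which is how one shows that a key was resident in memory more than once. The dump, the passphrase and the note are all constructed.

```python
import random
import re

ENCODINGS = ("ascii", "utf-16-le")   # Windows keeps much of its text in UTF-16LE


def carve_strings(dump: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE, ordered by offset.
    A plain `strings` pass sees only the first kind and misses the second."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        found.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_hits(dump: bytes, needle: str):
    """Every (offset, encoding) at which `needle` occurs in the dump."""
    hits = []
    for enc in ENCODINGS:
        pattern = needle.encode(enc)
        pos = dump.find(pattern)
        while pos != -1:
            hits.append((pos, enc))
            pos = dump.find(pattern, pos + 1)
    return sorted(hits)


# Constructed stand-in for a memory image: non-printable filler with a few
# pieces of "live" data planted the way a real dump would hold them.
rng = random.Random(3)
FILLER = b"\x00\x01\x7f\x80\x90\xfe\xff"


def junk(n: int) -> bytes:
    return bytes(rng.choice(FILLER) for _ in range(n))


PASSPHRASE = "correct horse battery"                 # stands in for a volume key
NOTE = "Meet me at the usual place at nine."         # the never-saved document
DUMP = (junk(300) + PASSPHRASE.encode("ascii")       # typed into the mount dialog
        + junk(120) + NOTE.encode("utf-16-le")       # editor buffer, wide chars
        + junk(80) + PASSPHRASE.encode("utf-16-le")  # a second copy, wide chars
        + junk(200) + PASSPHRASE.encode("ascii") + junk(50))

if __name__ == "__main__":
    for off, enc, text in carve_strings(DUMP):
        print(f"{off:#08x} {enc:9s} {text}")
    print("passphrase hits:", find_hits(DUMP, PASSPHRASE))
```
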
On-Scene Imaging

On-scene Forensic Imaging
First, what is a forensic image?
What tools do we use to create them?
And in what situations would we need to create them on-scene?

FTK Imager Lite
There are several tools which can create images of different formats
FTK Imager Lite is the one we recommend
Industry standard from industry leader AccessData
Fast, reliable
FREE!

FTK Imager Lite
Some considerations…
How big is the source drive?
How big is the target drive?
How much time do you have?

Here is the icon for creating an image…

FTK Imager Lite
In most situations, we are going to be creating images of physical drives

FTK Imager Lite
Now, we select the drive we are going to create an image of
What’s that second listed drive?

What do these mean?

Very Important

And then turn it loose…
…and wait

FTK Imager Lite
What are we going to do with the resulting image?
Examining the image is a more advanced, complex, and time-consuming procedure
But we have preserved the evidence, and made sure that it is available to our examiner

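Added example in Python (not FTK Imager's code): the acquire-then-verify discipline an imaging tool applies, hashing the stream while it is copied, re-reading the written image to confirm it, and checking first that the target has room, which is the "how big is the target drive?" question above. The file names and the 3 MiB stand-in for the source drive are constructed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, large enough to keep a USB target streaming


def hash_stream(fh, sink=None, chunk=CHUNK):
    """Read fh to the end, optionally copying every block to sink, and return
    (bytes_read, md5, sha1). Hashing during the copy costs one pass, not two."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while True:
        buf = fh.read(chunk)
        if not buf:
            break
        if sink is not None:
            sink.write(buf)
        md5.update(buf)
        sha1.update(buf)
        total += len(buf)
    return total, md5.hexdigest(), sha1.hexdigest()


def fits_on_target(source_bytes: int, target_dir: str, margin: float = 0.05) -> bool:
    """A raw image is as large as the source; keep a little headroom for logs."""
    return shutil.disk_usage(target_dir).free >= source_bytes * (1 + margin)


def acquire(source_path: str, image_path: str) -> dict:
    """Write a raw (dd-style) image of source_path and record acquisition hashes."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        size, md5, sha1 = hash_stream(src, dst)
    return {"bytes": size, "md5": md5, "sha1": sha1}


def verify(image_path: str, acquisition: dict) -> bool:
    """Re-read the finished image from the target and compare both hashes.
    Only a match proves the copy on the thumb drive equals what was read."""
    with open(image_path, "rb") as img:
        size, md5, sha1 = hash_stream(img)
    return (size, md5, sha1) == (acquisition["bytes"], acquisition["md5"], acquisition["sha1"])


def demo() -> bool:
    """Constructed run: a 3 MiB file stands in for the physical drive."""
    with tempfile.TemporaryDirectory() as scene:
        source = os.path.join(scene, "suspect_disk.bin")
        image = os.path.join(scene, "suspect_disk.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        if not fits_on_target(os.path.getsize(source), scene):
            return False
        record = acquire(source, image)
        good = verify(image, record)
        with open(image, "r+b") as f:            # a fault on the target drive
            f.seek(1000)                         # (one flipped byte) must be
            damaged = f.read(1)[0] ^ 0xFF        # caught by verification
            f.seek(1000)
            f.write(bytes([damaged]))
        return good and not verify(image, record)
```
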
Capturing Volatile Data pt. 2
Router Interrogation

Router Interrogation
This is a brief overview of the process of router interrogation, not a detailed tutorial
Before trying this at a scene, seek further training, and practice, practice, practice

How do we connect to the router?
First, disconnect the router from the internet (i.e., “the outside world”)

How do we access a router?
First, we need to attach our laptop to the router via one of the LAN ports
Then, we need to know the IP address and username/password for the router
This is not the internet username and password

Why don’t we connect wirelessly?
So we can say for sure we connected to the correct device – what if there are several wifi networks in range?
We need a password to connect to a secured network via wifi, but not via direct physical connection

Now, we type the IP address into a web browser, and enter the username/password.

Router Log

DHCP Client List

Did we make any changes to the data contained in this router?
Entry in DHCP client list for our machine
Entry in log for administrative access
Did we just screw up our case?

There is a lot of other interesting information contained in the router – security settings, date/time, filtering data, etc. – that may be valuable to your investigation
If this is something that interests you, get more training, and practice

Seizing Electronic Evidence

Operating system
The method we will use to shut down the computer will be determined by the operating system
Windows (server?)
Linux
Mac OS

If the computer is turned off, leave it off
If the computer is on, but the screen is blank, move the mouse to wake it up

How can you tell what the OS is?
Most of us are familiar with the general look of a Windows machine

What does Linux look like?

How about Mac OS?

Windows
If it is a Windows machine, and is not Windows Server, pull the plug from the back of the machine.
Why not the wall?
How about a laptop?

Windows Server
If it is Windows Server, turn the computer off using the appropriate commands.

Linux
Turn the computer off using appropriate commands.

Mac OS
Turn the computer off using appropriate commands.

Once it’s off, label the cords as you remove them from the back of the machine, and label the ports to which those cords are attached.

Mobile devices – isolate?
Why would we want to isolate a mobile device from the network?
Prevent changes to the data
Protect evidence
Ensure we are in compliance with our warrant

Why would we not want to isolate a mobile device from the network?
Prevent device from locking us out
Prevent rapid battery drain

Low-tech options
Remove the battery?
Pros: easy, cheap and takes no skill
Cons: Some batteries can’t be removed (iPhone) and it may also activate the PIN.
Airplane mode?
Pros: cheap, and effective
Cons: You are changing data. Can you successfully turn on airplane mode without accidentally screwing something up? Does airplane mode disable wifi access?

Other options
Faraday bags
Foil
Signal jammers?

I am not going to tell you how you should do it. The bottom line is that you should develop an SOP and stick to it…
…and don’t be afraid to break it (as long as you can explain why you did).

Now it’s off; what do we do with it?
Transport it in the car like a person; put a seatbelt on it
Keep it in the position in which it was found

Keep it away from:
Heat
Cold
Water
Magnetic fields

Once it’s back at your station:
Package it in two containers:
Items that will be examined
Computers
Mobile devices
Media
External devices
Items that will not be examined
Monitors
Keyboards
Mice
Speakers

Accurately label the items
Make, model, serial number
Do cell phones have serial numbers?
MEID/ESN
IMEI
Do Dell computers have serial numbers?
Service tag

Some final thoughts…
Evidence that is not seized cannot be examined
Don’t be afraid to make (justifiable) changes to the data
Don’t be afraid to ask for help or advice
Most importantly, be careful