On-Scene Triage of Electronic Evidence

alida-meadow

Uploaded On 2019-03-16
Presentation Transcript

Slide 1
On-Scene Triage of Electronic Evidence

Slide 2
On-Scene Triage
Identification of electronic evidence
Identifying wireless networks
Capturing volatile data pt. 1 – RAM dumps
Encryption
On-scene imaging of electronic data
Capturing volatile data pt. 2 – Router interrogation
Seizure/transportation/storage

Slide 3
Identification of Electronic Evidence

Slide 4
What is “electronic evidence”?
Items of interest in a criminal investigation which contain evidence in the form of electronic data
Computers
External storage media
Mobile devices
Gaming devices
Networking devices
Navigation devices
Etc.

Slide 5
Computers
Desktop
Laptop

Slide 6
Desktop computers

Slide 7
iMac all-in-one

Slide 8
All-in-one PCs

Slide 9
Mac Mini

Slide 10
Laptop PC

Slide 11
MacBook laptop

Slide 12
Netbooks

Slide 13
Internal hard drives

Slide 14
IDE vs. SATA

Slide 15
Internal drive dock

Slide 16
External Drives

Slide 17
Multi-drive externals

Slide 18
Other externals

Slide 19
Network Attached Storage (NAS)

Slide 20
USB flash media

Slide 21
Some “different” ones

Slide 22
Would you seize this?

Slide 23
These, however, are not storage devices

Slide 24
Media
Floppy Disk/Zip/Jaz/SuperDisk
CD/DVD
Flash media cards

Slide 25
Floppy Disks

Slide 26
Zip disks

Slide 27
Jaz drives

Slide 28
SuperDisk

Slide 29
CD/DVD

Slide 30
How about this?
Do we need to seize these?

Slide 31
Flash media cards

Slide 32
Let’s say I’m serving a search warrant for files such as documents, spreadsheets, etc.
Is this something I should be interested in?

Slide 33
Mobile devices
Cell phones
Tablets
PDAs

Slide 34
Cell Phones

Slide 35
Smartphones

Slide 36
And what do a lot of phones have in them?

Slide 37
Tablets

Slide 38
PDAs

Slide 39
Gaming devices

Slide 40
Media players

Slide 41
Networking devices

Slide 42
GPS

Slides 43–45: no transcript text

Slide 46
Printers/Copiers

Slide 47
Accessories/Supplemental Devices
Chargers
Manuals
Software

Slide 48
Do I need to take everything?
Short answer: yes
Longer answer: maybe not

Slide 49
Why should I take everything?
You may need to recreate the suspect’s system, for court or analysis
Forfeiture
To make it more difficult for him to continue/renew criminal activity
Some devices may be specialized and/or rare/obsolete; your examiner may be unable to complete the exam without them

Slide 50
Why should I not take everything?
Much of it will not be useful in your investigation
You may just end up returning it later
It will fill up your evidence room and really annoy your evidence custodian

Slide 51
A word of caution:
We cannot seize computers, etc., from a business or an individual that needs that equipment for employment or business activity, and not provide the business or individual access to the (non-contraband) data he needs.

Slide 52
Additionally:
We cannot seize data that is “work product” from journalists, authors, artists, etc., and not give them access to the (non-contraband) data.

Slide 53
So we’ve got a warrant, and we know what electronic evidence looks like. Now what?
First, some general guidelines/principles to be aware of…

Slide 54
At the scene, officer safety is the number one priority. Make sure you have enough manpower to secure the scene. If your bad guy isn’t home, don’t cut everyone loose while you search the house. Remember, some of the crimes we are talking about will result in these people going to jail for a long, long time; they may act foolishly.

Slide 55
Also with regard to officer safety, be aware of what brought you there. A lot of computer evidence relates to crimes such as child porn. Do not touch the keyboard without gloves. Don’t take home something you don’t want.

Slide 56
Do not let the suspect, witness or anyone else access the devices (for example, to enter a password for you, or show you where a file is located)
This includes you; don’t sit down at the keyboard and “look around”

Slide 57
Be aware that it is not always possible for items to be seized and removed from the scene for examination.

Slide 58
If things look really complicated, or something about the situation makes you nervous, call for help.
Electronic evidence that is seized incorrectly can be lost forever. There is no shame in asking for help from a specialist. Trust your instincts.

Slide 59
Get a good interview with the bad guy while you are at the scene. He may be willing to tell you things that will help you.
Encryption keys
Locations of files
Confession

Slide 60
Can I just shut it down?
NOT YET!!
We need to document what is going on
We need to determine if data is encrypted
We need to determine if any volatile data needs to be captured

Slide 61
Once the scene is secured, before we start fiddling around with the evidence, take photographs to document everything.

Slide 62
Documentation
Why do we care what the computer is doing when we arrive?
Chatting
Downloading
Opened files which may not be saved
System date and time

Slides 63–65: no transcript text

Slide 66
What happens to this unsaved document if I just yank the plug? Is there any way to preserve this evidence?

Slide 67
We can testify to the jury about what was going on when we arrived, and what we subsequently discovered during the examination, but a picture has a lot more impact with them.
Document, document, document

Slide 68
Before we get started…
One of the tools we are going to use in a lot of the following procedures is FTK Imager Lite
Let’s get it set up

Slide 69
First, let’s prepare our media
Most thumb drives will be formatted with a FAT file system by default. THIS WILL NOT WORK ON NEWER SYSTEMS!
4GB file size limit
How do we change that?

Slide 70
So let’s re-format it with an NTFS file system, which will handle files larger than 4GB.

Slide 71
FTK Imager Lite
Free download
We want the “Lite” version

Slide 72
FTK Imager Lite
The download is a .zip file
Unzip it to your thumb drive/external drive
Create a folder on the drive to direct your output to

Slide 73
We’ll talk about the other tools as we go along

Slide 74
Identifying Wireless Networks

Slide 75
Identifying wireless networks
Why do we need to?
Do we need a specialized device?

Slide 76
Note: prior to using the following techniques, you need to “sterilize” your equipment by forgetting all the stored networks, so that the device will not automatically connect to the router if it recognizes its SSID.

Slide 77
Using your laptop’s wifi utility, locate the suspect network – it will give the name, and indicate whether or not it is secured

Slide 78
You can also use the wifi utility in your phone or tablet, if so equipped

Slide 79
There are also mobile apps which will give us info about the wireless network to which the device is connected

Slide 80
Things change quickly in the world of computer technology
We must be willing to adjust our methods accordingly

Slide 81
Encryption

Slide 82
Encryption
Encryption vs. password
Can we access the encrypted data?

Slide 83
Encryption
Quality encryption is readily available to non-geeks
BitLocker
EFS
TrueCrypt
Free*
User friendly

Slide 84
What can we, as examiners, do with files or disks that are encrypted, if we don’t know the key?

Slide 85
What can we, as examiners, do with files or disks that are encrypted, if we don’t know the key?
- NOTHING

Slide 86
Some common types of encryption
Full disk encryption – entire physical or logical disk
Can be software or hardware based
Files or systems in use are not protected
Files at rest are protected
Protects against situations like laptop theft, etc.
PGP, BitLocker, FileVault, some hard drives

Slide 87
Some common types of encryption
Filesystem-level encryption – Individual files or folders are encrypted
Can add further security to a fully encrypted disk
Metadata, such as file names, sizes, timestamps, and directory structure, are not encrypted
EFS is a filesystem-level encryption

Slide 88
BitLocker
BitLocker is included in the Ultimate and Enterprise versions of Vista, 7 and 8
BitLocker is full disk encryption

Slide 89
BitLocker

Slide 90
Here’s how a BitLocker encrypted drive appears in Windows Explorer

Slide 91
Some versions of Windows also allow us to encrypt files or folders using EFS (Encrypting File System)
Drive must be formatted NTFS (most thumb drives are not)

Slide 92: no transcript text

Slide 93
Now the encrypted files and folders will be green in Windows Explorer

Slide 94
TrueCrypt
TrueCrypt WAS a free on-the-fly encryption utility which could be used to encrypt an entire physical or logical disk, or to create an encrypted container
As of May 28, 2014, TrueCrypt is no longer supported or maintained, and advised its users to find other solutions

Slide 95
Does this mean we will no longer encounter TrueCrypt?

Slide 96
TrueCrypt
Using TrueCrypt, we can either encrypt the whole drive, or we can create an “encrypted container”
We select how large we want the container to be, and what the encryption key will be

Slide 97
Here is an attempt to open a previously created encrypted TrueCrypt container; note that the OS doesn’t know what to do with it.

Slide 98
Now, we assign a vacant drive letter to the soon-to-be decrypted container, direct TrueCrypt to the container we had previously created, and tell it to mount the container…

Slide 99
TrueCrypt prompts us to enter the encryption key.

Slide 100
And TrueCrypt decrypts and mounts the container, making it available to us.

Slide 101
And we can now access the decrypted contents.

Slide 102
So, if we encounter a computer and are aware that TrueCrypt is running…
…it behooves us to secure that encrypted data prior to shutdown (we’ll discuss how shortly).

Slide 103
So, now that we’re sufficiently convinced that our bad guy has convenient choices for encrypting his stuff, what do we do?

Slide 104
Encryption detection
Tools are available which will assist us in detecting if encryption is present
FTK Imager Lite
osTriage
CryptHunter
None are perfect (but, on the positive side, all are free!)

Slide 105
Before we start…
In order to run these tools, we have to insert a thumb drive into a running suspect system
Are we changing data?
Is this a problem?

Slide 106
We add our evidence item
And then check for encryption

Slide 107
Here is FTK Imager looking at the thumb drive containing the EFS encrypted files

Slide 108
If we drill down to the files on the drive, we see the key icon next to them, indicating that they are EFS encrypted

Slide 109
Great; problem solved, right?
…not so fast.

Slide 110
Here are our other two thumb drives, one encrypted with BitLocker and one encrypted with TrueCrypt

Slide 111
FTK Imager only detects EFS encryption
Is that good enough?

Slide 112
Let’s try it with osTriage

Slide 113
2 out of 3

Slide 114
“osTriage currently detects TrueCrypt, BestCrypt, PGP, and Bitlocker”
– osTriage Manual

Slide 115
Those same three drives as seen by CryptHunter

Slide 116
What’s the moral of the story?
None of the tools are perfect
You may need to use more than one
You need to evaluate your suspect and your scene, and don’t rely solely on the tools

Slide 117
Capturing Volatile Data pt. 1
RAM Dumps

Slide 118
Volatile Data
What exactly are we talking about?
Memory that will lose its contents if power is removed
RAM
Router memory

Slide 119
RAM – Random Access Memory
Data can be written and read in the same amount of time regardless of what order the data is stored in
By contrast, with direct access memory (hard drives, CDs, etc.) data read and write speeds depend on the physical location of the data on the medium

Slide 120
RAM is memory available to the operating system and programs for processing and functioning, not storage

Slide 121
What is a pagefile?
In most systems, a portion of the computer’s hard drive space is set aside as “virtual RAM” to extend the RAM capacity of the system
Results in additional (although slower) RAM; data is swapped back and forth from this pagefile (also sometimes called a swap file) to the RAM

Slide 122
RAM – Random Access Memory
Data is stored as electrical impulses which disappear when power is removed
Everything present must, therefore, have been created since the computer was turned on

Slide 123
Remember, this is memory that will lose its contents if power is removed
We can’t seize these items and take them back to our office and examine them there –
it must be done on-scene, or it’s gone forever

Slide 124
Things to remember
You can’t put 8GB of RAM on a 4GB thumb drive (or an 8GB thumb drive, for that matter)
This is called a memory “dump” for a reason
You ARE making changes to the system
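Slides 69–70 and 124 together amount to a pre-flight check on the capture drive: a FAT-formatted stick cannot hold a single file over 4GB, and the dump plus the pagefile must both fit in the free space. This added example (not from the presentation; the size strings and the 4 GiB FAT32 limit table are the only inputs) turns those two warnings into a function an examiner can run before clicking Capture Memory.

```python
"""Pre-flight check for the thumb drive that will receive a RAM capture.

Added example, not from the presentation. It checks the two things the slides
warn about before a capture starts: FAT/FAT32 cannot store a single file of
4 GiB or more (the dump itself would fail), and the dump plus the pagefile
must fit in the free space on the target drive.
"""
import re

GIB = 1024 ** 3
# Largest single file each filesystem can hold; NTFS and exFAT have no
# practical limit for this purpose and are deliberately absent.
MAX_FILE_SIZE = {"FAT": 4 * GIB - 1, "FAT32": 4 * GIB - 1}
SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT]?)I?B?\s*$", re.I)

def parse_size(text: str) -> int:
    """Turn '8GB', '4 GiB' or '512MB' into bytes (binary units, as RAM is sized)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    number, unit = float(m.group(1)), (m.group(2) or "B").upper()
    return int(number * 1024 ** "BKMGT".index(unit))

def check_capture_target(ram: str, pagefile: str, target_fs: str, target_free: str) -> dict:
    """Report whether a RAM dump plus pagefile can be written to the target drive."""
    dump, page, free = parse_size(ram), parse_size(pagefile), parse_size(target_free)
    fs = target_fs.upper()
    problems = []
    limit = MAX_FILE_SIZE.get(fs)
    if limit is not None and dump > limit:
        problems.append(f"{fs} cannot hold a single {ram} file; reformat the drive as NTFS")
    if dump + page > free:
        problems.append(f"need {(dump + page) / GIB:.1f} GiB for dump + pagefile, "
                        f"only {free / GIB:.1f} GiB free")
    return {"ok": not problems, "needed_bytes": dump + page, "problems": problems}

if __name__ == "__main__":
    # Constructed scene: 8GB of RAM, an 8GB pagefile, and a "16GB" stick as sold
    # (FAT32, about 14.9 GiB usable). Both checks fail.
    print(check_capture_target("8GB", "8GB", "FAT32", "14.9GB"))
```

Thumb-drive capacities are marketed in decimal gigabytes, so the free-space figure should come from the operating system's own reading of the drive rather than the label.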

Slide 125
FTK Imager Lite

Slide 126: no transcript text

Slide 127
Select the Browse button

Slide 128
Direct it to a prepared folder on your thumb drive

Slide 129
Rename it
And don’t forget to capture the pagefile, too

Slide 130
Capture Memory

Slide 131
…and wait

Slide 132
Until you see:

Slide 133
Hit the close button:

Slide 134
In your “Acquired Data” folder

Slide 135
Now?
We examine the dump using a forensic tool, such as EnCase or FTK
Let’s take a look at some things we found in a sample RAM dump…

Slide 136
First, let’s look at what I did before I dumped the RAM…

Slide 137
I mounted a TrueCrypt volume…

Slide 138
I did a search for tips on poisoning my wife…

Slide 139
And I typed a note to a friend…

Slide 140
Can we find any sign of these activities in our RAM dump?

Slide 141
Loaded into EnCase…

Slide 142
How about our TrueCrypt key?
In plain text!
(and it actually appears four times in the dump)

Slide 143
Our threatening note (that was never saved)

Slide 144
Our Google Search

Slide 145
Lots of good data MAY be available to us in the RAM dump
We can’t seize it and examine it later

Slide 146
On-Scene Imaging

Slide 147
On-scene Forensic Imaging
First, what is a forensic image?
What tools do we use to create them?
And in what situations would we need to create them on-scene?

Slide 148
FTK Imager Lite
There are several tools which can create images of different formats
FTK Imager Lite is the one we recommend
Industry standard from industry leader AccessData
Fast, reliable
FREE!

Slide 149
FTK Imager Lite
Some considerations…
How big is the source drive?
How big is the target drive?
How much time do you have?

Slide 150
Here is the icon for creating an image…

Slide 151
FTK Imager Lite
In most situations, we are going to be creating images of physical drives

Slide 152
FTK Imager Lite
Now, we select the drive we are going to create an image of
What’s that second listed drive?

Slide 153
What do these mean?

Slide 154
Very Important

Slide 155
And then turn it loose…
…and wait

Slide 156
FTK Imager Lite
What are we going to do with the resulting image?
Examining the image is a more advanced, complex, and time-consuming procedure
But we have preserved the evidence, and made sure that it is available to our examiner

Slide 157
Capturing Volatile Data pt. 2
Router Interrogation

Slide 158
Router Interrogation
This is a brief overview of the process of router interrogation, not a detailed tutorial
Before trying this at a scene, seek further training, and practice, practice, practice

Slide 159
How do we connect to the router?
First, disconnect the router from the internet (i.e., “the outside world”)

Slide 160
How do we access a router?
First, we need to attach our laptop to the router via one of the LAN ports
Then, we need to know the IP address and username/password for the router
This is NOT the internet username and password

Slide 161
Why don’t we connect wirelessly?
So we can say for sure we connected to the correct device – what if there are several wifi networks in range?
We need a password to connect to a secured network via wifi, but not via direct physical connection

Slide 162
Now, we type the IP address into a web browser, and enter the username/password.

Slide 163
Router Log

Slide 164
DHCP Client List

Slide 165
Did we make any changes to the data contained in this router?
Entry in DHCP client list for our machine
Entry in log for administrative access
Did we just screw up our case?

Slide 166
There is a lot of other interesting information contained in the router – security settings, date/time, filtering data, etc. – that may be valuable to your investigation
If this is something that interests you, get more training, and practice
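The answer to "did we just screw up our case?" is an accounting of every change the interrogation made. This added example (not from the presentation) takes a DHCP client list and router log as an examiner might copy them from the admin pages, plus the examiner laptop's MAC and the documented arrival time, and tags each entry as the examiner's own footprint or as pre-existing scene data. The table and log formats, addresses, hostnames and timestamps are all constructed; real routers present this data differently.

```python
"""Account for the examiner's own footprint in captured router data.

Added example, not from the presentation. Plugging a laptop into a LAN port
and logging in adds a DHCP lease and an admin login to the router's data;
pulling the WAN cable logs a link-down. Given the documented arrival time (in
router-clock terms) and the laptop's MAC, tag each entry EXAMINER or
PRE-EXISTING. Formats and values are constructed; real routers differ.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
DHCP_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f:]{17})\s+(.+)$", re.I)
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")

# Constructed DHCP client list and log, as copied from the router's admin pages.
DHCP_TABLE = """\
hostname      ip             mac                expires
DESKTOP-7H3K  192.168.1.100  a4:5e:60:11:22:33  2019-03-16 20:11:03
android-9f2c  192.168.1.104  d8:3b:bf:44:55:66  2019-03-16 20:14:47
EXAM-LT02     192.168.1.110  00:1b:21:aa:bb:cc  2019-03-17 09:01:31
"""
ROUTER_LOG = """\
2019-03-15 20:11:03 [DHCP] lease granted 192.168.1.100 a4:5e:60:11:22:33
2019-03-15 20:14:47 [WLAN] client associated d8:3b:bf:44:55:66
2019-03-16 08:58:20 [WAN] link down
2019-03-16 09:01:31 [DHCP] lease granted 192.168.1.110 00:1b:21:aa:bb:cc
2019-03-16 09:02:05 [ADMIN] login success from 192.168.1.110
"""

def parse_dhcp_table(text: str) -> list:
    """Parse the client list; the first line is the column header."""
    rows = [DHCP_RE.match(l.strip()) for l in text.strip().splitlines()[1:]]
    return [{"host": m[1], "ip": m[2], "mac": m[3].lower(), "expires": m[4]} for m in rows if m]

def parse_log(text: str) -> list:
    """Parse 'timestamp [FACILITY] message' lines."""
    hits = [LOG_RE.match(l.strip()) for l in text.strip().splitlines()]
    return [{"ts": datetime.strptime(m[1], TS_FMT), "facility": m[2], "msg": m[3]} for m in hits if m]

def attribute(leases: list, events: list, examiner_mac: str, arrival: datetime) -> list:
    """Anything at/after arrival, or tied to our MAC or leased IP, is the examiner's."""
    mac = examiner_mac.lower()
    our_ips = {l["ip"] for l in leases if l["mac"] == mac}
    report = [("EXAMINER" if l["mac"] == mac else "PRE-EXISTING", "dhcp",
               f"{l['host']} {l['ip']} {l['mac']}") for l in leases]
    for e in events:
        ours = (e["ts"] >= arrival or mac in e["msg"].lower()
                or any(re.search(rf"\b{re.escape(ip)}\b", e["msg"]) for ip in our_ips))
        report.append(("EXAMINER" if ours else "PRE-EXISTING", "log",
                       f"{e['ts']:{TS_FMT}} [{e['facility']}] {e['msg']}"))
    return report

if __name__ == "__main__":
    arrival = datetime.strptime("2019-03-16 08:55:00", TS_FMT)  # from the scene notes
    rows = attribute(parse_dhcp_table(DHCP_TABLE), parse_log(ROUTER_LOG), "00:1B:21:AA:BB:CC", arrival)
    for tag, src, text in rows:
        print(f"{tag:<12} {src:<4} {text}")
```

Record the router's own date/time against a reference clock before relying on the arrival cut-off, since the time-based rule is only as good as the offset you documented.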

Slide 167
Seizing Electronic Evidence

Slide 168
Operating system
The method we will use to shut down the computer will be determined by the operating system
Windows (server?)
Linux
Mac OS

Slide 169
If the computer is turned off, leave it off
If the computer is on, but the screen is blank, move the mouse to wake it up

Slide 170
How can you tell what the OS is?
Most of us are familiar with the general look of a Windows machine

Slide 171
What does Linux look like?

Slide 172
How about Mac OS?

Slide 173
Windows
If it is a Windows machine, and is not Windows Server, pull the plug from the back of the machine.
Why not the wall?
How about a laptop?

Slide 174
Windows Server
If it is Windows Server, turn the computer off using the appropriate commands.

Slide 175
Linux
Turn the computer off using appropriate commands.

Slide 176
Mac OS
Turn the computer off using appropriate commands.

Slide 177
Once it’s off, label the cords as you remove them from the back of the machine, and label the ports to which those cords are attached.

Slide 178
Mobile devices – isolate?
Why would we want to isolate a mobile device from the network?
Prevent changes to the data
Protect evidence
Ensure we are in compliance with our warrant

Slide 179
Why would we not want to isolate a mobile device from the network?
Prevent device from locking us out
Prevent rapid battery drain

Slide 180
Low-tech options
Remove the battery?
Pros: easy, cheap and takes no skill
Cons: Some batteries can’t be removed (iPhone) and it may also activate the PIN.
Airplane mode?
Pros: cheap, and effective
Cons: You are changing data. Can you successfully turn on airplane mode without accidentally screwing something up? Does airplane mode disable wifi access?

Slide 181
Other options
Faraday bags
Foil
Signal jammers?

Slide 182
I am not going to tell you how you should do it. The bottom line is that you should develop an SOP and stick to it…
…and don’t be afraid to break it (as long as you can explain why you did).

Slide 183
Now it’s off; what do we do with it?
Transport it in the car like a person; put a seatbelt on it
Keep it in the position in which it was found

Slide 184
Keep it away from:
Heat
Cold
Water
Magnetic fields

Slide 185
Once it’s back at your station:
Package it in two containers:
Items that will be examined
  Computers
  Mobile devices
  Media
  External devices
Items that will not be examined
  Monitors
  Keyboards
  Mice
  Speakers

Slide 186
Accurately label the items
Make, model, serial number
Do cell phones have serial numbers?
  MEID/ESN
  IMEI
Do Dell computers have serial numbers?
  Service tag

Slide 187
Some final thoughts…
Evidence that is not seized cannot be examined
Don’t be afraid to make (justifiable) changes to the data
Don’t be afraid to ask for help or advice
Most importantly, be careful