Warren's Blog

InfoSec World Conference & Expo 2012
April 2-4, 2012 • Orlando, FL
Disney’s Contemporary Resort
http://www.misti.com/default.asp?page=65&Return=70&ProductID=5539
C1 Computer Forensics and Internal Investigations
Warren G. Kruse II, CISSP, CFCE, EnCE, DFCP
VP, Altep Ediscovery, www.altep.com
Date: Monday, 2 April 2012
Time: 10:30am – 12pm
Track: Security 101

• How computer forensics can assist in investigations
• Ensuring you have the right policies, data retention and skillset in place
• Types of investigations that benefit from computer forensics
• What computer forensics can and can’t do
• Appropriately collecting and handling digital evidence
• Tips and tricks to speed up your analysis
• Common forensic tools for data acquisition and analysis
• Correlating digital evidence from multiple sources
• Top ten mistakes seen in the field

Share on Facebook

Tweet This Post

Computer Forensics Simplified – A Layman’s Guide

The computer has undergone many changes since the time of its inception – in just a few short decades, it has morphed from an object that once took up an entire room to something we can easily carry in our pockets. And with this change, storage devices too have become smaller and more powerful, and because of this, we tend to hoard data and information whether we need it or not; unlimited email options allow you to never have to delete a message, and also retrieve information in a fraction of a second; and online data storage facilities provide you with large amounts of space on the cloud where you can keep your data safe and secure.

But on the downside to all the advances in technology is that the data we store, explicitly or implicitly, exists forever. So if you’ve got something to hide or if your data could implicate you in a criminal case or civil suit, then you’re out of luck. You may even erase all the data on your hard disk and other peripheral storage devices and locations. However, a skilled computer forensics expert can easily retrieve not just your data, but also information about the data that was stored on your computer.

This “metadata” provides more clues to your data, as to where and when it was created or stored, who created it, and much more information than you possibly realize. So if you’re cheating on your spouse or involved in other criminal activities and have proof on your computer, the data could be used as evidence against you when it is reliably obtained and its integrity proven.

Digital data (read evidence) includes all word processing documents, audio and video files, photographs, emails, instant message histories, spreadsheets, browser histories, database contents, all the contents of your hard disk and other storage locations, computer printouts, ATM transaction logs, logs from electronic door locks, GPS tracks and so on. A computer forensic analyst or a digital evidence analyst could easily gather all this information using an arsenal of tools and skills available at their disposal.

Television programs have introduced us to computer forensics and made us aware of the importance of this profession in not just catching criminals, but also in prosecuting them with evidence that has been obtained legally and which is admissible in court. Computer forensic analysts have to therefore work within a certain set of rules and recover information within the limits set by the law. And as criminals get more tech savvy, they must stay one step ahead of them if they are to catch them and bring them to book.

By-line:

This guest post is contributed by Cathy Thomas, she writes on the topic of Online Computer Technician Schools: http://www.computertechnician.net/
She welcomes your comments at her email id: cathy83.thomas<@>gmail<.>com.

Share on Facebook

Tweet This Post

People want to get into cyber forensics so they take a class ( see previous blog on training that is available) but then what? If you don’t have an unlimited budget to buy the commercial tools how do you become proficient? US court rules state to testify as a expert you have to be trained and proficient in the tool(s) you use. It’s best to practice with test data before you work on a real case. This doesn’t only help you learn the tools but also let’s you identify and recognize what you are looking at. For instance, you find a key deleted file during your analysis but was it intentionally deleted or was it a result of the computers normal use? While it is simple to retrieve a deleted file, being able to answer questions such as those will set you apart from the novice.
…
Prepare your test data:
1) find a small drive or drives, smaller is better as you are going to wipe it over and over as your training continues.
2) DoD wipe the drive.
3) try something easy to begin with like deleted files.
4) if you were successful in recovery wipe the drive and try harder issues. This is why a small drive comes in handy so the wiping will not take too long.

Some software vendors offer free versions of their software, some are limited in functionality, others are not:

Technology Pathways, LLC, offers ProDiscover® Basic, a freeware version of the ProDiscover Computer Forensic Software. ProDiscover Basic provides a complete computer forensic solution including the ability to collect, preserve, analyze, and report on computer evidence. ProDiscover Basic is an easy to use, GUI based, complete forensic package.

Accessdata offers a demo version but it only will process a limited amount of files.
Win hex offers a limited version to download of their powerful tool but it’s a great way to learn by using a hex editor.
If you are in law enforcement Microsoft offers a free forensic tool called COFEE, which stands for Computer Online Forensic Evidence Extractor,

http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

Share on Facebook

Tweet This Post

Interesting dilemma between the cyber security and the cyber forensic / ediscovery hats that I wear, do you want to protect a missing or stolen device or preserve the data on a digital device for use in a forensic / ediscovery matter?

There has been passwords on devices and some, like the Blackberry claim to wipe the data if you enter 10 incorrect passwords. Some claim to be able to get around it but I haven’t seen any successful methods…. Yet… So the cyber security front that is a good thing, cyber forensics? Not so much.

Today I updated my iPad software and noticed that Apple added a new find feature which isn’t that new, but also a remote wiping feature.

http://blogs.computerworld.com/16318/secure_ipad

So once again the dilemma for me is if I ever lost my iPhone or iPad and I can stop my hands from shaking due to the withdrawal I’d be experiencing to work a device with a mouse (ouch) would be to either find it with any luck or if all, and I mean all, else fails remotely wipe it. Again wearing the security hat great, forensic hat not so much… Now I’m not going to test the remote wipe feature on my iPad or iphone I’ll assume that Apple really means data would be lost versus a normal delete which may be recovered.

For cyber forensics this is another good reason to place the device in a faraday bag (http://www.search.org/files/pdf/Cell%20Phone%20Investigation%20Toolkit%200506.pdf)

Next blog deals with data mapping… At a recent conference everyone was talking about automatic data mapping but don’t forget interviews as a valuable source of info….

Share on Facebook

Tweet This Post

An appropriate quote from the Georgetown Advanced eDiscovery conference yesterday:
Judge John Facciola “It is becoming quite clear that federal agencies do not have preservation policies in place,” he said.

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202475092072&Judicial_Panel_Captivates_Crowd_at_Georgetown_Conference

Warren G. Kruse II, CISSP, CFCE, DFCP, EnCE
Principal
Cyber Technology

Booz | Allen | Hamilton

Share on Facebook

Tweet This Post

I can’t believe how little press this received: http://www.trustedsource.org/blog/515/US-Based-Internet-Traffic-Redirected-to-China

Data redirected and hardly any mention in mainstream media. Think of your email going to destination via China and most were probably unencyrpted.  Again shows the need to encrypt e-mail!  The problem wasn’t that it was just 18 minutes but that it was able to happen and can happen again.

Share on Facebook

Tweet This Post

I get asked all the time about how to get into computer forensics, what classes are good, etc.  So I’m going to use this page to list some classes that I know of.  If you are an instructor please email me (wgkruse [at] computer-forensic.com) and I’ll review it for possible inclusion.  If you attended a class please post what class you attended and why others should attend it.

Computer Forensics:

• Search www.search.org
• Guidancesoftware www.encase.com
• Accessdata www.accessdata.com
• Asrdata, www.asrdata.com
• Mares and Co., www.dmares.com
• Paraben, www.paraben.com
• CompuForensics www.CompuForensics.com/training.htm
• Knowledge Solutions www.forensic-science.com
• Computer Forensic Training Center Online www.cftco.com/details.htm
• Foundstone, www.foundstone.com
• High Tech Crime Institute LLC, www.hightechcrimeinstitute.com
• Security University, www.securityuniversity.com
• Wetstone, www.wetstonetech.com

Computer Crime/Security Conferences:

• HTCIA International Conference and Expo. The HTCIA is a nonprofit organization designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.
  
• TheTrainingCo www.thetrainingco.com
• CSI – Computer Security Institute gocsi.com
• MISTI – MIS Training Institute misti.com
• DoD Cyber Crime Conference, http://www.dodcybercrime.com

Law Enforcement Only Forensics:

• FBI Academy www.fbi.gov
• Federal Law Enforcement Training Center www.fletc.gov
• IACIS www.cops.org
• Department of Defense Computer Investigations Training Program www.dcitp.gov

Computer Crime Investigations:

• Canadian Police College (Law Enforcement Only) www.cpc.gc.ca
• Institute of Police Technology and Management (Law Enforcement Only) www.iptm.org
• National Center for Missing Exploited Children (Protecting Children On-line) (Law Enforcement Only) www.foxvalley.tec.wi.us./ojjdp
• California Commission on POST- Advanced Training Center(Law Enforcement Only) www.post.ca.gov

University Programs:

• University of New Haven (Computer Forensics) unhca.com
• Champlain, www.champlain.edu
• George Washington University (Masters in Computer Fraud) www.gwu.edu
• Eastern Michigan University (Computer Forensics) www.emich.edu
• James Madison University (Masters in Information Security) www.infosec.jmu.edu
• University of Glamorgan (M.Sc. Information Security and Computer Crime) www.comp.glam.ac.uk
• Redlands Community College (Computer Forensics) www.redlandscc.net
• Wright State University www.wright.edu
• Anne Arundel Community College www.mdcybercrime.org
• Wright State University (OH)
• Southern Methodist University (TX)
• Sinclair College (OH)
• Roane State College (TN)
• College of Dupage (IL)
• Utica College (undergrad): http://www.utica.edu/ssm/crim_justice-econ/CriminalJusticeECI.htm
• Utica College (graduate): http://www.utica.edu/gce/graduate/ecm_masters.htm

Share on Facebook

Tweet This Post

According to “10 ways electronics will change in 10 years” By JONATHAN LANSNER
http://m.ocregister.com/articles/years-270370-electronics-mcgregor.html

“6. Dramatic increases will come in cybercrime — including a good possibility that a major financial institution suffers a catastrophic blow from some variation of cyber attack.”

I like the fact that the threat of cybercrime is making the list, but number 6?  Trillions of dollars are transferred daily.  If it’s a good possibility that “a major financial institution suffers a catastrophic blow”  then wouldn’t that negate the 5 higher ranking items?

Share on Facebook

Tweet This Post

It wasn’t that long ago that security mostly involved alarm systems, locks and security guards. For decades, even after we entered the computer age, almost all fraud was perpetrated on site or by very sophisticated professional hackers. Fraudsters had to either physically – or at least electronically, enter the building.

Today, as you know, everything is stored online – financials, intellectual property, employee’s personally identifiable information, customer data. There are substantial benefits to this – more users can access more information any time. I recall how nice it was to be able to drive to the bank after hours and check my balance and one of those new computer “ATM” machines. Now, I can check it anytime and almost anywhere from my laptop, cell phone, tablet, etc. That’s good news for business – who can get more done in less time and in more places. But, where I used to have to drive to the bank building and enter a card, now all I need is a password and the ubiquitous Internet. That’s risky. – the data is by nature in a more accessible place.

All of this is both a result of and a cause for technology.
-It’s technology that allows for the increased efficiency in the first place
-On the other hand, the bad guys have developed technology that puts all that to risk
-A solution for fighting fraud is also in development of new technologies.

This is the kind of cat and mouse game we’re all facing.

Outsiders

-Hackers have technology that makes it harder to detect
-applications and controls allow you to run queries that could identify fraudulent activity earlier. Ie A company can purchase databases that contain valid domains and valid US-based addresses that can be used to prevent online fraud.

-Identify a problem that can be solved by testing
-as more technology is rolled out, more continual testing is
required for tight integration.

-But sometimes it’s the testing that is the problem. I’ve had two recent cases with the application developers were using a test environment, with non production servers, non production software, etc., taking necessary steps to ensure the production environment is not used … except they were using live data in the development environment. Both times those systems were compromised and real data taken. One such case was the Atlantis ID Theft, where personal data from 55,000 of the resort’s customers, including social security numbers and bank account data, was stolen when an outsider breached their test systems.
Insiders

While breaches from outside get a lot of play in the press, I worry about the “trusted” “superstar” employees more then outsiders. Outsiders are looking for the “keys to the kingdom,” but the insiders already have them. They may know the software and controls you have in place…. And worse…
- Those that want to circumvent controls may also be able to
overwrite the transaction
- Less manual oversight because transactions are automated. In
some cases, millions of transactions a day. How do you identify the
potential fraud.
- How do you know that your employees are not taking the data?
Can you trust all of your employees?
- How do you control all of the data and maintain the technology
during every occurring corporate restructuring, merger, etc.?

Conclusion
I’m sure you understand the cat and mouse game that’s going on; it will not stop anytime soon. The only way to stay effective is to keep up-to-date on what the mice – and other cats – are doing. So let’s get started.

Share on Facebook

Tweet This Post

• US Secret Service BEST PRACTICES FOR SEIZING ELECTRONIC EVIDENCE

http://www.secretservice.gov/electronic_evidence.shtml

• Best Practices for Forensic Image Analysis Scientific Working Group on Imaging Technology (SWGIT)

http://www.fbi.gov/hq/lab/fsc/backissu/oct2005/standards/2005_10_standards01.htm

• RFC 3227 – Guidelines for Evidence Collection and Archiving.  Entire RFC located here:

http://www.faqs.org/rfcs/rfc3227.html

Share on Facebook

Tweet This Post