XLM H (uploaded by Rafael, added December 13, 2007)

Presentation Transcript

Intro to MIS – MGS351: Computer Crime and Forensics
Extended Learning Module H

Chapter Overview
- Computer Crime Overview
  - Legislation, trends, statistics and examples
- Computer Forensics
  - Collecting, authenticating, preserving and analyzing digital evidence

DOJ Definition of Computer Crime
- "any violation of criminal law that involves a knowledge of computer technology for their perpetration, investigation, or prosecution."
- Simply stated, computer crimes are crimes that require knowledge of computers to commit.

Organizations Must Protect Against These Computer Crimes

Key Legislation
- USA PATRIOT Act: the Dept. of Homeland Security monitors the Internet for "state-sponsored information warfare."
- HIPAA (protects healthcare information)
- Sarbanes-Oxley Act (SOX) of 2002
- Computer Fraud and Abuse Act (CFAA) (Title 18 of U.S. Code § 1030)
- Digital Millennium Copyright Act (DMCA)
- Gramm-Leach-Bliley Act (GLB)

Slide 6
- High school senior launched the Blaster.B virus: Jeffrey Lee Parson (t33kid)
- 48,000 computers infected
- Parson operated t33kid.com
- Faces up to 10 years in prison and a $250,000 fine.

Attack Trends
- Growing incident frequency (reported to CERT):
  - 1997: 2,134
  - 1998: 3,474 (75% growth)
  - 1999: 9,859 (164% growth)
  - 2000: 21,756 (121% growth)
  - 2001: 52,658 (142% growth)
- Growing randomness, malevolence and attack automation

Why Are Security Incidents Increasing?
[Figure: sophistication of hacker tools, 1980 to 2000, from low to high (from Cisco Systems): password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sweepers, sniffers, stealth diagnostics, packet forging/spoofing, DDoS]

CSI/FBI Computer Crime and Security Survey

CSI/FBI Computer Crime and Security Survey (continued)

Empirical Attack Data
- Riptech: analyzed 5.5 billion firewall log entries from 300 firms over a five-month period and detected 128,678 attacks, an annual rate of 1,000 per firm
- MessageLabs: one in every 200 to 400 e-mails is infected
- Honeynet Project: a Windows 98 PC was compromised 5 times in 4 days; Linux PCs took about 3 days to compromise

Empirical Attack Data (continued)
- SecurityFocus, data from 10,000 firms in 2001:
  - 129 million network scanning probes (13,000 per firm)
  - 29 million website attacks (3,000 per firm)
  - 6 million denial-of-service attacks (600 per firm)
  - 31 million Windows-specific attacks
  - 22 million UNIX/Linux attacks
  - 7 million Cisco IOS attacks
- All operating systems are attacked!

Digital Forensic Science (DFS)
- "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
- Source: Digital Forensic Research Workshop (DFRWS), 2001

Subcategories of DFS
Distinct types of DFS analysis:
- Media analysis: examining physical media for evidence
- Code analysis: review of software for malicious signatures
- Network analysis: scrutinize network traffic and logs to identify and locate

Computer Forensics
- Computer forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
- Two phases:
  - Collecting, authenticating, and preserving electronic evidence
  - Analyzing the findings

Who Needs Computer Forensics Investigators?
Computer forensics is used in:
- The military, for national and international investigations
- Law enforcement, to gather electronic evidence in criminal investigations
- Corporations and not-for-profits, for internal investigations
- Consulting firms that specialize in forensics

Public versus Private Investigations

Organizations Use Computer Forensics for:
- Proactive education, to educate employees on
  - What to do and not to do with computer resources
  - What to do if they suspect wrong-doing, and how to investigate it
- Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly

Excerpts from NASA E-Mail
- "…something could get screwed up enough…and then you are in a world of hurt…"
- "I can only hope the folks…are listening…"
- Pertaining to the Columbia Shuttle disaster

E-Mail from Arresting Officer in Rodney King Beating
- "oops I haven't beaten anyone so bad in a long time…."

E-Mail from Bill Gates
- "…do we have a clear plan on what we want Apple to do to undermine Sun…?"
- From Bill Gates in an intraoffice e-mail about a competitor in the MS antitrust action

E-Mail between Enron and Andersen Consulting

E-Mail from Monica Lewinsky to Linda Tripp

Collection – Places to Look for Electronic Evidence
- Floppy disks, CDs, DVDs, Zip disks, backup tapes, USB storage
- PDAs, flash memory, voice mail, electronic calendars
- Scanner, photocopier, fax/phone/cellular, iPods

What Do We Do With It?
- Acquire the evidence without altering or damaging the original (preservation)
- Authenticate that your recovered evidence is the same as the originally seized data
- Analyze the data without modifying it

Preservation
- If possible, the hard disk is removed without turning the computer on
- Special hardware is used to ensure that nothing is written to the drive
- Forensic image copy – an exact copy or snapshot of all stored information

Authentication
- The authentication process is necessary to ensure that no evidence was planted or destroyed
- MD5 hash value – a mathematically generated string of 32 hexadecimal characters that is unique for an individual storage medium at a specific point in time
- Probability of two storage media having the same MD5 hash value is 1 in 10^38, or 1 in 100,000,000,000,000,000,000,000,000,000,000,000,000

Computer Forensics Software Toolkit
- EnCase – software that finds all information on disks (industry standard)
- Quick View and Conversions Plus – read files in many formats
- Mailbag Assistant – reads most e-mail
- IrfanView – reads image files

Analysis
- Interpretation of the information uncovered
- Recovered information must be put in context
- Computer forensics software pinpoints a file's location on disk, its creator, the date it was created, and many other facts about the file

Files Can Be Recovered from…
- Email messages (deleted ones also)
- Office files
- Deleted files of all kinds
- Files hidden in image and music files
- Encrypted files
- Compressed files
- Web history, cache files, cookies
- Network server files: backup e-mail files, other backup and archived files, system history files, web log files

Files Can Be Recovered from… (continued)
- Temp files
- Recycle Bin Info file fragments
- Recent link files
- Spool (printed) files
- Registry
- Unallocated space
- Slack space

Places to Look for Information
- Deleted files and slack space
  - Slack space – the space between the end of the file and the end of the cluster
- System and registry files
  - Control virtual memory on the hard disk
  - Have records of installs and uninstalls
  - Have the MAC address (unique address of the computer on the network)

Places to Look for Information (continued)
- Unallocated space – a set of clusters that has been marked as available to store information but has not yet received any
  - Unused disk space
  - Erased information that has not been overwritten

Data Storage
- Tracks – concentric rings
- Sectors – tracks divided radially into parts
- File storage
  - The minimum space occupied by any file is one sector.
  - Unused space in the sectors is known as slack space.

Storage Media Basics
- Sector: 512 bytes
- Cluster (block): 2 or more sectors (up to 64)
[Figure: sectors grouped into a cluster]

Slack Space
- RAM slack: the portion of a sector that is not overwritten in memory.
- Disk slack: those sectors of the cluster that are not needed to store the file.
[Figure: EOF, RAM slack and disk slack within the last cluster]

Slack Space (continued)
- File slack: the last cluster of the file isn't filled up completely, so data from the last use of that cluster isn't overwritten.
- File Slack = Disk Slack + RAM Slack
[Figure: EOF, disk slack and RAM slack together making up file slack]

File Hash Analysis
- Using a database of known hashes from NIST, EnCase can compare known system files and programs and eliminate them from evidence.
- Also used by law enforcement to find files of "interest".

Digital Forensics Example
- Let's recover a deleted file using the forensics equipment. This is one way forensic investigators uncover evidence.

Ways of Hiding Information
- Rename the file
- Change the file extension
- Use Windows to hide files (ADS)
- Protect the file with a password
- Encryption – scrambles the contents of a file so that you can't read it without the decryption key

Addressing Data-hiding Techniques
- File manipulation
  - File names and extensions
  - Hidden property
- Disk manipulation
  - Hidden partitions
  - Bad clusters
- Encryption
- Bit shifting
- Steganography

Changing File Extensions

Rebuilding File Headers
- Try opening the file first, and follow these steps if you can't see its content
- Steps:
  1. Recover more pieces of the file if needed
  2. Examine the file header
  3. Compare with a good header sample
  4. Manually insert the correct hexadecimal values
  5. Test the corrected file

Hiding Partitions
- Delete references to a partition
- Re-create links for accessing it
- Use disk-partitioning utilities: PartitionMagic, System Commander, LILO
- Account for all disk space when analyzing a disk

Marking Bad Clusters
- Place sensitive information in free space
- Use a disk editor to mark that space as a bad cluster
- Common with FAT systems

Using Steganography
- Means "covered writing" or "hidden writing"
- Hiding data in plain sight!
- Letter, word and digital steganography
- A suspect can hide information in image or text document files
- Very hard to spot without prior knowledge
- Tools: S-Tools, DPEnvelope, jpgx, tte

Steganography Example
PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY.

Letter Steganography Example
(Same text.) Hidden message: PERSHING SAILS FROM NY JUNE I

Steganography Example
APPARENTLY NEUTRAL'S PROTEST IS THOROUGHLY DISCOUNTED AND IGNORED. ISMAN HARD HIT. BLOCKADE ISSUE AFFECTS PRETEXT FOR EMBARGO ON BY-PRODUCTS, EJECTING SUETS AND VEGETABLE OILS.

Letter Steganography Example
(Same text.) Hidden message: PERSHING SAILS FROM NY JUNE I

Steganography Example
- 1985 Sports Illustrated article about Sidd Finch
- English orphan, raised by an archaeologist, educated at Harvard, and trained by a yogi in Tibet
- Showed up at the Mets training camp in Florida and could throw a fastball at 168 mph!
- Pitched with one foot bare and the other in a large hiking boot.
- Finch hadn't decided if he was going to play for the Mets
- Sports Illustrated received 2,000 letters following the story from people hoping Sidd would play

Steganography Example
"The Curious Case of Sidd Finch"
He's a pitcher, part yogi and part recluse. Impressively liberated from our opulent life-style, Sidd's deciding about yoga -- and his future in baseball
Issue date: April 1, 1985. By George Plimpton
Hidden message: Happy April Fools Day

Word Steganography Example
Dear George,
Greetings to all at Oxford. Many thanks for your letter and for the summer examination package. All entry forms and fees forms should be ready for final dispatch to the syndicate by Friday 20th or at the latest I am told by the 21st. Admin has improved here though there is room for improvement still; just give us all two or three more years and we will really show you! Please don't let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.
Sincerely yours,

Steganography Example (very hard)
THE MOST COMMON WORK ANIMAL IS THE HORSE. THEY CAN BE USED TO FERRY EQUIPMENT TO AND FROM WORKERS OR TO PULL A PLOW. BE CAREFUL, THOUGH, BECAUSE SOME HAVE SANK UP TO THEIR KNEES IN MUD OR SAND, SUCH AS AN INCIDENT AT THE BURLINGTON FACTORY LAST YEAR. BUT HORSES REMAIN A SIGNIFICANT FIND. ON A FARM, AN ALTERNATE WORK ANIMAL MIGHT BE A BURRO BUT THEY ARE NOT AS COMFORTABLE AS A TRANSPORT ANIMAL.

Other Steganography Approaches
- Deliberate misspelling to mark words in the message
- Use of small changes in spacing to indicate significant letters or words in a hidden message
- Use of a slightly different font in a typeset message to indicate the hidden letters

Digital Steganography
- A message can be hidden inside almost any type of file (image, audio, video).
- Let's see an example!

Which has the hidden data?

Which has the hidden data? (continued)

Hexadecimal file comparison

Steganography with Bitmapped Image
- Steganography is the mechanism to hide a relatively small amount of data in other data files that are significantly larger.
- A bitmap image (raster image) is a representation of a digital image as a matrix of picture elements (pixels). Examples: JPEG, GIF, BMP and TIFF formats.
- The color of each pixel is individually defined; images in the RGB color space, for instance, often consist of colored pixels defined by three bytes, one byte each for red, green and blue.

Examining Encrypted Files
- Prevent unauthorized access
- Password or passphrase
- Recovering data is difficult without the password
  - Key escrow
  - Cracking the password: experts and powerful computers
  - Persuade the suspect to reveal the password

Recovering Passwords
- Dictionary attack
- Brute-force attack
- Password guessing based on the suspect's profile
- Tools: PRTK, Advanced Password Recovery Software Toolkit, @stake's LC5 (L0phtCrack)

A Computer Forensics Expert Must
- Know a lot about computers and how they work (hardware, software, OS, file systems, storage media, etc.)
- Always keep learning
- Have infinite patience: "No such thing as point and click forensics."
- Be detail-oriented
- Be good at explaining how computers work
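The Authentication and File Hash Analysis slides both rest on hashing: the examiner records the hash of the forensic image at acquisition so any later change is detectable, and compares file hashes against a known-file set to eliminate stock software. The following is an added Python example, not code from the slides; the image bytes, the "evidence" files and the known-hash set are constructed here, and a SHA-256 digest is recorded next to the MD5 the slides describe because MD5 collisions are practical today.

```python
"""Hash-based authentication of a forensic image and known-file elimination
against a hash set, the two uses of hashing in the slides.
The image bytes and the hash set below are constructed for the example."""
import hashlib

SECTOR = 512
# Stand-in for a bit-for-bit forensic image: four 512-byte "sectors".
ORIGINAL_IMAGE = (b"MBR\x00" * 128) + (b"FAT1" * 128) + (b"root" * 128) + (b"DATA" * 128)


def hash_image(data, algorithms=("md5", "sha256")):
    """{algorithm: hex digest}. MD5 is the 32-hex-character value the slides
    describe; because MD5 collisions are practical today, a second digest
    (SHA-256) is recorded next to it at acquisition time."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def authenticate(image, recorded):
    """Recompute each recorded digest over the working copy; True per algorithm
    only if it still equals the value written down when the image was taken."""
    current = hash_image(image, tuple(recorded))
    return {alg: current[alg] == recorded[alg] for alg in recorded}


def flip_one_bit(data, offset):
    """Simulate the smallest possible alteration of the working copy."""
    mutable = bytearray(data)
    mutable[offset] ^= 0x01
    return bytes(mutable)


def eliminate_known_files(files, known_hashes):
    """Known-file elimination: drop every file whose SHA-256 appears in the
    known-good set (NIST's NSRL publishes such sets for stock software) so the
    examiner looks only at what remains."""
    return {name: data for name, data in files.items()
            if hashlib.sha256(data).hexdigest() not in known_hashes}


def demo():
    recorded = hash_image(ORIGINAL_IMAGE)                       # taken at acquisition
    intact = authenticate(ORIGINAL_IMAGE, recorded)             # untouched copy
    tampered = authenticate(flip_one_bit(ORIGINAL_IMAGE, 3 * SECTOR + 7), recorded)
    # Constructed evidence set and constructed known-good hash set.
    stock = [b"stock notepad.exe bytes", b"stock calc.exe bytes"]
    known_hashes = {hashlib.sha256(s).hexdigest() for s in stock}
    evidence = {"notepad.exe": stock[0], "calc.exe": stock[1],
                "notes.txt": b"meeting notes, personal"}
    return intact, tampered, eliminate_known_files(evidence, known_hashes)
```

A single flipped bit anywhere in the image changes every digest, which is exactly why the recorded hash authenticates the working copy.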
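The Storage Media Basics and Slack Space slides give the pieces (512-byte sectors, clusters of 2 to 64 sectors, File Slack = Disk Slack + RAM Slack) but not a worked case. The following is an added Python example, not code from the slides: it computes the three slack sizes for a file and then carves the slack bytes out of a constructed cluster to show that the disk slack still holds the previous file's content while the RAM slack is zero-filled (the zero-padding behaviour is assumed, as modern operating systems do it).

```python
"""Slack-space arithmetic and carving on a constructed cluster image.
Constants follow the slides: 512-byte sectors, clusters of 2..64 sectors."""
SECTOR = 512


def slack_layout(file_size, sectors_per_cluster, sector=SECTOR):
    """Byte counts of RAM slack, disk slack and file slack in a file's last cluster.

    RAM slack  = unused tail of the last sector actually written.
    Disk slack = whole sectors of the last cluster the file does not need.
    File slack = disk slack + RAM slack (the slide's equation)."""
    if not 2 <= sectors_per_cluster <= 64:
        raise ValueError("a cluster is 2..64 sectors")
    cluster = sector * sectors_per_cluster
    used = file_size % cluster
    if file_size and used == 0:
        used = cluster                      # file ends exactly on a cluster boundary
    # Slide: the minimum space occupied by any file is one sector.
    sectors_used = max(1, -(-used // sector))   # ceiling division
    ram_slack = sectors_used * sector - used
    disk_slack = (sectors_per_cluster - sectors_used) * sector
    return {"ram_slack": ram_slack, "disk_slack": disk_slack,
            "file_slack": ram_slack + disk_slack}


def write_file_into_cluster(old_cluster, new_data, sector=SECTOR):
    """Simulate the OS allocating a cluster that previously held another file.
    The tail of the last written sector is zero-padded (RAM slack); the sectors
    after it are not touched at all, so the old bytes survive (disk slack)."""
    sectors_used = max(1, -(-len(new_data) // sector))
    written = new_data.ljust(sectors_used * sector, b"\x00")
    return written + old_cluster[len(written):]


def carve_slack(cluster, file_size, sectors_per_cluster, sector=SECTOR):
    """Return the RAM-slack and disk-slack bytes of a file that fits in one cluster."""
    if len(cluster) != sector * sectors_per_cluster or file_size > len(cluster):
        raise ValueError("expects one full cluster holding a file of at most one cluster")
    layout = slack_layout(file_size, sectors_per_cluster, sector)
    ram_end = file_size + layout["ram_slack"]
    return {"ram_slack": cluster[file_size:ram_end], "disk_slack": cluster[ram_end:]}


def demo():
    spc = 4                                                  # 4 sectors = 2048-byte cluster
    old_cluster = b"OLD-DRAFT-OF-RESIGNATION-LETTER " * 64   # constructed earlier content
    new_file = b"A" * 700                                    # smaller file reusing the cluster
    cluster_now = write_file_into_cluster(old_cluster, new_file)
    return slack_layout(len(new_file), spc), carve_slack(cluster_now, len(new_file), spc)
```

For the 700-byte file in a 4-sector cluster the layout is 324 bytes of RAM slack and 1,024 bytes of disk slack, and the carved disk slack still reads "OLD-DRAFT-OF-RESIGNATION-LETTER".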
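The Changing File Extensions and Rebuilding File Headers slides describe comparing a file's header bytes against a known-good sample and writing the correct hexadecimal values back. The following is an added Python example, not code from the slides: the magic-byte signatures are the real, widely documented ones, while the sample files (a JPEG renamed to .xls, a ZIP renamed to .txt, a PNG whose first two header bytes were zeroed) are constructed.

```python
"""Flag files whose extension contradicts their header, and show the header
comparison and repair steps from the Rebuilding File Headers slide.
Signatures are the well-known magic bytes; the sample files are constructed."""
from typing import Optional

SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}
ALIASES = {"jpeg": "jpg"}

SAMPLE_FILES = {   # constructed contents: real headers, filler bodies
    "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 8,
    "budget.xls":   b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 8,   # JPEG renamed to .xls
    "notes.txt":    b"PK\x03\x04" + b"\x00" * 12,                   # ZIP renamed to .txt
    "readme.txt":   b"just some plain text",
    "logo.png":     b"\x00\x00NG\r\n\x1a\n\x00\x00\x00\rIHDR",       # PNG, first 2 bytes zeroed
}
GOOD_PNG_HEADER = b"\x89PNG\r\n\x1a\n"


def identify_by_header(data: bytes) -> Optional[str]:
    """Step 2 of the slide: read the header and name the format it really is."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def extension_of(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)


def find_mismatches(files: dict) -> dict:
    """{name: (claimed, actual)} for files whose header contradicts the extension,
    or whose extension promises a known format but the header matches nothing."""
    out = {}
    for name, data in files.items():
        claimed, actual = extension_of(name), identify_by_header(data)
        if actual is not None and claimed != actual:
            out[name] = (claimed, actual)
        elif actual is None and claimed in SIGNATURES:
            out[name] = (claimed, None)     # header damaged or unknown
    return out


def header_diff(damaged: bytes, good: bytes, length: int = 8) -> list:
    """Step 3: byte-by-byte comparison of the first `length` bytes against a good
    sample, returned as (offset, damaged_hex, good_hex) for each difference."""
    return [(i, f"{damaged[i]:02X}", f"{good[i]:02X}")
            for i in range(min(length, len(damaged), len(good)))
            if damaged[i] != good[i]]


def repair_header(damaged: bytes, good: bytes, length: int = 8) -> bytes:
    """Step 4: write the correct hexadecimal values over the damaged header."""
    return good[:length] + damaged[length:]
```

Step 5 of the slide, testing the corrected file, is the `identify_by_header` call on the repaired bytes.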
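The letter steganography slides hide "PERSHING SAILS FROM NY JUNE I" in two cover texts (the first letter of every word in the first cable, the second letter in the second), the Sidd Finch subtitle hides "Happy April Fools Day" the same way, and the bitmap slides point at the least significant bit of each red, green and blue byte together with a hexadecimal file comparison. The following is an added Python example, not code or a tool from the slides: the cover texts are the slides' own, the 8x8 24-bit BMP carrier is constructed in memory, and the embed function exists only to build the sample that the comparison and extraction functions then examine.

```python
"""Two examiner-side checks for the steganography examples in the slides:
letter steganography (n-th letter of every word) and least-significant-bit
data in a 24-bit RGB bitmap, plus the hexadecimal file comparison.
Cover texts are taken from the slides; the bitmap is constructed in memory."""
import struct

CABLE_1 = ("PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION "
           "AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. "
           "YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY.")
CABLE_2 = ("APPARENTLY NEUTRAL'S PROTEST IS THOROUGHLY DISCOUNTED AND IGNORED. ISMAN HARD "
           "HIT. BLOCKADE ISSUE AFFECTS PRETEXT FOR EMBARGO ON BY-PRODUCTS, EJECTING SUETS "
           "AND VEGETABLE OILS.")
SIDD_FINCH_SUBTITLE = ("He's a pitcher, part yogi and part recluse. Impressively liberated "
                       "from our opulent life-style, Sidd's deciding about yoga -- and his "
                       "future in baseball")


def nth_letters(text, n):
    """Letter steganography: join the n-th letter (1-based) of every word, skipping
    punctuation and tokens such as '--' that contain no letters at all."""
    out = []
    for word in text.split():
        letters = [c for c in word if c.isalpha()]
        if len(letters) >= n:
            out.append(letters[n - 1].upper())
    return "".join(out)


HEADER_LEN = 54   # 14-byte BMP file header + 40-byte BITMAPINFOHEADER


def make_bmp(width, height, pixels):
    """Minimal bottom-up 24-bit BMP. Assumes width*3 is a multiple of 4 (no row padding)."""
    row = width * 3
    if row % 4 or len(pixels) != row * height:
        raise ValueError("pixel buffer must be width*3*height bytes with width*3 % 4 == 0")
    file_header = struct.pack("<2sIHHI", b"BM", HEADER_LEN + len(pixels), 0, 0, HEADER_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def embed_lsb(bmp, message):
    """Write the message bits, then a 0x00 terminator, into bit 0 of successive
    color bytes (one bit per red/green/blue byte). Used here only to build the sample."""
    bits = "".join(f"{b:08b}" for b in message + b"\x00")
    if len(bits) > len(bmp) - HEADER_LEN:
        raise ValueError("message too long for this carrier")
    out = bytearray(bmp)
    for i, bit in enumerate(bits):
        out[HEADER_LEN + i] = (out[HEADER_LEN + i] & 0xFE) | int(bit)
    return bytes(out)


def extract_lsb(bmp):
    """Reassemble bytes from bit 0 of each color byte until a 0x00 byte is seen."""
    out = bytearray()
    for i in range(HEADER_LEN, len(bmp) - 7, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (bmp[i + j] & 1)
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)


def hex_compare(a, b):
    """The slides' hexadecimal file comparison: every offset where the two files
    differ, as (offset, hex_a, hex_b), and whether all differences are in bit 0 only."""
    diffs = [(i, f"{x:02X}", f"{y:02X}") for i, (x, y) in enumerate(zip(a, b)) if x != y]
    only_lsb = all(int(x, 16) ^ int(y, 16) == 1 for _, x, y in diffs)
    return diffs, only_lsb


def demo_images():
    """Constructed 8x8 carrier, a copy with 'HI' hidden in its LSBs, and the comparison."""
    pixels = bytes((i * 7) % 256 for i in range(8 * 8 * 3))
    clean = make_bmp(8, 8, pixels)
    stego = embed_lsb(clean, b"HI")
    return clean, stego, hex_compare(clean, stego)
```

The two bitmaps are the same size and look identical to the eye; the byte-level comparison shows every difference is exactly one bit, which is the signature an examiner looks for before running the extraction.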