Digital Forensics - Bitly

Ediscovery and Digital Forensics in Litigation
Presentation by: Marc Yu, Chief Forensic Examiner

You can also follow along at: http://PensacolaForensics.com/mba.pdf

http://bit.ly/WxOr3j

Ediscovery is exciting!
• High demand and high growth area - this is a science-based field
→ Even attorneys are giving up their law practices to start a career in electronic discovery

• Many changes have recently been made in government to make the ediscovery process more efficient, such as the Electronically Stored Information (ESI) discovery conference: http://judicial.alabama.gov/library/rules/cv26.pdf

Data, Data Everywhere!
• 95% of all documents are created and stored digitally, whether as a spreadsheet, word processor document, email, text message, photo, and so on

• All civil court documents now must be served by e-mail under the Administrative Policies and Procedures for Electronic Filing in the Civil Divisions of the Alabama Unified Judicial System, as of October 1, 2012 for state courts*

Types of Data
• Two kinds of memory can be captured for analysis and examination:
Persistent memory
→ Includes electromechanical SATA/PATA/IDE hard drives (both internal and external), Secure Digital cards (cameras and phones), USB flash drives, Solid State Drives (no moving parts), and internal flash memory (such as that in cell phones)

Volatile memory
→ Stored in live RAM (DIMM and SIMM chips)
→ Can extract keys for encrypted data and passwords for files

This includes Phones!
• Logical data can be extracted and analyzed by software-only solutions, such as Katana or Oxygen Forensics
• Physical data must be extracted and analyzed by a hardware+software combination, such as Cellebrite or XRY
• All regular cell phones and smartphones are included, such as Android and iPhones

This even includes GPS devices!
• It can be as simple as connecting the GPS via USB to a computer and copying out some files
→ The extracted data can be loaded into Google Earth to track the routes used and even create animation tracks

• Information about GPS systems: http://www.gpsforensics.org

• Commercial software options: Blackthorn2, Cellebrite

Acquisition
• Hardware: Write Blockers for SATA, PATA/IDE, & USB devices
→ Tableau and Wiebetech

• Commercial Software: EnCase, Forensic Tool Kit (FTK), X-Ways / WinHex

• Open Source Software: dd, dcfldd, dd_rescue (Linux command line tools); Guymager imager (in the DEFT & Paladin suites)

Creating a Forensic Image
• A forensic image is a bit-for-bit exact copy of electronically stored information (ESI) from: hard drives, RAM chips, USB flash drives, Secure Digital cards, GPS devices, smartphones, NAND, etc.
→ ESI from some devices, both older and newer, cannot be forensically imaged due to lack of software, hardware, and/or encryption keys

• This forensic image is created on a sterilized piece of media, such as an external hard drive
→ A forensic image is validated using hash values (MD5)

• Creating a forensic image in this manner is the most defensible method of collecting ESI
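How the hash validation on the previous slide works in practice, as an added example that is not part of the deck or of any imaging tool: the image is hashed once at acquisition (MD5 as on the slide, with SHA-256 alongside, since a second algorithm is a common examiner's check), the digests are recorded in a sidecar file, and every later re-hash must reproduce them; a single altered byte fails the check. File names and the 1 MiB sample content are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images are never loaded whole into RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash an image file in one pass, returning {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_sidecar(path, digests):
    """Record the acquisition hashes beside the image, one 'algorithm  digest' per line."""
    sidecar = Path(str(path) + ".hashes")
    sidecar.write_text("".join(f"{name}  {digest}\n" for name, digest in digests.items()))
    return sidecar


def verify_image(path, sidecar):
    """Re-hash the image and compare every recorded digest; returns (ok, [algorithms that differ])."""
    recorded = dict(line.split() for line in Path(sidecar).read_text().splitlines() if line.strip())
    current = hash_image(path, tuple(recorded))
    mismatches = [name for name in recorded if recorded[name] != current[name]]
    return (not mismatches, mismatches)


def demo(workdir=None):
    """Constructed walk-through: image, record, verify, then detect a single flipped byte."""
    workdir = Path(workdir or tempfile.mkdtemp())
    image = workdir / "evidence.dd"                # stands in for a dd/dcfldd output file
    image.write_bytes(bytes(range(256)) * 4096)   # 1 MiB of constructed, non-evidentiary data
    sidecar = write_sidecar(image, hash_image(image))
    ok_before, _ = verify_image(image, sidecar)   # fresh copy: every digest matches
    data = bytearray(image.read_bytes())
    data[777] ^= 0x01                             # simulate one altered byte in the copy
    image.write_bytes(data)
    ok_after, bad = verify_image(image, sidecar)  # now both recorded digests differ
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```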

Chain of Custody Forms
• This is a chronological documentation form that must be kept with the digital evidence or with the media containing the forensic image created from the digital evidence
• There are several samples available on the Internet
→ Should always be used if there is any chance the findings from the media will be used in a criminal case

Anti-encryption Tools
• Software:
→ Passware & Elcomsoft (COTS dictionary/brute force)
→ Ophcrack (open source rainbow tables)
→ John the Ripper (open source dictionary/brute force)

• Hardware:
→ Password accelerators (TACC1441)
→ Graphics cards (NVIDIA CUDA, OpenCL), Cubix

• Software as a Service: Password-Find.com, Amazon Elastic Compute Cloud

Automated Forensic Analysis
• Commercial Software: EnCase, Forensic Tool Kit (FTK), X-Ways / WinHex

• Open Source Software: Autopsy 3.0 (Windows version now available)
→ Is the front end for the tools provided in The Sleuth Kit (TSK)
→ Updated to release version 3.0 on October 12, 2012

Scalpel (Linux)
→ Is the successor to the defunct Foremost

Looking for Metadata
• What is Metadata? Information about the data
→ What is the name of the document?
→ Who created it?
→ When was it created?
→ When was it last printed?
→ Does it have encryption/password protection?
→ When was it last edited and by whom?
→ What program was used to open/edit it?

• Software Metadata Analyzer

Internet Usage ESI
• Commercial: Internet Evidence Finder, Mandiant Web Historian

• Open Source: Autopsy 3.0 for Windows; Xplico (part of the DEFT build)
→ Real-time analysis

Electronic Discovery Reference Model

http://www.edrm.net/resources/edrm-stages-explained or http://bit.ly/poCXtM

Starting the E-discovery Process
• Triggering Events
• Preservation Notice
→ As it pertains to ESI

• Litigation Holds and Notices
• Possible sanctions for negligent failure to preserve potentially relevant evidence

E-discovery Processing
• E-discovery software to process evidence
→ Traditional software such as: AccessData Summation, EMC Kazeon, EnCase eDiscovery, dtSearch, et al.
→ “Software as a Service” (SaaS), also known as cloud computing, such as Orange Legal Technologies, Valora Technologies, et al.

• Some features of this type of software:
→ Searches forensic images as well as individual files and directories
→ De-duplication of ESI
→ Distributed processing

Splitting 1 Large File or Many Large Files
• On September 6, 2012, the Chief Justice rendered an order mandating e-filing for attorneys in all civil cases
• Three major technical specifications for document attachments:
→ Scanned documents should be at a resolution of 200 dpi
→ Scanned documents are to be in black and white, not color
→ All attached documents must not exceed ten megabytes (10MB) in size, as the system will reject them
→ Larger documents must be divided and sent as separate attachments, no one of which may exceed 10MB in size
→ Use a file compression/splitting program to break one or more files into 9MB segments
→ 7-Zip (free open source), WinZip, or WinRAR

http://youtu.be/fVDPtnrkUYk
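What the splitting step on this slide amounts to, as an added example that is not part of the deck or of 7-Zip, WinZip or WinRAR: cut a file into numbered 9MB segments so that none can hit the 10MB rejection limit, then reassemble them in order and confirm by hash that the result is byte-identical to the original (the hash check is what lets the receiving side trust the rejoined filing). The 25MB sample file, its name and the directory layout are constructed.

```python
import hashlib
import itertools
import tempfile
from pathlib import Path

MB = 1_000_000  # the order states the limit in megabytes; 9MB segments stay safely under 10MB


def split_file(src, dest_dir, segment_bytes=9 * MB):
    """Write src as numbered segments (name.001, name.002, ...) no larger than segment_bytes."""
    src, dest_dir = Path(src), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    parts = []
    with open(src, "rb") as fh:
        for index in itertools.count(1):
            chunk = fh.read(segment_bytes)
            if not chunk:                     # EOF: the last segment was already written
                break
            part = dest_dir / f"{src.name}.{index:03d}"
            part.write_bytes(chunk)
            parts.append(part)
    return parts


def join_segments(parts, dest):
    """Reassemble segments in numeric order into dest; returns the MD5 of the rejoined file."""
    parts = sorted(parts, key=lambda p: int(p.suffix[1:]))  # ".001" -> 1, ".002" -> 2, ...
    digest = hashlib.md5()
    with open(dest, "wb") as out:
        for part in parts:
            data = part.read_bytes()
            out.write(data)
            digest.update(data)
    return digest.hexdigest()


def demo(workdir=None, limit=10 * MB):
    """Constructed run: a 25MB file becomes 3 segments, each within the limit, and rejoins intact."""
    workdir = Path(workdir or tempfile.mkdtemp())
    original = workdir / "exhibit.pdf"             # constructed placeholder content, not a real PDF
    original.write_bytes(bytes(range(250)) * (25 * MB // 250))
    expected = hashlib.md5(original.read_bytes()).hexdigest()   # hash taken before splitting
    parts = split_file(original, workdir / "segments")
    all_within_limit = all(p.stat().st_size <= limit for p in parts)
    rejoined_md5 = join_segments(parts, workdir / "rejoined.pdf")
    return len(parts), all_within_limit, rejoined_md5 == expected


if __name__ == "__main__":
    print(demo())  # (3, True, True)
```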

Questions?

Photographs and graphics courtesy of the royalty-free service of the Stock Photo Exchange – http://sxc.hu