The Computer Hacking Forensic Investigator (CHFI) is a certification offered by EC-Council as a vendor-neutral overview of digital forensics.
Below are some informal notes from my CHFI preparation:
- Modern Forensics
- Forensics Investigation Process
- Searching and Seizing
- Digital Evidence
- First Responder Procedures
- Computer Forensics Lab
- Disk and File Systems
- Windows Forensics
- Data Acquisition
- Deleted Files and Partitions
- Image Files
- Password Crackers
- Logs and Events
- Network Forensics
- Wireless Forensics
- Mobile Forensics
- Expert Witness
- Linux Forensics
- Mac Forensics
- CD/DVD Forensics
- Incident Handling
Modern Computer Forensics
Highlights from the History of Computer Forensics
- In 1932, the FBI Forensics Lab was formed
- In 1984, FBI Computer Analysis & Response Teams (CART) emerge
- In 1991, the International Law Enforcement meeting was conducted to discuss computer forensics and the need for a standard approach
- In 1993, First International Conference on Cyber Crimes
- In 1997, the Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards
We need to preserve evidence and avoid contamination.
3 A’s of Computer Forensics
- Acquire, Authenticate, Analyze
High Level Process:
- Identification (detecting the crime/event)
- Preservation (chain of evidence, documentation)
- Collection (data recovery, evidence collection)
- Examination (tracing, filtering, extracting hidden data)
- Analysis (analyzing evidence)
- Presentation (investigation report, expert witness)
- Decision (report)
More Detailed Process Flow:
- Crime occurs
- Identify the crime scene
- Obtain a warrant
- First responder engages
- Seize Evidence
- Create 2 bit-by-bit copies
- Chain of Custody
Evidence Needs To Be:
In which of these electronic devices is evidence found in the address book, notes, appointment calendars, phone numbers and email?
- Digital Watches
The result of which analysis may indicate additional steps that need to be taken in the extraction and analysis processes?
- Application and File Analysis
Types of Investigation:
- Identity theft
- Virus and worms
- Cyber stalking
- Financial fraud
- Child porn
- Investment fraud
- Software piracy
- Copyright piracy
- Denial of service
- Auction fraud
- Email bomb/spam/hoax
- & more
Scientific Working Group on Digital Evidence (SWGDE) Standards
In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.
Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
Standards and Criteria 1.2
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Standards and Criteria 1.3
Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
Standards and Criteria 1.4
The agency must maintain written copies of appropriate technical procedures.
Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
Standards and Criteria 1.6
All activity relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Standards and Criteria 1.7
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
Forensic Investigation Process
- 18 USC 1029 Fraud and related activity in connection with access devices
- 18 USC 1030 Fraud and related activity in connection with computers
- 18 USC 1362 Communication Lines, Stations, or Systems
- Rule 402 Admissible Evidence
- Rule 901 ID & Authentication
- Rule 608 Conduct of Witness
- Rule 609 Impeachment of Evidence
- Rule 502 Attorney Client Privilege
- Rule 614 Interrogation of Witness
- Rule 701 Opinion Testimony
- Rule 705 Disclosure of Facts
- Rule 1002 Requirement of Original Evidence
- Rule 1003 Admissibility of Duplicates
- 1986 Electronic Communications Privacy Act (ECPA)
- 2001 USA Patriot Act
- 1980 Privacy Protection Act
- 1980 Cable Communications Policy Act
Guiding Laws Breakdown
18 USC 1029 Fraud and related activity in connection with access devices
- Law is applicable if
- person intentionally uses, produces or possesses one or more counterfeit access devices, or unauthorized access devices, to defraud
- obtains anything of value aggregating $1,000 or more
18 USC 1030 Fraud and related activity in connection with computers
- Law is applicable if:
- person intentionally accesses a computer without authorization or exceeds authorized access
- obtains restricted data or information that needs executive order
18 USC 1362 Communication Lines, Stations, or Systems
- Law is applicable if:
- person willfully injures or destroys any of the works, property, or material of any means of communication
- maliciously obstructs, hinders, or delays the transmission of any communication
18 USC 2319A Unauthorized fixation of and trafficking in sound recordings and music videos of live musical performances
- Law is applicable if:
- person knowingly and for purposes of commercial advantage fixes the sounds and images or reproduces copies or phonorecords.
- transmits the sounds or images to the public without the consent of the performer
Reporting Security Breaches to Law Enforcement
Computer Hacking, Password Trafficking
- FBI Local Office
- U.S. Secret Service
- Internet Fraud Complaint Center
Internet fraud and SPAM
- FBI Local Office
- U.S. Secret Service (Financial Crimes Division)
- Federal Trade Commission (Online Complaint)
- Securities and Exchange Commission (Online Complaint)
- The Internet Fraud Complaint Center
High Level Process:
- Building a Workstation
- Dates and Times
- Deleted Files
- Removable Media
- Analyze Drive
- Build a Team
- Roles and Responsibilities
- Incident Response
- Expert Witness
Investigative Process Steps:
- Search Warrant
- Secure the Scene (photograph, label, forms)
- Collect Evidence (media, cables, peripherals, trash)
- Secure Evidence (chain, origin, management)
- Acquire Data (image integrity)
- Analyze (file systems, ftk, recovery software)
- Document and Report
Bullzip.com has an MD5 Calculator that allows you to right-click to get an MD5 hash of anything.
PC Inspector File Recovery 4.0 allows you to
- Recover deleted files
- Find lost data
- Find lost drive
Search and Seizure
4th Amendment – protects us from unreasonable search and seizure
Patriot Act is important to be familiar with.
Understand the following concepts:
- Exigent Circumstances
- Plain View
- Lawful Arrest
- Inventory Searches
- Workplace Searches
Codes and Laws to be familiar with:
- 18 USC 2510-2522 Title III Wiretap Statute
- 2518 Interception Pursuant
- 2511 (2) C-D Consent
- 2511 (2) (a) (i) Provider
- 2511 (2) (i) Computer Trespasser
- 2511 (5) (a) Extension Telephone
- 2511 3 (b) (iv) Inadvertently Obtained
- 2511 2 (g)(i) Accessible to the Public
- 3121-3127 Pen Registers, Trap & Trace
- ECPA (Privacy Act)
- 2701-2712 Statutory Privacy Rights
- 2510 Electronics Communications Service
- 2711 Remote Computing
- Cable Act 47 USC 551
- Can have multiple
- No knock warrants
- Sneak & Peek
- Rule 41 Return of Property
Inapplicability of Hearsay (Generated Records)
Applicability of Hearsay (Stored Records)
When analyzing a system for one particular crime but finding evidence of another crime, that other crime might need to be ignored until you can discuss it with a legal professional.
Warrants must be written for a specific machine and specific situation.
A computer is generally considered a closed container, and the warrant must be specific enough to include its contents.
Cases have happened when third-parties have received digital evidence (like a computer repair shop) and have turned in the evidence to the cops.
A search warrant is typically not needed in corporate environments where hiring paperwork or logon banners include verbiage similar to “no expectation of privacy.”
The plain view doctrine allows evidence to be considered without a warrant if it is visible from a legal standing position.
Warrants are not needed at borders (sometimes within 100 miles of border).
Warrants are certainly not needed when the owner authorizes the search in a clear manner.
Cases occur where multiple warrants are required.
“No Knock” warrants are performed without advance warning to the suspect (like when battering rams are used in movies).
“Sneak and Peek” warrants are performed when the suspect is not home.
Forensic investigators have a responsibility to protect the data of others that might be co-mingled with the suspect’s data (ex: credit card numbers of others as part of a breach investigation).
Already familiar with.
First Responder Procedures
Already familiar with.
Computer Forensics Lab
This section has an emphasis on software to include as part of a computer forensics lab.
Stress ability to respond to a variety of operating systems.
Digital evidence can be found on anything from computers, to printers, to cars.
Digital Forensic Suites
Disks and File Systems
Nearly every investigation revolves around analyzing hard drive images
– Removable Devices
– Flash Storage
CHS = Cylinder Head Sector (Addressing Scheme)
– examine CHS using fdisk (Linux command: fdisk -l /dev/sda)
Sector is the smallest amount of data that a drive can handle (read/write)
Head is the number of read/write heads in the drive; each platter has two heads (top and bottom)
Cylinder is the number of tracks on each platter
LBA = Logical Block Addressing
– examine using the sleuthkit
– get information via fsstat command (fsstat -o 2048 /dev/sda)
– simpler scheme that replaces CHS and is used by modern drives
– Data is addressed directly by block number
Master Boot Record (MBR)
– holds the initial boot code (intel based)
– for forensics value it holds the partition table (holds information for each partition)
Partition is a sub-section of the hard drive
– partitions usually contain a filesystem
– dual boot machines have two partitions, one for each OS
MBR w/ MMLS command
– mmls /dev/sda
MBR was replaced by GPT (for Apple PCs and High-End Intel Servers)
– Can handle 128 partitions
– MBR limits partitions to 2 TB, GPT’s limit is in the zettabyte range
– Windows/Linux will eventually adopt it
Some notes about file systems…
(1) FAT (File Allocation Table)
– the simplest filesystem
– first version FAT12, was created in 1980
– FAT16 was used in DOS
– FAT32 was used in Windows 9x
– FAT32 is still in heavy use
Why do we care about filesystems?
– disk forensics revolves around recovering data
When analyzing a particular filesystem, we want three pieces of information:
– How the filesystem stores data
– How the filesystem stores metadata (filenames, sizes, MAC times)
– How files/directories are deleted/modified
– Boot Sector
– Filesystem Information Sector
– FAT Tables
– File/Directory Data
– Bytes per sector: the smallest unit of data that can be read or written at one time (a one-byte write still ends up writing a full sector, often 512 bytes)
– Sectors per cluster
– Number of FAT tables
– Number of total sectors
– Also includes volume label
File Information Sector
– not really useful for forensics
– used to determine how much free space is available and where it is
– the FAT tables are used to link the chains of clusters that store a file’s or directory’s data (really an array)
– A Cluster is a set of contiguously allocated sectors
FAT File/Directory Data
– directory entries contain: file name, size, attributes, starting cluster and timestamps (creation time is precise, access time is only accurate to a day, modified time is normal)
– FAT has a special designation of the “root” directory
– Once root is found, the rest can be recursively discovered
– for example, find /home/bob/file.txt (would start at root)
How are files deleted?
– when deleted, FAT table indexes are set to 0
– first letter of filename is set to 0xe5
– the directory entry is marked as free
– file names can be recovered minus the first character
– metadata can be recovered
– file contents are harder: we can read the file size, start at the first cluster and hope the clusters were not overwritten.
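As an added example (not part of the original notes), a small Python parser for a 32-byte FAT directory entry that shows exactly what the deletion steps above leave behind: the 0xE5 marker in place of the first character, the intact metadata (including the day-only access date), and the starting cluster and size from which content recovery is attempted. The sample entry bytes are constructed for the demonstration.

```python
import struct
from datetime import date, datetime, time

# Layout of one 32-byte FAT short-name directory entry, fields in on-disk order:
# name(11) attrs ntres ctime_10ms ctime cdate adate clus_hi wtime wdate clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
ATTR_LFN = 0x0F                           # long-file-name piece, not a real file
DELETED_MARKER = 0xE5                     # first name byte after deletion

def fat_date(raw):
    """Decode a packed FAT date: 7-bit years since 1980, 4-bit month, 5-bit day."""
    if raw == 0:                          # an unset date field is all zeros
        return None
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw, hundredths=0):
    """Decode a packed FAT time (2 s resolution) plus the optional 10 ms counter."""
    seconds = (raw & 0x1F) * 2 + hundredths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, seconds, (hundredths % 100) * 10000)

def parse_entry(raw):
    """Parse one directory entry; returns None for a free slot or an LFN piece."""
    (name, attrs, _ntres, c10ms, ctime, cdate, adate, clus_hi,
     wtime, wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw[:ENTRY_SIZE])
    if name[0] == 0x00 or attrs == ATTR_LFN:
        return None
    deleted = name[0] == DELETED_MARKER
    # The 0xE5 marker overwrote the first character, so it cannot be recovered.
    first = "?" if deleted else chr(name[0])
    base = (first + name[1:8].decode("ascii", "replace")).rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    created = fat_date(cdate)
    if created is not None:
        created = datetime.combine(created, fat_time(ctime, c10ms))
    modified = fat_date(wdate)
    if modified is not None:
        modified = datetime.combine(modified, fat_time(wtime))
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attributes": attrs,
        "created": created,               # 10 ms resolution
        "accessed": fat_date(adate),      # date only: FAT stores no access time
        "modified": modified,             # 2 s resolution
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }

def recovery_clusters(entry, bytes_per_cluster):
    """Clusters to read back for a deleted file, assuming it was stored contiguously
    (the FAT chain itself was zeroed on deletion, so contiguity is only a hope)."""
    count = (entry["size"] + bytes_per_cluster - 1) // bytes_per_cluster
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))

# Constructed sample: the entry for REPORT.TXT after deletion (first byte 0xE5),
# created 2012-03-15 14:35:10.5, accessed 2012-03-20, modified 2012-03-18 09:02:00.
SAMPLE = struct.pack(ENTRY_FMT, b"\xe5EPORT  TXT", 0x20, 0, 50,
                     0x7465, 0x406F, 0x4074, 0x0000, 0x4840, 0x4072, 0x001A, 4096)

if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print(entry)
    print(recovery_clusters(entry, 2048))
```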
FSSTAT on a FAT Filesystem
– Generates disk/filesystem data
SUMMARY: FAT is still very important in forensics investigations
(2) NTFS
– Most important filesystem for investigators to understand
– Windows filesystem from XP onwards
– Much more complicated than FAT
– Understand the NTFS layout
– Recovery Steps
Everything in the filesystem for NTFS is considered a file (including metadata)
All data is stored in the Master File Table (MFT)
Initial MFT entries are the first 16, which are reserved by the operating system for metadata files
– $MFTMirr = Mirror of the MFT
– $LogFile – contains journal info
– $Volume –
– $AttribDef – holds attrs about files
– contains the root directory
– $Bitmap – cluster allocation bmap
– $Secure – ACL information (security for files)
An MFT entry contains the type of the attribute, its size, its name
Directories are stored in a B-tree
– $INDEX_ROOT attribute contains information on the files and sub-directories of the current directory
How file data is stored
– files have their own MFT entries and the contents of the file is stored in the $DATA attribute
– MAC time information is stored in $STANDARD_INFORMATION
When a file is deleted
– the file’s entry in the directory’s MFT entry is removed
– the in-use flag of the file’s MFT is cleared
– the file’s bit in the $DATA attribute of $Bitmap is cleared
– Clusters of the file are marked as unallocated
– The directory in the b-tree is resorted
– finding deleted files is easy, simply walking the MFT and looking for not-in-use entries
– if a file is 700 bytes or less, its contents can be completely recovered as they are stored in the MFT itself and not overwritten
– recovery of larger files depends on whether the clusters used to store the data were overwritten since deletion of the file
– journaling is used by all modern filesystems to ensure data consistency in the face of unexpected events (sudden shutdown, temporary drive instability)
– before data is written to the destination block of the hard drive it is first written to the filesystem journal
– NTFS uses journaling, which Microsoft calls logging
– Journal is stored in the MFT entry 2 named $LogFile
– Can be analyzed using the Sleuthkit and other forensics tools to determine recent actions on the files system
– It’s used by recovery tools to fix the filesystem
SUMMARY: NTFS is a complex filesystem much more so than FAT, ability to deeply analyze NTFS is a required skill for all forensic investigators
(3) EXT Filesystems
– EXTended filesystems are the core Linux filesystems, used by nearly all Linux distributions and environments
– Investigators who will encounter
Filesystem NEED TO KNOW
– How data is stored
– How metadata is stored
– How files are deleted/modified
EXT3 is the default filesystem for the majority of Linux installs (EXT4 is slowly being adopted)
– EXT3 adds journaling
The first data structure is the superblock (stored at the beginning, holds size of filesystem)
– uses BITMAP
Inodes
– are a Unix/Linux-specific construct
– store the metadata about a file or directory (size, owner information, MAC times, permissions, list of blocks)
– Modified (M): the file is created or its contents are modified
– Changed (C), not Created: refers to changes in metadata only
How Files are Stored
– files are stored in their own blocks (groups of sectors)
– for small files the list of blocks is stored directly in the inode
– for larger files, indirect block pointers are used to track all the blocks for a file
– files are stored in directory entry structures
– Entries store: name of the file, inode location, location of the next file in the directory
EXT3 & Journaling
– journaling provides transaction support to filesystems
– EXT3 has 3 journaling modes
– – journal mode logs all data
– – ordered mode logs only metadata, flushing file data on each write
– – writeback mode ONLY logs metadata
File Deletion & Recovery
– when files and directories are deleted
– – the inode and block bitmaps are cleared
– – the directory entry preceding the deleted item is changed to skip past it (leaves all data intact, though)
– when files are deleted
– – EXT2 keeps the block pointers intact (easy file recovery)
– – EXT3 clears the block pointers (file recovery is hard)
SUMMARY: the EXT family of filesystems dominates the Linux scene and will continue to do so for a long time
(4) HFS+ Filesystem
HFS+ OnDisk Structure
– Sector 2, the volume header, contains information including the block size and the locations of other data
– An HFS+ volume contains five files that store information about the filesystem and its data
Catalog File
– Describes the folder and file hierarchy (stored as a balanced tree)
– Contains per-file metadata, size, permissions, MAC times
– Stored in the catalog file structure
– holds the information necessary to locate the contents of a file
– files are stored in extents, which are contiguously allocated blocks
– – non-fragmented files only have one extent
– Stores metadata about the file (Menus, icons, non-contents related data)
File Time Information (MAC Times)
– M = the time either fork was modified
– A = the last time the file contents (data fork) were accessed
– C = when the file was created
– B = when the file was backed up
– contains attribute information for files and folders
– doesn’t seem to be useful from a forensics perspective
Allocation File (Bitmap)
– similar to the $BITMAP file of NTFS
– used to track the allocation status of blocks in the volume
– contains information for non-MAC systems to use the HFS+ filesystem
Extents Overflow File
– tracks which extents belong to a file
– only after the first eight, which are tracked in the file catalog
– used only for very fragmented files
When files are deleted
– the record in the catalog file is removed
– extent and attribute records are removed
– fork data NOT overwritten
SUMMARY: the HFS+ filesystem is the main Apple filesystem and knowledge of it is required for investigators examining such machines
Data Acquisition and Duplication
Data formats created by forensic tools:
- RAW – the RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.
- AFF (Advanced Forensic Format) is an emerging standard to be used across all forensic tools.
- Proprietary formats, like the EnCase-specific formats, often lock you into that tool suite.
Bit stream images are ideal for carving out areas of a disk where a user believes they “deleted” content.
More review of WSCC and SysInternals.
Types of Imaging
- Bit to Bit Copy (exact copy)
- File System Capture (logical copy, doesn’t capture deleted files)
- Sparse Copy (copy individual files as needed, perhaps helpful for investigations in the cloud)
Registry Analysis is a useful place to perform analysis (WSCC has tools that are helpful for this).
Log and Event Correlation
Look for Security Related Events.
Windows now allows for very rich logging of activity.
Investigating Wireless Attacks
Analyzing Web Applications
Investigating Email Crimes
Deleted Files and Partitions
Image File Forensics
CHFI Self-Assessment Notes
What does ETI stand for?
- Enterprise Theory of Investigation, the standard investigative model used in conducting investigations against organized crime.
Federal Rules of Evidence Rule 901
- Requirement of authentication or identification
Should you use original evidence for analysis?
Admissible Evidence must be related to the fact being proved.
The term probative means having the quality or function of proving something.
Examples of volatile data include:
- system time
- logged-on user(s)
- open files
- network information
- process information, process-to-port mapping, process memory
- clipboard contents
- service/driver information
- command history
Non-volatile data is used for secondary storage and long-term persistence.
Federal Rules of Evidence Rule 1003
- Admissibility of Duplicates
Know the Scientific Working Group on Digital Evidence (SWGDE) Standards like:
- Standards and Criteria 1.3
Archival media isn’t very volatile.
Tracks are numbered from 0 (outermost on platter) to 1023 (innermost on platter).
Which one of the following is the smallest allocation unit of a hard disk, which contains a set of tracks and sectors ranging from 2 to 32, or more, depending on the formatting scheme?
In RAID 0, data is striped across multiple drives.
In RAID 1, data is mirrored from one drive to another.
HKEY_CLASSES_ROOT hive contains configuration information relating to which application is used to open various files on the system.
Audit Policies from the Registry (HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv)
- A = restart, shutdown, system
- B = logons and logoffs
- C = file and object access
- D = use of user rights
- E = process tracking
- F = security policy management
- G = user and group management
- Z = determines if the policy is enabled or disabled
- If any of the values (A,B,C,D,E,F,G) are set to 1, success auditing is enabled on those areas.
- If any of the values (A,B,C,D,E,F,G) are set to 2, failure auditing is enabled on those areas.
- If any of the values (A,B,C,D,E,F,G) are set to 3, both success and failures are audited on those areas.
- If the value of Z is 1, the policy is enabled; if it is 0, auditing is disabled.
Important dates are available in the binary contents of the F value, such as time/date stamps represented as 64-bit FILETIME values. Bytes 24-31 represent the date the password was last reset.
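As an added example (not from the original notes), Python code that pulls the FILETIME at bytes 24-31 out of a raw F value and converts it to a UTC datetime, treating an all-zero timestamp as "never". The F value blob is constructed for the demonstration, not taken from a real registry export.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PASSWORD_RESET_OFFSET = 24      # bytes 24-31 of the F value, per the notes above

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:                 # all-zero means the event never happened
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def password_last_reset(f_value):
    """Pull the password-last-reset timestamp out of a raw F value blob."""
    if len(f_value) < PASSWORD_RESET_OFFSET + 8:
        raise ValueError("F value too short to hold a FILETIME at bytes 24-31")
    (ft,) = struct.unpack_from("<Q", f_value, PASSWORD_RESET_OFFSET)
    return filetime_to_datetime(ft)

# Constructed sample: 48 bytes of filler with a FILETIME for 2013-06-01 08:30:00 UTC
# written at bytes 24-31 (hypothetical values, not a real registry export).
SAMPLE_F = bytearray(48)
struct.pack_into("<Q", SAMPLE_F, PASSWORD_RESET_OFFSET,
                 datetime_to_filetime(datetime(2013, 6, 1, 8, 30, tzinfo=timezone.utc)))

if __name__ == "__main__":
    print(password_last_reset(bytes(SAMPLE_F)))
```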
FTP Server Return Codes:
- 1xx: Positive preliminary reply
- 2xx: Positive completion reply
- 3xx: Positive intermediate reply
- 4xx: Transient negative completion reply
- 5xx: Permanent negative completion reply
- 6xx: Protected reply
- IEEE 802.11a speeds of up to 54 Mbps in the 5 GHz band
- IEEE 802.11b speeds of up to 11 Mbps in the 2.4 GHz band
- IEEE 802.11g speeds of up to 54 Mbps in the 2.4 GHz band
- IEEE 802.11n speeds of up to 600 Mbps in both the 2.4 GHz and 5 GHz bands
A syllable attack is a combination of a brute force and a dictionary attack.