Cyber-Forensics
The Basics
CERTConf2006
Tim Vidas
Because you have to start somewhere
�Who are we?
Tim Vidas
Sr. Tech. Research Fellow
UNO/PKI/NUCIA
Certs: CISSP, 40xx, Guidance,
AccessData etc.
Instructor: UNO, Guidance, LM
RRCF
Joe Wilson
Recent Graduate (MS/MIS)
RRCF
2
�NUCIA
Nebraska University Consortium on
Information Assurance
IA full time
Traditional university coursework in
IA, Crypto, Forensics, Secure
Administration, Certification and
Accreditation, etc
STEAL Labs
Other work
Most of us are around CERTconf..3
�Who are you?
Who are you?
Where do you work?
What do you do?
How many of you are planning on
attending all Forensics sessions?
What are you expecting to get out
of them? (Ill try to be
accommodating)
4
�The learning theory:
A technical, practical, hands-on approach
Technical means the class(es) will either
require or provide a significant amount of
technical expertise.
Practical implies that the information covered
should provide you with the capacity to
conduct many cyberforensic activities.
Hands-on the additional hands-on
component provides an active experience in
which you will immersed in related exercises.
The best way to learn is by doing.
�Disclaimer
Even though this class touches on quite
a few legal topics nothing should be
construed as advice or legal instruction
Before performing many of the skills
learned this week on a computer other
than your own, you may need to seek
permission (possibly written) and or
seek advice from your own legal
counsel.
6
�_______ forensics
Whereas computer forensics is defined as
the collection of techniques and tools used to
find evidence in a computer,
digital forensics has been defined as the
use of scientifically derived and proven
methods toward the preservation, collection,
validation, identification, analysis,
interpretation, documentation, and
presentation of digital evidence derived from
digital sources for the purpose of facilitation or
furthering the reconstruction of events found to
be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to
planned operations
7
�What is Cyberforensics?
This really depends on the point of view
Traditionally Cyber forensics involves the
preservation,
collection,
validation,
identification,
analysis,
interpretation,
documentation and
presentation
of computer evidence stored on a computer.
Forensics is the application of science to the
legal process.
Jim Christy, DCCI
�Rapid-Response
Cyberforensics
Characterized by:
Live-response
Military-type contexts
But not of necessity
Judicious a priori planning
Prior strategic incident response planning
Requisite training in
Basic forensic procedures
Live-response
Network forensics
Continued updating of skills as technology
changes
Technically adept with a diversity of tools &
toolkits
�Viewpoint
According to the CFEWG curriculum
group there are three perspectives of
cyberforensics
Law enforcement
FBI/IRS
Business/Industry
Cisco
Military/counterintelligence
AF OSI/NSA
Although not mutually exclusive, each
can have its own thrust.
academia is becoming a fourth
10
�Viewpoint
11
�Viewpoint
Each perspective has different
objectives, even though there is
overlap, the approaches of each remain
mainly ah-hoc and uncoordinated
Technology is vendor-driven
No industry certification
No standards
ASCLAD for labs
Interesting situations with the court
system
Who is more believable?
Evidence isnt questioned
12
�Coverage from OS
perspective
Windows
95% of cases involve Windows (FBI)
Topics
File systems: FAT & NTFS
Multiple tools:
Commercial
Freeware
Windows & Linux
Live response
Network forensics
13
�Topics we will cover
Were going to start by establishing a basis for
cyber-forensics
Hexadecimal notation
Traditional post-mortem forensics
Duplication
Analysis
File systems
Footprints
Etc
Then build upon this foundation and explore other
avenues
Generally speaking, if you dont know how a
particular tool is working behind the scenes you
might not be able to hold weight on the witness14
stand (or corporate report, or ____ )
�Cybercrime &
Cyberwarfare
Information warfare specialists at
the Pentagon estimate that a
properly prepared and wellcoordinated attack by fewer than
30 computer virtuosos strategically
located around the world, with a
budget of less than $10 million,
could bring the United States to its
knees.
Center for Strategic & International Studies (CSIS)
15
http://www.csis.org/pubs/cyberfor.html
�Cybercrime &
Cyberwarfare
Such a strategic attack, mounted
by a cyberterrorist group, either
substate or nonstate actors, would
shut down everything from electric
power grids to air traffic control
centers.
Center for Strategic & International Studies (CSIS)
http://www.csis.org/pubs/cyberfor.html
16
�Scope of the Problem
In1990 a computer hard drive seized in
a criminal investigation would contain
approximately 50,000 pages of text
The same hard drives now contain 5
million to 50 million pages of data.
But the ability of these agencies to retain
computer talent is seriously jeopardized by
the compensation packages offered by the
private sector.
Center for Strategic & International Studies (CSIS)
http://www.csis.org/pubs/cyberfor.html
17
�Computer Crime
Sample of computer crimes from 2001
Demoted employee installs a logic bomb,
which later deactivates hand-held
computers used by the sales force.
eBay
User advertises goods, but on receiving payment
never ships the goods.
Advertised collectibles turn out to be fakes
Disgruntled student sends threatening
emails, leading to school closing down.
Ring of software pirates use web site to
distribute pirated software
Stephenson, 2001.
18
�Computer Crimes
Software company employee is indicted for altering
a copyright program to overcome file reading
limitations
Hacker accesses 65 U.S. Court computers and
downloads large quantities of private information.
Hacker accesses bank records, steals banking and
personal details.
15 year old boy runs scripts that invoke DOS against
eBay, Yahoo!, AOL, etc.
Moral: NO SUCH THING AS TYPICAL
COMPUTER CRIME.
Must be flexible in your response
Stephenson, 2001.
19
�Taxonomy of Computer
Crime Scenes
Computer Crime
Computer used to conduct crime
Examples?
Computer is target of crime
Examples?
Response
Live: real-time
After the fact
20
�Introduction
Computer forensics involves
Preservation
Evidence changed, court case is gone
Identification
Of the 100,000 files, what is evidence of a crime?
Extraction
Take the evidence off the hard drive for presentation
Documentation
Document what you found to present in court
Interpretation
Interpret the evidence in light of the charges
As much art as science
21
�Goals (Questions) of
Forensic Analysis
Identify root cause of an event to ensure it
wont happen again
Must understand the problem before you can be
sure it wont be exploited again.
Who was responsible for the event?
Most computer crime cases are not
prosecuted
Consider acceptability in court of law as our
standard for investigative practice.
Ultimate goal is to conduct investigation in a manner
that will stand up to legal scrutiny.
Treat every case like a court case!
22
Kruse & Heiser, 2002
�Cyberforensics
Procedures
Cyberforensics is a large, complex
problem composed of various
flexible steps
Each step has an input and an
output
23
�Preparation
Detection
IR Team Informed
First Response
Secure System
Create Response
Strategy
Incident?
Begin Evidence
Acquisition
Duplicate
Is this
Correct?
Duplication
Required?
Begin
Investigation
Report
Feedback to Preparation &
Secure System
24
Adapted from Mandia & Prosise 2003
�Preparation
What to do before the incident
Incident response plan
What to do in case of
User incident
User or customer reports problem
Application incident
Web page changed, etc.
System incident
Virus
Server down
Denial-of-service attack
Hostile code
Unauthorized access
Network probes
25
�Preparation
What to do before the incident
Incident response team
Systems administrators
Forensic analysts
Users
Managers
May have to wear more than one hat
26
�Detecting Incidents
You detect something you believe
to be an incident
Something outside the scope of
normal operation
Now what?
DO UNTIL DONE
Document everything
Document everything
Document everything
27
�Incident Detecting
Follow a well-defined methodology
Care and due diligence must proceed with
each case
TREAT EACH CASE AS IF IT MAY END
UP IN COURT
Dont begin analysis, decide you have a
problem, THEN start handling it as
evidence
TOO LATE by then, because you have changed
the scene of the crime.
Defense attorney wont care whether this was
done accidentally or not.
28
�Incident Detection
How to document
Create a notification checklist
Assure you wont miss any details
Facts to include:
Time & Date
Who or what is reporting the incident
User, sysadmin, IDS
When incident is suspected to have
occurred
Hardware/software
POC
29
�Chain-of-custody
CRITICAL that documentation regarding how
evidence is handled.
Establishes continuity of who/what/where RE
evidence
Who collected the evidence
What comprises the evidence
When evidence was collected
If hardware (take a photo)
Make, model, serial #
Description of the evidence, technical information
Name and signature of individual receiving evidence
Case number & tag (bag & tag)
If electronic, cryptographic hashes
Mandia & Prosise, 2003
30
�Chain-of-custody
How to bag & tag electronic evidence?
Cryptographic hash of the electronic file
More on this stuff a bit later
Time & date stamp before and after
capture
31
�Evidence Checkout Log
Item
Date
Time
Dell Inspiron 8000 SN# 4005
10/8/2002
13:05
Dell Inspiron 8000 SN# 4005
10/9/2002
8:02
Dell Inspiron 8000 SN# 4005
10/9/2002
15:33
Dell Inspiron 8000 SN# 4005
10/11/2002
7:30
Dell Inspiron 8000 SN# 4005
10/11/2002
12:00
Location
Name
Reason
Locked up in STEAL Lab cabinet
Vidas
Safekeeping
Removed
Vidas
Analysis
Locked up in STEAL Lab cabinet
Vidas
Safekeeping
Removed
Nicoll
Analysis
Locked up in STEAL Lab cabinet
Nicoll
Safekeeping
Adapted from Kruse & Heiser, 2002
32
�Handling Evidence
Chain-of-Custody
Goal is to protect the integrity of your evidence
Make it difficult for the defense attorney to
successfully argue that the evidence was tampered
with it while it was in your custody
Document following questions
Who collected the evidence?
How was it collected? From where was it collected?
Who took possession of it?
How was it stored and protected in storage?
Who took it out of storage and why?
33
Kruse & Heiser, 2002
�Chain-of-Custody
Be meticulous
Defense attorney will cross-reference
with other documents to determine
any inconsistencies
Fewer people who have access to
your evidence or locker room, the
better.
Defense attorneys will argue
otherwise
34
�Chain-of-Custody
What does a typical CoC list look
like?
CoC is quite a bit different with
digital evidence these days
35
�First Response
Youve detected an incident, now
what?
Verify incident and related
information
Initiate network monitoring if appropriate
IDS
Sniffer
Users involved
Business impact if any
36
�Formulate/Execute
Response Strategy
Your response strategy should be
driven by your incident response plan
If you dont have one, you must develop on
the fly.
Select the most appropriate strategy
Best if you have thought about this beforehand
Context determines whether to do a live
response or a off-line media analysis
after forensic duplication
Big difference between the two, notwithstanding
legal implications
37
�Formulate/Execute
Response Strategy
Determine
How serious the problem is
Sensitivity of the compromised information
Potential offenders
Whether the incident is public or private
Internal network vs. web page
Level of access gained by intruder
Skill of the intruder
Level of tolerable downtime
Determines live response vs. offline
$$$$ lost
Mandia, Prosise & Pepe, 2003
38
�Formulate/Execute
Response Strategy
Incident:
DOS
Example
SMURF attack
Strategy
Reconfigure router to minimize effect of
flooding
Establishing perpetrator too costly
Likely outcome
Reconfiguration reduces effect of flooding
Mandia, Prosise & Pepe, 2003
39
�Formulate/Execute
Response Strategy
Incident:
Unauthorized use
Example
KPorn surfing from company workstation
Strategy
Perform forensic duplication
Offline analysis
Interview user
Likely outcome
Suspect identified and evidence collected for
disciplinary action.
Mandia, Prosise & Pepe, 2003
40
�Formulate/Execute
Response Strategy
Incident:
Computer intrusion
Example
Buffer-overflow gives intruder root access to critical
system
Strategy
Monitor intruder activities
Isolate the machine, reduce problem scope
Secure and recover the system
Likely outcome
Vulnerability identified, system recovered.
Mandia, Prosise & Pepe, 2003
41
�Formulate/Execute
Response Strategy
Incident:
Stolen information
Example
Stolen CC numbers from company database
Strategy
Issue public statement
Perform forensic duplication & analysis
Contact LE
Likely outcome
LE agents participate in investigation
Systems offline until problem resolved.
Mandia, Prosise & Pepe, 2003
42
�Considerations
Presenting strategies to management,
consider
Downtime
Network/system
User
Legal liability
e.g., downstream liability
Stolen CC
Publicity
Most intrusions are not reported
Theft of IP
Mandia, Prosise & Pepe, 2003
43
�Forensic Duplication
Your strategy is to take the system
offline.
Case may go to court or high-cost damage
Need to perform a bit-level copy of the
system
WHY?
Two types of analysis
Logical
Physical
44
�Forensic Duplication
Your strategy is to take the system
offline.
Cant do a physical analysis on a
mere logical copy of the hard drive
Misses ambient data that may contain a
wealth of evidence
Must access each sector of the HD
Ambient data found in areas no privy to
the user
45
�Forensic Duplication
Your strategy is to take the system
offline.
Offline analysis allows you to preserve the
system as-is, i.e., like putting yellow police
tape around the scene of a crime
Offline analysis doesnt affect the integrity
of the evidence because you are doing
analyses on copies of the evidence.
Of course youll likely loose all volatile data
by shutting down the machine
46
�Forensic Duplication
More on this a little later
47
�Authenticate the Evidence
It is difficult to show that evidence of
any kind collected is the same as what
was left behind by a criminal
Computer drives deteriorate slowly
Child pornography and Taliban terror plans
dont show up randomly on a HD
Chain of custody and other handling rules
assure the jury that no unanticipated or
introduced changes occurred.
prove who was at the keyboard problem
48
Kruse & Heiser, 2002
�Investigation
Answers
Who, what, when, where, how
How you perform the investigation
determined by whether you have a
forensic duplicate, or whether you
are conducting a live response.
IE..Cant get certain portions of a hard
disk if working with live-response
Cant do a string search on a swap file
under live-response
49
�Investigation
What is the goal?
Search for appropriate types of information
Graphics/images
Text
Problems:
There are hundreds or thousands of files
Needle in a stack of needles problem
Files can be hidden
Kiddy porn graphic saved as myhomework.doc
Steganography or alternate data streams
Files deleted
.files
Hidden areas of disk
obfuscation
50
�Common Mistakes
Altering time and date stamps.
Killing rogue processes.
Patching the system before the
investigation.
Not recording commands executed on
the system.
Using untrusted commands and
binaries.
Writing over potential evidence by:
Installing software on the evidence media
Running programs that store their output on
51
the evidence media.
Kruse & Heiser, 2002
�How do you know something
is wrong?
Failed login attempts
Logins into dormant and default
accounts
Activity during nonworking hours
Presence of new accounts not
created by the systems
administrator
Unfamiliar files or programs
52
�Running Processes
What is this?
Whats wrong with
this?
Linux: top, ps
53
�Other:
Event Log
Computer management (mmc)
Open Shares (mmc)
Network connections (netstat)
Services ( mmc)
Connected users (mmc)
MMC, administrative tools, and 3rd party
applications are all going to be valuable
54
�Detection
Unexplained changes in file and
directory permissions
Unexplained elevation or use of
privileges
An altered web page
Presence of pornographic images
on a system
55
�Detection
Use of commands or functions not
normally associated with a users
job
Presence of contraband utilities
(cracking, hacking, crypto,
obfuscating, etc)
Gaps in or erasure of system logs
56
�Detection
Changes in DNS tables or router
or firewall rules that cannot be
accounted for.
Unusually slow system
performance
System crashes
Social engineering attempts
57
�Where do I find this
evidence?
It depends on the OS
For Windows
it will likely be in various GUI-based
utilities
Or in highly obfuscated portions of
specific files
For UNIX/Linux, it will likely be in
various text files
58
�The Initial Assessment
What probably happened?
Best response?
Investigator must assess scene and
respond accordingly
Difference between
Someone lying on the ground bleeding at scene
of the crime
Someone lying on the ground dead at the scene
of the crime
Response differ depending on
circumstances
Mandia & Prosise, 2003
59
�Incident Notification Checklist
Who called:
Time/Date
Phone
Nature of incident
When did it occur?
How was it detected?
When was it detected?
Immediate and future impact to client:
Mandia & Prosise, 2003
60
�Always practice safe hex.
Hex
�Why HEX?
While hex is less readable than
ascii text, it is more readable than
code the machine understands
The number 65535 would be written
down as 16 ones, or
11111111111111112
Prone to errorwas that 16 or 17 1s?
To condense the same information we
use a base 16 system, called
hexadecimal.
62
�What is HEX?
Hex uses decimals first,followed
by alphabetic characters.
It is fairly straightforward to convert
back and forth from binary to hex
0 1 2 3 4 5 6 7 8 9 1
0
1
1
1
2
1
3
1
4
1
5
0 1 2 3 4 5 6 7 8 9 A B C D E F
63
�BIN %
OCT
DEC
HEX 0x
10
11
100
101
110
111
1000
10
1001
11
1010
12
10
1011
13
11
1100
14
12
1101
15
13
1110
16
14
1111
17
15
10000
20
10
10
10001
21
11
11
64
�Converting
If you write down
1234, (base 10)
you are talking
about the number
one thousand,
two hundred and
thirty four.
This can be
rewritten as:
65
�Converting
It is the same in all other bases,
each place represents a power of
the base:
66
�Converting
What is 0xCB in Decimal?
C = 12 and B = 11 so
12 * 16^1 + 11 * 16^0 = 203
What about binary?
C = 12 = 1100 B = 11 = 1011
CB =
1100 .
1011
so 0xCB = %11001011
67
�Converting
What is 0xAF1 in Decimal?
A = 10, F = 15 so
10 * 16^2 + 15 * 16^1 + 1 * 16^0 = 2801
What about binary?
A = 1010 F = 1111 1 = 0001
AF1= 1010 . 1111 . 0001
so 0xAF1 = %101011110001
68
�Practical bits
Netmask:
So most people just type in:
255.255.255.0
What does this mean?
69
�Practical bits
Netmask:
IP address are dotted quad,
basically the dots just break up bits
to make them easier to read.
How many bits does it take to
represent 256 (base 10)?
70
�Practical bits
Netmask:
11111111 = 255, so 8 bits for 256 unique
values
Therefore, 255.255.255.0 is decimal dotted
quad for the base 2 number:
11111111.11111111.11111111.00000000
This is also sometimes referred to as as /24
network because there are 24 1s
Netmasks almost always start with
sequential 1s and end with sequential
0s
71
�slight diversion now
Netmask:
11111111 . 11111111 . 11111111 . 00000000
network (subnet)
host
So this particular netmask (/24) allows for 256
different hosts(well actually a bit less but
lets just say 256) on one subnet. Every time
you add a bit to the netmask, you get more
subnets and less hosts per subnet.
Example:
192.168.100.0 192.168.100.255
72
�slight diversion now
Netmask:
11111111.11111111.11111111.1 0000000
network (subnet)
host
So this particular netmask (/25) has 2 subnets...
Example:
192.168.100.0 192.168.100.127
subnet1
192.168.100.0 192.168.100.255
subnet2
So /26 has 4 subnets, /27 has 8 subnets, all the
way through /30 which has 64 subnets (4 hosts
per)
73
�slight diversion now
Netmask:
Looking at Netmasks that lower than /24 get into
Class A,B,C type discussions and are definitely
out of scope here
Basically each fourth of the dotted quad controls a
class, so using letters to represent the class a
bit belongs to:
AAAAAAAA.BBBBBBBB.CCCCCCCC.xxxxxxxx
Class D is used for broadcasting
Class E is Experimental is basically a leftover
from bureaucratic / political design by
committee fallout
74
�Practical Bits
Netmask:
Whats the mask actually do?
Used for Bitwise AND with a hosts address
If my computer is 137.48.112.123
and my netmask is 255.255.255.0
10001001.00110000.01110000.01111011
11111111.11111111.11111111.00000000
AND 10001001.00110000.01110000.00000000
so for the very common /24 netmask the result
may be familiar then the last number (123) is the
host id, and the others 137.48.112 is the network.
75
�Why does all this matter?
So as a forensic examiner you
might not be overly concerned with
netmasks, or the class of a
particular network
And you may not be able to decode
machine language when you see it
But you should understand what it is
and realize that decoding it correctly
could change data into
information
76
�Why does all this matter?
In the physical world if an
investigator found a letter at a crime
scene he would not throw it away
just because the crime was
committed in Nebraska and the
letter was written in Chinese.
77
�Why does all this matter?
A set of 1s and 0s that translates
into an peculiar set of Hex
characters may appear to be
gibberish, but upon proper
decoding, it may reveal an MIME
encoded message (for example)
Just because the data isnt in a
particularly useful form, doesnt
mean that its not valuable.
78
�Peek into the Future:
Windows stores all kinds of data in
all kinds of places
And interesting example are lnk
files
And extension of .lnk means?
79
�Peek into the Future:
Turns out that the date / time
information for the original file the
lnk points to (deleted or not) is
stored in the lnk.
Starting at byte offsets 28, 36, and
44 you can gleam creation, last
access and last modification
times..
These are Windows Date/Time
values 64 bit little Endian
80
�Peek into the Future:
CST is 6 hours behind GMT
Notice the highlighted portion of
hex in winhex
What happened on 11/16/04 at
about 9:54 AM?
81
�Peek into the Future:
What are the odds?
Every time a document is
accessed a lnk is created in the
hidden system folder RECENT
This folder exists for all users
individually
Obviously this knowledge has a
variety of uses
82
�Encoding is not Encrypting
It is also important to note the
different between Encoding and
Encrypting
Encoding is done primarily to make
information EASY to interpret
Encrypting is done primarily to
make information HARD to interpret
83
�Encoding is not Encrypting
The very fact that data has been
encrypted is sometimes enough to
raise red flags
Depending on circumstances the
existence of encrypted files may
create, or be a contributing factor
for Probable Cause
This is not the case with encoded
files
84
�The Hex Editor
In windows you may find a tool
such as winhex, frHed, or Hackman
valuable:
In Linux maybe something like xxd,
Heme, SHED, gHex, KHexEdit or
some other abstraction (Autopsy for
example has a hex view option).
85
�Hex Editor
You can use these hex tools at
varying granularityby file:
Viewing a FILE
NOTICE
the offset
starts at 0
86
�Hex Editor
How is this different?
Viewing a DISK
Contents
do not
start at 0
87
�Files
Many low level things can be
determined at the Hex level
Files always have particular
header information (this is different
then file-extensions like .doc or
.jpeg)
This is often called a file signature
or Magic numbers
88
�Files
When considering graphics files
; Windows Bitmap graphics BMP=0x00:"BM" ; Compressed
BM? File BM_=0x00:"SZDD"
; Graphics Interchange Format bitmap graphics
GIF=0x00:"GIF8"
; Graphics Interchange Format bitmap graphics (GIF 87a)
GIF87A=0x00:"GIF87a"
; Graphics Interchange Format bitmap graphics (GIF 89a)
GIF89A=0x00:"GIF89a"
; JPEG Bitmap graphics
JPE=0x00:0xFF,0xD8,0xFF,0xE0,0x00,0x10,"JFIF"
; JPEG Bitmap graphics
JPG=0x00:0xFF,0xD8,0xFF,0xE0,0x00,0x10,"JFIF"
JS=0x00:"/"
These are standard types, the information is widely
available, these particular lines came from drivespy.ini
89
�Files
This is the hex representation of a
jpg:
90
�Files
If files are simply stored in hidden areas,
like unallocated, slack, or interpartition
space, they will still have header
information
If files are enciphered some way (like
stereography) then there is no header
information
If files are encrypted / compressed, there
may not be header information about the
file, but there will typically be header
information about the encryption /
compress for decryption / decompression
purposes
91
�Files
In some cases you may find portions
or fragments of a file. If you suspect
that the fragment may be part of
what used to be JPEG for example
(because near where the header
should be you found FIF and you
know that jpeg headers contain
JFIF) you can attempt to recover
the file by editing the correct header
information back to the disk.
92
�Hashing
No. Not that kind.
�Hashing
One of the best ways to describe
hashing is to describe a hash as a
fingerprint [of an image].
Fingerprints uniquely identify a
much larger object (human) from a
much smaller object ( the
fingerprint)
94
�Hashing
similarly, a digital hash is a unique
representation of a larger object like
an image
This hash is a file that is completely
separate from the image that it is
fingerprinting and has a fixed length
like 128 or 160 bits.
A 1 MB file and a 1 GB files will both
produce hashes of the same length
95
�Hashing
The general idea is that a very
small (any) change in the source
file will result in a very large
change in the hash
The hashes we are referring to are
one-way hashes
96
�Hashing
There are many automated tools
that provide hashing components.
Most *nix distributions provide
hashing tools by default, for
windows youll have to download
software
97
�Hashing
The algorithm is independent of
OS the same hash is produced
from the same file on Linux and
Windows
98
�Hashing
The same software typically
provides the means to check to
see if the hash of a given file has
changed in this case a c
option
Add a single space to the email
99
�Hashing
MD5 128 bits
Sha1 160 bits
Sha256 256 bits
sha384, sha512
100
�Hashing
Use something like md5deep or sha1deep for
recursion:
101
�Side Rant: Hashing DLs
When downloading software a
hash is often provided along with
the download.
What purpose does this hash serve?
102
�MD5 hash collisions
Whats all this hoopla about?
Who has heard of this?
explain
103
�Hash Collisions
Hash Collision (n): a term in
computer programming for a
situation that occurs when two
distinct inputs into a hash function
produce identical outputs.
What does this mean to us
forensically?
http://en.wikipedia.org/wiki/Hash_collision
104
�Hash Collisions
Its all computation time relative
1) Create bad file
2) Gen MD5
3) Was is the MD5 I wanted? (no)
4) Mod bad file in some way
5) go to 2 (until done)
Turns out that if you can produce,
locate, etc two strings of the same
arbitrary length that happen to hash to
the same MD5, then you can do some
interesting things
105
�Hash Collisions
With getting too into it
Message Digest 5 uses MerkleDamgard construction rounds
Starting at 128 bits then adding
(processing?) in 512 more bits at a time
Unfortunately, at time+X for two
arbitrary files going through rounds if at
any given round in either file the
current hash matches, then arbitrary
data can be appended afterward.and
the resultant hashes will match
106
�Hash collisions
Tools like stripwire can actually
create 2 files that have the same
md5and very quickly
stripwire $VERSION: Conflation Attack Using Colliding MD5 Test
Vectors
Author:
Dan Kaminsky(dan\@doxpara.com)
Example: ./stripwire.pl -v -b test.pl -r fire.bin
Options: -b [file.pl]
: Build encrypted archives of this
perl code
-r [file.bin]
: Attempt to self-decrypt and
execute this file
-v
: Increase verbosity.
-a
: Rename
active payload
(fire.bin)
-i
: Rename inactive payload (
ice.bin)
107
�Hash Collisoins
What does this mean to us?
Actually very little!
Since we are creating two new files
with the same MD5 this doesnt even
effect Known Hash Set Lists, like KFF
or NIST / NSRL
This whole disscussion was on MD5,
but does/may apply to other hashing
algorithms
This can be mitigated by simply storing
dual hashes or in a weaker sense by
108
storing other metadata like filesize
�Difference between the 2
109
�Difference between the 2
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c
2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89
55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a
08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b
d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6
dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0
e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e
c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
110
�Bit Rot
Has anyone ever heard of Bit
Rot?
111
�Bit Rot
There is actually a lot of DA
backlash about hashing as part of
Chain of Custody
Over time, MTBF kicks in and a bit
mysteriously flips on an HD.
This one bit obliterates the hash
What are the legal repercussions to a
re-opened case?
112
�Resources
http://md5deep.sourceforge.net/
www.doxpara.org
En.wikipedia.org
113
�References
Casey, E. (2001). Digital Evidence and
Computer Crime. Academic Press.
Casey, E. (2002). Handbook of Computer
Crime Investigation: Forensic Tools and
Technology. Academic Press.
Kruse, W.G. III, & Heiser, J.G. (2002).
Computer Forensics : Incident Response
Essentials. Addison-Wesley.
Mandia, K., Prosise, C., & Pepe, M. ( 2003).
Incident Response: Investigating Computer
Crime. Osborne.
114
�References
Stephenson, P. (2001).
Investigating Computer-Related
Crime. CRC Press.
Center for Strategic & International
Studies (CSIS)
http://www.csis.org/pubs/cyberfor.h
tml
http://www.ascld-lab.org/
http://www.Dcci.gov
115
