Computer Hacking Forensics

CFHI Module 02 Part 1 Investigative Process from..

My name is Leo Dregier. Welcome to Cybrary IT. I’m going to be your local subject-matter expert. Today we’re going to look at modern forensics. Let’s take a closer look. Forensics has, basically, evolved time. Alright? In 1822 through about 1911 this is where we had our first study of fingerprints. And now we can all appreciate this today but it really goes back in to the 18th century. In 1887 through about the, uh, 1954 timeframe this is where we started looking at blood grouping. Um, at this point we could [inaudible 00:42] Type A, verses B, verses Type O, uh, blood types. We weren’t nearly getting in to DNA at least as we were today. In 1891 through about 1955 this is where we had the study of firearms pioneered by Goddard. You had 1858 through about 1946 this is where documentation-style evidence was pioneered by Osborn. You had 1847 through 1915 this is the criminal investigation process by Gross. You had 1932 the invention of the Federal Bureau of Investigations. Up until about 1984 computer analyses and response teams sort of became mainstream. 1993 we had the first international conference on cybercrime. Up until 1995 this is where we had the International Organization of Computer Evidence. 1998, getting close to modern times, this is where we had the first science symposium. 2000, most of the FBI regional offices were deployed. And 2015 welcome to Leo Dregier and Cybrary IT. So most attacks realistically still focus on external attacks and internal attacks. And that’s what we see up here. But the study of forensics as a whole was basically using any sort of physical sciences to basically find and prove the truth. And you have to keep your, your thoughts grounded in that concept because, ultimately, at the end of the day we’re just looking for scientific facts that prove the truth, okay? Now, since we are talking about evidence keep in mind that, ultimately, we want to preserve evidence to the point that we can do something with it. Most of the time that means actually getting it in to a courtroom, so we try to avoid contamination wherever possible. Uh, and you can chalk this up to manipulating evidence or any unauthorized change, modification, or alteration in the scope of the evidence as you’re trying to get it from the different parts of the process, ultimately in the court, okay? So the big picture processes here are is somebody’s got to identify evidence as evidence, okay? Once it’s identified as evidence then we have to preserve it, ah, to make sure that from the time it’s identified all the way through the lifecycle it, it has a, basically, a chain-of-custody. You cannot talk about anything forensics-oriented without the magic words of chain-of-custody because chain-of-custody dictates who, what, when, where, why, and how of the evidence throughout the complete lifecycle. The extraction of the evidence, in other words how do we take it from the crime scene, ultimately, in to a lab, analyze it, do some reports on it, and ultimately get it to court? Ah, the interpretation of that evidence, uh, by both prosecution and defense, the documentation of that evidence which is ultimately reporting to include things like chain-of-custody, and evidence preservation and things of the like, and then ultimately to the courtroom, okay? So if we take those steps, those big picture process steps, and kind of break them down in to a little bit more detail, basically a crime has happened. Well, just because a crime has happened doesn’t mean that anybody has identified it as a crime yet, okay? So this is where someone’s going to have to identify – hey, a crime scene has taken place. So I would chalk both Steps 1 and 2 here in to the identification process. Next, the preservation concepts, you may have to get a warrant or a subpoena or voluntary consent for the evidence. There’s going to have to be a First Responder that goes to the scene and actually evaluate the evidence. And, ultimately, we’re going to have to seize it. In other words, we’re going to have to take it, preserve it, so that we can take it back to our lab and actually analyze it. Um, and then I would go in to the third step here, extraction. This would be transporting it, actually making the bit-by-bit copies of the evidence – in this case digital evidence as opposed to DNA, or blood types, or something of the like, firearms. We’re going to have to prove that it has integrity, integrity. And this is where we use our message digest and our SHA algorithms to analyze hard drives, and file systems, and partitions to prove that there’s no unauthorized modification or alterations, ultimately chain-of-custody, and then the storage of it to where we actually get it to the point where we can review the evidence. Then we have to actually analyze it. This would be the interpretation. Report on it. This would be the documentation. And, ultimately, go to court where this is where we make our final presentation to a judge or jury, um, so that they can make the best determination possible, okay? So that’s really the big picture of what goes on in the modern forensics world, but a few other very, very important factors to keep in mind here, okay? Evidence needs to be whole, admissible, accurate, authentic, and acceptable. So let’s talk about each one of these just briefly. Whole – whole means complete. In other words, you have the whole smoking gun. You have the whole fingerprint. You have the whole hard drive. Not just working in parts of things because when you’re only working on a fraction of a piece of evidence, well, what about the other half of it that you don’t have? It’s really hard to prove or disprove something if you have missing pieces. Admissible – it has to be able to get in to a court. And this is where we look at is the evidence competent? In other words, proper evidence, um, collecting procedures. Um, is, is it relevant to the case? Does it prove or disprove something, okay? Is it accurate? In other words, is the evidence trustworthy? In other words, um, if you run a forensics tool against something is the results actually proving or disproving a fact relevant to the case? We like evidence to be authentic. Um, this is more of, uh, a easier concept than it really sounds. Authentic, just meaning true evidence, best evidence, original evidence, and, you know, as close to the smoking gun as we possibly can get, and ultimately acceptable. In other words, the judge or the jury’s going to accept it in, in a way that ultimately is going to prove or disprove a fact or finding, okay? So let’s look at how we can apply these basic concepts to all of the different types of, um, dare I say crimes that happen in the modern world today, okay? So, there’s all sorts of really, really big fancy names that we use today. Like, for example, clickjacking – hijacking clicks on the Internet so that when you think you’re clicking on Link X it really takes you to Webpage Y. Uh, it could be something as traditional or as simple as extortion. It could be investment fraud that you have to analyze, uh, something like software piracy or copyright piracy, uh, denial-of-service, auction frauds, email bomb, spam and hoaxes. You know, you would think that by the year 2015 we wouldn’t be uh, uh, pushing out 80% of all email still being, you know, spam-oriented, and so unauthorized solicitations and things like that. But the fact of the matter is, is, uh, email is still very, very popular of a tool. Um, you have identity theft which is another multi-billion dollar industry. You have viruses, and worms, and Trojans – more, a little bit more traditional computer security oriented. You have malware, a malicious software and you’re seeing these become ever so important, especially if you just look at the news. I’m not going to mention any names here but if you just look at the news and recent events and see that malicious software has been used to, basically, data mine credit card systems. And some of the largest companies that you would think would have their act together are actually having to go through the incident handling process and really just, just cover themselves dramatically because even the best of us are still vulnerable. Cyberstalking or cyberbullying. Alright? Financial fraud, child pornography, embezzlement, and countless, and countless, and countless more examples of, uh, new terms and names – like phishing which is really just throwing the net out there and seeing what you get. Or pharming which is once you throw that phishing net out there, somebody’s got to collect that information. Or whaling – going after like the CEO or big per, big person of a company. Uh, or spear phishing – very, very targeted, uh, phishing attacks. Alright? So there’s no shortage of types of crimes that we have to investigate these, these days. Ultimately, to – insert any of the specifics here – in to a generic process, a lifecycle of sorts, and ultimately identify the evidence, preserve it, extract it, um, analyze it, document it, and present it in court, okay? So, one of the things that I encourage you to do is actually do some hands-on here. This is mostly going to be research oriented, okay? There are plenty computer security institute – or FBI-type studies that are out there in the worlds of forensics. Um, just like business professionals read the Wall Street Journal, you should actually be looking at these, these cybercrime studies or these forensic studies, so the FBI has some resources for you. Or simply go to cybercrime.gov. Alright? This is very easy to do. Uh, be familiar with the, these websites that are driven by their government entities or private sector entities that are leading the industry. Some of those are going to be a little more proprietary like EnCase, and then you have the other end of the spectrum like FTK. These can be a wealth of information so don’t discount those at all. Alright? And let Google be your friend. So, this is realistically what goes on in the world of modern forensics these days. Um, I encourage you to get involved. But let’s go ahead and move on to the next sections and then we can start dissecting this, uh, down a little bit more. But right now all we’ve done at this point is just highlight, realistically, what goes on in modern forensics today. Thank you for watching. My name is Leo Dregier. And thank you for looking at Cybrary IT.