Algumas Dicas de Procedimentos Para Apresentar e Analisar Uma Evidência Digital Durante Um Processo Legal

Opa, e aí?

Tudo Bem?
Eu recebi um email com algumas dicas de como apresentar e analisar uma evidência digital diante de uma corte jurídica e de um processo legal.

Imaginem que estamos analisando uma evidência digital (e.g. uma imagem forense de um HD) e que o caso será apresentado para um juizado qualquer. A outra parte (consultoria jurídica da outra parte) pode duvidar do seu processo de aquisição da imagem forense.
Então essas dicas a seguir serve para mostrar como fazer a aquisição de uma imagem forense, minimizando os riscos de questionamento da outra parte.

Essas dicas são do Nick Klein:
Some tips from my experience:

- I’m not aware of any cases of a court mandating a forensic tool (interested to hear if anyone can quote a case). In fact, I’ve worked on cases where ‘experts’  have misinterpreted evidence they acquired using “court validated” forensic tools. As the old saying goes - just because you’re holding a scalpel, doesn’t make you a surgeon. Don’t be fooled by people who tell you evidence is by default inadmissible if you don’t use a particular tool or process.

- However you DO want your evidence to be strong in terms of integrity and authenticity. Document every step you take while acquiring. Take photographs. Use well established industry processes.

- Some excellent (free) tools include:

  -- Linux boot distros like Paladin / DEFT which don’t mount internal drives by default (therefore no changes to them) and have easy to use imaging tools.

  -- You could also make Windows read-only for USB devices by making a Registry change, then use a tool like FTK Imager. Note these only stop writes through the Windows API, but that should be sufficient unless you have programs that access the device raw. 

- To ensure you have the most amount of data for analysis, use a tool and process that captures the entire data area of the drive, not just live files. Tools like Ghost refer to “images” but they’re NOT the same as a full forensic image that include every sector of the original physical medium (which I assume you want).

- In my experience (in Australia) if the court accepts your evidence is what you represent (because you’ve followed these steps) the onus of proof falls to the other side to disprove its authenticity. I’ve never had a case where the other side has successfully won such an argument.

- If the other side are attacking your credibility or your process, then your evidence is probably strong.



Essas outras dicas são de uma pessoa chamada VSuen:
Your Question:
  • Are there free or open source tools that you can use in place of a hardware write blocker that is admissible in court?
Answer:
  • Yes. But your reference to the term "admissible in court" is a bit vague. See Nick's comment.
    • Don't let EnCase tell you they are the only court-verified tool. That's marketing FUD.
      • I like and use their product, but I don't like sales people that much. They make a good product, but there are a lot of good products out there.
    • You should be more concerned about your processes, documentation, and validation activities than the specific court-approved tool since there is no such thing.
      • Consider the possibility that what you write can be discoverable.

Examples:
For the following examples, I encourage you to test the process out with some other media BEFORE you attach your real evidence. Practice makes perfect-ish.
  • MS Windows:
    • There is a simple registry tweak that you can make to prevent writing to USB devices. Search for "Software USB Write Block" and you should have at least two results. One is Irongeek's Thumbscrew and another is DSI's USB Write Blocker
      • Both software and manual registry change work the same way.  It changes one registry value. I believe this functional from Windows XP and up. You will want to double check that.
      • Manual Registry Change: http://www.ghacks.net/2011/03/18/how-to-enable-write-protection-of-usb-devices-under-windows/
        • I don't recommend this method for those new to forensics. It is very easy to forget what write/read state you're in. If you go the software route, I encourage you to use an application that reflects the write state you are in.
    • I have used an IDE/SATA to USB adapter that you can purchase from Amazon for about $25
    • Once you have this properly working, you can use FTK Imager or EnCase Imager (or any imager) to create a forensic image.
      • I personally prefer a commonly used forensic file format like EWF, RAW, or AD1 over disk duplication because the impact of "accidentally" plugging in the drive to a read/write situation is significantly lower. A disk duplication scenario can result in you "altering" files.
    • If you already have EnCase Forensic Edition, I believe they have a Softblock feature that allows you to prevent writes to devices AFTER the feature has been enabled. It has been a while since I've used it. Consult with Guidance Software for confirmation.
  • Linux - Forensic Distributions Only:
    • You want to ask: Is the distribution specifically built for forensics or information security?
      • Some consumer distributions of Linux (such as consumer Ubuntu) will automatically mount file systems read/write (r/w) to be consumer friendly. You don't want that because there is a chance that something will write to the drive.
      • Forensics-oriented distributions such as CAINE, Kali, Paladin, SANS SIFT, etc. will recognize your drive is attached but typically will not automatically mount the device or its file systems.  This is good.
        • Distrowatch is a good place to start if you want to go this route. The link I embed drops you straight to the search feature with the "Forensics" category highlighted.
        • This method, effectively, is your "free open source write blocker"
        • Here are some commands to get comfortable with:
          • man [command] - manual for the binary you are executing
          • sudo - run the next command with elevated credentials (admin-level)
          • fdisk - this will show you what devices the OS has detected as attached to your computer
          • mount - this is the command you will run to mount the drive
            • Warning. This is the one you really want to be careful with.
              • Consider looking at these options via the man page:
                • -o ro (or -r): mount device as read only
          • umount - unmount device
          • without knowing what you are doing, you'll probably run these commands in this order:
            • sudo fdisk -l
              • Show me all the devices I've attached
              • This will give you the "/dev/sda#" I mention below.
              • Don't see anything? You probably didn't "sudo"
            • sudo mount -l
              • Show me what devices are mounted, if they are ro/rw, where are they mounted, etc.
            • sudo mount -o rw /dev/sda1 /media/sda1
              • Human: Mount in read only mode partition 1 on device "sda" to logical location/mount point /media/sda1
              • Complaints: You might get some errors regarding file system type. You will have to research that.
            • sudo mount -l
              • Show me the devices again AND confirm that the device you mounted is "ro"
        • "Easy" way?
          • Mount your target media as rw via command line or similar
          • Use Guymager, AIR, or whatever the forensic acquisition tool of choice is
          • Attach your original evidence; do not mount
          • Point Guymager (or similar) to the row that reflects that new device, right click, acquire to target media
            • Add notes appropriate for the image file format you use
              • I like evidence ID, custodian name, source metadata like make|model|SN, date of acquisition, forensics collection person responsible for the image, etc.
  • Mac OS X:
    • I don't really play in this area. Someone else might have a better suggestion. I won't validate these suggestions. I won't testify to the effectiveness either.
    • Not free, but have you looked at BlackBag Technologies' Softblock?
    • Command line use of diskutil?
      • Do not do this one:
        • One method you will see if Google for it is the use of diskutil to identify your UUID then alter your fstab file to always force the device to "rw". However, that's ridiculous because you will have already attached your device at that point and OS X would have had already attempted to mount the partition. At that point you have already placed your evidence at risk.
      • This *might* work:
      • Probably the better solution if you know what you are doing:

Basic Logic of Software-based Write Blockers:
  • Write blocking is only enabled for all devices attached _AFTER_ you have enabled the write blocking feature.
    • This suggests that all devices attached _BEFORE_ you enabled the write blocking feature will continue to be writable.
    • In theory, this also suggests that all devices attached _AFTER_ write blocking is disabled, all devices attached BUT NOT REMOVED prior to disabling software write blocking will continue to be not writable.
      • I wouldn't trust it. Just play it safe and attach all your "write to" media _BEFORE_ you perform a software write block and attach your "original evidence" media.


To expand a bit on Chris' comments...

Somethings you might want to do right away:
  • Evidence Control:
    • Did you create a chain of custody document and associate it with this piece of physical evidence?
      • If not, I highly suggest you properly document the life cycle of the media you received from the time you received it. You can easily search on the SANS reading room for a simple Chain of Custody form. Not having basic evidence history makes it challenging to defend that you have had positive control over the media at all times.
    • Where do you store this evidence when you are not using it?
      • Ideally you have a secure storage location that only you have access to.  A locked desk drawer is a starting point, but we can venture into multiple layers of significantly better storage controls. Start with what you can afford because it sounds like you are running on a budget. There's no shame in that.  Ideally, like any evidence management solution, you should clearly label the device and associate it with your evidence. You don't want to accidentally misplace it in your secure storage location and accidentally associate it with another case.
    • When you use the Evidence (for imaging or for investigation), what is your procedure?
      • Ideally you are checking out the evidence from your really great Evidence Management System.  If you are not so blessed, consider using the Chain of Custody form to indicate when you have moved it from storage to your work space for doing a task. It can be overkill, but you want to do this right. I've seen people do this on Excel too.
      • When you are manipulating the evidence, do you do this from a clean workstation and in a secure area that only you have access to?
        • Opposing counsel's view can include: "How do I know you this evidence wasn't tampered with if you aren't the only one who has physical access to this media?"
  • Forensic Preservation Procedures:
    • Do you have at least a Primary and Secondary Forensic copy of the evidence?
      • I'm jumping the gun on your question here obviously. However, if you decide to duplicate the media, I encourage you to make at least two copies.  One you keep as your "working" copy and another as your "backup" copy in the event something frustratingly happens to the working copy.  It happens all the time. Trust me. You want at least two copies.
        • If you are creating a copy for opposing counsel, make a copy but don't give away your two copies. Asking opposing counsel for a copy _after_ you damaged your only copy looks bad and can impact the timeliness of your response to discovery.
    • When you create your forensic copies, did you document other appropriate metadata?
      • You can probably google for a basic Computer Evidence Acquisition form.  You want to capture several things that you probably don't need immediately but can assist with the individual who will be performing your forensic investigation.  This isn't exhaustive, but I want to give you ideas of what would help:
        • Original Asset Information:
          • State of Asset
            • On, Logged in, Logged in & locked, Off, Other (BSOD, Frozen, etc.)
          • Make, model, and serial number of original asset; Make, model, serial number, and sectors of media.
            • Where did this hard drive come from? How do we know you didn't just grab the hard drive out of someone else's computer?
            • It helps to have a digital photo with a date/time stamp too. I typically do this with the evidence ID I assign it written on a post-it note along with the primary custodian name. This way if I'm hitting multiple computers with multiple people I can easily flip through pictures to find relevant items.
          • Who is/was the custodian associated with the original asset?
            • Location of the asset, the username(s), the given name of the user(s), etc.
          • BIOS/EFI Date/Time vs. Real Date/Time
            • If you're not working in the same time zone as you collected the evidence then this will really mess with your timelining process.
          • Notes?
            • What else does your form not include but should be documented?
            • Items that I commonly see: Company Asset Tag #, asset damage information, location of asset at time of preservation, symptoms reflecting physical media failure.
    • Did you mess up? Maybe you did. Don't freak out.
      • This is where your meticulous documentation skills kick into high gear. What did you do? What was the expected result? What actually happened? What time did this occur? What files were potentially altered?
      • Know when you are in over your head. If this is important, hire someone who knows a little bit more than you and won't put your case in jeopardy.
    • SUPER IMPORTANT: Do you know what you are doing? Can you explain why you chose to do X instead of Y to a jury?
      • Can you testify to the actions that you performed were best practice and did not impact the evidence?
        • If so, great.
        • If not, consider getting a professional forensics expert or have a forensics firm on retainer or MSA.
          • For forensic imaging services, you can typically see:
            • Billing method 1: time and materials
            • Billing method 2: fixed fee
            • Billing method 3: fixed fee and materials.
          • Rates and quality of work product vary by region. I'm sure those on this list can give you recommendations.
  • Forensic Analysis:
    • If you don't know what you are seeing, consider the possibility that you might be over your head in this phase.  Highly consider the need to employ a professional that can and has testified in court for digital forensics. Ideally, someone who has testified in a case similar to yours.
    • Consider the possibility that what you are seeing can be interpreted in more than one way.
      • Remove unfounded opinion from any statements you choose to document.
      • State only the facts that you can observe.
    • Note: Forensic Expert bill rates can be different from a Forensic Preservation bill rate.

There's a lot more. I see that Nick has responded too.  He knows his stuff.

Good luck and thanks for letting me stand on this soapbox.
V.

Eu recebi todas essas informações por email e resolvi colocá-las aqui.
São dicas muito boas.

Bom, é isso, galera
Um Abração!

Parsing da MFT

Opa, e aí galera.

Tudo bem?
Neste post falamos sobre como extrair a MFT de uma imagem forense. Hoje, nós vamos mostrar algumas ferramentas para fazer o parsing da mft extraída, e assim, poder analisá-la.

Vamos falar de 2 ferramentas para fazer o parsing da MFT: log2timeline e analyzemft.py. Existem outras ferramentas, mas vamos falar sobre essas 2. Se vocês quiserem ver outras ferramentas, podem acessar este link aqui.

1) Log2timeline
Esta ferramenta foi criada por Kristinn Gudjónsson como paper final para a certificação GCFA Gold. Ele criou esta ferramenta com o intuito de se criar uma super timeline do sistema a ser investigado. Isto traria uma melhor compreensão e uma visão holística dos eventos de um sistema a ser investigado. Super timeline significa ter um timeline de várias fontes de informação e artefatos do sistema operacional (e.g. histórico do I.E., timeline de informações do squid, apache, IIS, prefetch, evt, setupapi.log, userassist, etc); ou seja, podemos juntar todos os timelines de todos esses artefatos em um grande arquivo, e, assim, teremos um melhor contexto necessário para ter uma melhor visão do que realmente aconteceu no sistema comprometido.
O log2timeline funciona usando módulos. Cada módulo trabalha em cima de um tipo de artefato. Por exemplo, o módulo prefetch vai trabalhar em cima de artefatos do prefetch, o módulo IIS vai trabalhar em cima de artefatos do IIS, o módulo squid vai trabalhar em cima de artefatos do squid, o módulo mft vai trabalhar em cima de artefatos da MFT, e assim por diante.

"Versão 0.x do log2timeline tem sido extremamente útil, mas foi escrito em Perl e tem limitações de desempenho. Está em curso um grande esforço para reescrevê-la em Python, chamada Plaso. Alguns lançamentos alfa desta ferramenta forma liberados." (tradução livre, fonte: aqui).

Se você quiser instalar o plaso, pode seguir as instruções desta página. Mas, se você estiver tendo algum tipo de problema na instalação, pode seguir as instruções desta página.
Aqui neste post, nós não vamos falar do plaso; nós vamos falar do log2timeline mesmo. E vamos focar na análise da MFT. Se alguém quiser ver algum outro uso do log2timeline, você pode entrar aqui, aqui e aqui.

Podemos usar o log2timeline em um arquivo de imagem forense ou podemos montar a imagem forense e depois usar o log2timeline.
Para usar o log2timeline em um arquivo de imagem forense é bem simples. Nosso arquivo de imagem forense aqui se chama image.001. Eu vou ter como parâmetros o -f que indica qual módulo eu vou trabalhar. Neste caso, como eu vou analisar a mft, então eu vou usar o módulo para se trabalhar com a mft; este módulo, por curiosidade, se chama mft :). Por último, eu vou usar o parâmetro -w que vai me indicar qual será o outuput de escrita, ou seja, o parâmetro -w me indica qual arquivo ele vai armazenar o resultado depois de realizar o parsing. No nosso caso, a ferramenta log2timeline vai armazenar o resultado no arquivo timeline.csv. Assim, eu posso abrir o calc e analisar o resultado em uma planilha.

Se eu quiser, eu posso usar o parâmetro -z local. Assim, o timezone que ele vai analisar não será o UTC, e sim o timezone usado na máquina invadida (máquina esta à qual o log de eventos pertence), o que facilita a interpretação e contextualização dos acontecimentos.

A figura a seguir mostra o resultado do log2timeline. Como o resultado foi um arquivo do tipo .csv, eu abri o arquivo no calc.


2) Analyzemft.py
Outra ferramenta para analisar a MFT é um script em python, o analyzemft. O link para baixar a ferramenta é este aqui. Esta ferramenta é bem simples de trabalhar.
Vale lembrar que ela já vem instalada na SIFT.

O comando funciona assim: python analyzeMFT.py -f [mft extraída] -o [arquivo onde os resultados serão armazenados]
No meu exemplo a mft etraída se chama mft.raw e eu vou escrever os resultados no arquivo mftanalyzed.csv.
Portanto, a linha de comando fica assim: python analyzeMFT.py -f mft.raw -o mftanalyzed.csv
Essa é a linha de comando normal. Só que no meu caso, eu estou usando a SIFT 3.0, vai dar um erro:

Esse erro aconteceu porque eu preciso passar o caminho completo do script analyzemft. Então, a linha de comando correta é: python /usr/bin/analyzeMFT.py -f mft.raw -o mftanalyzed.csv.
Pronto, agora vai tudo normal como mostra a imagem a seguir:

O arquivo de output é do tipo .csv. Isso significa que podemos abrir e analisar o arquivo em um software de planilha, por exemplo, o calc ou o excel.
Quando abrirmos o arquivo no calc, vai aparecer a seguinte tela:

Esta tela mostra como o calc vai interpretar as informações. Nós vamos falar para o calc separar os dados através da vírgula. Assim, cada coluna (campo) será um tipo de dado.
Os campos são:

  • Record Number: MFT Entry
  • Good: se a entrada é válida
  • Active: se a entrada é ativa
  • Record type: mostra o tipo de registro
  • Sequence Number: o número de sequência do registro
  • Parent file record number
  • Parent file record sequence number: número de sequência de registro de arquivo pai
  • Filename: nome do arquivo/diretório
  • Algumas informações do Atributo Standard Information: mactimes referentes ao atributo Standard Information
  • Algumas informações do Atributo File_Name: mactimes referentes ao atributo File_Name
  • Object ID
  • Birth Volume ID
  • Birth Object ID
  • Birth Domain ID
  • e outros;
Podemos usar as teclas CTRL+F para procurar por um arquivo.
Na imagem a seguir, eu procurei pelo arquivo "satriani". Ele me encontrou o arquivo "satriani.jpg", cujo record number (MFT record) é 45931; assim, eu posso usar o icat para extrair o conteúdo referente a esta entrada MFT, ou qualquer outra entrada que eu queira.


Bom, é isso galera.
Mostramos um pouquinho sobre as 2 ferramentas. É claro que elas fazem muito mais do que isso, eu só quis "dar um empurrão". :)
Um abraço!






Referências Bibliográficas: