Dr. Sheau-Dong Lang (郎小棟)


Digital Forensics: Overview and its Relationship to Cybersecurity
Dr. Sheau-Dong Lang (郎小棟)
Visiting Professor (Sept. 16 – Oct. 26, 2016), Department of Information Management, Chang Gung University
lang@cs.ucf.edu

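Self-Introduction and Opening Remarks
- Sheau-Dong Lang (郎小棟)
- Bachelor's degree in Mathematics, National Taiwan University
- Master's degree in Computer Science and Ph.D. in Mathematics, Pennsylvania State University (Penn State), USA
- Associate Professor (retired), Department of Computer Science, University of Central Florida (UCF), USA; coordinator of the Master's degree in Digital Forensics (2008-2015)
- Volunteer with the DFU (Digital Forensics Unit) of the Orange County Sheriff's Office, Orlando, USA (2006 to present)
- Associate member, International Association of Computer Investigative Specialists (IACIS)
- IACIS CFCE (Certified Forensic Computer Examiner) digital forensics certification (2011 to present)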

Outline
- Introduction and opening remarks
- What is Digital Forensics
- Roles of digital device in investigations
- The process of handling digital evidence
- Applications of digital forensics
- Features of digital forensics tools
- Technical, legal, and ethical issues
- Typical digital forensic examination tasks
- Cyber forensics
- Tool demonstrations: FTK, TSK/Autopsy
- Education, training, certification
- Case studies
- Conclusion and Q&A

What is Digital Forensics
- Computer forensics is largely a response to a demand for service from the law enforcement community *
- The term "Computer Forensics" was coined in 1991 in the first training session held by the International Association of Computer Investigative Specialists (IACIS, http://www.iacis.com) in Portland, Oregon **
(*) Noblett, Pollitt, and Presley, Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, Volume 2, Number 4, US Department of Justice, October 2000
(**) Marcella and Greenfield, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition, Chapter 17, Auerbach Publishers, 2002

What is Digital Forensics (2)
- Computer forensics is "application of science and engineering to the legal problem of digital evidence" *
- Digital Evidence: Information of probative value that is stored or transmitted in binary form **
- Formation of the new Digital and Multimedia Sciences Section of the American Academy of Forensic Sciences, February 20, 2008
(*) Sammes and Jenkinson, Forensic Computing, Springer-Verlag, 2000
(**) Scientific Working Group on Digital Evidence publication https://www.swgde.org/pdf/Archived%20Documents/69b40005-6645-3561-9bbc-818f37959520.pdf

Digital Device in Criminal or Civil Investigations
- As the instrument for committing a crime: a hacker or a malware writer using computers in illegal activities
- As the target: a compromised system, data stolen or deleted
- As a container or storage for (or incidental to) a crime: e.g., a cell phone has pictures of a stolen car, text messages with a suspect, phone numbers of recent calls
Note: Sometimes combinations of digital evidence types are found during examination, e.g., a hacker's computer hard drive contains hacking tools (the instrument) and stolen credit card numbers and related card identification data (the storage). Also, digital evidence may lead to other information that aids investigation, e.g., the 2005 BTK serial killer case in the US, (1), (2).

The Process of Handling Digital Evidence
Crime Scene
(1) Preservation
(2) Identification
(3) Extraction
(4) Examination
(5) Reporting/Interpretation
Courtroom

處理數位證據的程序2 Preservation (保存): acquiring evidence without tampering, chain of custody (監管鏈), transport and storage, collecting data within legal constraints (e.g., according to a search warrant 搜索令) Identification (識別): labeling each item of evidence, bagging and tagging, identifying with case number, descriptions, date/time of collection, signatures of handlers

Search Warrant
A sample search warrant application and affidavit, and search warrant:
The language of a search warrant includes:
- evidence of crime exists
- applicable crime statutes
- location and direction to the property to be searched
- identity and qualification of the applicant
- the affidavit for probable cause
- descriptions of items to be seized and searched
A search warrant application must be approved by a judge.

Chain of Custody
Sample Property Form (front side): The form has 7-page carbon copies, one for each of the following destinations:
- Evidence section
- Records
- Forensic & identification
- State attorney
- Investigation
- Person in possession
- Officer's copy

Chain of Custody
Property Form (back side): Received By; List Article # and Pkgs; Reason; Date & Time Received

Identification
Search warrant site inventory worksheet: Date/time, location, agency, investigator, status of the computer when seized, peripherals, cables, relevant notes, software or manuals

Identification
PC Internal Parts Inventory Sheet: Date; case #; computer description; S/N; CMOS time and actual time; submission and receiver names; internal drive info (make, model, S/N, size); computer slot info

處理數位證據的程序3 Extraction/examination (抽取/檢查): authenticating evidence using hashes (MD5, SHA-1), using tools and established procedures for data analysis, keyword searches (關鍵字搜索), using hex and graphics viewer, media player, establishing timeline of events, corroborating evidence, attempting to answer the 5W1H questions of who-what-when-where-why-how (何人, 何事,何時,何地,為何,如何)

Forensic Disk Imaging
- Use tools (such as AccessData's FTK Imager) to make a bit-stream duplicate of the hard disk, verify matching hashes, then save the acquired image file(s) to a "server" or "forensic station" before examination
- Use of a "write blocker" between the suspect's hard disk and the examiner's forensic computer to prevent any modifications (write operations) to the subject's disk

[Figure: Tableau Forensic Bridge; labels: Subject Drive, Write Blocker]

[Figure: Tableau TD3 Touch Screen Forensic Imager, imaging to a local hard drive]

處理數位證據的程序4 Reporting/documentation (報告/記載): actions taken during investigation, the findings, composing forensic reports Interpretation (解釋): testifying and presenting in the court; as an examiner or as expert by rendering opinions, see news articles on a 2006 computer sabotage trial, and 2011 Casey Anthony trial’s Wiki page and PBS page

Sample Forensic Examination Report
Main sections:
- seizure and processing notes
- notable files such as text, html, graphics files, Registry for Windows system
- file system and physical structure of the hard drive
- OS version and registration information
- time zone settings
- user profiles

Applications of Digital Forensics
- Host-based forensics deals with personal or desktop devices, small enough to be taken down and imaged for analysis
- Network forensics deals with servers, company databases, network devices such as routers, firewalls, intrusion detection
- Enterprise system forensics
- Cloud forensics
- Mobile device forensics
- Embedded system forensics: An embedded system is a computer system that controls operation of a special purpose machine or device, such as automobile engine, brake, navigator, SCADA/ICS device, GPS, smart meter, CCTV camera recorder, washing machine, smart watch, activity tracker, etc.

Features of Digital Forensics Tools
Features provided by forensics tools to aid in forensic examination:
- Recognize disk partitions and common file systems (Windows FAT and NTFS, Linux ext2, ext3, and ext4, Mac HFS+, Unix UFS)
- Recover previously deleted files and folders
- Carve/recover graphics and other files of known signatures from unallocated disk clusters
- Search strings using regular expressions
- Review Registry files (on Microsoft Windows systems)
- Recover user passwords
- Recover emails and instant messages (IMs)
- Recover Internet search records, temporary Internet files, cookies
- Provide timelines of file access activities based on date/time stamps
- Identify known files based on hash sets
- Identify artifacts specific to the operating system on disk
- Live system forensics and incident response (e.g., RAM capture)
- etc.

Technical, Legal, and Ethical Issues
- Technical (the can-we issue): are there tools to extract the necessary evidence, does the investigator have the expertise
- Legal (the may-we issue): is there violation of the 4th amendment of the US Constitution which guards against unreasonable search and seizure; other laws such as the Computer Fraud and Abuse Act (CFAA) of the US
- Ethical (the should-we issue): ethical concerns relating to the use of computer forensics
- Code of Ethics posted at the IACIS website for its members http://www.iacis.com/membership/overview (examinations that are objective, thorough, and reasonable; no concealing of evidence; no exaggeration of qualifications), and ISFCE's Code of Ethics and Professional Responsibility at http://www.isfce.com/ethics2.htm

Typical Examination Tasks: Data Analysis
- Forensic examiners typically are given some background information from the investigator (or case agent, or attorney), things like names, addresses, time window, types of files (spreadsheets, pictures, movies), and installed applications, that will aid the examination phase.
- Examiners typically use integrated computer forensics tools to recover deleted files/folders, carve data based on known file signatures, perform keyword searches based on provided keywords or phrases, perform hash analysis to identify known files, and extract system configuration information (OS install date, user accounts, time zone settings, disk partitions, etc.)
- Experienced examiners know where (files, folders, Windows registry, unallocated clusters) to look for relevant evidence, how to use forensic tools efficiently and effectively to extract the evidence, how to corroborate the evidence, and how to write the examination report and present the findings at deposition or testimony in court

Typical Examination Tasks: Emails, IMs
- Find email artifacts in client-based email (e.g., Outlook's PST files, Outlook Express DBX files) and web-based email (Yahoo, Hotmail, Gmail)
- Use FTK, EnCase, X-Ways, or other commercial tools to reconstruct emails and instant messages (IMs)
- Apply string searches (grep) to filter relevant emails and instant messages (IMs)
- Track email origins (reading email header information)

Typical Examination Tasks: Web-Browsing Activities
- Internet Explorer (IE) and other browsers use history, cookies, and temporary Internet files (i.e., Internet cache) to save web activities
- Use FTK, EnCase, X-Ways, or similar digital forensic tools to extract browser activity evidence
- Use commercial tools Netanalysis, Cacheback, or Magnet's IEF (Internet Evidence Finder) to extract Internet cache, history, cookies, even in unallocated clusters

Typical Examination Tasks: Windows Registry Files
- Identify installed applications (date/time, configurations, deleted applications)
- Identify installed malicious code (on compromised systems with virus, rootkit, spyware programs)
- Identify "most recently used" documents to understand recent activities on a computer
- Identify USB devices connected to the computer
- Identify wireless connections and much more …
- Use FTK's Registry Viewer to view Registry files

Cyber Forensics
Cyber Security: The Big Umbrella
- Information Assurance
- Malware Detection
- Incident Response
- Intrusion Detection
- Software Vulnerability Analysis
- Penetration Testing
- Secure Programming
- Wireless Security
- Digital Forensics
- Mobile Device Forensics
- Cyber Warfare

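Cyber Forensics
Common cyber security concerns:
- Social network protection
- Password management
- Virus and spyware protection
- Blocking malicious web pages
- Blocking hacker intrusions
- Instant messaging protection
- Spam and scam email protection
- Preventing personal information leaks
- Parental controls
Digital evidence must be handled and examined by digital forensics personnel and tools.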

Digital Forensics Tools: AccessData's FTK (v5)
Explorer view: all descendants of the selected folder are in the listing.
[Figure: The Explorer View of FTK's GUI]

Digital Forensics Tools: AccessData's FTK (v5)
Select Email Tree > Text Internet Email and highlight an individual message in the upper-right pane; FTK presents the message in human-readable format in the lower-left pane.

Digital Forensics Tools: AccessData's FTK (v5)
Select the Graphics tab, select a folder in the Explorer Tree pane, then select any graphic file in the File List pane; FTK presents thumbnails of all graphic images in the Thumbnails pane (top), and the picture of the selected graphic file in the File Content pane (middle-right pane).

Digital Forensics Tools: AccessData's FTK (v5)
Select the Internet/Chat tab > IE Cache Entries and highlight an individual entry in the File List pane; FTK presents the selected cache entry in the File Content pane.

Digital Forensics Tools: AccessData's FTK (v5)
Select the Index Search tab and enter a term (keyword) into the Terms box; search results in the upper-right pane can be expanded (drilled down) to individual search hits and saved as bookmarks.

Digital Forensics Tools: AccessData's FTK (v5)
Select File > Report; for each of the bookmark categories, highlight and check the boxes for "Include email attachment", "Export files …", "Include thumbnail …" to include them in the report.

Digital Forensics Tools: TSK/Autopsy (v. 3.0)
[Figure: TSK/Autopsy's Interface for File Analysis]

Education, Training, Certification
- Many institutions offer courses, certificates, and degrees, at undergraduate or graduate levels, in digital forensics; see link http://www.forensicfocus.com/computer-forensics-education-directory
- Vendors such as GuidanceSoftware, AccessData, X-Ways, Cellebrite offer training
- Professional certification by vendors or organizations: ACE by AccessData, EnCE by GuidanceSoftware, GCFA by SANS, CFCE by IACIS, DFCB by NCFS, CCE by ISFCE, CCFP by (ISC)2, etc.
- Striving for excellence using the KSA model (knowledge, skills, abilities)

UCF's Master of Science in Digital Forensics (2008 to present, http://msdf.ucf.edu/)
A multi-disciplinary program and collaborative effort between:
- Computer Science
- Forensic Science of Chemistry
- Criminal Justice
- Legal Studies
- National Center for Forensic Science: a State of Florida Type II Center and a member of the National Institute of Justice Forensic Resource Network of the Department of Justice

Course Requirements and Flowchart
A total of 30 credit hours:
- Four required classes (shown in double box)
- Two electives in computing
- One elective in criminal justice or e-discovery
- One legal class
- A thesis (6 hours); or additional two electives for the non-thesis option
Elective courses from Criminal Justice are not listed in the chart
CHS 5596 Forensic Expert in Courtroom, offered in spring semester of even-number years
(*) Computer programming skills expected
(**) Offered in both fall and spring semesters

CFCE Certification (Certified Forensic Computer Examiner)
Offered by IACIS
Certified Forensic Computer Examiner Core Competences *
There are seven (7) competency areas addressed in the CFCE Program:
- Pre-Examination Procedures and Legal Issues
- Computer Fundamentals
- Partitioning Schemes
- Windows File Systems
- Data Recovery
- Windows Artifacts
- Presentation of Findings
(*) Overview of the Certified Forensic Computer Examiner Program http://www.iacis.com/certifications/cfce

CFCE Certification (Certified Forensic Computer Examiner)
The CFCE certification program consists of a two-stage process:
- Peer Review
  - Four (4) practical problems
  - 30 days to complete each problem
  - Assigned a coach to guide you through the problems' learning points
- Certification Testing
  - Hard drive practical problem: 40 days to complete
  - Knowledge-based objective test: 14 days to complete
  - Must score at least 80% to pass
CFCE must be re-certified every three years

Digital Forensics Career Opportunities
- Computer Forensic Examiner: Conduct examination and analysis of computers and digital media to develop evidence
- Incident Response Examiner: Investigate network intrusions and other cyber security breaches
- Forensic Examiner (eDiscovery): Conduct computer forensic investigations and electronic discovery requests for legal and corporate clients
- Malware Analyst / Reverse Engineering Specialist: Conduct malicious code forensic analysis

Case Studies
Evidence found in a bank robbery suspect's cellphone:

案例研討 2 An SSH password guessing attack (SSH密碼猜測攻擊): A user’s account was broken on a Linux box that allowed SSH (remote login) connections, presumably compromised by a brute-force password guessing attack (Linux電腦上的個人賬戶被駭) The attacker ran scripts to attack other systems (port scanning, password guessing, etc.) and changed the user’s password, before the attacked systems notified the university’s Network Operation Center (駭客用“黑客腳本”去攻擊別的系統) Attack scripts, logs, user’s history file were recovered from the compromised user account on the Linux box (鑑識員復原黑客腳本,紀錄文件,帳戶的歷史,駭客工具) After the incident, the SSH connection is placed behind the university-wide firewall (事件發生後,SSH伺服器被放在學校的防火牆後面)

SSH Password Guessing Attack, cont'd

Part of the history file:

    …
    w
    ps x
    cd htp
    chmod +x *
    nohup ./mass 72 & >> /dev/null
    passwd
    exit

Suspicious files and folders:

An attack script "a":

    #!/bin/bash
    (skipped...)
    sleep 1
    ././pscan2 $1 22
    echo "[+] Alright.. bruteforcing..."
    ./Xploit 200
    echo "[+] Sleeping 10 secs"
    sleep 10

Two malicious executable files:

    File name: "htp/pscan2"   Malware name: "HackTool.Linux.Small.af"
    File name: "htp/Xploit"   Malware name: "HackTool.Linux.BF.e"

A password dictionary "pass.txt":

    root ubuntu
    root 123456
    root 123123
    root q1w2e3r4
    root qwertyu
    root qwerty
    root 1qazxsw2
    root testing
    root changeme
    root 159357
    root 1234
    root 121212
    (skipped...)
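How an examiner or defender might spot this kind of incident in the SSH server's own log, as an added example that is not part of the original slides or the case file: it flags source addresses with a burst of failed password attempts and reports any accepted login that follows from the same address. The log lines, host name, addresses, user names, the threshold of 5 failures per 60 seconds, and the year are all constructed assumptions; the line layout is the usual syslog format written by OpenSSH's sshd.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, hypothetical users).
SAMPLE_LOG = """\
Apr  3 02:14:01 labbox sshd[2101]: Failed password for root from 203.0.113.45 port 40112 ssh2
Apr  3 02:14:03 labbox sshd[2103]: Failed password for root from 203.0.113.45 port 40118 ssh2
Apr  3 02:14:05 labbox sshd[2105]: Failed password for invalid user test from 203.0.113.45 port 40121 ssh2
Apr  3 02:14:06 labbox sshd[2107]: Failed password for jdoe from 203.0.113.45 port 40125 ssh2
Apr  3 02:14:08 labbox sshd[2109]: Failed password for jdoe from 203.0.113.45 port 40130 ssh2
Apr  3 02:14:11 labbox sshd[2111]: Accepted password for jdoe from 203.0.113.45 port 40133 ssh2
Apr  3 08:30:15 labbox sshd[3001]: Failed password for asmith from 198.51.100.7 port 51500 ssh2
Apr  3 08:30:24 labbox sshd[3003]: Accepted password for asmith from 198.51.100.7 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def analyze(log_text, threshold=5, window=timedelta(seconds=60), year=2016):
    """Return (flagged, compromised).

    flagged:     {ip: time the ip reached `threshold` failures inside `window`}
    compromised: [(time, ip, user)] accepted logins from an already flagged ip
    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    compromised = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an sshd password event
        stamp = " ".join(m["ts"].split())          # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures = recent[ip]
            failures.append(ts)
            while ts - failures[0] > window:       # drop failures older than the window
                failures.popleft()
            if len(failures) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            # A success right after a guessing burst is the event to triage first.
            compromised.append((ts, ip, m["user"]))
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = analyze(SAMPLE_LOG)
    for ip, when in flagged.items():
        print(f"{when}  guessing burst from {ip}")
    for when, ip, user in compromised:
        print(f"{when}  login as {user} accepted from flagged source {ip}")
```

The second source in the sample (one mistyped password, then a success) stays below the threshold and is not reported.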

案例研討 3 駭客攻擊事件的三個有關機構 : Bank: Issues (發行)ATM cards used for the purchase of goods, service, and cash advance through MasterCard, Visa, etc. 銀行 商品銷售 卡片處理 Marketing firm: markets (促銷) cards and implements programs to consumers and corporations including distribution and usage of cards Card Processing Firm: provides ATM card processing services(處理服務): card set-up and maintenance, transaction authorization, processing, system access, security and fraud control, and activity reporting

Service Agreements Between the Organizations
[Diagram labels: Bank, Marketing Firm, Card Processing Firm]
To provide "fraud prevention and security", and be responsible for "all expenses associated with and the losses resulting from over limit processing, cardholder fraud, value load fraud, and under floor limit processing"

Incident and Response
[Diagram labels: Step 1, Step 2, Step 3]
- Hacker(s) used SQL injection to gain cardholder data and credentials
- In April 2008, hacker(s) gained access to the card processor's system via API calls made from the marketing firm's computer, adding $1500 to the balance of over 3000 cards
- "Cashing crews" hired by the hackers withdrew money from ATM machines located in Canada and other countries, and the bank suffered a loss of over 2 million dollars due to value load fraud via ATM card withdrawals

Investigation and Conviction
- The US Secret Service and law enforcement of other countries investigated the incident; a hacker named "Ehud Tenenbaum" was arrested in Canada and extradited to the US in September 2008, and released on bond in August 2010 after agreeing to plead guilty
- In July 2012, Tenenbaum accepted a plea bargain which may have involved cooperation in the investigation, was sentenced to the time already served in prison, and was also ordered to pay $503,000 and given three years' probation

A Lawsuit
The bank and the marketing firm settled; the bank sued the card processing firm, seeking compensation for the two million in losses and legal fees.
One dispute is the following language used in the insurance company's contract with the card processor, defining "computer violation" as follows:
Computer Violation means an unauthorized:
- entry into or deletion from a computer system;
- change to data elements or program logic of a Computer System, which is kept in machine readable format; or
- introduction of instructions, programmatic or otherwise, propagate themselves through a computer system;
directed solely against any insured organization.

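Conclusion and Q&A
- Digital forensics practitioners need to learn specialized technical knowledge
- Challenges for digital forensics: anti-forensics tools, encrypted files, personal privacy protection, emerging technologies, outdated laws, the cost of training and tools
- Cyber security personnel need basic digital forensics knowledge, training, and tools
- Digital forensics and cyber security are closely related:
  - Digital forensics is "looking for evidence of fools doing bad things"
  - Cyber security is "looking for evidence of smart people doing foolish things"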