DIGITAL FORENSICS AND THE MOST FAMOUS EGG
How did Humpty Dumpty fall?

Humpty Dumpty sat on a wall,
Humpty Dumpty had a great fall.
All the king's horses and all the king's men
Couldn't put Humpty together again

Mike Lombardi, MBA, CISSP, GCFE, GCIH
Vertigrate © 2015 www.vertigrate.com

REASONS FOR HUMPTY'S FALL
• He was pushed
• He jumped
• He was inebriated
• The wall was structurally unsound
• He faked his own demise

AGENDA
• Chain of Custody
• Data Sources & Imaging
• Data Types
• Types of Cases
• What to Look For in a Forensic Provider

CHAIN OF CUSTODY
Doesn't have to be complicated. Document the following:
• Device characteristics: make, model, serial, time zone, state of device
• Date & time
• Custodian
• Method of transfer
• File hash
• Any actions performed on the device

DATA SOURCES
• Memory
• Hard Drives
  • Rotational v. SSD
  • RAID
  • Encryption
• Mobile
• Removable Media
• Cloud

MEMORY
What was going through Humpty's mind?

HARD DRIVES
What was Humpty doing leading up to his death?

MOBILE
What did Humpty do while away from his computer?

REMOVABLE MEDIA
What else did Humpty save data to?

CLOUD
Which cloud services did Humpty use?

WHAT DO WE KNOW?
• Largest egg producer
• We don't have RAM
• We have his computer
• No encryption or RAID
• Always carried his smartphone
• Used a tablet at home and on the road
• Never seen using removable media
• Might have had cloud accounts

DATA TYPES
• Actual Files
• Deleted Files
• Email
• Operating System Files

ACTUAL FILES
DOCX, XLSX, PPTX, PDF, JPG
• Content
• Metadata
File System
• File
• LNK
• Metadata
CLUE: Keyword search for "poached" turns up 2 hits.

DELETED FILES
• Can be found anywhere
• Due to both user and system activity
• Mass deletions in a short timeframe = RED FLAG
• Greater chance of recovery IF
  • Less time since file deletion
  • Less activity on the disk
CLUE: Found deleted JPG.

RECOVERED PHOTO
[Photo shown on slide]

EMAIL FILES
• Outlook
• Lotus Notes
• Windows Mail
• Mozilla Thunderbird
• Webmail
CLUE: No email files, but webmail URLs found in Internet history.

WINDOWS OPERATING SYSTEM FILES
• Registry
• Event Logs
• Browser
• LNK
• Prefetch
• MFT and USN Journal

REGISTRY ANALYSIS
• C:\Windows\System32\Config
• C:\Users\<user_name>\NTUSER.dat
• MRU & Jump Lists
• Shellbags
• USB History
CLUE: New USB drive plugged in 7 days prior to Humpty's death. Last plugged into the PC the morning of Humpty's death. 2nd USB drive plugged in the same day.
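The DELETED FILES slide says a deleted JPG was found, and the CHAIN OF CUSTODY slide says every action and file hash must be documented. The script below is an added example (not code from the slides or from Vertigrate) that ties the two together: it carves JPEG candidates out of a block of unallocated space by their start/end markers, handles the two cases that trip up naive carvers (an embedded thumbnail, which is a nested JPEG, and a file whose tail was overwritten), and then produces a custody entry recording the custodian, UTC time, the hash of the source image and the hash of every artifact produced. The "disk image" is a constructed byte buffer, the 20 MiB size cap is an assumed sanity limit, and the custodian name is a placeholder.

```python
"""Carve deleted JPEGs out of raw unallocated space and log the result the
way a chain-of-custody record requires: who, when, what was hashed, and
what was produced. Added example, not code from the original slides; the
disk image below is a constructed byte buffer, not real evidence."""
import hashlib
import json
from datetime import datetime, timezone

SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker plus next marker prefix
EOI = b"\xff\xd9"              # JPEG end-of-image marker
MAX_JPEG = 20 * 1024 * 1024    # assumed upper bound for a single candidate


def carve_jpegs(image: bytes) -> list:
    """Find every JPEG candidate in `image`; return dicts with offset,
    length, data and whether the file was complete.

    A JPEG can embed a thumbnail (a nested SOI/EOI pair inside the EXIF
    segment), so a carver that stops at the first EOI truncates the picture.
    We track nesting depth and only stop at the EOI that closes the
    outermost SOI. A candidate whose EOI never arrives is reported as
    incomplete instead of being dropped: a partial file is still evidence.
    """
    results = []
    pos = 0
    while (start := image.find(SOI, pos)) != -1:
        limit = min(len(image), start + MAX_JPEG)
        depth, cursor, end = 1, start + len(SOI), None
        while cursor < limit:
            next_soi = image.find(SOI, cursor, limit)
            next_eoi = image.find(EOI, cursor, limit)
            if next_eoi == -1:
                break                        # ran off the end: truncated file
            if next_soi != -1 and next_soi < next_eoi:
                depth += 1                   # embedded thumbnail begins
                cursor = next_soi + len(SOI)
                continue
            depth -= 1
            cursor = next_eoi + len(EOI)
            if depth == 0:
                end = cursor                 # EOI of the outermost image
                break
        complete = end is not None
        if not complete:
            end = limit
        results.append({"offset": start, "length": end - start,
                        "complete": complete, "data": image[start:end]})
        pos = end
    return results


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(image: bytes, custodian: str, carved: list) -> dict:
    """One chain-of-custody entry for the carving action. Hashing the source
    before work starts, and every artifact produced, lets anyone later verify
    that nothing changed between the lab and the courtroom."""
    return {
        "custodian": custodian,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "carved JPEG candidates from unallocated space",
        "source_sha256": sha256(image),
        "artifacts": [{"offset": c["offset"], "length": c["length"],
                       "complete": c["complete"], "sha256": sha256(c["data"])}
                      for c in carved],
    }


# Constructed stand-ins: real JPEGs are far larger, but the markers are real.
JPEG_WITH_THUMBNAIL = (b"\xff\xd8\xff\xe1" + b"EXIF"                      # APP1 segment
                       + b"\xff\xd8\xff\xdb" + b"thumb" + b"\xff\xd9"    # nested thumbnail
                       + b"\xff\xda" + b"scan data" + b"\xff\xd9")
JPEG_SIMPLE = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\xff\xda" + b"pixels" + b"\xff\xd9"
JPEG_TRUNCATED = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\xff\xda" + b"cut off here"
SAMPLE_IMAGE = (b"\x00" * 16 + JPEG_WITH_THUMBNAIL + b"\x00" * 8
                + JPEG_SIMPLE + b"slack" + JPEG_TRUNCATED)

if __name__ == "__main__":
    carved = carve_jpegs(SAMPLE_IMAGE)
    for c in carved:
        print(f"offset={c['offset']} length={c['length']} complete={c['complete']}")
    print(json.dumps(custody_record(SAMPLE_IMAGE, "examiner-placeholder", carved), indent=2))
```

On the constructed image the carver reports three candidates: the thumbnail-bearing file recovered whole (a first-EOI carver would have cut it at the thumbnail), the plain file, and the truncated one flagged incomplete. Write the record out alongside the carved files; the hash of the source image is what lets a second examiner confirm they are working from the same evidence.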
BROWSER ARTIFACTS
• Depends upon the browser
• IE, Firefox and Chrome
• All very different & rapidly changing
• Index.dat, SQLite, JSON
CLUE: Carved for webmail content but found no meaningful fragments; BUT we do find a new email address and domain that look interesting.

MOBILE ARTIFACTS
• Device encryption & passcodes
• Volatile data
• ~2M apps between Android & iPhone
• Most rely on plist or SQLite structure
• Common ones are handled by mobile forensics suites
CLUE: Words With Friends has a chat feature.

REMOVABLE MEDIA
• Write-block it
• Physical image best, unless encrypted
[Diagram: PC and USB drive]
CLUE: Term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises found.

WHAT DO WE KNOW?
• Pam's recipe for Eggs Benedict from the Internet saved to the desktop.
• Deleted JPG originating from Humpty's phone puts him at Chicken Little's house when the thumb drive is inserted.
• Internet history reveals new email address.
• Subpoena shows communication with the baker about expansion plan.
• Words With Friends shows chat log with "Ace".
• 1st USB drive contains term sheet between Humpty Dumpty Eggs and Chicken Little Enterprises.
• 2nd USB drive is unknown.

HD & CL HATCH A PLAN TO CORNER THE EGG MARKET
• Humpty Dumpty and Chicken Little conspire to establish an egg cartel and expand.
• Part of the egg-spansion is into other food goods, like hollandaise.
• Humpty pretexts the baker with a phony email address to get his recipe. (Turns out it's really Pam's.)
• Baker finds out about Humpty's plans.
• Baker pushes Humpty and copies the recipe.
• Butcher & Candlestick Maker both have alibis.
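The BROWSER ARTIFACTS clue is that carving turned up no readable webmail but did surface a new email address and domain. The script below is an added example, not code from the slides or from Vertigrate, of the sweep an examiner runs over carved browser data to pull out those leads. The point it demonstrates is an encoding caveat: Windows browser artifacts (Index.dat in particular) frequently store strings as UTF-16LE, so an ASCII-only search walks straight past them; the scan therefore runs the same patterns over the raw bytes and over decoded UTF-16LE runs, reports the byte offset and encoding of each hit, and tallies domains the examiner does not already recognise. The blob, the hostnames (all under the reserved .test TLD) and the known-domain set are constructed for the example.

```python
"""Sweep carved browser data for e-mail addresses and hostnames. Added
example, not code from the original slides. The blob below is constructed;
it mixes plain ASCII with UTF-16LE because Windows browser artifacts often
store strings as UTF-16LE, and an ASCII-only grep misses them entirely."""
import re
from collections import Counter

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)
# A run of at least 8 printable ASCII characters each followed by a NUL byte
# is the signature of UTF-16LE text.
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def find_indicators(blob: bytes) -> list:
    """Return (byte_offset, encoding, kind, value) tuples sorted by offset.
    The offset always refers to the raw blob so a hit can be cited back to
    the image, whichever encoding it was stored in."""
    hits = []

    def scan(text: bytes, base: int, stride: int, encoding: str) -> None:
        for m in EMAIL_RE.finditer(text):
            hits.append((base + m.start() * stride, encoding, "email",
                         m.group(0).decode("ascii")))
        for m in URL_HOST_RE.finditer(text):
            hits.append((base + m.start() * stride, encoding, "host",
                         m.group(1).decode("ascii").lower()))

    scan(blob, 0, 1, "ascii")                       # narrow strings as-is
    for run in WIDE_RUN_RE.finditer(blob):          # wide strings, decoded first
        narrow = run.group(0).decode("utf-16-le").encode("ascii")
        scan(narrow, run.start(), 2, "utf-16-le")   # 2 bytes per character
    hits.sort()
    return hits


def unfamiliar_domains(hits: list, known: set) -> dict:
    """Count domains from the hits that are not in the examiner's known set.
    These are leads to corroborate against other sources, not conclusions."""
    seen = Counter()
    for _offset, _encoding, kind, value in hits:
        domain = value.split("@", 1)[1] if kind == "email" else value
        seen[domain.lower()] += 1
    return {d: n for d, n in seen.items() if d not in known}


# Constructed sample: an ASCII history line, then a UTF-16LE URL (with BOM)
# and a UTF-16LE header, separated by junk bytes. Hostnames are made up.
SAMPLE_BLOB = (
    b"\x00" * 12
    + b"Visited: https://mail.example-webmail.test/inbox?user=humpty@hd-eggs.test\x00"
    + b"\xff\xfe" + "https://chickenlittle-ent.test/termsheet".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
    + "From: ace.baker@pastry-pretext.test".encode("utf-16-le")
    + b"\x00" * 6
)
# Constructed: what the examiner already knows belongs to the subject.
KNOWN_DOMAINS = {"hd-eggs.test", "mail.example-webmail.test"}

if __name__ == "__main__":
    found = find_indicators(SAMPLE_BLOB)
    for offset, encoding, kind, value in found:
        print(f"0x{offset:06x} {encoding:<9} {kind:<5} {value}")
    print("new domains:", unfamiliar_domains(found, KNOWN_DOMAINS))
```

Only the ASCII hits would have appeared with a plain string search; the second host and the second address live in the UTF-16LE runs. The offsets matter because a lead is only useful once you can say which artifact it came from, and a domain that is "new" here still needs corroboration from another source, which is exactly what the subpoena in the next slide provides.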
PUSH BUTTON FORENSICS
• Know what you're getting from the analyst
• Be sure that your forensics analyst knows their tools
• Don't accept reports that don't include context and analysis
• Ensure that multiple data sources are being analyzed together and data is correlated

FORENSIC ANALYSIS QUESTIONS?