Digital Forensics and the War on Terror

When terrorists or insurgents are captured, or when a hideout is discovered, one of the first orders of business is to search for computers, memory sticks, cell phones, and other kinds of electronic devices. The next step is to carry out forensic analysis on those devices in the hope of finding information such as attack plans or the identities of other terrorists.

For example, when Osama bin Laden's compound was raided, a wealth of digital data were captured: five computers, dozens of hard drives, and more than 100 other storage devices.
CBS News article, May 2011
CNN Article, May 2012

Abbottabad Compound

What is Digital Forensics?

The term "forensics" refers to an application of scientific knowledge to a problem. When we use the term digital forensics we specifically mean the application of the scientific method to reconstructing a sequence of events involving an information system. In other words, can we figure out, after the fact, what happened in an information system?

One scenario in which we might want to reconstruct a sequence of digital events is that we know one of our servers has been hacked, and we'd like to know how it was done. Another scenario is that we don't know whether we've been hacked into, and we'd like to look around — if only to check that everything is okay. However, the sexiest scenario for digital forensics is more CSI style: you recover a computer and you want to know what kind of shenanigans were done with it. For example, you might be looking for criminal evidence. We'll focus on that kind of scenario.

Locard's Exchange Principle

In traditional, CSI-style forensics, one of the guiding concepts is Locard's Exchange Principle, which essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene. These "somethings" are evidence. More colorfully:

Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him, his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value. — Paul L. Kirk. 1953.

Locard's principle holds in the digital world as well and, in fact, it holds whether you are perpetrating a crime or not. We have seen several examples of this already, and it's worth thinking about them.

A few more examples of "things you leave" on remote hosts

In addition to visiting websites, one of the ways we've seen that we "go somewhere" in the cyber world is by using SSH to get a terminal on a remote host. It's interesting to see what you leave behind when you do this:

  1. Login attempts: Every attempt you make to log in to a system, successful or not, is logged! On rona, for example, there is a file /var/log/auth.log, readable by the sysadmin (System Administrator), that contains a log entry for every successful and unsuccessful login attempt. Here's an example of a few entries:
    Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=131.122.6.104  user=mxxxxxx
    Nov  1 08:38:05 rona sshd[3962]: Accepted password for stahl from 131.122.6.104 port 49961 ssh2
    Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:session): session opened for user mxxxxxx by (uid=0)
    This tells us that at 8:38am on 1 November, someone at host 131.122.6.104 tried to log in as user mxxxxxx, gave the wrong password, then tried to log in again and was successful. Think about how this could be used to track someone who was doing, or trying to do, bad things!
  2. Commands executed: Every command you execute is logged! On rona, for example, the sysadmin has a tool called lastcomm that lists every command executed by any user. Here's an example of a few lines output by the command:
    md5sum                 mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
    bash              F    mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
    ssh                    mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
    bash              F    mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
    What do we learn from this? We learn that at 7:36am on 3 November user mxxxxxx computed an MD5 hash and then ssh'd to some host. Think about how that might be used as evidence.

    In fact, there's a command called history that will bring up the last N commands you've given, along with their arguments (filenames, etc.). If you log in to your rona account and give the history command, you'll probably see every command you've ever given on rona!
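Putting the two logs together is what "reconstructing a sequence of events" means in practice. The following is an added example, not part of the original course page: it parses auth.log and lastcomm lines in the formats shown above (the sample lines here are constructed, not real rona data), merges them into one time-ordered timeline for a single user, and assumes the year 2011, since neither log records a year.

```python
import re
from datetime import datetime

# Constructed sample lines in the formats shown above (not real rona data).
AUTH_LOG = """\
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=131.122.6.104  user=mxxxxxx
Nov  1 08:38:05 rona sshd[3962]: Accepted password for mxxxxxx from 131.122.6.104 port 49961 ssh2
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:session): session opened for user mxxxxxx by (uid=0)
"""
LASTCOMM = """\
md5sum                 mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
bash              F    mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
ssh                    mxxxxxx  ??         0.00 secs Thu Nov  3 07:36
"""
AUTH_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"authentication failure;.*rhost=(\S+)\s+user=(\S+)")
OK_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
# lastcomm's flags column ("F" = forked) is optional, so it is matched but not captured.
LASTCOMM_RE = re.compile(
    r"^(\S+)\s+(?:[A-Z]+\s+)?(\S+)\s+\S+\s+[\d.]+ secs \w{3} (\w{3})\s+(\d+) (\d\d:\d\d)$")

def stamp(mon, day, clock):
    """Syslog-style time to datetime. Neither log records a year: 2011 is assumed."""
    fmt = "%Y %b %d %H:%M" + (":%S" if clock.count(":") == 2 else "")
    return datetime.strptime(f"2011 {mon} {day} {clock}", fmt)

def parse_auth(text):
    """sshd lines -> (time, source, user, outcome, host); session lines are skipped."""
    events = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        mon, day, clock, msg = m.groups()
        if fail := FAIL_RE.search(msg):
            events.append((stamp(mon, day, clock), "auth.log", fail[2], "FAILED", fail[1]))
        elif ok := OK_RE.search(msg):
            events.append((stamp(mon, day, clock), "auth.log", ok[1], "ACCEPTED", ok[2]))
    return events

def parse_lastcomm(text):
    """lastcomm lines -> (time, source, user, 'RAN', command)."""
    return [(stamp(m[3], m[4], m[5]), "lastcomm", m[2], "RAN", m[1])
            for m in filter(None, map(LASTCOMM_RE.match, text.splitlines()))]

def timeline(user):
    """What `user` did, merged from both sources into one time-ordered list."""
    ev = [e for e in parse_auth(AUTH_LOG) + parse_lastcomm(LASTCOMM) if e[2] == user]
    return sorted(ev, key=lambda e: e[0])  # stable sort keeps same-second listing order
```

Because lastcomm only records minutes, the order of commands within one minute is whatever order the listing gives; the stable sort deliberately preserves it rather than guessing.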

A few more examples of things that stay with you on your machine

Altering the registry on a Windows system can lead to system instability or system crashes. Do not modify registry data unless you know what you are doing. In SY110 we will not have you modify registry values; you will only read them.
Follow the steps below to launch an alternate version of regedit:

The digital forensics lab will explore in-depth the kind of information that stays behind — perhaps unexpectedly — on your Windows computer. So we mention only a few examples here:

  1. Browser cache: We discussed this above.
  2. Recently accessed files: If you launch regedit and look under:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    you will see a list of the files you opened recently, grouped by file extension. If you right-click an entry and choose "Modify", you'll see the file names.
  3. Networks you've been on: If you look under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
    and then under both Managed and Unmanaged, you'll see, among other things, the MAC addresses of the gateway routers for networks you've been on.
  4. "Meta-data" in documents: Programs like Microsoft Word store "meta data" in the documents they create. For example, if you right-click on the icon for a Word file, choose "Properties" and look under the "Details" tab, you often find information like the name of the author of the document, an e-mail address, the username of the author, and so forth. Thus, documents that get published to the world may leak information that could be put to evil purposes.
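As an added example (not from the course page), here is how the RecentDocs values in item 2 can be read and decoded without modifying anything: each numbered value begins with the file name as a NUL-terminated UTF-16LE string, and the MRUListEx value lists the numbered entries as little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF. The sample key is constructed; read_recent_docs is the Windows-only winreg path for a real key, and the trailing bytes make_recentdoc appends are only a stand-in for the shell item that follows the name on a real system.

```python
import struct

def filename_from_recentdoc(blob):
    """The value starts with the file name as a NUL-terminated UTF-16LE string;
    the shell item that follows it is not needed to recover the name."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2  # one code unit at a time: a 00 byte inside a character is not a terminator
    return blob[:end].decode("utf-16-le")

def order_from_mrulistex(blob):
    """MRUListEx: little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[:len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recent_docs(values):
    """values: {value name: bytes} for one RecentDocs key; returns names, most recent first."""
    order = order_from_mrulistex(values["MRUListEx"])
    return [filename_from_recentdoc(values[str(i)]) for i in order if str(i) in values]

def read_recent_docs(subkey=""):
    """Windows only: read (never modify) RecentDocs or one of its per-extension subkeys."""
    import winreg  # standard library on Windows Python only
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path + ("\\" + subkey if subkey else "")) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values in the key
            name, data, _kind = winreg.EnumValue(key, i)
            values[name] = data
    return recent_docs(values)

def make_recentdoc(name):
    """Build a value in the on-disk layout for the constructed sample (tail is a stand-in)."""
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk").encode("utf-8") + b"\x00"

# Constructed sample of what a RecentDocs\.docx subkey might hold; not read from a real machine.
SAMPLE_KEY = {
    "0": make_recentdoc("notes.docx"),
    "1": make_recentdoc("thesis.docx"),
    "2": make_recentdoc("résumé.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
```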