When terrorists or insurgents are captured, or when a hideout is discovered, one of the first orders of business is to search for computers, memory sticks, cell phones, and other kinds of electronic devices, and then to carry out forensic analysis on them in the hope of finding information about things like attack plans or the identities of other terrorists.
For example, when Osama bin Laden's compound was raided, a wealth of digital data were captured: five computers, dozens of hard drives, and more than 100 other storage devices.
CBS News article, May 2011
CNN Article, May 2012
The term "forensics" refers to an application of scientific knowledge to a problem. When we use the term digital forensics we specifically mean the application of the scientific method in reconstructing a sequence of events involving an information system. In other words, can we figure out after the fact what happened in an information system?
One scenario in which we might want to reconstruct a sequence of digital events is that we know one of our servers has been hacked, and we'd like to know how it was done. Another scenario is that we don't know whether we've been hacked into, and we'd like to look around — if only to check that everything is okay. However, the sexiest scenario for digital forensics is more CSI style: you recover a computer and you want to know what kind of shenanigans were done with it. For example, you might be looking for criminal evidence. We'll focus on that kind of scenario.
In traditional, CSI-style forensics, one of the guiding concepts is Locard's Exchange Principle, which essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene. These "somethings" are evidence. More colorfully:
Locard's principle holds in the digital world as well and, in fact, it holds whether you are perpetrating a crime or not. We have seen several examples of this already, and it's worth thinking about them.
amazon.com web server? An entry in the web server log, of course! What evidence do you take with you? First of all, a cookie from the amazon.com server. Second of all, your browser caches a copy of the web pages you visit — i.e. it stores a copy on your machine of each web page. This is so that when you look at a page a second time, you can just use the cached copy, provided the page hasn't changed, and not have to wait for the page to be resent from the server. Third of all, your browser keeps a history of all the pages you've visited — which it uses to offer you a list of completions of the URL you're currently typing. Additionally, DNS results for your system asking to resolve (look up) the IP address of amazon.com are cached on your local system.
In addition to visiting websites, one of the ways we've seen that we "go somewhere" in the cyber world is by using SSH to get a terminal on a remote host. It's interesting to see what you leave behind when you do this:
/var/log/auth.log that the sysadmin (System Administrator) has access to, which contains a log entry for every successful and unsuccessful attempt to log in. Here's an example of a few entries:
    Nov 1 08:38:05 rona sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124 user=mxxxxxx
    Nov 1 08:38:05 rona sshd: Accepted password for stahl from 126.96.36.199 port 49961 ssh2
    Nov 1 08:38:05 rona sshd: pam_unix(sshd:session): session opened for user mxxxxxx by (uid=0)
This tells us that at 8:38am on 1 November, someone at host 188.8.131.52 tried to log in as user mxxxxxx, gave the wrong password, then tried to log in again and was successful. Think about how this could be used to track someone who was doing or trying to do bad things!
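As an added example (not part of the original notes), here is a small Python parser for auth.log lines in the format shown above that reconstructs, per remote host, the "wrong password, then successful login" pattern just described. The log lines inside it are constructed samples using documentation IP addresses and placeholder user names, and the function names are my own.

```python
import re

# Constructed sample in the same format as the auth.log excerpt above
# (rhost values are documentation addresses; user names are placeholders).
SAMPLE_LOG = """\
Nov  1 08:38:01 rona sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=mxxxxxx
Nov  1 08:38:05 rona sshd: Accepted password for mxxxxxx from 203.0.113.7 port 49961 ssh2
Nov  1 08:38:05 rona sshd: pam_unix(sshd:session): session opened for user mxxxxxx by (uid=0)
Nov  1 09:02:11 rona sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Nov  1 09:02:14 rona sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
"""

# Syslog prefix: timestamp, hostname, "sshd" with an optional [pid].
PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
# pam_unix omits "user=" when the name given was not a valid account, so it is optional.
FAIL_RE = re.compile(PREFIX + r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<host>\S+)(?: user=(?P<user>\S+))?")
OK_RE = re.compile(PREFIX + r"Accepted \w+ for (?P<user>\S+) from (?P<host>\S+) port \d+")


def parse_auth_log(text):
    """Return (timestamp, host, user, outcome) tuples for auth lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line) or OK_RE.match(line)
        if m is None:
            continue  # e.g. "session opened" lines carry no remote host
        outcome = "failure" if m.re is FAIL_RE else "accepted"
        ts = " ".join(m["ts"].split())  # collapse syslog's padded day ("Nov  1" -> "Nov 1")
        events.append((ts, m["host"], m["user"] or "<invalid user>", outcome))
    return events


def logins_after_failures(events):
    """Map rhost -> failure count and the accepted logins that came after its first failure."""
    first_fail, failures, accepted = {}, {}, {}
    for i, (ts, host, user, outcome) in enumerate(events):
        if outcome == "failure":
            failures[host] = failures.get(host, 0) + 1
            first_fail.setdefault(host, i)  # file order stands in for time (no year in syslog)
        elif host in first_fail and i > first_fail[host]:
            accepted.setdefault(host, []).append((ts, user))
    return {h: {"failures": failures[h], "accepted": accepted[h]} for h in accepted}
```

Hosts that only failed (like 198.51.100.9 in the sample) are left out of the result, since the pattern of interest is a failure that was eventually followed by a successful login from the same host.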
rona, for example, the sysadmin has a tool called lastcomm that lists every command executed by any user. Here's an example of a few lines output by the command:
    md5sum mxxxxxx ?? 0.00 secs Thu Nov 3 07:36
    bash F mxxxxxx ?? 0.00 secs Thu Nov 3 07:36
    ssh mxxxxxx ?? 0.00 secs Thu Nov 3 07:36
    bash F mxxxxxx ?? 0.00 secs Thu Nov 3 07:36
What do we learn from this? We learn that at 7:36am on 3 November user mxxxxxx computed an MD5 hash and then ssh'd to some host. Think about how that might be used as evidence.
In fact, there's a command called history that will bring up the last N commands you've given, along with arguments like filenames, etc. If you log in to your rona account and give the history command, you'll probably see all the commands you've ever given on
The digital forensics lab will explore in-depth the kind of information that stays behind — perhaps unexpectedly — on your Windows computer. So we mention only a few examples here:
regedit and look under:
Unmanaged you'll see, among other things, the MAC addresses of the gateway routers for networks you've been on.