Digital Forensics

A pilot study on the issues and complexity of digital forensics, and on how digital forensics can be applied in a live environment without the loss or spoilage of valuable data and evidence.

Published in: Technology

Transcript of "Digital Forensics"

1. Digital Forensics: Evidence

2. Road Map
   - Basic Digital Forensics
   - Traditional Digital Forensics
   - Live Digital Forensics
   - Anti-Digital Forensics
   - Questions

3. Basic Forensics
   - Registry
   - Thumbs.db
   - Index.dat
   - Commands

4. Registry
   - Last Logon: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   - Security Center: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
   - Recent Documents: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
   - Typed URLs: HKCU\Software\Microsoft\Internet Explorer\TypedURLs

5. Thumbs.DB
   - Pictures opened in the Windows OS
   - Filmstrip
   - Thumbnails
   - Thumbs.DB Viewer

6. Index.DAT
   - Contains all of the Web sites
   - Every URL
   - Every Web page
   - All email sent or received through Outlook or Outlook Express
   - All internet temp files
   - All pictures viewed

7. Commands
   - dir: lists all files and directories in the directory you are currently in.
   - ls: list the contents of your home directory by adding a tilde after the ls command.
   - ps: displays the currently running processes.
   - fdisk: a utility that provides disk partitioning functions and information.

8. Traditional Forensics
   - Hardware Write Block / Software Write Block
   - Cell Phones
   - Digital Forensics Programs
   - Hex Editor
   - FTK
   - EnCase
   - ProDiscover

9. Hardware Write Block

10. Hardware Write Block: Hard Drive Connected

11. Hardware Write Block: Image in process

12. Destination Drive

13. Safe Block XP

14. Software Write Block
   - Registry Edit USB Block: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
   - Write protect
   - Disable: WriteProtect dword:00000001
   - Enable: WriteProtect dword:00000000
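The registry artifacts on slide 4 and the software write block on slide 14 are both just registry reads, so the following PowerShell script (an added example, not part of the slide deck) collects them in one pass: it dumps the four artifact keys and then reports whether the StorageDevicePolicies WriteProtect value is set. The key paths are the ones named on the slides, written with the PowerShell drive prefixes HKLM: and HKCU:; it assumes PowerShell 3.0 or later on the examined Windows system and an elevated session for the HKLM keys.

```powershell
# Added example (not from the slides): read the registry artifacts listed on
# slide 4 and report the software write-block state from slide 14.
# -ErrorAction SilentlyContinue keeps a missing key from aborting the sweep.

function Get-RegistryArtifact {
    param([string]$Label, [string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Output ("{0}: key not present ({1})" -f $Label, $Path)
        return
    }
    Write-Output ("== {0} ({1})" -f $Label, $Path)
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... bookkeeping
        $value = $p.Value
        if ($value -is [byte[]]) {
            # RecentDocs entries are REG_BINARY (UTF-16 name plus shell-link data); show hex.
            $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ''
        } elseif ($value -is [array]) {
            $value = $value -join ', '          # REG_MULTI_SZ
        }
        Write-Output ("  {0} = {1}" -f $p.Name, $value)
    }
}

# Slide 4: last logon, Security Center, recent documents, typed URLs
Get-RegistryArtifact 'Last logon (Winlogon)'   'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-RegistryArtifact 'Security Center'         'HKLM:\SOFTWARE\Microsoft\Security Center'
Get-RegistryArtifact 'Recent documents (.doc)' 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc'
Get-RegistryArtifact 'Typed URLs'              'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'

# Slide 14: software write block. WriteProtect = 1 makes USB storage attached
# after the value is set read-only; 0, or no value at all, leaves writes enabled.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$wp = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
if ($wp -eq 1)     { 'USB write block: ENABLED (WriteProtect = 1; newly attached USB storage is read-only)' }
elseif ($wp -eq 0) { 'USB write block: disabled (WriteProtect = 0)' }
else               { "USB write block: not configured (no WriteProtect value under $policyKey)" }
```

Because the WriteProtect policy is evaluated when a volume is attached, the check above only means something if it is run before the evidence drive is plugged in; a hardware write blocker, as on slides 9 to 12, does not depend on the examiner remembering this.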
15. Cell Phone

16. USB Drive

17. Hex Editor

18. FTK

19. EnCase

20. EnCase Continued

21. ProDiscover

22. Live Digital Forensics
   - ProDiscover IR
   - Helix
   - Sleuth Kit & Autopsy
   - Caine
   - FTK/EnCase: making them live? Both newer offerings have live capabilities.

23. ProDiscover IR

24. Live environment warnings

25. Helix

26. Helix Continued

27. Sleuth Kit & Autopsy

28. Caine

29. FTK/EnCase Live?
   - Older versions: no. EnCase 4.6: no. FTK 1.8: no.
   - New versions: yes. EnCase 6 supports network and live digital forensics. FTK 3 supports live digital forensics.

30. Problems
   - Firewalls/Routers/Switches
   - Proxies
   - IP packets
   - TTL issues
   - IDS

31. Anti-Digital Forensics
   - Steganography
   - Encryption
   - Data Wiping
   - Metadata Spoilage
   - Alternate Data Streams
   - Index.dat
   - Thumbs.db
   - Death of digital forensics

32. Steganography
   - Detection: WetStone Technologies' Gargoyle; Niels Provos' Stegdetect
   - Hiding: StegoMagic; wbStego; HIP (Hide In Picture)

33. StegoMagic

34. wbStego

35. HIP

36. Encryption
   - File encryption
   - Full-disk encryption

37. Data Wiping
   - M-Sweep Pro Data Eliminator
   - DBAN
   - DOD 5220.22-M
   - File Shredder (beyond DOD)

38. M-Sweep Pro Data Eliminator

39. DBAN

40. File Shredder

41. Metadata Spoilage
   - Metasploit
   - TimeStomp
   - Slack
   - MetaChanger

42. Metasploit

43. Timestomp

44. MetaChanger
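Slides 41 to 44 name Timestomp and MetaChanger without saying what an examiner can do about them. The PowerShell function below is an added example (not from the deck) of the cheapest triage heuristic for timestamp tampering: files whose creation, modification and access times all land on an exact whole second, or lie in the future or before 1990, are listed for closer inspection. NTFS records times at 100 ns resolution, so whole-second values on every timestamp are unusual for files written normally. The root path is a placeholder; the function only reads metadata and assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the slides): flag files whose NTFS timestamps look
# set by hand rather than by the file system. This is a triage heuristic only.

function Find-SuspiciousTimestamps {
    param([string]$Root = '.')
    $now = Get-Date
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $times = @($_.CreationTime, $_.LastWriteTime, $_.LastAccessTime)
            # DateTime.Ticks are 100 ns units; 10,000,000 ticks make one second.
            $wholeSecond = @($times | Where-Object { $_.Ticks % 10000000 -eq 0 }).Count
            $outOfRange  = @($times | Where-Object { $_ -gt $now -or $_.Year -lt 1990 }).Count
            $reason = $null
            if ($wholeSecond -eq $times.Count) { $reason = 'all timestamps are exact whole seconds' }
            elseif ($outOfRange -gt 0)         { $reason = 'timestamp in the future or before 1990' }
            if ($reason) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime.ToString('o')   # round-trip format keeps the fraction
                    Modified = $_.LastWriteTime.ToString('o')
                    Accessed = $_.LastAccessTime.ToString('o')
                    Reason   = $reason
                }
            }
        }
}

# Placeholder path: point this at a read-only mount of the evidence volume.
Find-SuspiciousTimestamps -Root 'C:\evidence\mount' | Format-Table -AutoSize
```

Files copied from FAT media or extracted from some archive formats legitimately carry whole-second timestamps, so a hit is a lead, not a finding. The stronger check, comparing the $STANDARD_INFORMATION times (which the tools on these slides overwrite) against the $FILE_NAME times in the MFT record, needs an MFT parser such as the Sleuth Kit tools named on slide 27; this script does not read the MFT.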
45. Alternate Data Streams
   - Data fork and resource fork in the old Macintosh Hierarchical File System
   - Impossible to protect your system against ADS.
   - Cannot be disabled
   - No way to limit this capability
   - Use the redirect [>] and colon [:] to fork one file into another:
     C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe

46. Alternate Data Streams scan engine
  49. 49. Thumbs.DB Viewer<br />
  50. 50. Death of Digital Forensics<br />SSDs are much like memory<br />Smallest part written too is a sector<br />Erases data in a block <br />Anything changes physical placement of data<br />Logical placement stays the same. <br />Black boxes from a system's point of view<br />Property<br />
  51. 51. Conclusion<br />We can see the live digital forensics is best used for starting an investigation. <br />Traditional Digital forensics is best for collecting the data <br />And knowing the techniques of Anti-digital forensics can help the investigator find data that he/she might not other wise be able to find. <br />
  52. 52. Questions<br />