What is forensics
Why to forensics
How To Become Forensics Expert
Hands on Challenges
Er.firstname.lastname@example.org Follow me at @ervikey
Forensics is related to courts and trials, or to answering questions relevant to the legal system.
Computer forensics helps answer whether a digital device was part of a cyber crime or the victim of one.
The purpose is to find evidence that can prove, in a court case, what was done on the system.
IF WHO WHAT WHEN WHY
CYBER - ATTACKS
A set of techniques used as countermeasures to forensic analysis.
Ex. full-disk encryption:
TrueCrypt on Linux, Windows and OS X
FileVault 2 on OS X
AbsoluteShield File Shredder
And of course a little of these…..
Chain of custody
Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of recovering, analysing and presenting facts and opinions about the digital information.
Removable HD enclosures or connectors with different plugs
A DVD burner
USB2, FireWire, SATA and e-SATA controllers, if possible
Multiple operating systems:
Linux: extensive native file system support
VMs running various Windows versions (XP, Vista, 7, 8)
E.g., SleuthKit http://www.sleuthkit.org
Internet Evidence Finder
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches
It is extremely important to understand this:
Trying to obtain the data may alter it.
Simply doing nothing is also not good: a running system continuously evolves.
The Heisenberg Uncertainty Principle of data gathering and system analysis: as you capture data in one part of the computer you are changing data in another.
Use write blockers.
Data type                                  Lifetime
Registers, peripheral memory, main memory  nanoseconds
Network state                              milliseconds
Running processes                          seconds
Floppies, backup media, etc.               years
CD-ROMs, printouts, etc.                   tens of years
RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other
Tools to be used:
Belkasoft Live RAM Capturer
Data is stored permanently on the disk.
Shift + Delete will NOT remove it.
If data is deleted there ARE tools to recover it.
It all depends on the type of file system being used: NTFS, FAT, ext, HFS….
dd if=/dev/sda1 of=/mnt/sdb1/root.raw                 # raw copy of the partition into a file on the evidence drive (/dev/sdb1 mounted at /mnt/sdb1)
dcfldd if=/dev/sda1 hash=md5 of=/mnt/sdb1/root.raw    # same copy, with dcfldd computing an MD5 of the data as it is read
After a clone or an image is made it is very important to make a hash of it.
After the complete analysis of the disk or the image we calculate the hash again.
This is important because we need to prove in court that the evidence has not
Currently Indian courts accept SHA-256.
Tools for calculating hashes: WinHex, Sleuthkit, EnCase.
Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
This makes the entire task of analysis easier.
With tools like Live View it is even possible to recreate the entire scenario, i.e. the actual operating system, on a virtual machine.
Live View is only compatible up to XP.
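The hash-before, hash-after check described above, as an added Python example that is not from the slides or any of the named tools: it records MD5 and SHA-256 at acquisition, re-verifies after analysis, and shows that a single written byte (what a write blocker prevents) breaks the match. The image bytes are constructed here, not a real disk image.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image does not fill RAM

def hash_stream(fobj, algo="sha256"):
    """Hex digest of everything readable from fobj (an open image file)."""
    h = hashlib.new(algo)
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def hash_bytes(data, algo="sha256"):
    return hash_stream(io.BytesIO(data), algo)

def hash_image(path, algo="sha256"):
    with open(path, "rb") as f:
        return hash_stream(f, algo)

def acquisition_record(path):
    """What is written down when the image is made: size, MD5 (as dcfldd hash=md5
    would log) and SHA-256 (the digest the slides say Indian courts accept)."""
    return {"size": os.path.getsize(path),
            "md5": hash_image(path, "md5"),
            "sha256": hash_image(path, "sha256")}

def verify_image(path, record):
    """Re-hash after analysis; True only if the image is byte-for-byte unchanged."""
    return (os.path.getsize(path) == record["size"]
            and hash_image(path, "sha256") == record["sha256"])

def demo():
    # Constructed stand-in for a dd/dcfldd output file; not a real disk image.
    image = b"\x00" * 4096 + b"FAKE-BOOT-SECTOR" + b"\xff" * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "root.raw")
        with open(path, "wb") as f:
            f.write(image)
        record = acquisition_record(path)
        intact = verify_image(path, record)
        # Simulate an analysis tool writing a single byte into the image,
        # the kind of change a write blocker exists to prevent.
        with open(path, "r+b") as f:
            f.seek(4096)
            f.write(b"f")
        tampered = verify_image(path, record)
    return intact, tampered
```

Keep the acquisition record (and who computed it, when) with the chain-of-custody paperwork; the verification only proves integrity relative to that record.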
The tools really worth looking at are Mount Image Pro and Virtual
Modified file extensions
While imaging or cloning a disk an exact copy is made, and hence the hidden data remains as it is.
There is no specific tool for the extraction of such hidden data, so we need to perform manual analysis on the image or the disk using hex editors.
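As an added Python example (not from the slides), the check an analyst would otherwise do by eye in a hex editor: compare each file's claimed extension with the magic bytes at its start, so a JPEG renamed to .txt or a ZIP renamed to .pdf stands out. The signature table, alias list and sample headers are constructed for the example.

```python
import os

# Signatures at offset 0 for the formats a triage looks at first (constructed table).
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
    "rar": [b"Rar!\x1a\x07"],
}
# Extensions that legitimately share a container signature (a .docx is a zip).
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "apk": "zip", "dll": "exe"}

def identify(header):
    """Format whose signature matches the first bytes, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None

def check_extension(name, header):
    """Return (claimed, actual, mismatch) for one file.
    mismatch is only True when the content is recognised AND disagrees
    with the extension; unknown content is left for manual review."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    return claimed, actual, actual is not None and claimed != actual

def triage(files):
    """files: iterable of (name, first bytes). Names whose extension lies."""
    return [name for name, head in files if check_extension(name, head)[2]]

# Constructed sample headers standing in for the first bytes read from an image.
SAMPLE = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # a JPEG renamed to .txt
    ("invoice.pdf", b"PK\x03\x04\x14\x00"),           # a zip renamed to .pdf
    ("report.docx", b"PK\x03\x04\x14\x00"),           # legitimately zip-based
    ("readme.md", b"# Readme\n"),                     # plain text: no signature
]
```

Signatures only cover the start of a file; data appended after a valid image or archive needs the hex editor pass the slides describe.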
While performing analysis on disks and images there is a very good chance that we come across encrypted data.
This creates a problem for a forensic analyst.
Even though there are tools and techniques to break encryption, we sometimes fail to do so.
A series of attacks are carried out to break encryption:
Brute force attack
Known plaintext attack
Rainbow table attack
Tools: a variety of stand-alone as well as online tools are available that help us crack encrypted files.
If we come across any files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
In such cases the furthest we can go is to look for the keys on the machine.
From a culprit's point of view, steganography is something that stands beyond cryptography.
This is because detecting steganography manually is a big challenge for any individual.
And with not enough tools on the market to detect steganography, the job becomes even more tiresome.
Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm; it is not a big task to achieve. That makes detection difficult.
Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
Unlike other areas of digital forensics, network investigations deal with volatile and
Why does network forensics play an important role?
Network forensics can reveal whether the network or the machine from which the crime was committed was compromised or not, which can turn out to be really handy in some