Digital Forensics


Memory Forensics, Network Analysis


  1. Let's do some Autopsy!!
  3. BUT CLOSE…
  5. Agenda: What is forensics? Why forensics? Anti-forensics. How to become a forensics expert. Some terms. Computer forensics: memory analysis, volatile vs. non-volatile data, encryption and steganography, network analysis. Hands-on challenges.
  6. Vikas Jain. Follow me at @ervikey
  7. Forensics relates to courts and trials, that is, to answering questions for the legal system. Computer forensics helps answer whether a digital device was part of a cyber crime or the victim of one. Its purpose is to find evidence that can prove, in a court case, what was done on the system. Five aspects: IF, WHO, WHAT, WHEN, WHY.
  8. Cyber-attacks: fraud, drug trafficking, child pornography, espionage, copyright infringement. Goals: discover what was lost, recover deleted data, discover the entry point.
  9. Anti-forensics: a set of techniques used as countermeasures to forensic analysis. Examples: full-disk encryption (TrueCrypt on Linux, Windows and OS X; FileVault 2 on OS X; BitLocker on Windows) and file erasers (AbsoluteShield File Shredder, Heidi Eraser, Permanent Eraser).
  10. TOO DAMN EASY!!
  11. What you need to know: operating systems, file systems, disk partitioning, networking, memory management.
  12. Operating systems, file systems, disk partitioning, networking, memory management. And of course a little of these…
  13. What a forensics expert does: collects evidence and presents it in court; searches and seizes the equipment; conducts a preliminary assessment to search for evidence; finds and interprets the clues left behind; determines whether an incident occurred.
  14. Terms: acquisition, e-discovery, chain of custody, expert witness, first responder.
  15. Computer forensics: a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information. Areas: memory analysis, network data analysis, document or file analysis, OS analysis, mobile analysis, database analysis.
  16. Hardware: removable HDD enclosures or connectors with different plugs; write blockers; a DVD burner; external disks; USB 2, FireWire, SATA and eSATA controllers, if possible. Software: multiple operating systems (Linux for its extensive native file system support; VMs running various Windows versions: XP, Vista, 7, 8); forensics toolkits, e.g. SleuthKit, WinHex, Internet Evidence Finder.
  17. Non-volatile memory: stored data is not erased when the device is powered off, e.g. HDD, SSD, CD, DVD, USB sticks. Volatile memory: requires power to maintain the stored data, e.g. RAM, page files, swap, caches, running processes.
  18. It is extremely important to understand this: trying to obtain the data may alter it, but simply doing nothing is also not good, because a running system continuously evolves. This is the Heisenberg uncertainty principle of data gathering and system analysis: as you capture data in one part of the computer you are changing data in another. Use write blockers.
  19. Order of volatility (data type: lifetime). Registers, peripheral memory, caches, etc.: nanoseconds. Main memory: nanoseconds. Network state: milliseconds. Running processes: seconds. Disk: minutes. Floppies, backup media, etc.: years. CD-ROMs, printouts, etc.: tens of years.
  20. RAM contains the most recent data, such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and the decrypted content of files that are stored encrypted on the hard disk. Live RAM (volatile memory) analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications. Tools: Belkasoft Live RAM Capturer, Memory DD, MANDIANT Memoryze.
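The simplest triage of a captured RAM image is the one the slide alludes to: pull printable strings out of the dump and look for artefacts such as URLs and e-mail addresses. The following is an added example, not code from the deck or from any of the tools it names; it mimics the `strings` utility (ASCII and UTF-16LE runs, the latter common in Windows memory) and runs over a constructed byte blob standing in for a memory dump. The regular expressions and the minimum string length are assumptions chosen for illustration.

```python
import re

# Artefact patterns (assumptions for this example; real cases add chat, cookie, key formats, ...).
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_strings(blob, min_len=6):
    """Mimic `strings`: printable-ASCII runs plus UTF-16LE runs of at least min_len chars."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    found = [s.decode("ascii") for s in ascii_runs]
    found += [s.decode("utf-16-le") for s in utf16_runs]
    return found


def triage(blob):
    """Collect URLs and e-mail addresses found among the dump's strings."""
    urls, emails = set(), set()
    for s in extract_strings(blob):
        urls.update(URL_RE.findall(s))
        emails.update(EMAIL_RE.findall(s))
    return {"urls": sorted(urls), "emails": sorted(emails)}


# Constructed stand-in for a memory dump: binary noise around an ASCII URL,
# a UTF-16LE e-mail address and a string too short to be reported.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"https://mail.example.com/inbox?id=42"
    + b"\x00\x01\x02"
    + "user@example.com".encode("utf-16-le")
    + b"\xff" * 8
    + b"short"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for kind, values in triage(SAMPLE_DUMP).items():
        print(kind, values)
```

On a real capture the same two functions run over the whole dump file read in binary mode; a hit only tells you the artefact was resident in memory, not which process owned it, which is what a proper memory-analysis framework adds on top.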
  21. Data is stored permanently on the disk. Shift+Delete will NOT remove it: if data is deleted there ARE tools to recover it. How much can be recovered depends on the file system format in use: NTFS, FAT, ext, HFS…
  22. Imaging tools: dd, dcfldd, ProDiscover, EnCase, FTK, Sleuth Kit (Autopsy), WinHex.
      # dd: raw bit-for-bit copy of the evidence partition to an image file. The destination
      # must be a file on a separately mounted evidence disk (here the disk sdb1 mounted at
      # /mnt/evidence), never a path under /dev; noerror,sync keeps going past unreadable sectors
      dd if=/dev/sda1 of=/mnt/evidence/root.raw bs=4M conv=noerror,sync status=progress
      # dcfldd: the same copy, hashing the data as it is read so the acquisition hash is logged
      dcfldd if=/dev/sda1 hash=md5 hashlog=/mnt/evidence/root.md5 of=/mnt/evidence/root.raw
  23. After a clone or an image is made it is very important to compute a hash of it. After the complete analysis of the disk or image we calculate the hash again. This matters because we need to prove in court that the evidence has not been tampered with. Currently Indian courts accept SHA-256. Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
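The hash-before, hash-after routine from the slide, as an added example that is not part of the deck: the image is streamed through SHA-256 in chunks (a disk image rarely fits in RAM), the acquisition digest is written to a manifest, and the same digest is recomputed after analysis and compared. The JSON manifest layout, the file names and the `demo()` driver are assumptions made for this example; a lab would record the value on its chain-of-custody form.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash the image in chunks so a multi-GB file never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition_hash(image_path, manifest_path):
    """Write the post-acquisition SHA-256 to a manifest (JSON layout is an assumption)."""
    entry = {
        "image": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry["sha256"]


def verify_integrity(image_path, manifest_path):
    """Recompute the hash after analysis; returns (matches, recorded_digest, current_digest)."""
    with open(manifest_path) as f:
        recorded = json.load(f)["sha256"]
    current = sha256_file(image_path)
    return current == recorded, recorded, current


def demo():
    """Constructed walk-through: a tiny stand-in image, verified untouched and after a write."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "root.raw")
    manifest = os.path.join(workdir, "root.raw.sha256.json")
    with open(image, "wb") as f:
        f.write(b"abc")                      # stand-in image contents
    recorded = record_acquisition_hash(image, manifest)
    ok_before = verify_integrity(image, manifest)[0]
    with open(image, "ab") as f:             # simulate an accidental write to the evidence
        f.write(b"\x00")
    ok_after = verify_integrity(image, manifest)[0]
    return recorded, ok_before, ok_after


if __name__ == "__main__":
    recorded, ok_before, ok_after = demo()
    print("acquisition hash:", recorded)
    print("verified before analysis:", ok_before)
    print("verified after a stray write:", ok_after)
```

Any change to the image, even a single appended byte, produces a different digest, which is exactly what makes the recorded value usable as evidence that the copy was not altered between acquisition and testimony.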
  24. Tools like WinHex, Sleuth Kit and EnCase allow you to rebuild the file system so that you can look at the files as they were on the machine. This makes the entire task of analysis easier.
  25. With tools like Live View it is even possible to recreate the entire scenario, that is, the actual operating system, on a virtual machine. Live View is only compatible up to XP. The tools to really look at for this are Mount Image Pro and Virtual Forensic Computing.
  26. Where data hides: slack space, ADS (alternate data streams), steganography, hidden partitions, unallocated space, modified file extensions, metadata.
  27. While imaging or cloning a disk an exact copy is made, so the hidden data remains as it is. There is no specific tool for extracting hidden data, so we need to perform manual analysis on the image or disk using hex editors, e.g. WinHex.
  28. While performing analysis on disks and images there is a very good chance that we come across encrypted data. This creates a problem for a forensic analyst: even though there are tools and techniques to break encryption, we sometimes fail to do so.
  29. A series of attacks is carried out to break encryption: brute force attack, dictionary attack, known plaintext attack, rainbow table attack. Tools: a variety of stand-alone as well as online tools are available which help crack encrypted files: AZPR, AOPR, Decryptum (online), Passware Kit.
  30. If we come across files or data encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through. In such cases the furthest we can go is to look for the keys on the machine.
  31. From a culprit's point of view, steganography is something that stands beyond cryptography, because detecting steganography manually is a big challenge for any individual, and with not enough tools on the market to detect it the job is even more tiresome. Different tools use different algorithms for hiding data, and anyone can easily develop a steganography algorithm; it is not a big task to achieve. That makes detection difficult. (Figure label: Confidential information)
  32. Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well. Tools: StegDetect, StegSecret.
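Two of the manual hex-editor checks from slides 26, 27 and 32 can be automated over an image's files: comparing each file's extension with its magic bytes (the "modified file extensions" hiding spot) and looking for bytes appended after an image's end-of-image marker, the crudest form of hiding a payload inside a picture and one that a statistical steganalysis tool would not necessarily flag. This is an added example, not code from the deck or from StegDetect/StegSecret; the signature table, the end markers and the sample files are constructed for illustration, and the sample "images" are a few bytes long, not real pictures.

```python
import os

# Magic-byte table (constructed for this example; extend it for real casework).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}
# Markers that end a valid image; bytes after them are not part of the picture.
END_MARKERS = {"jpg": b"\xff\xd9", "png": b"IEND\xae\x42\x60\x82"}


def identify(data):
    """Return the file kind implied by the leading magic bytes, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def extension_mismatch(filename, data):
    """(claimed, actual) when the extension disagrees with the content, else None."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXT_ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is None or claimed == actual:
        return None
    return claimed, actual


def trailing_data(data):
    """Bytes appended after the image's end marker (b"" if none, or not an image).
    Uses the last occurrence of the marker; a payload that itself contains the marker
    would need a real decoder to be located exactly."""
    marker = END_MARKERS.get(identify(data))
    if marker is None:
        return b""
    idx = data.rfind(marker)
    return data[idx + len(marker):] if idx >= 0 else b""


def scan(files):
    """Run both checks over {filename: bytes}; returns a list of (filename, finding)."""
    findings = []
    for name, data in files.items():
        mismatch = extension_mismatch(name, data)
        if mismatch:
            findings.append((name, "extension says %s, content is %s" % mismatch))
        extra = trailing_data(data)
        if extra:
            findings.append((name, "%d bytes after end-of-image marker" % len(extra)))
    return findings


# Constructed sample files: tiny stand-ins, not real images or executables.
SAMPLES = {
    "holiday.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 12,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IEND\xae\x42\x60\x82" + b"PK\x03\x04hidden archive",
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, finding in scan(SAMPLES):
        print("%-14s %s" % (name, finding))
```

Both checks are cheap enough to run over every file in a mounted image; the hits are leads for the hex editor, not proof, since a renamed file or trailing bytes can also come from careless software rather than deliberate hiding.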
  33. Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Why does network forensics play an important role? It can reveal whether the network, or the machine from which the crime was committed, was compromised or not, which can turn out to be really handy in some cases.
  34. Tools: tcpdump, Wireshark, NetworkMiner, Snort.
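What tcpdump and Wireshark do for you, reduced to its core: read a pcap file, decode the Ethernet/IPv4/TCP headers, group packets into conversations and pull out anything noteworthy. The block below is an added example, not code from the deck or from any of the tools it lists; it builds a small capture in memory from constructed frames (checksums left at zero, which the parser does not verify), parses it back with the standard library only, and applies one simple detection, a host sending bare SYNs to many ports on one target. The addresses, ports and the payload are all constructed.

```python
import socket
import struct
from collections import defaultdict

TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH"}


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums 0; the parser does not check them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_frame(frame):
    """Decode one Ethernet frame; returns None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]   # IPv4 total length
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport,
            "flags": [n for bit, n in TCP_FLAGS.items() if tcp[13] & bit],
            "payload": tcp[data_off:]}


def parse_pcap(data):
    """Walk the pcap record headers and decode each frame."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def conversations(packets):
    """Aggregate packets into (src, sport, dst, dport) flows with packet/byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for p in packets:
        f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
        f["packets"] += 1
        f["bytes"] += len(p["payload"])
        f["flags"].update(p["flags"])
    return dict(flows)


def syn_scan_sources(packets, min_ports=3):
    """Hosts that sent bare SYNs to many distinct ports on one target: a simple scan indicator."""
    probes = defaultdict(set)
    for p in packets:
        if p["flags"] == ["SYN"]:
            probes[(p["src"], p["dst"])].add(p["dport"])
    return {pair: sorted(ports) for pair, ports in probes.items() if len(ports) >= min_ports}


# Constructed capture: one HTTP-like exchange plus a burst of SYN probes from another host.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 0x02),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, 0x12),
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
] + [build_frame("10.0.0.7", "10.0.0.9", 50000 + i, port, 0x02)
     for i, port in enumerate((21, 22, 23, 445))])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for key, flow in conversations(pkts).items():
        print(key, flow["packets"], "pkts", flow["bytes"], "bytes", sorted(flow["flags"]))
    print("SYN-scan candidates:", syn_scan_sources(pkts))
```

To run this against a real capture, replace `SAMPLE_PCAP` with the bytes of a file written by tcpdump or Wireshark in classic pcap format; pcapng, VLAN tags, IPv6 and IP options other than the header length are deliberately out of scope here, which is why the real tools exist.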
  35. Activity: find as much information as you can…
  36. Happy Hacking!!!