    File000152 Presentation Transcript

    • Module XXXIX – USB Forensics
    • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    • News: Taiwan on High Alert After Military Leak (Source: http://www.iol.co.za/)
    • News: Boeing Worker’s Data Case Goes to Jury (Source: http://seattletimes.nwsource.com/)
    • Module Objective
      This module will familiarize you with:
        • Universal Serial Bus (USB)
        • USB Flash Drive
        • Misuse of USB
        • USB Forensic
        • USB Forensic Investigation
        • Forensic Tools
    • Module Flow
        • Universal Serial Bus (USB)
        • USB Forensic
        • USB Flash Drive
        • Misuse of USB
        • USB Forensic Investigation
        • Forensic Tools
    • Universal Serial Bus (USB)
        • USB is a serial bus standard for interfacing devices to a host computer
        • It allows many peripherals to be connected to a host computer using a single standardized interface socket
        • It is generally used to connect computer peripherals such as mice, keyboards, PDAs, gamepads and joysticks, scanners, digital cameras, printers, personal media players, and flash drives
    • USB Flash Drive
        • A USB flash drive is a portable, rewritable data storage device integrated with a USB interface
        • It is supported by modern operating systems such as Windows, Mac OS X, Linux, and other Unix-like systems
        • USB 2.0 speeds are up to 30 MB/s for reads and about 15 MB/s for writes
      There are four parts of a flash drive:
        • Male type-A USB connector
        • USB mass storage controller: implements the USB host controller
        • NAND flash memory chip
        • Crystal oscillator: produces the device's main 12 MHz clock signal and controls the device's data output through a phase-locked loop
    • Screenshot: USB Flash Drive
    • Misuse of USB
        • Data theft: a crime in which critical company information may be leaked using a USB flash drive
        • Installing malicious programs: USB devices can be used to propagate and install malicious programs such as viruses, Trojans, spyware, and rootkits, which can damage information and other computer resources
    • USB Forensics
      USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer in a forensically sound manner
      It helps forensic investigators to:
        • Find the date and time of the data theft
        • Identify the person who installed the malicious program
        • Collect the data stored on the USB device
        • Collect information about the data leaked from the computer
        • Trace the criminals who committed the crime using a USB flash drive
    • USB Forensic Investigation
        • Secure and evaluate the scene
        • Document the scene
        • Image the computer and USB device
        • Acquire the data
        • Examine the computer
        • Analyze the USB
        • Generate reports
    • Secure and Evaluate the Scene
        • Ensure that only an authorized person handles the scene
        • Handle USB evidence properly to preserve physical evidence such as fingerprints
        • Interview the owner of the USB device and ask for any security code or password needed to access its contents
        • Do not allow the suspects to handle the USB device or the computer
        • Search the surrounding area and rooms, not only the place where a device is found
    • Document the Scene and Devices
        • Document the state of each device and computer that is synchronized with it
        • Record the location and condition of USB devices, computers, storage media, and other digital devices
        • Refer to non-electronic evidence such as invoices, manuals, and packaging material, which may provide information about USB capabilities and unlocking codes
        • Document the date and time the evidence was collected
        • Photograph the crime scene, including USB devices, cables, cradles, power connectors, and the computer
        • Avoid touching the USB device while photographing
        • Maintain a chain of custody
    • Image the Computer and USB Device
        • Prepare a bit-by-bit copy of the memory and configuration of the affected computer using a tool such as Safe Back
        • Create an image of the USB flash drive using USB Image Tool 1.31
        • Use hashing techniques such as MD5 to check the integrity of the imaged data
    • Acquire the Data
        • Collect all the data from the USB image and computer devices
      You can use these recovery tools to recover the deleted files:
        • Bad data Pro
        • Data Doctor Recovery
    • Check Open USB Ports
      Option 1:
        • Go to Device Manager (screenshots: Open Port, Closed Port)
      Option 2:
        • In Registry Editor, locate and then click the following registry key:
            • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
        • In the details pane, double-click Start
        • In the Value data box, 3 denotes enabled USB and other values indicate disabled USB
    • Examine Registry of Computer: USBSTOR
        • Footprints or artifacts are created in the registry when a USB device is connected to a Windows system
        • The Plug and Play (PnP) Manager queries the device descriptor in the firmware for information about the device
        • After identification, a registry key is created beneath the following key:
            • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
        • Subkeys beneath this key look like:
            • Disk&Ven_###&Prod_###&Rev_###
    • Examine Registry of Computer: DeviceClasses
        • Navigate to the following key:
            • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
        • The value iSerialNumber is a unique instance identifier for the device
        • It is similar to the MAC address of a network interface card
        • The ParentIdPrefix value can be used to correlate additional information from within the Registry
        • ParentIdPrefix determines the time when the USB device was last connected to the Windows system
    • Examine Registry of Computer: MountedDevices
        • The path to MountedDevices is:
            • HKEY_LOCAL_MACHINE\System\MountedDevices
        • The MountedDevices key stores information about the various devices and volumes mounted to the NTFS file system
        • Use the ParentIdPrefix value found within the unique instance ID key to map the entry from USBSTOR to MountedDevices
    • Generate Reports
        • Note the name of the investigator
        • List of evidence gathered
        • Documents of the evidence and other supporting items
        • List of tools used for investigation
        • Devices and setup used in the examination
        • Brief description of the examination steps
        • Details about the findings:
            • Information about the USB data
            • Computer-related evidence
            • Data and image analysis
        • Conclusion of the investigation
    • USB Forensic Tools: Bad Copy Pro
      http://www.jufsoft.com/
        • Bad Copy Pro recovers deleted files, formatted drives, and data lost due to damage, media errors, and bad sectors on a USB flash drive
        • It is safe data recovery software that performs read-only operations on the USB flash drive and saves the recovered files
    • Data Doctor Recovery
      http://www.datadoctor.in/
        • Data Doctor Recovery supports major USB device manufacturers such as Super flash, Kingston, Samsung, Transcend, Sony, and other latest series
        • The software is simple to use and provides a user-friendly interface
      Features:
        • Recovers lost files including jpg, jpeg, gif, bmp, mpeg, and other stored records
        • Supports USB drives including pen drives, Zip drives, SD cards, PC cards, flash memory, etc.
        • Scans and transports data to a safe location according to the preloaded file structure
        • Recovers damaged data from any software virus attack
    • Data Doctor Recovery: Screenshot
    • USB Image Tool
      http://www.alexpage.de/
      USB Image Tool is freeware that can create images of USB memory sticks
      Features of USB Image Tool:
        • Creates image files of USB drives
        • Restores images of USB drives
        • Compressed image file format
        • Shows USB device information
        • Manages favorite USB images
    • USB Image Tool: Screenshot
    • USBDeview
      http://www.nirsoft.net/
        • USBDeview is a small utility that lists all USB devices that are currently connected to your PC or have been connected to it in the past
        • Along with the device’s name and description, it displays the serial number, the dates the device was added and last connected, VendorID, and other information
        • It can also be used to gather USB devices from a remote computer via the command line
    • USBDeview: Screenshot
    • Summary
        • USB is a serial bus standard for interfacing devices to a host computer
        • A USB flash drive is a portable, rewritable data storage device integrated with a USB interface
        • USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer under forensically sound conditions
        • Footprints or artifacts are created in the registry when a USB device is connected to a Windows system
        • USB CopyNotify is a software utility that notifies when a USB stick is being used on any of the PCs on the network
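
The registry checks from the "Check Open USB Ports" and "Examine Registry of Computer" slides, worked offline on a regedit text export. This is an added example, not part of the original deck: it reads the UsbStor Start value, splits each USBSTOR subkey into vendor, product and revision, and uses ParentIdPrefix to find the matching MountedDevices entry. The sample export, the ACME device and all helper names are constructed for illustration, and each value is assumed to sit on one line (continuation lines already joined).

```python
import re

USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\Disk&Ven_(.*?)&Prod_(.*?)&Rev_(.*?)\\(.+)$", re.I)
def _hex(s):  # render text the way regedit exports UTF-16LE REG_BINARY data
    return ",".join(f"{b:02x}" for b in s.encode("utf-16-le"))

# Constructed sample export; vendor, serial and ParentIdPrefix are made up.
SAMPLE_REG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]",
    '"Start"=dword:00000003',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_ACME&Prod_FlashDisk&Rev_1.00\0123456789AB&0]",
    '"ParentIdPrefix"="7&1a2b3c4d&0"',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]",
    r'"\\DosDevices\\C:"=hex:1f,2e,3d,4c,00,7e,00,00,00,00,00,00',
    r'"\\DosDevices\\E:"=hex:' + _hex(r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM"),
])

def parse_reg(text):  # -> {key_path: {value_name: value}}
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"(.*?)"=(.*)$', line)):
            name, raw = m[1].replace("\\\\", "\\"), m[2]
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith("hex:"):
                cur[name] = bytes.fromhex(raw[4:].replace(",", ""))
            else:
                cur[name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def _key(keys, tail):  # first key whose path ends with `tail`, case-insensitive
    return next((v for k, v in keys.items() if k.lower().endswith(tail)), {})

def usb_report(text):
    keys, devices = parse_reg(text), []
    mounted = _key(keys, r"\mounteddevices")
    for path, vals in keys.items():
        if not (m := USBSTOR_RE.search(path)):
            continue
        prefix = vals.get("ParentIdPrefix", "").lower()  # embedded in MountedDevices data
        mounts = [n for n, d in mounted.items() if prefix and isinstance(d, bytes)
                  and prefix in d.decode("utf-16-le", "ignore").lower()]
        devices.append({"vendor": m[1], "product": m[2], "revision": m[3],
                        "instance_id": m[4], "mounted_as": mounts})
    enabled = _key(keys, r"\services\usbstor").get("Start") == 3  # slide: 3 = enabled
    return {"usbstor_enabled": enabled, "devices": devices}
```

Run it against an export taken from the forensic image rather than the live system, so the examination does not alter the evidence.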