D marques   digital forensics 101
Transcript

  • 1. Data Recovery Center Company | All Rights Reserved. Corporate Presentation 2012. David Marques 2012 | All rights reserved.
    Digital Forensics 101
    David Marques
    E-mail: DMarques@DRC.pt
    Address: Rua Alexandre Herculano, Edifício Central Park, 1 - Piso 7, 2795-242 Linda-a-Velha | GPS coordinates: 38° 43' 02.17" N, 09° 14' 16.50" W
    Phone: 707 200 017 | Phone: (+351) 214 146 810 | Emergency service: (+351) 964 944 112 | Fax: (+351) 214 146 819
  • 2. Agenda | Digital Forensics 101 (26-Apr-13)
    – Tools & Training
    – Definitions
    – History
    – Portuguese Law
    – Branches & Methodologies
    – Future?
  • 3. Definition: "Digital Forensics" (Computer Forensics)
    Definition (Wikipédia): Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
  • 4. Definition: "Digital Forensics" (Computer Forensics)
    Applications:
    • Support or refute a hypothesis before a criminal or civil court.
    • Internal corporate investigations or intrusion investigation.
  • 5. History: "Forensics"
    Derived from the Latin forum and the requirement to present both sides of a case before the judges (or jury) appointed by the praetor.
  • 6. History
    • 1248 – A Chinese treatise describes features that allow one to distinguish between drowning and strangulation, drawing on medical knowledge.
    • 1609 – F. Demelle (France) publishes a treatise on systematic document examination.
    • 1686 – M. Malpighi (Italy) notes fingerprint characteristics.
  • 7. History
    • 1810 – First documented case of document analysis based on ink dyes.
    • 1813 – M. Orfile (Spain) publishes a toxicology guide.
    • 1823 – J. Purkinje (Poland) publishes the first systematic classification of fingerprints.
    • 1835 – H. Goddard (UK) uses bullet comparison to identify a murder weapon based on irregularities in a bullet mould.
  • 8. History
    • 1870 – Albert Bertillon
      – First technician at La Sûreté Nationale (Paris)
      – Recorded criminals by photographs and body measurements
      – Took photographs of victims; measured footprints, stains and tool marks
      – Said that "no two human bodies were exactly alike"
  • 9. History
    • 1910 – Edmond Locard
      – Founded the first forensic crime laboratory in Lyon
      – Locard's Exchange Principle: "Every contact between individuals & objects results in a transfer of material between them"
  • 10. History
    • 1970s – First cases of crimes involving computer systems.
    • In the first documented cases using magnetic media and computers as evidence, investigators attempted to transfer the "document" analogy to the digital representations.
    • The US FBI Laboratory started a formal programme to examine computer-based evidence (CART – Computer Analysis and Response Team).
  • 11. History
    • 1989 – "Aids Diskette Case"
      – 20,000 diskettes (supposed to contain medical research) contained a trojan used for blackmail; they were shipped to medical clinics in 30 countries
      – Evidence was collected and shipped to New Scotland Yard (via Interpol HQ, Lyon)
      – Jim Bates, a programmer, was asked to write an imaging tool (DIBS – Data Image Backup System)
  • 12. Portuguese Law
    • n Types of Law
      – Civil Law
      – Criminal Law
      – Commercial Law
      – Copyright
      – Intellectual Property Right
  • 13. Portuguese Law
    • n Types of Law
      – Civil Law: each of the parties can present evidence
      – Criminal Law: the State has to investigate and present the evidence (Ministério Público)
  • 14. Portuguese Law
  • 15. Portuguese Law
    • Jurisprudence: previous decisions of courts on certain interpretations of laws.
  • 16. Legal: Mindset
    Legal vs Technical
  • 17. Legal: Judge
    • The judge will not decide whether an IP address is good enough to prove an identity.
    • The judge will not decide whether a port scan can leak information.
    • The judge will decide whether any law has been violated.
    • The judge will decide whether someone is responsible for the action he is accused of.
  • 18. Branches (Areas)
    - Computer
    - Mobile
    - Network
    - Software
    - Video
    - Audio
    - Etc.
  • 19. Digital Forensics
  • 20. Digital Forensics
  • 21. Why?
  • 22. Why?
  • 23. Why?
    Exponential growth in security incidents and cybercrime.
  • 24. Why?
    • Digital evidence can be unique and determinant for the resolution of a dispute.
    • Unique use of digital evidence without compromising its integrity.
  • 25. Digital Evidence
  • 26. Digital Evidence
  • 27. Digital Evidence
    Four kinds (quadrants 1–4): Physical, Logical, Logs, Backups
  • 28. Digital Evidence: Hashing
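    The "Hashing" slide is the point where evidence integrity (slide 24: using digital evidence "without compromising its integrity") becomes concrete: an acquired image is hashed at acquisition time, the digest is recorded, and every later examination re-hashes the image and compares. The block below is an added example written for this transcript; it is not code from the deck, from DRC or from any of the tools listed later. It assumes a raw image file on disk and a JSON sidecar record (both names are the example's own choice), hashes the image in chunks so that multi-gigabyte images do not need to fit in memory, and keeps MD5 next to SHA-256 only so the record can be compared with reports from older tooling (MD5 alone should not be relied on for integrity).

```python
"""Integrity hashing of an acquired evidence image (added example, not the deck's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# SHA-256 is the digest the integrity claim rests on; MD5 is recorded only for
# comparison with legacy tool reports and is not trusted on its own.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1024 * 1024  # read 1 MiB at a time so large images stream through


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Digest an in-memory byte string (handy for small test vectors)."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_file(path, algorithms=ALGORITHMS) -> dict:
    """Digest a file chunk-wise, feeding every algorithm from one pass over the data."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def write_record(image_path, record_path) -> dict:
    """Acquisition step: record name, size and digests of the image in a sidecar file."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    Path(record_path).write_text(json.dumps(record, indent=2))
    return record


def verify_record(image_path, record_path):
    """Examination step: re-hash the image and report every algorithm that disagrees."""
    record = json.loads(Path(record_path).read_text())
    current = hash_file(image_path)
    mismatches = {
        a: (expected, current.get(a))
        for a, expected in record["hashes"].items()
        if current.get(a) != expected
    }
    return (not mismatches, mismatches)


def demo() -> dict:
    """Run acquisition, verification, a simulated one-bit change, and re-verification."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")        # constructed sample image
        rec = os.path.join(d, "evidence.dd.json")   # constructed sidecar record
        Path(img).write_bytes(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
        write_record(img, rec)
        ok_before, _ = verify_record(img, rec)
        # Flip one bit inside the image to show that any change is caught.
        data = bytearray(Path(img).read_bytes())
        data[4100] ^= 0x01
        Path(img).write_bytes(bytes(data))
        ok_after, mism = verify_record(img, rec)
        return {"before": ok_before, "after": ok_after, "mismatched": sorted(mism)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In practice the sidecar record is signed or stored separately from the image (a hash stored next to the file it protects proves nothing if both can be rewritten together), and the verification output is what goes into the examiner's notes at every hand-over.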
  • 29. Methodology
  • 30. Tools: Open Source
    • Helix
    • DEFT
    • Sleuth Kit
    • Autopsy
    • Tons of others…
  • 31. Tools: Closed Source
    • Encase
    • FTK
    • X-Ways
    • Paraben's
    • Some others…
  • 32. Tools: Closed Source (Mobile)
    • XRY
    • Cellebrite UFED
    • Oxygen Forensics
    • Some others…
  • 33. Tools: Open Source vs Closed Source
    • Cost
    • Command line vs GUI
    • Support quality and model
    • Training plans
    • Documentation (manuals, etc.)
    • Source code is available
    • Acceptance in courts
  • 34. Training
    Product Specific vs General
  • 35. Training: Product Specific
    • Encase
    • FTK
    • Paraben
    • Cellebrite
    • Other…
  • 36. Training: General
    • SANS (FOR408; FOR508; FOR526; FOR610)
    • EC Council (CHFI; CIH)
  • 37. Future
    • Cloud Storage
    • Legal
    • SSD
    • Encryption
    • Anti-Forensics
    • Standards and Procedures
    • Accreditation
  • 38. Q & A
    Thanks!
    David Marques
    dmarques@drc.pt
    www.drc.pt