2. Content
• What is Computer/Electronic Forensic
• Why Computer/Electronic Forensic
• Collection Options
• The Five Rules of Evidence
• Steps of Computer Forensic
• Method of Collection
• Source of Evidence
• Digital Evidence Types
• Volatile Evidence Acquisition
• Non-Volatile Evidence Acquisition
• Toolkits & Tools
3. What is Computer Forensic
• Finding information that supports a hypothesis.
• Examination of related sources of information
– Hard Drives
– Firewall Logs
– Network packets
– Portable storage
7. Do's & Don'ts
• Minimize Handling/Corruption of Original Data
• Account for Any Changes and Keep Detailed Logs of Your Actions
• Comply with the Five Rules of Evidence
• Do Not Exceed Your Knowledge
• Follow Your Local Security Policy and Obtain Written Permission
• Capture as Accurate an Image of the System as Possible
• Be Prepared to Testify
• Ensure Your Actions are Repeatable
• Work Fast
• Proceed From Volatile to Persistent Evidence
• Don't Shut Down Before Collecting Evidence
• Don't Run Any Programs on the Affected System
10. Source of Evidence
• Evidence can reside on computers, network equipment and servers.
• Various tools are available to extract evidence from these sources.
11. Evidence on Workstations & Servers
• Locations (Disks)
– Disk partitions
– Master Boot Record (MBR)
– Boot sector
– File Allocation Tables (FAT)
– Volume slack (space between the end of the file system and the end of the partition)
– File slack (space allocated to a file but not used by it)
– Unallocated space
12. Evidence on Workstations & Servers
• Locations (Memory or RAM)
– Registers & Cache
– RAM
– Swap space (on disk)
13. Evidence on Servers & Network Equipment
• Router system logs
• Firewall logs of successful and unsuccessful attempts
• Syslog files in /var/log on Unix systems
• wtmp logs (read with the last command) on Unix systems
15. Volatile Evidence Acquisition
• Process Listings
• Service Listings
• System Information
• Logged on & Registered Users
• Network Information
• ARP Cache
• Auto Start Information
• Registry Information
• A binary dump of memory
17. Techniques of Volatile Evidence Acquisition
• Memory Acquisition
Windows
• You can image the memory using the HELIX GUI interface.
• dd can be used to copy the memory of Windows 2k/XP/2003, but not Vista or 2003 SP1:
• dd if=\\.\PhysicalMemory of=C:\mem.img conv=noerror,sync
• When dd reaches the end of memory it stops with the error "The parameter is incorrect."
Linux
• Multiple tools can be used, such as:
• dd
• Memdump
• e.g.: ./memdump > mem.img
• You can use netcat (nc) to send the image over the network.
19. Hard Drives Acquisition
            Windows               Linux
Physical    \\.\PhysicalDrive0    IDE:        /dev/hda, /dev/hdb, ...
            \\.\PhysicalDrive1    SATA/SCSI:  /dev/sda, /dev/sdb
Logical     \\.\C:                /dev/sda1
            \\.\D:                /dev/sda2
20. Hard Drives Acquisition
• Hardware based Acquisition
– Remove the hard drive from the machine and use a standalone toolkit to image the entire disk
– Mostly suitable for dead system acquisition
– Built-in write blocking, so no separate write blockers are needed
– More efficient, but more expensive
21. Hard Drives Acquisition
• Software Based Acquisition
– Live System
• Using the Helix CD with external storage or over the network
– Dead System
• Boot from the Helix CD and attach external storage (USB) to acquire the hard drives
• The drive can be removed from the case and copied on a forensics workstation with a write blocker (SW or HW)
– Imaging software
• dd
• dcfldd
• HELIX GUI imaging
22. Tools & Toolkit
• dd : command line tool to copy bit-by-bit
• dcfldd : enhanced version of dd
• Memdump : Unix tool to image the memory
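The dd-based imaging from slides 21 and 22, together with the closing advice to check results with more than one tool, as an added shell example that is not part of the slides: it images a source with dd, keeps a timestamped log, and verifies the copy by SHA-256 and by a byte-wise cmp. The source device path and the log layout are assumptions; a constructed file stands in for the device.

```shell
#!/bin/sh
# Added example (not from the slides): image a source with dd, log each step,
# and verify the copy with two independent tools (sha256 and cmp).
# Assumption: SRC is a readable block device (e.g. /dev/sdb). When run
# stand-alone a constructed file stands in for it. Output: IMG and IMG.log.

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

sha256_of() {
    # Portable SHA-256 helper: GNU coreutils sha256sum, else BSD/Perl shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_image() {
    # Two tools must agree: equal SHA-256 digests AND a byte-wise cmp.
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ] && cmp -s "$1" "$2"
}

acquire_image() {
    src="$1"; img="$2"; log="$2.log"
    echo "$(stamp) start src=$src sha256=$(sha256_of "$src")" >>"$log"
    # Bit-by-bit copy. bs=512 matches the sector size, so it divides a real
    # device exactly; conv=noerror continues past unreadable sectors and
    # conv=sync pads them with zeros so offsets in the image stay aligned.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    echo "$(stamp) done  img=$img sha256=$(sha256_of "$img")" >>"$log"
    if verify_image "$src" "$img"; then
        echo "$(stamp) verified" >>"$log"
    else
        echo "$(stamp) MISMATCH" >>"$log"; return 1
    fi
}

make_sample_device() {
    # Constructed stand-in for a device: 8 sectors of 512 printable bytes.
    : >"$1"; i=0
    while [ "$i" -lt 8 ]; do printf '%0512d' "$i" >>"$1"; i=$((i+1)); done
}
```

On a real system, run acquire_image against the device path from slide 19 with the image written to external storage, never to the evidence disk itself.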
23. Tools & Toolkit
• The Sleuth Kit (TSK)
– Command line tools for file system analysis
– It works on Unix and Windows
– 24 different tools that support all file system layers except the physical layer
– Free and open source
• Autopsy
– The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit
– Very useful and provides great functionality
– Free and open source
24. Tools & Toolkit
• HELIX
– A collection of forensics and Incident Response tools
– Bootable Linux CD; you can boot a dead system and preserve the hard drive
– You can use it on a live system for forensics and IR purposes
– It contains tools such as TSK
– GUI tools and command line tools
26. Tools & Toolkit
• WFT (Windows Forensic Toolchest)
– Memory information
– Logins
– MAC Time
– Event Logs
– System Information
– File system
– Processes
– Auto start
– Services
– Registry
– Drivers
– Network Information
– IE Activity
27. Conclusion
• Open source and free tools are available and can help any investigator achieve his mission.
• Using open source tools gives the investigator a better understanding of what really happened during the investigation.
• Tools can lie, so it is better to use more than one tool to check the results.