Electronic evidence collection


  1. Mohammad Fakrul Alam, Manager, Computer Forensic, BDCERT, 26th June 2009
  2. Content
     • What is Computer/Electronic Forensics
     • Why Computer/Electronic Forensics
     • Collection Options
     • The Five Rules of Evidence
     • Steps of Computer Forensics
     • Method of Collection
     • Source of Evidence
     • Digital Evidence Types
     • Volatile Evidence Acquisition
     • Non-Volatile Evidence Acquisition
     • Toolkits & Tools
  3. What is Computer Forensics
     • Finding information that supports a hypothesis.
     • Examination of related sources of information
       – Hard drives
       – Firewall logs
       – Network packets
       – Portable storage
  4. Why Computer Forensics
  5. Collection Options
  6. The Five Rules of Evidence
  7. Do's & Don'ts
     • Minimize Handling/Corruption of Original Data
     • Account for Any Changes and Keep Detailed Logs of Your Actions
     • Comply with the Five Rules of Evidence
     • Do Not Exceed Your Knowledge
     • Follow Your Local Security Policy and Obtain Written Permission
     • Capture as Accurate an Image of the System as Possible
     • Be Prepared to Testify
     • Ensure Your Actions are Repeatable
     • Work Fast
     • Proceed From Volatile to Persistent Evidence
     • Don't Shut Down Before Collecting Evidence
     • Don't Run Any Programs on the Affected System (the volatile collection on slides 15-17 unavoidably runs tools on the live host; run them from your own trusted media such as the Helix CD, never the suspect system's own binaries, and log that you did so)
  8. Steps of Computer Forensics
  9. Method of Collection
  10. Source of Evidence
     • Evidence can reside on workstations, servers and network equipment.
     • Various tools are available to extract evidence from these sources.
  11. Evidence on Workstations & Servers
     • Locations (Disks)
       – Disk partitions
       – Master Boot Record (MBR)
       – Boot sector
       – File Allocation Tables (FAT)
       – Volume slack (space between the end of the file system and the end of the partition)
       – File slack (space allocated to a file but not used by it)
       – Unallocated space
  12. Evidence on Workstations & Servers
     • Locations (Memory or RAM)
       – Registers & cache
       – RAM
       – Swap space (on disk)
  13. Evidence on Servers & Network Equipment
     • Router system logs
     • Firewall logs of successful and unsuccessful attempts
     • Syslog files in /var/log on Unix systems
     • wtmp logs (read with the last command) on Unix systems
  14. Digital Evidence Types
  15. Volatile Evidence Acquisition
     • Process Listings
     • Service Listings
     • System Information
     • Logged-on & Registered Users
     • Network Information
     • ARP Cache
     • Auto-Start Information
     • Registry Information
     • A binary dump of memory
  16. Steps of Volatile Evidence Acquisition
  17. Techniques of Volatile Evidence Acquisition
     • Memory Acquisition
       – Windows
         • You can image the memory using the HELIX GUI interface.
         • dd can be used to copy the memory of Windows 2000/XP/2003, but not Vista or 2003 SP1 (user-mode access to the \\.\PhysicalMemory device object was removed there):
           dd if=\\.\PhysicalMemory of=C:\mem.img conv=noerror,sync
         • The copy runs until the end of memory, where the error "The parameter is incorrect." is displayed.
       – Linux
         • Multiple tools can be used, such as dd (reading /dev/mem) and memdump, e.g.: ./memdump > mem.img
         • On current kernels /dev/mem is restricted, so a kernel-module acquisition tool is needed instead.
         • You can use netcat (nc) to send the image over the network to the forensic workstation instead of writing it to the suspect system's disk.
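The script below is an added example, not part of the original slides: it walks the volatile set from slide 15 on a live Linux host, most volatile first, and records every artefact in an evidence directory together with a timestamped log of the exact command, its exit status and a SHA-256 hash of the output, which is what the "keep detailed logs" and "ensure your actions are repeatable" rules on slide 7 ask for. The directory layout, artefact names and log format are this example's own choices, and tools that are not installed are skipped (and logged as skipped) rather than aborting the run. A memory dump is left as a comment because it depends on the tool chosen; the netcat variant from the slide is shown there, with the listener syntax varying by netcat build.

```shell
#!/bin/sh
# Added example, not from the original slides: order-of-volatility collection
# on a live Linux host with a chain-of-custody style log.
# On a real case point PATH at your own trusted toolkit (e.g. a mounted Helix
# CD) before running this, so nothing is executed from the suspect system.

EVIDENCE_DIR=""   # both set by collect_volatile
LOGFILE=""

# sha256_of FILE: sha256sum on Linux; swap for "shasum -a 256" on BSD/macOS
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# record_artifact NAME CMD...: run CMD, keep stdout+stderr as NAME.txt in the
# evidence directory, and log start/end time, exit status, hash and command.
# Output never goes to the suspect disk, only to EVIDENCE_DIR.
record_artifact() {
    name="$1"; shift
    out="$EVIDENCE_DIR/$name.txt"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    status=0
    "$@" >"$out" 2>&1 || status=$?
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\t%s\t%s\tstatus=%s\tsha256=%s\tcmd=%s\n' \
        "$start" "$end" "$name" "$status" "$(sha256_of "$out")" "$*" >>"$LOGFILE"
}

# if_present TOOL NAME CMD...: collect only when TOOL exists on this host,
# otherwise leave a "skipped" line so the gap is accounted for in the log
if_present() {
    tool="$1"; shift
    if command -v "$tool" >/dev/null 2>&1; then
        record_artifact "$@"
    else
        printf '%s\tskipped\t%s\t(%s not available)\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$tool" >>"$LOGFILE"
    fi
}

# collect_volatile DIR: slide 15's list, most volatile first
collect_volatile() {
    EVIDENCE_DIR="$1"
    LOGFILE="$EVIDENCE_DIR/collection.log"
    mkdir -p "$EVIDENCE_DIR"
    printf 'collection started %s on host %s by uid %s\n' \
        "$(date -u)" "$(uname -n)" "$(id -u)" >>"$LOGFILE"
    record_artifact system_info     uname -a
    record_artifact date_and_uptime sh -c 'date -u; cat /proc/uptime 2>/dev/null'
    if_present ps      processes             ps -ef
    if_present who     logged_on_users       who
    if_present ss      network_conns         ss -tunap
    if_present netstat network_conns_netstat netstat -an
    if_present ip      arp_cache             ip neigh
    if_present arp     arp_cache_arp         arp -an
    if_present lsmod   kernel_modules        lsmod
    if_present mount   mounts                mount
    record_artifact environment     env
    # Memory is last of the volatile set only because it takes longest. With
    # the deck's memdump available, add e.g.:
    #   record_artifact memory sh -c 'memdump > mem.img'
    # or stream it to the workstation instead of touching local disk:
    #   memdump | nc WORKSTATION 9999      (listener: nc -l -p 9999 > mem.img)
    printf 'collection finished %s\n' "$(date -u)" >>"$LOGFILE"
}

# count_artifacts: number of artefacts recorded (with a hash) in the current log
count_artifacts() {
    grep -c 'sha256=' "$LOGFILE"
}

if [ "${1:-}" = "run" ]; then
    collect_volatile "${2:-./evidence-$(date -u +%Y%m%dT%H%M%SZ)}"
    echo "recorded $(count_artifacts) artefacts in $EVIDENCE_DIR"
fi
```

Run it as `sh collect.sh run /mnt/usb/case-001` with the evidence directory on your own removable or network storage. The log line for each artefact is enough to reproduce the step and to show that the stored output has not changed since collection.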
  18. Non-Volatile Evidence Acquisition
     • Physical volumes vs. logical volumes
  19. Hard Drives Acquisition
                   Windows                 Linux
     Physical      \\.\PhysicalDrive0      IDE:       /dev/hda, /dev/hdb
                   \\.\PhysicalDrive1      SATA/SCSI: /dev/sda, /dev/sdb
     Logical       \\.\C:, \\.\D:          /dev/sda1, /dev/sda2
  20. Hard Drives Acquisition
     • Hardware-based acquisition
       – Remove the hard drive from the machine and use a standalone toolkit to image the entire disk
       – Mostly suitable for dead-system acquisition
       – Built-in write blocking, so no separate write blocker is needed
       – More efficient, and more expensive
  21. Hard Drives Acquisition
     • Software-based acquisition
       – Live system
         • Using the Helix CD with external storage or over the network
       – Dead system
         • Boot from the Helix CD and attach USB storage to acquire the hard drives
         • Or remove the drive from the case and copy it on a forensic workstation through a write blocker (software or hardware)
       – Imaging software
         • dd
         • dcfldd
         • HELIX GUI imaging
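As an added example (not from the original slides), here is the software-based acquisition of slides 19-21 done with plain dd plus the check an examiner wants before relying on an image: hash the source and the image, record both beside the image, and be able to re-verify the image later. Device paths follow slide 19 (e.g. /dev/sda); the log file name, its fields and the VERIFIED/MISMATCH output are this example's own conventions. Run it from a forensic boot CD or behind a write blocker; the source is only ever opened for reading.

```shell
#!/bin/sh
# Added example, not from the original slides: dd-based disk acquisition with
# hash verification and a re-verification step for later analysis sessions.

# sha256_of FILE: sha256sum on Linux; swap for "shasum -a 256" on BSD/macOS
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_device SOURCE IMAGE: bit-for-bit copy, then hash source and image and
# write IMAGE.log beside the image. Prints VERIFIED or MISMATCH.
#
# bs=512 (one sector) is deliberate: with conv=noerror,sync every unreadable
# block is replaced by exactly one zero-filled sector, so all later offsets
# stay aligned, and no zero padding is appended after the final block as it
# would be with a bs that does not divide the device size (that padding makes
# the image hash differ from the source hash even on a healthy drive). A larger
# bs is faster but only safe if the image size is checked against the device.
image_device() {
    src="$1"; img="$2"; log="$2.log"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.txt" \
        || { echo "dd failed, see $img.dd.txt" >&2; return 3; }
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    src_hash="$(sha256_of "$src")"
    img_hash="$(sha256_of "$img")"
    {
        printf 'source=%s\nimage=%s\nstart=%s\nend=%s\n' "$src" "$img" "$start" "$end"
        printf 'sha256_source=%s\nsha256_image=%s\n' "$src_hash" "$img_hash"
        printf 'size_image=%s\n' "$(wc -c <"$img" | tr -d ' ')"
    } >"$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo VERIFIED
    else
        # a drive with read errors will land here: the padded sectors differ
        # from whatever the second read of the source returned
        echo MISMATCH
        return 1
    fi
}

# verify_image IMAGE: recompute the image hash and compare it with the one
# recorded at acquisition time, before every analysis session and whenever the
# image changes hands. Prints VERIFIED or MISMATCH.
verify_image() {
    img="$1"; log="$1.log"
    recorded="$(sed -n 's/^sha256_image=//p' "$log")"
    [ -n "$recorded" ] || { echo "no recorded hash in $log" >&2; return 2; }
    if [ "$(sha256_of "$img")" = "$recorded" ]; then
        echo VERIFIED
    else
        echo MISMATCH
        return 1
    fi
}

# dcfldd (slide 22's "enhanced dd") hashes in the same pass as the copy:
#   dcfldd if=/dev/sda of=/mnt/evidence/sda.img hash=sha256 hashlog=/mnt/evidence/sda.hash

if [ "${1:-}" = "image" ] && [ $# -eq 3 ]; then
    image_device "$2" "$3"
fi
```

Usage on a booted forensic CD with the evidence volume mounted read-write: `sh acquire.sh image /dev/sda /mnt/evidence/sda.img`, then `verify_image /mnt/evidence/sda.img` in each later session. A MISMATCH from image_device on a drive that reports read errors is expected; the dd.txt file records how many blocks were affected.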
  22. Tools & Toolkit
     • dd: command-line tool to copy bit by bit
     • dcfldd: enhanced version of dd (adds hashing during the copy, progress output and split images)
     • Memdump: Unix tool to image memory
  23. Tools & Toolkit
     • The Sleuth Kit (TSK)
       – Command-line tools for file system analysis
       – Works on Unix and Windows
       – 24 different tools that support all file system layers except the physical layer
       – Free and open source
     • Autopsy
       – The Autopsy Forensic Browser is a graphical interface to the command-line digital investigation tools in The Sleuth Kit
       – Very useful and provides great functionality
       – Free and open source
  24. Tools & Toolkit
     • HELIX
       – A collection of forensics and incident response tools
       – Bootable Linux CD: you can boot a dead system and preserve the hard drive
       – You can also use it on a live system for forensics and IR purposes
       – Contains tools such as TSK
       – GUI tools and command-line tools
  25. Tools & Toolkit
     • HELIX
  26. Tools & Toolkit
     • WFT (Windows Forensic Toolchest)
       – Memory information
       – Logins
       – MAC times
       – Event logs
       – System information
       – File system
       – Processes
       – Auto start
       – Services
       – Registry
       – Drivers
       – Network information
       – IE activity
  27. Conclusion
     • Open source and free tools are available and can help any investigator to achieve his mission.
     • Using open source tools gives the investigator a better understanding of what really happened during the investigation.
     • Tools can lie, so it is better to use more than one tool and cross-check the results.
  28. Thank You
  29. Questions
