DATA64-Live and Non-Live Forensics
    Presentation Transcript

    • Live and Non-Live Forensics (Applied Cyber Forensics). By: Catalyst
    • Digital Evidence
      • Searching
      • Examining
      • Collecting
      • Preserving
    • Live Forensics
      • What is live forensics? Examination of a system while it is still running, so that evidence which exists only in its running state can be captured before it is lost.
      • Why do we need live forensics?
        • Evidence may exist only in RAM (main memory): running processes, open network connections, keys and passwords in use.
        • A file is in unencrypted form while the suspect is using it, even if it is stored encrypted on disk; power off and that access is gone.
        • The paging file and other volatile state could be lost on shutdown.
      • Caveat: every tool run on a live system changes it (a new process, memory allocations, registry and prefetch entries), so collect in order of volatility (memory and network state first, disk last) and log each action with its time.
    • Conducting a Live Forensic Examination: three steps
      1. Retrieval of volatile data
      2. Forensic imaging of the live system
      3. Evidence retrieval using portable tools
    • Retrieval of Volatile Data
      • Volatile Evidence Retrieval Tool [vertool.exe]
      • Portable: run from the USB drive, so nothing is installed on the suspect machine.
      • Creates a folder named Reports containing 12 text files:
        • Arp.txt
        • Boot_configuration.txt
        • Driver_list.txt
        • Event_triggers.txt
        • Exe_ports.txt
        • File_associations.txt
        • Gp_settings.txt
        • Mac.txt
        • network_config.txt
        • Process_list.txt
        • Stats.txt
        • System_info.txt
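The collection step above, written out as an added example. This is not vertool.exe or its source; it is a small Python collector that runs the built-in Windows commands behind report names like the ones listed, writes each output to a Reports folder (which should live on the examiner's USB drive, not on the evidence disk), and records a SHA-256 and timestamp for every report in a manifest so the collection can be authenticated later. The command table and report names are assumptions chosen to mirror the list above; a command that fails is logged rather than aborting the run, because on a live system you keep collecting.

```python
"""Collect volatile data from a live Windows host into a Reports folder.
Added example in the spirit of the vertool.exe reports listed above; it is
not that tool. Each report gets a SHA-256 and a UTC timestamp in manifest.json."""
import hashlib
import json
import os
import subprocess
import sys
import time

# Built-in Windows commands, named to mirror the vertool.exe report files
# (assumed mapping). Ordered roughly most-volatile first.
WINDOWS_COMMANDS = {
    "process_list": ["tasklist", "/v"],
    "exe_ports": ["netstat", "-anob"],
    "arp": ["arp", "-a"],
    "network_config": ["ipconfig", "/all"],
    "mac": ["getmac", "/v"],
    "driver_list": ["driverquery", "/v"],
    "boot_configuration": ["bcdedit", "/enum"],
    "system_info": ["systeminfo"],
    "gp_settings": ["gpresult", "/r"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_volatile(commands, report_dir, timeout=60):
    """Run each command, save stdout+stderr to <report_dir>/<name>.txt and
    return the manifest {name: {command, collected_at, sha256, size, ...}}.
    A command that cannot run is recorded with an 'error' key, not fatal."""
    os.makedirs(report_dir, exist_ok=True)
    manifest = {}
    for name, argv in commands.items():
        entry = {"command": argv,
                 "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output = proc.stdout + proc.stderr
            entry["returncode"] = proc.returncode
        except (OSError, subprocess.SubprocessError) as exc:
            output = b""
            entry["error"] = repr(exc)
        with open(os.path.join(report_dir, f"{name}.txt"), "wb") as fh:
            fh.write(output)
        entry["sha256"] = sha256_hex(output)   # hash taken at collection time
        entry["size"] = len(output)
        manifest[name] = entry
    with open(os.path.join(report_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_reports(report_dir):
    """Re-hash every report against manifest.json; returns {name: True/False}."""
    with open(os.path.join(report_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    results = {}
    for name, entry in manifest.items():
        with open(os.path.join(report_dir, f"{name}.txt"), "rb") as fh:
            results[name] = sha256_hex(fh.read()) == entry["sha256"]
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "Reports"
    for name, entry in collect_volatile(WINDOWS_COMMANDS, target).items():
        status = entry.get("error", "ok")
        print(f"{name:20s} {entry['size']:8d} bytes  {entry['sha256'][:16]}...  {status}")
```

Run it as `python collect.py E:\Reports` from the examiner's USB drive; `verify_reports` is what you run later, in the lab, to show the text files are the ones collected.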
    • Forensic Imaging of a Live System
      • The WinHex tool is used.
      • It copies sectors from a disk into an uncompressed, unsplit, raw, header-less image file (dd-style), which any other forensic tool can read.
      • To copy main memory, the ManTech physical memory dump utility is used.
    • Evidence Retrieval Using Portable Tools
      • Run from CD-ROM or USB, for quick evidence analysis without installing anything on the suspect system.
      • AdapterWatch shows, per network adapter:
        • IP addresses
        • Hardware (MAC) address
        • WINS servers
        • DNS servers
        • MTU value
        • Number of bytes received or sent
        • Current transfer speed
        • TCP/UDP/ICMP statistics
    • AdapterWatch [screenshot slide]
    • Other Live Forensic Tools
      • CurrPorts, CurrProcess
      • Clipboardic
      • MyUninstaller, InsideClipboard
      • MyLastSearch, NetResView
      • MacMatch, MacAddressView
      • OpenedFilesView, RecentFilesView
    • Browser Forensic Tools
      • ChromeCacheView
      • ChromePass
      • IECacheView
      • IEHistoryView
      • IECookiesView
      • IE PassView
      • MozillaCacheView
      • MozillaHistoryView
      • MozillaCookiesView
      • FavoritesView
    • Data Recovery and Password Recovery Software
      • FDRS [Free Data Recovery Software]
      • DiskDigger
      • WirelessKeyView
      • Dialupass
      • MessenPass
      • Network Password Recovery
      • VNCPassView
      • Mail PassView
      • Encryption Analyzer
    • Non-Live Forensics
      • What is non-live (dead) forensics? Examination of a powered-off system's storage, working only on a forensic copy of it.
      • WinHex is mainly used.
      • Cloning and imaging is done sector-wise, including slack space, so that deleted and residual data are captured along with the live files.
      • The image created by WinHex should be mathematically authenticated using a suitable hash function [MD5, SHA-256]: record the hash at acquisition and re-verify it before and after analysis. Prefer SHA-256; MD5 collisions are practical, so an MD5-only hash is weak evidence that an image was not substituted.
      • The image can also be split and concatenated for ease of storage; the hash of the concatenated image must match the acquisition hash.
    • Analyzing for Digital Forensics
      • The first process is to boot a copy of the evidence image, never the original.
      • Live View: the investigator should first attempt to "boot" the image using it, in a virtual machine environment, so that the system can be examined as the suspect saw it while the image file itself is not modified.
    • Analyzing for Digital Forensics
      • X-Ways Forensics
      • It can automatically create reports.
      • Case files use the .xfc file extension.
      • Modus operandi:
        1. The disk drive of a computer is imaged.
        2. The hash value of this image is computed.
        3. The image is split into parts so that they can be stored on CDs for easy archival.
        4. The parts are later concatenated for analysis. The hash value of the concatenated parts is also computed and must match the value from step 2.
        5. The image is then analyzed to recover exe files.
        6. Search for the suspected file.
        7. The free space is gathered.
        8. The slack space is gathered.
        9. The text in the slack space is recovered.
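Steps 1 to 4 and 7 to 9 of the modus operandi above, and the hash-then-split-then-verify rule from the Non-Live Forensics slide, carried through as one added example. This is not WinHex or X-Ways code. The "disk image" is a constructed byte string with an assumed 512-byte cluster size and a toy allocation table, so everything runs offline: it hashes the image, splits it into parts and re-concatenates them, refuses to proceed if the hash no longer matches, then gathers free space and file slack and recovers the printable text that earlier data left behind.

```python
"""Worked non-live workflow (added example, not X-Ways or WinHex code).
Image -> hash -> split -> concatenate -> re-verify -> free space -> slack -> text."""
import hashlib

CLUSTER = 512        # assumed allocation-unit size for the toy image
CHUNK = 1 << 20      # hash in 1 MiB pieces so real multi-GB images fit in memory


def hash_image(data, algo="sha256"):
    """Step 2 (and 4): hash of the whole image, computed incrementally."""
    h = hashlib.new(algo)
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


def split_image(data, part_size):
    """Step 3: cut the image into equal parts (the last may be shorter)."""
    return [data[i:i + part_size] for i in range(0, len(data), part_size)]


def concatenate(parts):
    """Step 4: rebuild the image from its parts, in order."""
    return b"".join(parts)


# Toy allocation table (constructed): report.txt is 700 bytes and owns clusters
# 0-1, so it uses 188 bytes of cluster 1 and the remaining 324 bytes are slack.
TOY_FILES = {"report.txt": {"clusters": [0, 1], "size": 700}}


def build_toy_image():
    """Constructed 4-cluster image. Old data is written first, then the current
    file over clusters 0-1, the way reuse on a real disk leaves remnants."""
    img = bytearray(4 * CLUSTER)
    old = b"old ledger: transfer 5000 to acct 7788\x00" * 2
    img[700:700 + len(old)] = old                            # lands in file slack
    remnant = b"\x00" * 40 + b"confidential memo draft\x00"
    img[2 * CLUSTER:2 * CLUSTER + len(remnant)] = remnant    # lands in free space
    img[0:700] = (b"Hello from report.txt\n" * 40)[:700]     # the live file
    return bytes(img)


def gather_slack(image, files):
    """Step 8: file slack is the tail of a file's last cluster past its logical
    size. Works for any cluster chain, contiguous or not."""
    slack = {}
    for name, meta in files.items():
        last = meta["clusters"][-1]
        used_in_last = meta["size"] - (len(meta["clusters"]) - 1) * CLUSTER
        slack[name] = image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]
    return slack


def gather_free_space(image, files):
    """Step 7: every cluster that no file in the table owns."""
    allocated = {c for meta in files.values() for c in meta["clusters"]}
    return b"".join(image[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(len(image) // CLUSTER) if c not in allocated)


def recover_text(data, min_len=6):
    """Step 9: printable-ASCII runs of at least min_len bytes (strings-style)."""
    found, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def run_workflow(part_size=1024):
    image = build_toy_image()                     # 1. drive imaged (constructed here)
    image_hash = hash_image(image)                # 2. hash recorded at acquisition
    parts = split_image(image, part_size)         # 3. split for archival
    rebuilt = concatenate(parts)                  # 4. concatenated for analysis
    if hash_image(rebuilt) != image_hash:         #    and re-authenticated
        raise ValueError("concatenated image does not match acquisition hash")
    free = gather_free_space(rebuilt, TOY_FILES)  # 7. free space gathered
    slack = gather_slack(rebuilt, TOY_FILES)      # 8. slack space gathered
    return {
        "hash": image_hash,
        "parts": len(parts),
        "slack_text": recover_text(slack["report.txt"]),  # 9. text in the slack
        "free_text": recover_text(free),
    }


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(f"{key}: {value}")
```

The point of the check in `run_workflow` is the one the slides make: a hash of the concatenated parts that differs from the acquisition hash means a part is missing, reordered or altered, and analysis stops there. Note that the slack and free-space text are found in `rebuilt`, never in a mounted copy, which is why sector-wise imaging matters.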
    • Analyzing Active Data
      • Active data: data that is currently open or in use, the files and records a user can see directly (as opposed to latent data).
      • Active data can be password protected or encrypted.
      • Methods for password recovery:
        • Dictionary attack: try words from a list, usually with common variations, cheap and tried first.
        • Brute force attack: exhaust every string over a character set up to a length limit, guaranteed but exponential in length.
      • Latent data (not directly visible to the user, but recoverable):
        • deleted files
        • memory dumps
        • slack space
        • swap files
        • temporary files
        • printer spool files
        • metadata
    • THANK YOU
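The two password-recovery methods named on the Analyzing Active Data slide, as an added example rather than anything from the presentation or from a real recovery product. The "protected file" is a constructed verifier that stores salt and SHA-256(salt || password); real document formats use slow key-derivation functions, which is exactly why the cheap dictionary pass runs before any brute force. The wordlist, mangling rules, charset and budget are assumptions.

```python
"""Dictionary attack, then brute force, against a constructed password check.
Added example; the verifier stands in for a password-protected document."""
import hashlib
import itertools
import string


def make_verifier(password, salt=b"\x13\x37"):
    """Return a check(candidate) -> bool the way a protected container would
    expose one: the password itself is never readable from the closure."""
    digest = hashlib.sha256(salt + password.encode()).digest()

    def check(candidate):
        return hashlib.sha256(salt + candidate.encode()).digest() == digest
    return check


def dictionary_attack(check, wordlist, mangle=True):
    """Try each word plus a few cheap mangling rules (case, common suffixes).
    Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        candidates = [word]
        if mangle:
            candidates += [word.capitalize(), word.upper(),
                           word + "1", word + "123", word + "!"]
        for cand in candidates:
            attempts += 1
            if check(cand):
                return cand, attempts
    return None, attempts


def brute_force(check, charset=string.ascii_lowercase + string.digits,
                max_len=4, budget=None):
    """Exhaust every string over charset up to max_len, shortest first.
    `budget` caps the number of guesses so the search stays bounded."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            if budget is not None and attempts >= budget:
                return None, attempts
            attempts += 1
            cand = "".join(combo)
            if check(cand):
                return cand, attempts
    return None, attempts


def recover(check, wordlist, **brute_kwargs):
    """Cheap dictionary pass first; exhaustive search only if that fails.
    Returns (password, method, total_attempts); method is None on failure."""
    pw, n = dictionary_attack(check, wordlist)
    if pw is not None:
        return pw, "dictionary", n
    pw, m = brute_force(check, **brute_kwargs)
    return pw, ("brute-force" if pw is not None else None), n + m


if __name__ == "__main__":
    wordlist = ["password", "welcome", "letmein", "qwerty"]   # constructed
    for secret in ["letmein", "welcome123", "z9", "Tr0ub4dor&3"]:
        pw, how, n = recover(make_verifier(secret), wordlist, max_len=3, budget=20000)
        print(f"{secret!r:16} -> {pw!r:16} via {how} after {n} guesses")
```

The attempt counts are the lesson: a word-list hit costs tens of guesses, a two-character brute force already costs around a thousand, and with a slow KDF on a real container each guess is deliberately expensive, so a long random password is out of reach of both methods.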