DATA64-Live and Non-Live Forensics

  1. Live and Non-live Forensics. Applied Cyber Forensics. By Catalyst.
  2. Digital Evidence
     • Searching
     • Examining
     • Collecting
     • Preserving
  3. Live Forensics
     • What is live forensics?
     • Why do we need live forensics?
     • Evidence may be in RAM (main memory).
     • A file is in unencrypted form while the suspect is using it.
     • The paging file could be lost.
  4. Conducting a Live Forensic Examination: three steps
     • Retrieval of volatile data
     • Forensic imaging of a live system
     • Evidence retrieval using portable tools
  5. Retrieval of Volatile Data
     • Volatile Evidence Retrieval Tool [vertool.exe]
     • Portable (run from the USB drive)
     • Creates a folder named Reports.
     • Reports contains 12 text files.
  6. The 12 report files:
     • Arp.txt
     • Boot_configuration.txt
     • Driver_list.txt
     • Event_triggers.txt
     • Exe_ports.txt
     • File_associations.txt
     • Gp_settings.txt
     • Mac.txt
     • network_config.txt
     • Process_list.txt
     • Stats.txt
     • System_info.txt
  7. Forensic Imaging of a Live System
     • The WinHex tool is used.
     • It allows copying sectors from a disk into an uncompressed, unsplit, raw, header-less image file.
     • To copy main memory, the ManTech Physical Dump Utility is used.
  8. Evidence Retrieval Using Portable Tools
     • Run from CD-ROM or USB
     • For quick evidence analysis
     • AdapterWatch shows: IP addresses, hardware address, WINS servers, DNS servers, MTU value, number of bytes received or sent, current transfer speed, TCP/UDP/ICMP statistics
  9. AdapterWatch
  10. Other Live Forensic Tools
     • CurrPorts, CurrProcess
     • Clipboardic
     • MyUninstaller, InsideClipboard
     • MyLastSearch, NetResView
     • MacMatch, MacAddressView
     • OpenedFilesView, RecentFilesView
  11. Browser Forensic Tools
     • ChromeCacheView, ChromePass
     • IECacheView, IEHistoryView, IECookiesView, IE PassView
     • MozillaCacheView, MozillaHistoryView, MozillaCookiesView
     • FavoritesView
  12. Data Recovery Software
     • FDRS [Free Data Recovery Software]
     • DiskDigger
     • WirelessKeyView, Dialupass, MessenPass, Network Password Recovery, VNCPassView, Mail PassView
     • Encryption Analyzer
  13. Non-Live Forensics
     • What is non-live forensics?
     • WinHex is mainly used.
     • Cloning and imaging sector-wise, including slack space.
     • The image created by WinHex should be mathematically authenticated using a suitable hash function [MD5, SHA-256].
     • We can also split and concatenate the image for ease of storage.
  14. Analyzing for Digital Forensics
     • The first process is to boot the evidence image copy.
     • Live View: the investigator should first attempt to "boot" the image using it.
     • Virtual machine environment.
  15. Analyzing for Digital Forensics
     • X-Ways Forensics
     • It can automatically create reports.
     • .xfc file extension
     • Modus operandi:
       1. The "disk drive" of a computer is imaged.
       2. The hash value of this image is computed.
       3. This image is split into parts so that they can be stored on CDs for easy archival.
       4. The parts are later concatenated for analysis. The hash value of the concatenated parts is also computed.
       5. The image is then analyzed to recover exe files.
       6. Search for suspected files.
       7. The free space is gathered.
       8. The slack space is gathered.
       9. The text in the slack space is recovered.
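The hash, split, concatenate and re-hash procedure from slide 13 and steps 2 to 4 of the modus operandi above, as an added worked example that is not part of the deck and not WinHex or X-Ways code. It assumes an in-memory stand-in for the raw image (the real workflow reads image files from disk) and adds one refinement the slides do not mention: a per-part hash in a manifest, so that a damaged part can be pinpointed rather than only discovering that the reassembled image no longer matches.

```python
import hashlib
from typing import Dict, List, Tuple

# Hash in 1 MiB chunks so a multi-gigabyte image is never held twice in memory.
CHUNK = 1 << 20


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm (md5, sha256, ...)."""
    h = hashlib.new(algo)
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


def split_image(image: bytes, part_size: int) -> List[bytes]:
    """Cut a raw image into fixed-size parts; only the last part may be shorter."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    return [image[off:off + part_size] for off in range(0, len(image), part_size)]


def build_manifest(image: bytes, parts: List[bytes], algo: str = "sha256") -> Dict[str, object]:
    """Record the whole-image hash plus a hash per part, taken at acquisition time."""
    return {
        "algo": algo,
        "size": len(image),
        "image_hash": hash_bytes(image, algo),
        "parts": [
            {"index": i, "size": len(p), "hash": hash_bytes(p, algo)}
            for i, p in enumerate(parts)
        ],
    }


def concatenate(parts: List[bytes]) -> bytes:
    """Reassemble the parts in order; this is the image that gets analysed."""
    return b"".join(parts)


def verify(parts: List[bytes], manifest: Dict[str, object]) -> Tuple[bool, List[int]]:
    """Return (ok, bad_part_indices).

    ok is True only when the part count, every part hash and the hash of the
    concatenated image all match the manifest recorded at acquisition."""
    algo = manifest["algo"]
    expected = manifest["parts"]
    if len(parts) != len(expected):
        # A missing or extra part: there is nothing to compare part by part.
        return False, []
    bad = [
        i for i, (p, e) in enumerate(zip(parts, expected))
        if len(p) != e["size"] or hash_bytes(p, algo) != e["hash"]
    ]
    if bad:
        return False, bad
    whole = concatenate(parts)
    ok = len(whole) == manifest["size"] and hash_bytes(whole, algo) == manifest["image_hash"]
    return ok, []


if __name__ == "__main__":
    # Constructed stand-in for a disk image: 10 KiB of predictable bytes.
    image = bytes(range(256)) * 40
    parts = split_image(image, 4096)          # three parts: 4096, 4096 and 2048 bytes
    manifest = build_manifest(image, parts)   # computed before the parts are archived
    print("image sha256:", manifest["image_hash"])
    print("intact parts verify:", verify(parts, manifest))
    damaged = list(parts)
    damaged[1] = b"\xff" + damaged[1][1:]     # one altered byte in part 1
    print("damaged parts verify:", verify(damaged, manifest))
```

Verifying the concatenated image against the acquisition-time hash is what lets the analyst state that the evidence examined is byte-for-byte the evidence acquired; the per-part hashes only add diagnostics on top of that.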
  16. Analyzing Active Data
     • Active data? Opened data!
     • Active data can be password protected or encrypted.
     • Methods for password recovery: dictionary attack, brute force attack.
     • Latent data:
       • deleted files
       • memory dumps
       • slack space
       • swap files
       • temporary files
       • printer spool files
       • metadata
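Gathering slack space and free space and recovering the text in them (steps 7 to 9 of the modus operandi above, and the "slack space" and "deleted files" latent data just listed), as an added example that is not part of the deck. It assumes a deliberately simplified layout rather than a real filesystem: a constructed 8-cluster image with 512-byte clusters, an allocation set standing in for the file allocation table, and marker strings placed so that one lands in the slack of a live file and one in an unallocated cluster.

```python
import re
from typing import List, Set, Tuple

CLUSTER = 512  # bytes per allocation unit in the constructed image


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Runs of printable ASCII at least min_len long, as the strings tool reports them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def clusters_of(start_cluster: int, size: int, cluster_size: int = CLUSTER) -> List[int]:
    """Clusters occupied by a file of `size` bytes starting at `start_cluster`."""
    n = (size + cluster_size - 1) // cluster_size  # ceiling division
    return list(range(start_cluster, start_cluster + n))


def file_slack(image: bytes, start_cluster: int, size: int, cluster_size: int = CLUSTER) -> bytes:
    """Bytes between the logical end of a file and the end of its last cluster."""
    last = clusters_of(start_cluster, size, cluster_size)[-1]
    end_of_file = start_cluster * cluster_size + size
    end_of_cluster = (last + 1) * cluster_size
    return image[end_of_file:end_of_cluster]


def free_space(image: bytes, allocated: Set[int], cluster_size: int = CLUSTER) -> bytes:
    """Concatenation of every cluster not claimed by a live file."""
    total = len(image) // cluster_size
    return b"".join(image[c * cluster_size:(c + 1) * cluster_size]
                    for c in range(total) if c not in allocated)


def build_sample_image() -> Tuple[bytes, Set[int]]:
    """Constructed 8-cluster image (4 KiB). Clusters 0-1 are reserved for
    metadata; a 1536-byte file once lived at clusters 2-4 and was deleted
    (its data left in place); a 700-byte file was then written at cluster 2."""
    img = bytearray(8 * CLUSTER)
    old = bytearray(3 * CLUSTER)
    slack_marker = b"SLACK-MARKER: old invoice #0042"   # offset 800: past the new file's end
    free_marker = b"FREE-MARKER: deleted draft"         # offset 1100: in a cluster nobody owns
    old[800:800 + len(slack_marker)] = slack_marker
    old[1100:1100 + len(free_marker)] = free_marker
    img[2 * CLUSTER:5 * CLUSTER] = old
    new = (b"New file content. " * 40)[:700]
    img[2 * CLUSTER:2 * CLUSTER + 700] = new
    allocated = {0, 1} | set(clusters_of(2, 700))       # {0, 1, 2, 3}
    return bytes(img), allocated


if __name__ == "__main__":
    image, allocated = build_sample_image()
    slack = file_slack(image, 2, 700)
    print(f"slack bytes: {len(slack)}  strings: {extract_strings(slack)}")
    free = free_space(image, allocated)
    print(f"free bytes: {len(free)}  strings: {extract_strings(free)}")
```

The 700-byte file overwrites only the first 700 bytes of the old data, so the remaining 324 bytes of cluster 3 are slack that a logical file copy would never include; a sector-wise image, as slide 13 requires, is what makes both the slack and the unallocated cluster 4 available for recovery.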
  17. THANK YOU