Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi C @ null Pune Meet, July, 2010


  • n|u
    Contents :
    • Process
    • Rules
    • Software
    • Hardware
    • Steganography
    • Some important Windows files
    • Reporting
    • Sites
  • n|u
    • Computer Forensics :
    • It is the application of computer investigation and analysis techniques to gather evidence
    • It is also called cyber forensics
    • Goal :
    • The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
  • n|u
    • Stages in digital investigation process
    • Preparation
    • Search and seizure
    • Acquisition and Authentication
    • Case storage and Archival
    • Analysis and Reporting
  • n|u
    • Rules of computer forensics :
    • Rule 1 : Never mishandle evidence
    Ex :
      • Chain of custody
      • Asset tags
      • Crime scene details
    • Rule 2 : Never trust the subject operating system
    Ex :
      • Avoid live forensics
      • Use drive encryption
      • Check hash value with the image
  • n|u
    • Rule 3 : Never work on original evidence
    • Rule 4 : Document everything
    Ex :
      • Create a bit stream copy
      • Do not access the file system during imaging
      • Document the errors while imaging, if any
      • If any errors arise while imaging, take another copy
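The imaging rules above (bit stream copy, documenting errors, taking another copy, checking the hash against the image), worked through as an added example that is not part of the original slides. The 2048-byte "drive", the `FlakySource` class and the 512-byte block size are constructed assumptions so the code runs offline.

```python
import hashlib
import io

def acquire(src, dst, size, block=512):
    """Bit-stream copy of `size` bytes from src to dst.

    Unreadable blocks are zero-filled so offsets stay aligned, and each one is
    recorded for the case notes. Returns (sha256_of_image, error_log).
    """
    digest, errors = hashlib.sha256(), []
    for offset in range(0, size, block):
        want = min(block, size - offset)
        try:
            src.seek(offset)
            data = src.read(want)
        except OSError as exc:
            data = b"\x00" * want
            errors.append((offset, want, str(exc)))
        dst.write(data)
        digest.update(data)
    return digest.hexdigest(), errors

def verify(image, recorded_hash, block=512):
    """Re-read a finished image and compare it with the hash recorded at acquisition."""
    digest = hashlib.sha256()
    image.seek(0)
    for chunk in iter(lambda: image.read(block), b""):
        digest.update(chunk)
    return digest.hexdigest() == recorded_hash

class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector at offset 1024."""
    def read(self, n=-1):
        if self.tell() == 1024:
            raise OSError("constructed read error")
        return super().read(n)

DISK = bytes(range(256)) * 8  # constructed 2048-byte "evidence drive"

def demo():
    first, second = io.BytesIO(), io.BytesIO()
    h1, errs1 = acquire(FlakySource(DISK), first, len(DISK))   # errors get documented
    h2, errs2 = acquire(io.BytesIO(DISK), second, len(DISK))   # so another copy is taken
    return {"first": (h1, errs1), "second": (h2, errs2),
            "second_verified": verify(second, h2)}
```

The first pass logs the failed block and yields a different hash from the clean second pass, which is why the error log and the recorded hash belong in the case documentation together.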
  • n|u
    • Clone Vs. image :
    • Clone :
    To copy or replicate the entire contents of a hard disk drive by creating an image of the hard disk drive. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups.
    • Image :
    Some of the image types are dd, E01, smart, ad1, ISO, NRG. Images are a locked format; these are easy to carry. Ex: Symantec Ghost. Clone is used to execute the images.
  • n|u
    • Software Forensic Hub
    • Access data
      • FTK imager
      • Password recovery toolkit
      • Registry viewer
      • Forensic toolkit
    • MAC times
      • Modified
      • Accessed
      • Created
    • Stego suite
    • Mount image pro
    • Ultimate forensics Tool kit
    • Elcomsoft
    • Helix
    • DD for Linux
  • n|u
    • Hardware Forensic Hub :
    • Devices used for forensics
    • Shadow device :
      • As an investigative tool, boot the suspect client and connect to their network
    • Write blocker
      • Allows read commands to pass but blocks write commands
    • Faraday bag
      • The product was designed for electronic items, isolating them from networks
  • n|u
    • WDE
      • Whole disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Full disk encryption prevents unauthorized access to data storage
      Ex: TrueCrypt
    • Drive wiper
      • Wipe all data off of two drives at up to 8 GB per minute
      • Automatically unlocks and wipes Host Protected Areas
      • Cut your drive wiping time in half
      • Very light weight - less than a pound, plus the laptop style power supply
      • Simple, fast, portable data destruction
  • n|u
    • Steganography
    Steganography is the process of hiding a secret message within an ordinary message and extracting it at its destination
    • Alternate Data Streams
    • NTFS (New Technology File System) allows for Alternate Data Streams
    • One file can be a link to multiple Alternate Data Streams of files of any size.
  • n|u
    • Importance of Windows files
    • SAM
    SYSTEM32\CONFIG: user names and user information like last logon count, last login time.
    • Ntldr
    NTLDR displays the versions of operating systems in a boot menu and waits a specified number of seconds before loading the first in the list
    • System
    This file helps us find details of connected USB devices and exact time stamps for drive operations
    • index
    This file stores Internet-related data: cookies, recent history
  • n|u
    • Making a report for forensic case
    • Executive summary
    • Detailed activity log
    • Proof of process
    • Forensic image processing
    • Restoration and verification of images
    • Document evidence discovered during analysis
  • n|u
    • Terminology used
    • Data carving
      • Data carving or file carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing.
      • Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.
    • File slack
      • The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack"
    • Cluster
      • Storage of data in fixed length blocks of bytes called clusters. Clusters are essentially groupings of sectors which are used to allocate the data storage area
    • Sites:
      • Access data- -- ace
      • LADS -
      • Elcom soft –
      • Helix - /
      • Stego suite –
      • I2analyst notebook /computer-forensics/
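Data carving as defined on the terminology slide, shown as an added example that is not part of the original slides: files and fragments are recovered from raw bytes by header and footer signatures alone, with no directory entries. The sample buffer is constructed; the JPEG and PNG signatures are the standard ones.

```python
# Header/footer signatures for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(buf, max_size=1 << 20):
    """Return (type, start, end, complete) for every file header found in buf."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                hits.append((kind, pos, end, True))
            else:
                # Footer missing or overwritten: keep what is left as a fragment.
                hits.append((kind, pos, min(len(buf), pos + max_size), False))
                end = pos + len(header)
            pos = buf.find(header, end)
    return sorted(hits, key=lambda h: h[1])

def sample_image():
    """Constructed raw data: two whole files and one truncated fragment."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    frag = b"\xff\xd8\xff\xe1" + b"F" * 20  # header only, rest overwritten
    return b"\x00" * 100 + jpg + b"\x00" * 50 + png + b"\x00" * 64 + frag

def extract(buf, hit):
    """Bytes of one carved hit, ready to be written out for examination."""
    _, start, end, _ = hit
    return buf[start:end]
```

Signature matching alone produces false hits on real media (for example, JPEGs with embedded thumbnails contain nested markers), so carved output still needs validation by opening or parsing each file.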
  • n|u THANK YOU