Introduction to Forensics and Steganography by Pardhasaradhi C

3,325 views
3,234 views

Published on

Introduction to Forensics and Steganography by Pardhasaradhi C @ null Pune Meet, July, 2010

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,325
On SlideShare
0
From Embeds
0
Number of Embeds
51
Actions
Shares
0
Downloads
105
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Introduction to Forensics and Steganography by Pardhasaradhi C

  1. 1. n|u Pardhasaradhi.ch
  2. 2. <ul><li>COMPUTER FORENSICS </li></ul><ul><li>Process </li></ul><ul><li>Rules </li></ul><ul><li>Software's </li></ul><ul><li>Hardware </li></ul><ul><li>Steganography </li></ul><ul><li>Some important windows files </li></ul><ul><li>Reporting </li></ul><ul><li>Sites </li></ul>Contents :
  3. 3. n|u <ul><li>Computer Forensics : </li></ul><ul><li>It is the application of computer investigation and analysis techniques to gather evidence </li></ul><ul><li>It is also called as cyber forensics </li></ul><ul><li>Goal : </li></ul><ul><li>The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. </li></ul>Pardhasaradhi.ch
  4. 4. n|u <ul><li>Preparation </li></ul><ul><li>Search and seizure </li></ul><ul><li>Acquisition and Authentication </li></ul><ul><li>Case storage and Archival </li></ul><ul><li>Analysis and Reporting </li></ul><ul><li>Stages in digital investigation process </li></ul>Pardhasaradhi.ch
  5. 5. n|u <ul><li>Rules of computer forensics : </li></ul><ul><li>Rule 1 : </li></ul>Never mishandle Evidence <ul><li>Rule 2 : </li></ul>Never trust the subject operating system <ul><li>Chain of custody </li></ul><ul><li>Asset tags </li></ul><ul><li>Crime scene details </li></ul>Ex : Ex : <ul><li>Avoid Live forensics </li></ul><ul><li>Use drive encryption </li></ul><ul><li>Check hash value with the image </li></ul>Pardhasaradhi.ch
  6. 6. n|u <ul><li>Rule 3 : </li></ul>Never work on original evidence <ul><li>Rule 4 : </li></ul>Document Every thing Ex : <ul><li>Create a bit stream copy </li></ul><ul><li>Do not access the file system during imaging </li></ul><ul><li>Document the errors while imaging If any </li></ul><ul><li>If any errors arise while imaging take another copy </li></ul>Pardhasaradhi.ch
  7. 7. n|u <ul><li>Clone Vs. image : </li></ul>To copy or replicate the entire contents of a hard disk drive by creating an image of the hard disk drive. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups. <ul><li>Clone : </li></ul><ul><li>Image : </li></ul>Some of the image types are dd,E01,smart,ad1,ISO,NRG, Images are locked format ,these are easy to carry EX: Symantec ghost Clone is used to execute the images Pardhasaradhi.ch
  8. 8. n|u <ul><li>Access data </li></ul><ul><li>MAC times </li></ul><ul><li>Modified </li></ul><ul><li>Accessed </li></ul><ul><li>Created </li></ul><ul><li>FTK imager </li></ul><ul><li>Password recovery toolkit </li></ul><ul><li>Registry viewer </li></ul><ul><li>Forensic toolkit </li></ul><ul><li>Software Forensic Hub </li></ul>Pardhasaradhi.ch
  9. 9. <ul><li>Stego suite </li></ul><ul><li>Mount image pro </li></ul><ul><li>Ultimate forensics Tool kit </li></ul><ul><li>Elcomsoft </li></ul><ul><li>Helix </li></ul><ul><li>DD for Linux </li></ul>
  10. 10. n|u <ul><li>Devices used for forensics </li></ul><ul><li>Shadow device : </li></ul><ul><li>write blocker </li></ul><ul><li>As an investigative tool, boot the suspect client and connect to their network </li></ul><ul><li>Allows read commands to pass but by blocks write commands, </li></ul><ul><li>Hardware Forensic Hub : </li></ul><ul><li>Faraday bag </li></ul><ul><li>The product was designed for E items which would isolate it from the networks </li></ul>Pardhasaradhi.ch
  11. 11. n|u <ul><li>Wde </li></ul><ul><li>Drive wiper </li></ul>Ex: True crypt <ul><li>whole disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Full Disk Encryption prevents unauthorized access to data storage </li></ul><ul><li>Wipe all data off of two drives at up to 8 GB per minute </li></ul><ul><li>Automatically unlocks and wipes Host Protected Areas </li></ul><ul><li>Cut your drive wiping time in half </li></ul><ul><li>Very light weight - less than a pound, plus the laptop style power supply </li></ul><ul><li>Simple, fast, portable data destruction </li></ul>Pardhasaradhi.ch
  12. 12. n|u Steganography is the process of hiding of a secret message within an ordinary message and extracting it at its destination <ul><li>Steganography </li></ul>Pardhasaradhi.ch <ul><li>Alternate Data Streams </li></ul><ul><li>(NTFS) New Technology File System allows for Alternate Data Streams </li></ul><ul><li>One file can be a link to multiple Alternate Data Streams of files of any size. </li></ul>
  13. 13. n|u Pardhasaradhi.ch
  14. 14. n|u <ul><li>Importance of windows files </li></ul>Pardhasaradhi.ch <ul><li>Sam </li></ul>SYSTEM32COFIG User names User information like last logon count ,last login time. <ul><li>Ntldr </li></ul>NTLDR will display the versions of operating systems in a boot menu and waits a specified number of seconds before loading the first in the list <ul><li>System </li></ul>This file will help us to know details regarding the USB connected and exact time stamps for drive operations done <ul><li>index </li></ul>This file will store all the internet related data cookies, Recent history
  15. 15. n|u <ul><li>Making a report for forensic case </li></ul><ul><li>Executive summary </li></ul><ul><li>Detailed activity log </li></ul><ul><li>Proof of process </li></ul><ul><li>Forensic image processing </li></ul><ul><li>Restoration and verification of images </li></ul><ul><li>Document evidences discovered during </li></ul><ul><li>analysis </li></ul>Pardhasaradhi.ch
  16. 16. n|u <ul><li>File slack </li></ul><ul><li>Terminology used </li></ul><ul><li>Data carving </li></ul><ul><li>Data carving or File Carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, </li></ul><ul><li>Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten. </li></ul><ul><li>The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called &quot;file slack&quot; </li></ul>Pardhasaradhi.ch <ul><li>Cluster </li></ul><ul><li>Storage of data in fixed length blocks of bytes called clusters. Clusters are essentially groupings of sectors which are used to allocate the data storage area </li></ul>
  17. 17. <ul><li>Sites: </li></ul><ul><ul><li>Access data- www.accessdata.com -- ace </li></ul></ul><ul><ul><li>LADS - www.heysoft.de </li></ul></ul><ul><ul><li>Elcom soft – www.elcomsoft.com </li></ul></ul><ul><ul><li>Helix - www.e-fense.com/helix / </li></ul></ul><ul><ul><li>Stego suite – www.logon-int.com/product.asp </li></ul></ul><ul><ul><li>I2analyst notebook </li></ul></ul>www.Forensicfocus.com www.computerforensics1.com www.forensics.nl www.blogs.sans.org /computer-forensics/
  18. 18. n|u THANK YOU Pardhasaradhi.ch

×