Chapter 3 cmp forensic

  • Slide notes: Mathematical authentication of digital evidence is achieved by using suitable hash functions. The MD5 hash algorithm was at one time considered suitable: it was prescribed by Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000. MD5 was subsequently shown to be weak by cryptanalysts; in fact, Asian School of Cyber Laws filed a public interest litigation in the Bombay High Court on this issue. The Information Technology (Certifying Authorities) Amendment Rules, 2009 then amended Rule 6 and MD5 was replaced by SHA-2. It is advised that in digital forensics and investigations, mathematical authentication of digital evidence be done using SHA-1 or SHA-2; MD5 must not be used, as such evidence may be unacceptable in a court of law. Note that practical SHA-1 collisions have since been demonstrated publicly (2017), so for new work SHA-2 (SHA-256 or stronger) should be preferred over SHA-1 as well.

    1. Computer Forensics
    2. Computer Forensics
    3. Computer forensics is a process of applying scientific and analytical techniques to computer operating systems and file structures in order to determine potential legal evidence.
    4. Computer forensics is the practice of lawfully establishing evidence and facts. It is a science involving legal evidence found in digital storage media and in computers.
       Subdivisions: disk forensics, network forensics, mobile forensics.
    5. Role of the computer forensic investigator: evidence collection and chain of custody.
       • Who: who handled the evidence?
       • What: what procedures were performed on the evidence?
       • When: when was the evidence collected and/or transferred to another party?
       • Where: where was the evidence collected and stored?
       • How: how was the evidence collected and stored?
       • Why: for what purpose was the evidence collected?
    6. Forensics process
       • Acquire the data to be examined
       • Photographs
       • Make an image
       • Review the logical file structure
       • Review unallocated space and file slack
       • Recover deleted data (if any)
       • Report
       • Expert testimony
    7. Importance of evidence. "Evidence" is anything the judge allows a jury to consider in reaching a verdict. This can include the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts or sample equipment.
    8. Sources of evidence
       • Slack space, free space, swap, Recycle Bin
       • Event logs
       • Registry
       • Application files, temp files
       • E-mail
       • Browser history and cache
    9. Types of forensics: live forensics; non-live forensics; post-acquisition analysis technologies.
    10. Live forensics
       • Recovery of volatile data
       • Gathering system information
       • Gathering USB device history
       • System Explorer
       • Imaging and cloning
       Non-live forensics
       • Imaging
       • Cloning
       Post-acquisition analysis
       • Mathematical authentication of data (hash)
       • Virtualization
       • Malware analysis
       • Detection of obscene content
       • Image ballistics
       • Use of spyware (keyloggers) in investigations
       • Digital evidence analysis
    11. Forensic Imaging & Cloning
    12. Select source medium
    13. Select source medium
    14. Select destination for the image file
    15. Post Acquisition Analysis
    16. Mathematical Authentication of Data
    17. Mathematical Authentication of Data
    18. Select the algorithm
       • The Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.
       • It is advised that mathematical authentication of digital evidence be done using either SHA-1 or SHA-2.
       • MD5 must not be used, as such evidence may be unacceptable in a court of law.
    19. Mathematical authentication of digital evidence is achieved by using SHA-2.
    20. Mathematical authentication of data (note that the same input always gives the same digest, while a change of case or a single character gives an unrelated digest)

       Input   SHA-1 hash digest
       Apple   476432a3e85a0aa21c23f5abd2975a89b6820d63
       apple   d0be2dc421be4fcd0172e5afceea3970e2f3d940
       Apple   476432a3e85a0aa21c23f5abd2975a89b6820d63
       a       86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
    21. Mathematical Authentication of Data (www.crypo.com)
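The hashing slides above (select the algorithm, the SHA-1 table, and "mathematically authenticate data on all storage devices" later in the processing guidelines) describe the procedure without showing it. The following Python example is added here and is not part of the original slides or of any tool shown in them: it recomputes the page's SHA-1 table with hashlib, images a constructed in-memory "source medium" byte for byte, hashes source and image independently, re-verifies a working copy later, and refuses MD5 outright in line with the slides' advice. The source medium, the chunk sizes and the function names are assumptions made for the demonstration.

```python
import hashlib
import io

# The page advises against MD5 for evidence authentication; refuse it rather than warn.
REJECTED_ALGORITHMS = {"md5"}

# SHA-1 digests as printed on the page for three inputs (copied from the slide, recomputed below).
PAGE_TABLE = {
    b"Apple": "476432a3e85a0aa21c23f5abd2975a89b6820d63",
    b"apple": "d0be2dc421be4fcd0172e5afceea3970e2f3d940",
    b"a":     "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
}

# Constructed 16 KiB "source medium" standing in for a physical disk (assumption).
SOURCE_MEDIUM = bytes(range(256)) * 64


def is_acceptable(algorithm: str) -> bool:
    """True for any hashlib algorithm the page does not rule out."""
    return algorithm.lower() not in REJECTED_ALGORITHMS


def digest(stream, algorithm="sha256", chunk_size=1 << 20) -> str:
    """Hash a file-like object in chunks so an image larger than RAM can be verified."""
    if not is_acceptable(algorithm):
        raise ValueError(f"{algorithm} is not acceptable for evidence authentication")
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data: bytes, algorithm="sha256") -> str:
    return digest(io.BytesIO(data), algorithm)


def check_page_table() -> dict:
    """Recompute the page's SHA-1 table and report which rows match."""
    return {k.decode(): digest_bytes(k, "sha1") == v for k, v in PAGE_TABLE.items()}


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def acquire(source: bytes, algorithm="sha256"):
    """Simulate bit-stream imaging: copy every byte, then hash source and image independently."""
    src, image = io.BytesIO(source), io.BytesIO()
    for block in iter(lambda: src.read(4096), b""):
        image.write(block)
    source_hash = digest_bytes(source, algorithm)
    image_hash = digest_bytes(image.getvalue(), algorithm)
    return image.getvalue(), source_hash, image_hash, source_hash == image_hash


def verify(image: bytes, recorded_hash: str, algorithm="sha256") -> bool:
    """Re-hash a working copy later (before analysis, before testimony) against the recorded digest."""
    return digest_bytes(image, algorithm) == recorded_hash


if __name__ == "__main__":
    for word, ok in check_page_table().items():
        print(f"{word!r}: {'matches' if ok else 'differs from'} the page's table")
    print("bits differing between SHA-1(Apple) and SHA-1(apple):",
          bit_difference(digest_bytes(b"Apple", "sha1"), digest_bytes(b"apple", "sha1")))
    img, source_hash, image_hash, same = acquire(SOURCE_MEDIUM)
    print("image hash equals source hash:", same, source_hash)
    print("copy with one byte changed still verifies:", verify(img[:-1] + b"\x00", source_hash))
```

The digest of the source and the digest of the image are computed separately and compared, rather than copying one value: a match then proves the image is bit-identical to the medium at acquisition time, and the recorded digest is what every later working copy is checked against.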
    22. Virtualization
    23. Life Cycle of Computer Evidence
    24. Evidence life cycle management (diagram; original layout lost). Labels: document management: create, capture, preserve, destroy; enterprise document creation; repositories. Electronic discovery services: collect, process, review, produce; evidence preservation obligation; document production request.
    25. Evidence rules: admissible; reliable; authentic; complete (no tunnel vision); believable.
    26. Types of evidence: direct evidence; real evidence; documentary evidence; demonstrative evidence.
    27. Computer evidence processing guidelines
       • Pull the plug (note: this conflicts with the live-forensics step on slide 10; on a running system, volatile data such as RAM contents and encryption keys is lost when power is removed, so capture it first where it matters)
       • Document the hardware configuration of the system
       • Transport the computer system to a secure location (forensics lab)
       • Make bit-stream backups of hard disks and floppy disks
    28. Computer evidence processing guidelines (continued)
       • Mathematically authenticate data on all storage devices (hash)
       • Document the system date and time
       • Make a list of key search words
       • Evaluate the Windows swap file
       • Evaluate file slack
    29. Computer evidence processing guidelines (continued)
       • Evaluate unallocated space (erased files)
       • Search files, file slack and unallocated space for key words
       • Document file names, dates and times
       • Identify file, program and storage
    30. Computer evidence processing guidelines (continued)
       • Evaluate program functionality
       • Document your findings
       • Retain copies of software used
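Slides 27 to 30 list the steps after imaging (evaluate file slack and unallocated space, then search files, slack and unallocated space for key words) without showing what those regions are. The following Python example, added here and not part of the original slides, walks those steps over a constructed toy image: it maps the image into allocated data, file slack and unallocated space from an allocation table, runs a keyword search that records which region each hit came from, and carves a deleted file out of unallocated space by header and footer. The cluster size, the allocation table, the live file contents, the remnant left in slack and the deleted memo are all made up for the demonstration; a real tool reads the allocation from the filesystem's own metadata.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed geometry for the toy image (real volumes use 4 KiB clusters or larger).
CLUSTER = 512
CLUSTERS = 8

# Constructed allocation table: file name -> (first cluster, size in bytes).
# Files are laid out contiguously to keep the example short.
ALLOCATED = {
    "notes.txt": (0, 700),     # clusters 0-1; the last 324 bytes of cluster 1 are slack
    "report.txt": (2, 1024),   # clusters 2-3 exactly; no slack
}
# Clusters 4-7 are unallocated; a memo deleted earlier still sits in cluster 5.

LIVE_CONTENT = {
    "notes.txt": (b"meeting notes: nothing unusual\n" * 30)[:700],
    "report.txt": (b"Q3 summary line\n" * 70)[:1024],
}
SLACK_REMNANT = b"previous draft: password=hunter2 "
DELETED_MEMO = b"--BEGIN MEMO--\nwire 50000 to account 998877 on friday\n--END MEMO--"


def build_image() -> bytes:
    """Construct the toy image: old data everywhere, live file bytes written on top."""
    img = bytearray(b"\xAA" * (CLUSTER * CLUSTERS))
    # Leftover of a file that once occupied cluster 1, beyond notes.txt's 700 bytes
    at = CLUSTER * 1 + 300
    img[at:at + len(SLACK_REMNANT)] = SLACK_REMNANT
    # Deleted memo whose clusters were freed but never overwritten
    at = CLUSTER * 5
    img[at:at + len(DELETED_MEMO)] = DELETED_MEMO
    # Writing a live file touches only its own bytes; the tail of its last cluster keeps old data
    for name, (first, size) in ALLOCATED.items():
        start = first * CLUSTER
        img[start:start + size] = LIVE_CONTENT[name]
    return bytes(img)


@dataclass
class Region:
    kind: str               # "allocated", "slack" or "unallocated"
    owner: Optional[str]    # file that owns the allocated/slack bytes, None if unallocated
    start: int              # byte offsets into the image, end exclusive
    end: int


def map_regions(allocated, n_clusters=CLUSTERS, cluster=CLUSTER) -> List[Region]:
    """Split the image into allocated data, file slack and (merged) unallocated space."""
    regions, used = [], set()
    for name, (first, size) in allocated.items():
        n = -(-size // cluster)                    # clusters occupied (ceiling division)
        start = first * cluster
        regions.append(Region("allocated", name, start, start + size))
        if size % cluster:                         # partial last cluster -> file slack
            regions.append(Region("slack", name, start + size, start + n * cluster))
        used.update(range(first, first + n))
    free = None
    for c in range(n_clusters):                    # merge runs of free clusters into one region
        if c in used:
            free = None
            continue
        if free is None:
            free = Region("unallocated", None, c * cluster, (c + 1) * cluster)
            regions.append(free)
        else:
            free.end = (c + 1) * cluster
    return sorted(regions, key=lambda r: r.start)


def keyword_search(image: bytes, regions, keywords):
    """Case-insensitive keyword search; each hit records the region and absolute offset."""
    hits = []
    for r in regions:
        chunk = image[r.start:r.end]
        for kw in keywords:
            for m in re.finditer(re.escape(kw), chunk, re.IGNORECASE):
                hits.append((kw.decode(), r.kind, r.owner, r.start + m.start()))
    return hits


def carve(image: bytes, regions, header: bytes, footer: bytes):
    """Recover deleted files from unallocated space by header/footer carving."""
    found = []
    for r in regions:
        if r.kind != "unallocated":
            continue
        chunk, pos = image[r.start:r.end], 0
        while (h := chunk.find(header, pos)) >= 0:
            f = chunk.find(footer, h + len(header))
            if f < 0:
                break
            found.append(chunk[h:f + len(footer)])
            pos = f + len(footer)
    return found


if __name__ == "__main__":
    image = build_image()
    regions = map_regions(ALLOCATED)
    for hit in keyword_search(image, regions, [b"password", b"998877"]):
        print(hit)
    print(carve(image, regions, b"--BEGIN MEMO--", b"--END MEMO--"))
```

Both keyword hits in this image fall outside any live file: "password" sits in the slack of notes.txt and the account number in unallocated space, which is exactly why the guidelines ask for slack and unallocated space to be searched separately from the files the operating system still lists.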
    31. Incident response: computer security incident
    32. Why forensics?
       • Confirms or dispels whether an incident occurred
       • Promotes accumulation of accurate information
       • Establishes controls for proper retrieval and handling of evidence
       • Protects privacy rights established by law and policy
       • Minimizes disruption to business and network operations
    33. Why forensics? (continued)
       • Allows for criminal or civil action against perpetrators
       • Provides accurate reports and useful recommendations
       • Provides rapid detection and containment
       • Minimizes exposure and compromise of proprietary data
    34. Why forensics? (continued)
       • Protects your organization's reputation and assets
       • Educates senior management
       • Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)
    35. Cyber crime investigation lifecycle (diagram; original layout lost). Labels: incident awareness; preliminary analysis; image acquisition/recovery; preliminary/detailed analysis; containment; final report; presentation; expert witness testimony; consultation; deposition/affidavit; prevention technologies; improved processes; new security policies; improved configurations.
