Computer forensic
  1. Computer Forensic Workshop - 2013
     Computer Forensic Investigation: Procedure, tools, and practice
     Ahmad Zaid Zam
  2. About the speaker
     - Bachelor's degree in Electronic Engineering
     - Digital forensic analyst
     - GCFA, CHFI, CEH, ENSA, ECIH, CEI
     - Founder, Indonesia Digital Forensic Community
     - Cases involved: corporate espionage, data leak, banking fraud, cyber attack, etc.
  3. Agenda
     - Digital forensic introduction
     - Digital evidence
     - Computer forensic procedure
     - Evidence acquisition
     - Data organization
     - Demo
  4. Introduction
     - Today, many business and personal transactions are conducted electronically
     - Business professionals regularly negotiate deals by e-mail
     - People store their personal address books and calendars on desktop computers or tablets
     - People regularly use the Internet for business and pleasure
  5. Cyber Crime
     - Any illegal act involving a computer and a network
     - The computer may have been used in the commission of a crime, or it may be the target
     - Computer viruses, denial-of-service attacks, malware
     - Fraud, identity theft, phishing, spam, cyber warfare
  6. Introduction
     "A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format" - Dr. H.B. Wolfe
  7. Introduction
     - The collection, preservation, analysis and presentation of digital evidence
     - Scientific procedure
     - Develop and test hypotheses that answer questions about incidents that occurred
     - Admissible in a court of law
  8. Why is computer forensics important?
     - Helps reconstruct past events or activity
     - Extends the target of information security to the wider threat from cybercrime
     - Shows evidence of policy violation or illegal activity
     - Ensures the overall integrity of network infrastructure
  9. Digital evidence
     Two basic types of evidence:
     - Persistent evidence: the data that is stored on a local hard drive and is preserved when the computer is turned off
     - Volatile evidence: any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off
  10. Persistent evidence
     - Documents (word, slide, sheet, pdf)
     - Images
     - Chat log
     - Browser history
     - Registry
     - Audio / Video
     - Application
     - Email
     - SMS / MMS
     - Phone book
     - Call log
  11. Volatile evidence
     - Memory
     - Network status and connections
     - Running processes
     - Time information
  12. Procedure
     - Preparation
     - Preliminary investigation
     - Site investigation
     - Evidence acquisition
     - Preservation
     - Analysis
     - Report
  13. Preparation
     - Media is freshly prepared
     - Forensic workstation is scanned for any malware
     - Validate all software licenses
     - Toolkits
     - Forms:
       - Computer worksheet form
       - Hard drive worksheet form
  14. Preparation
     - Establish file directories
     - Essential forms:
       - Letter of authorization
       - Chain of custody
       - Non-Disclosure Agreement
  15. Letter of authorization
  16. Chain of custody
  17. Evidence worksheet
  18. Preliminary investigation
     - Who? Profile the target user: are they computer savvy?
     - What? What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?
     - When? How long has it been since the digital activity?
     - Where? How do you plan on procuring the digital evidence?
  19. Site investigation
     - Take pictures of the scene
     - Asset tag
     - Inventory and describe all hardware
     - Identify every process or network information
     - Ensure the chain of custody form is properly completed
  20. Order of Volatility
     - Memory
     - Network status and connections
     - Running processes
     - Hard disk
  21. Evidence acquisition
     - Bit-stream imaging (court-certified)
     - Write blocking device
     - Static prevention wrist strap
     - Record initial configuration
     - Record all activity
  22. Evidence acquisition
     - Physical imaging
       - Grab entire drive (MBR)
       - Considered best evidence
       - Break out the partitions using dd
     - Logical imaging
       - File system partition only
       - Useful in obtaining a backup of a RAID drive
  23. Evidence acquisition
     Three evidence acquisition methods:
     - Hardware
     - Live CD
     - Live
     The resultant file will be an image file in all three cases.
  24. Hardware acquisition
     Situation: removed hard drive containing evidence
     1. Attach drive adapter
     2. Plug into acquisition workstation
     3. Image attached drive to an image file
     - Evidence will be in a static state
     - Volatile evidence not available
  25. Live CD acquisition
     Situation: boot into forensic Live CD
     - System will be rebooted
     - Loss of volatile evidence
     - Hard drive not removed
     - Image system to attached drive or file share
  26. Live acquisition
     Situation: live system acquisition
     - Snapshot of system
     - System stays powered on
     - Capability to gather volatile evidence
     - Evidence will be changing while imaging
     - Image system to a file on attached drive or file share
  27. Write blockers
     - Prevent any accidental writes to source data
     - Hardware based: adapter placed on the hard drive
     - Software based: software will not allow writes to the system
  28. Preservation
     - Create cryptographic hash
     - Create bit-image copies
     - Compare the hash results
     - Lock original disk in a limited-access container
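The Preservation slide above (hash, bit-image copy, compare) and the "break out the partitions using dd" point on the physical imaging slide, worked through as an added shell example that is not part of the workshop slides. It builds a small constructed drive file in place of a real device, so the paths, the 1 MiB size, the sector offsets and the hash_file / acquire_image / verify_image / carve_partition / run_demo function names are all assumptions of the example; on a real acquisition the dd input is the block device behind a write blocker, and the same hash comparison is what goes into the evidence record.

```shell
#!/bin/sh
# Added example, not from the workshop slides: bit-stream imaging of a
# constructed "drive" file, hash verification of the copy, and breaking a
# partition out of the image with dd. Every path, size and offset below is
# constructed for the demo.
set -eu

# Portable SHA-256 digest: coreutils sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed source "drive": 2048 sectors of 512 bytes (1 MiB), a fake MBR
# in sector 0 and a recognisable "partition" starting at sector 64.
make_source_drive() {  # make_source_drive <path>
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf 'FAKE-MBR' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf 'PARTITION-DATA' | dd of="$1" bs=512 seek=64 conv=notrunc 2>/dev/null
}

# Bit-stream copy of the whole device ("physical imaging" on the slides).
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros so sector offsets in the image still match the source device.
# dd only reads the source; on real media the source sits behind a write blocker.
acquire_image() {      # acquire_image <source> <image>
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Preservation check: hash source and copy, record both, fail on mismatch.
verify_image() {       # verify_image <source> <image> <logfile>
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source %s %s\nimage  %s %s\n' "$src_hash" "$1" "$img_hash" "$2" >> "$3"
    [ "$src_hash" = "$img_hash" ]
}

# Break one partition out of the image: skip to its first sector and copy
# exactly its sector count. Works on the image, never on the original.
carve_partition() {    # carve_partition <image> <start_sector> <sectors> <out>
    dd if="$1" of="$4" bs=512 skip="$2" count="$3" 2>/dev/null
}

# End-to-end run in a scratch directory; returns 0 only when every step verifies.
run_demo() {           # run_demo <workdir>
    mkdir -p "$1" &&
    make_source_drive "$1/source.dd" &&
    acquire_image "$1/source.dd" "$1/image.dd" &&
    verify_image "$1/source.dd" "$1/image.dd" "$1/hashes.log" &&
    carve_partition "$1/image.dd" 64 64 "$1/part1.dd" &&
    [ "$(head -c 14 "$1/part1.dd")" = "PARTITION-DATA" ]
}

DEMO="${TMPDIR:-/tmp}/forensic_demo.$$"
if run_demo "$DEMO"; then
    echo "image verified, partition carved: $DEMO"
else
    echo "verification failed: $DEMO" >&2
fi
```

Run it directly and it creates a scratch directory under $TMPDIR, images the constructed drive, appends both digests to hashes.log and carves the partition; verify_image returns non-zero on any mismatch, which is the check to record before the original goes into the evidence container. Any later change to the image (even one byte) makes the recorded source hash and a fresh image hash disagree.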
  29. Analysis of data
     - Only work on the forensic copy
     - Stay within your scope of work
     - Analysis steps:
       - Timeline analysis
       - Media analysis
       - String or byte search
       - Data recovery
  30. Questions?