Digital Forensics
MD. Tawhidur Rahman Pial
CCNA, CCNA-SEC, CCNP, C|EH, CHFI, CNDA, E|CSA, L|PT, E|NSA, WiMAX+,
Telecom+, Network+, Security+, Linux+, GSEC
Consultant of Cyber Crime & Digital Forensic
Certified Cyber Criminal Analyst, ISS, USA
Member Scotland Yard IACIS & High Tech Crime, USA
Introduction
• Topics to be covered
– Defining Computer Forensics
– Reasons for gathering evidence
– Who uses Computer Forensics
– Steps of Computer Forensics
– Handling Evidence
– Investigation initiation / response
– Handling Information
– Requirements & Software
– Anti-Forensics
– Evidence processing guidelines
– Methods of hiding Information/data
– Methods of discovering information/data
What is Digital Forensics?
• Emerging discipline in computer security
– Sometimes dismissed as “voodoo science”
– No standards, little research
• Investigation that takes place after an incident has happened
• Tries to answer the questions: who, what, when, where, why, and how
Definition
• Multiple methods of:
– Discovering data on a computer system
– Recovering deleted, encrypted, or damaged file information
– Monitoring live activity
– Detecting violations of corporate policy
• Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity
Definition (cont)
• What Constitutes Digital Evidence?
– Any information, whether or not it was subject to human intervention, that can be extracted from a computer.
– Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing investigation post employment
termination
– Recovering evidence post formatting hard
drive
– Performing investigation after multiple
users had taken over the system
Reasons For Evidence
• Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes relating
to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery
• Perjury
Reasons For Evidence (cont)
• Computer related crime and violations include a
range of activities including:
– Business Environment:
• Theft of or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing Events
• Inferring intentions
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software Piracy
Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
• Civil Litigations
– Personal and business data discovered on a computer
can be used in fraud, divorce, harassment, or
discrimination cases
• Insurance Companies
– Evidence discovered on a computer can be used to mitigate costs (fraud, worker’s compensation, arson, etc.)
• Private Corporations
– Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases
Who Uses Computer Forensics? (cont)
• Law Enforcement Officials
– Rely on computer forensics to back up search warrants and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic
specialists to support claims of harassment, abuse, or
wrongful termination from employment
FBI Computer Forensic Services
• Content
• Comparison against known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code
Steps to Take in a Computer Forensics Investigation
• Obtain authorization to search and seize.
• Secure the area, which may be a crime scene.
• Document the chain of custody of every item that was seized.
• Bag, tag, and safely transport the equipment and e-evidence.
• Acquire the e-evidence from the equipment by using forensically sound methods and
tools to create a forensic image of the e-evidence.
• Keep the original material in a safe, secured location.
• Design your review strategy of the e-evidence, including lists of keywords and search
terms.
• Examine and analyze forensic images of the e-evidence (never the original!)
according to your strategy.
• Interpret and draw inferences based on facts gathered from the e-evidence. Check
your work.
• Describe your analysis and findings in an easy-to-understand and clearly written
report.
• Give testimony under oath in a deposition or courtroom.
Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
All carried out in a manner that is legally acceptable to a court of law.
I A P I A R D
I : Identifying
A : Acquisition
P : Preservation
I : Interpretation
A : Analysis
R : Reporting
D : Destroy the evidence
Phase 1: Acquisition
• Analogous to crime scene in the “real
world”
• Goal is to recover as much evidence
without altering the crime scene
• Investigator should document as much as
possible
• Maintain Chain of Custody
Acquisition (2)
• Determine if incident actually happened
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the
incident?
• Is a warrant needed?
Acquisition (3)
• Get most fleeting information first
– Running processes
– Open sockets
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up original system in the
evidence locker
Phase 2: Recovery
• Goal is to extract data from the acquired
evidence
• Always work on copies, never the original
– Must be able to repeat entire process from
scratch
• Data, deleted data, “hidden” data
File systems
• Get files and directories
• Metadata
– User IDs
– Timestamps (MAC times)
– Permissions, …
• Some deleted files may be recovered
• Slack space
File deletion
• Most file systems only delete directory
entries but not the data blocks associated
with a file.
• Unless blocks get reallocated the file may
be reconstructed
– The earlier the recovery is attempted, the better the chances
– Depending on fragmentation, only partial reconstruction may be possible
Slack space
• Unallocated blocks
– Mark blocks as allocated to fool the file
system
• Unused space at the end of a file when it doesn’t end on a block boundary
• Unused space in file system data structures
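The two slides above (file deletion and slack/unallocated space) describe why deleted data is still recoverable. The following is an added illustration, not code from the slides or from any forensic product: a minimal signature-based carver that scans a constructed raw image for known file headers and footers, ignoring the file system entirely, and shows what happens when one of the deleted file's blocks has since been reallocated. The block size, the signature table and the sample image are all assumptions made for the example.

```python
BLOCK = 512  # assumed block size of the constructed image

# Header/footer signatures of the two file types this toy carver knows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image():
    """Constructed 16-block 'disk': a JPEG was written at block 3 and a PNG at
    block 9, then both directory entries were deleted. The data blocks are
    untouched, which is exactly what a carver relies on."""
    disk = bytearray(16 * BLOCK)
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"        # 706 bytes, spans blocks 3-4
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"  # 316 bytes, fits in block 9
    disk[3 * BLOCK:3 * BLOCK + len(jpeg)] = jpeg
    disk[9 * BLOCK:9 * BLOCK + len(png)] = png
    return bytes(disk)


def reallocate_block(disk, n):
    """Simulate the file system reusing block n for new data (here: zeroes)."""
    disk = bytearray(disk)
    disk[n * BLOCK:(n + 1) * BLOCK] = bytes(BLOCK)
    return bytes(disk)


def carve(disk, max_len=64 * 1024):
    """Scan the whole image, allocated or not, for known headers and return one
    record per hit. complete=False means the footer was not found within
    max_len bytes, so only a partial reconstruction is possible."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := disk.find(head, pos)) >= 0:
            end = disk.find(foot, start + len(head), start + max_len)
            if end >= 0:
                end += len(foot)
                found.append({"type": kind, "block": start // BLOCK,
                              "complete": True, "data": disk[start:end]})
                pos = end
            else:
                found.append({"type": kind, "block": start // BLOCK,
                              "complete": False, "data": disk[start:start + max_len]})
                pos = start + len(head)
    return sorted(found, key=lambda f: f["block"])


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f["type"], "at block", f["block"], "complete:", f["complete"], "bytes:", len(f["data"]))
    for f in carve(reallocate_block(build_sample_image(), 4)):
        print("after reallocation:", f["type"], "complete:", f["complete"])
```

Carving by signature is what makes "unallocated space" a source of evidence: nothing in the directory points at the two files any more, yet both come back whole. Once block 4 is reused the JPEG's footer is gone and the carver can only return a truncated fragment, which is the "partial reconstruction" case the slide refers to.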
Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to
store information
• Most common in images, but may also be used in executable files, metadata, and file system slack space
Encrypted data
• Depending on encryption method, it might
be infeasible to get to the information.
• Locating the keys is often a better
approach.
• A suspect may be compelled to reveal the
keys by law.
Recovery (cont.)
• Locating hidden or encrypted data is
difficult and might even be impossible.
• Investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories
File residue
• Even if a file is completely deleted from
the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory
Phase 3: Analysis
• Methodology differs depending on the
objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis
Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections
– Music or movie downloads
Locating material
• Requires specific knowledge of file system
and OS.
• Data may be encrypted, hidden,
obfuscated
• Obfuscation:
– Misleading file suffix
– Misleading file name
– Unusual location
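The obfuscation bullets above (misleading suffix, misleading name) and the "Misnamed files" item under Static Analysis are usually checked by comparing a file's extension with its magic bytes. Here is an added example of that check; it is not code from the slides or from any listed tool. The signature table is deliberately tiny and the sample tree is constructed for the demonstration (a real examiner would use a full libmagic-style database).

```python
import os
import tempfile

# Magic bytes at offset 0 for a few common types. Extension aliases map to the
# canonical name so that .jpeg and .jpg, or .docx and .zip, are not flagged.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also docx/xlsx/jar: all are zip containers
    (b"MZ", "exe"),          # DOS/PE executables (dll, sys, scr share this)
]
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}


def detect_type(header):
    """Type implied by the first bytes of a file, or None if unknown."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return None


def claimed_type(name):
    """Type implied by the file's extension, normalised through ALIASES."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return ALIASES.get(ext, ext)


def find_misnamed(root):
    """Walk root; return (relative path, claimed, actual) for every file whose
    extension disagrees with its magic bytes. Unknown types are skipped rather
    than reported, to keep the list short enough to review by hand."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                actual = detect_type(f.read(16))
            claimed = claimed_type(name)
            if actual is not None and actual != claimed:
                hits.append((os.path.relpath(path, root), claimed, actual))
    return sorted(hits)


def demo():
    """Constructed sample tree: four correctly named files and one executable
    renamed to look like a picture."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "holiday.jpeg": b"\xff\xd8\xff\xe1" + b"\x00" * 32,
        "invoice.pdf": b"%PDF-1.7\n" + b"\x00" * 32,
        "vacation.jpg": b"MZ\x90\x00" + b"\x00" * 60,   # PE header under a .jpg name
        "notes.txt": b"plain text, no magic bytes",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return find_misnamed(root)


if __name__ == "__main__":
    for path, claimed, actual in demo():
        print(f"{path}: named as {claimed}, content is {actual}")
```

Only the renamed executable is reported; the `.jpeg`/`.jpg` pair and the PDF pass because their extensions agree with their content once aliases are applied. The same `detect_type` lookup is what a forensic suite runs over every file in an image before keyword searching begins.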
Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish time line of events
Time issues
• Granularity of time keeping
– Can’t order events that occur in the same time
interval
• Multiple systems:
– Different clocks
– Clock drift
• E-mail headers and time zones
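Event reconstruction and the time issues listed above come down to putting every source on one clock. The following added example (not code from the slides) merges constructed log entries from three sources that record time differently: a web server logging in UTC whose clock is known to run 90 seconds fast, a workstation logging local time with a +06:00 offset and a clock 15 seconds slow, and an e-mail header with its own zone. The skew values and the events are assumptions made for the example; in practice they come from comparing each system's clock with a trusted reference at acquisition.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed: clock error of each source relative to a trusted reference,
# measured at acquisition (positive = that clock runs fast).
CLOCK_SKEW = {
    "webserver": timedelta(seconds=90),
    "workstation": timedelta(seconds=-15),
    "mail": timedelta(0),
}

# Constructed events, each in the format its source really emits.
RAW_EVENTS = [
    ("webserver", "2015-09-17 10:31:50 UTC", "POST /upload 200"),
    ("workstation", "2015-09-17 16:29:40 +0600", "secret.xlsx opened"),
    ("mail", "Thu, 17 Sep 2015 03:30:40 -0700", "message sent to external address"),
    ("workstation", "2015-09-17 16:29:50 +0600", "USB device attached"),
]


def parse_timestamp(source, text):
    """Return a timezone-aware datetime for one raw timestamp string."""
    if source == "mail":
        return parsedate_to_datetime(text)          # RFC 2822 date with zone
    if text.endswith(" UTC"):
        return datetime.strptime(text[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")


def normalize(source, text, correct_skew=True):
    """Convert to UTC and, optionally, remove the source clock's known error."""
    ts = parse_timestamp(source, text)
    if correct_skew:
        ts -= CLOCK_SKEW[source]
    return ts.astimezone(timezone.utc)


def build_timeline(raw=RAW_EVENTS, correct_skew=True):
    """Merge all sources into one list ordered by UTC time. The sort is stable,
    so events that fall in the same second (the granularity problem) keep
    their input order rather than being given a false ordering."""
    events = [(normalize(s, t, correct_skew), s, msg) for s, t, msg in raw]
    return sorted(events, key=lambda e: e[0])


def messages(timeline):
    return [msg for _, _, msg in timeline]


if __name__ == "__main__":
    print("uncorrected:", messages(build_timeline(correct_skew=False)))
    for ts, source, msg in build_timeline():
        print(ts.isoformat(), source, msg)
```

Without the skew correction the upload appears to happen after the e-mail was sent; with it, the sequence becomes open file, attach USB, upload, send mail. The ordering of the story changes on a 90-second error, which is why documenting the system date and time of every seized machine (Step 6 in the processing guidelines later in the deck) matters.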
The needle in the haystack
• Locating files:
– Storage capacity approaches the terabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens, hundreds of events a second
– Only last MAC times are available
– Insufficient logging
Compromised system
• If possible, compare against known good
state
– Tripwire
– Databases of “good” files
• Look for unusual file MAC times
• Look for open or listening network
connections (trojans)
• Look for files in unusual locations
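The "compare against known good state" approach (Tripwire, databases of good files) is a snapshot diff. The following added example, not code from the slides or from Tripwire, takes a baseline of a small constructed directory tree, applies the kinds of change the slide lists (a replaced binary, a new file in an unusual location, a removed file, loosened permissions) and classifies the differences. Paths and contents are constructed for the demonstration; a production baseline would also record owner, size and MAC times.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root to (sha256, permission bits)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            snap[os.path.relpath(path, root)] = (sha256_file(path), os.stat(path).st_mode & 0o7777)
    return snap


def compare(baseline, current):
    """Classify every difference between the trusted baseline and the current state."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "mode_changed": sorted(p for p in both
                               if baseline[p][0] == current[p][0] and baseline[p][1] != current[p][1]),
    }


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a tiny tree, then apply the changes an
    examiner is looking for and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary", 0o755)
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)

        _write(root, "bin/ls", b"replaced ls binary", 0o755)       # system binary swapped out
        _write(root, "tmp/.cache/unknown_bin", b"new file", 0o755)  # executable in an unusual place
        os.remove(os.path.join(root, "etc/hosts"))                  # file removed
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)           # permissions loosened
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline must be taken (and its own hash recorded) while the system is known to be clean, and stored off the system, otherwise the comparison proves nothing; that is the same "keep the original in a secure location" principle applied to the reference data.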
Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and
decompile
– May take weeks or months
Authorship analysis
• Determine who or what kind of person created
file.
– Programs (viruses, Trojans, sniffers/loggers)
– E-mails (Blackmail, Harassment, Information leaks)
• If actual person cannot be determined, just
determining the skill level of the author may be
important.
Phase 4: Presentation
• An investigator that performed the
analysis may have to appear in court as
an expert witness.
• For internal investigations, a report or
presentation may be required.
• Challenge: present the material in simple
terms so that a jury or CEO can
understand it.
Live Analysis Versus Static Analysis
• Live Analysis: Forensics performed on a
running system. More things to look at
during live analysis than a static analysis.
Do you pull the plug or perform an orderly
shutdown?
• Static Analysis: Forensics performed on a
copy of the data from a system. This type
of analysis is done most often.
Live Analysis
Things to record:
• System time and date.
• Users logged on to the system.
• Open network connections.
• Network drives mapped to the system.
• Processes that are running.
• What is on the Desktop and Clipboard.
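The Live Analysis list above, and the "get most fleeting information first" rule from Acquisition (3), are normally captured by a scripted collection run in order of volatility. The following added example (not the slides' code, and not any vendor's live-response tool) runs one command per item on an assumed Linux host, saves each raw output to its own file, and records a SHA-256 and capture time per artifact for the examiner's notes. Command names and options are the usual Linux ones; each entry lists a fallback because tool names differ between distributions.

```python
import hashlib
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Checks in order of volatility (most fleeting first). Assumed Linux host; each
# entry lists alternative commands tried in turn.
VOLATILE_CHECKS = [
    ("system_time", [["date", "-u"]]),
    ("logged_on_users", [["who"], ["w"]]),
    ("network_connections", [["ss", "-tunap"], ["netstat", "-tunap"]]),
    ("mounted_shares", [["mount"]]),
    ("processes", [["ps", "-eo", "pid,ppid,user,lstart,cmd"]]),
]


def run_first_available(candidates):
    """Run the first candidate command that exists; return (argv, output)."""
    for cmd in candidates:
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, errors="replace", timeout=30)
        except FileNotFoundError:
            continue
        except subprocess.TimeoutExpired:
            return cmd, "timed out"
        return cmd, proc.stdout + proc.stderr
    return None, "none of the candidate commands is installed"


def collect(outdir):
    """Run every check in order, save each raw output to its own file and
    return a manifest: name -> {command, file, sha256, collected_at}. The hash
    and timestamp are what the examiner's notes (and the chain of custody)
    record for each captured artifact."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {}
    for name, candidates in VOLATILE_CHECKS:
        cmd, output = run_first_available(candidates)
        path = os.path.join(outdir, name + ".txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write(output)
        manifest[name] = {
            "command": " ".join(cmd) if cmd else None,
            "file": path,
            "sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        }
    return manifest


def demo():
    """Collect into a throw-away directory. A real response writes to removable
    media, never to the suspect's own disk, so as not to overwrite unallocated space."""
    with tempfile.TemporaryDirectory() as outdir:
        return collect(outdir)


if __name__ == "__main__":
    for name, entry in collect("live_capture").items():
        print(f"{name}: {entry['command']} -> {entry['sha256'][:16]}... at {entry['collected_at']}")
```

System time is captured first so that every later timestamp can be related to a reference clock, and the process listing last because it changes least while the rest of the collection runs. Running the collection itself alters the system (new process, new file handles), which is the trade-off the "pull the plug or orderly shutdown" question on the previous slide is about.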
Static Analysis
Things to look for:
• Registry entries.
• Hidden files and folders, encrypted files.
• Images, emails, IM logs, other files.
• Misnamed files.
• Deleted files.
• Data in unallocated space and Slack space.
Capturing a Drive Image
• A write-blocker must be used to prevent
write operations on the drive being
imaged. Can be software or hardware.
• Entire drive is imaged, including
unallocated space, to a clean drive.
• Image must be verified to guarantee
integrity. This is done using a hash
function.
Capturing a Drive Image
• One bit is a 0 or a 1.
• One byte is 8 bits.
• One KB (kilobyte) is 1024 bytes.
• One MB (megabyte) is 1024 KB.
• One GB (gigabyte) is 1024 MB.
• A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
• One TB (terabyte) is 1024 GB.
Capturing a Drive Image
• Drive may be imaged via a USB or FireWire connection,
or over the network.
• The size of the drive being imaged affects the time
required to perform the capture.
• The speed of the connection also affects the time
required to image the drive.
• A 500 GB drive may require 8 hours or several days to
acquire.
Image is Verified via a Hash
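The "image must be verified using a hash function" point above is the step that makes a forensic copy admissible. The following added example (not code from the slides or from any imaging product) hashes a stream with several algorithms in a single pass, the way imaging tools report acquisition hashes, then verifies an image file against those hashes and shows that flipping one bit is detected. The 1 MiB "drive" and the byte offset are constructed for the demonstration.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a multi-hundred-GB image never has to fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")  # older tools report md5/sha1; sha256 is the one to rely on


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash one byte stream with several algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(acquisition_hashes, image_path):
    """Re-hash the image and compare every algorithm against the hashes recorded
    at acquisition. Returns (all_match, per_algorithm_match)."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    matches = {name: current[name] == acquisition_hashes[name] for name in acquisition_hashes}
    return all(matches.values()), matches


def demo():
    """Constructed: a 1 MiB 'drive' is imaged to a file and verified; then a
    single bit of the image is flipped and verification is repeated."""
    source = bytes(range(256)) * 4096
    acquisition = hash_bytes(source)        # hashes recorded when the source was read
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as f:
            f.write(source)
        ok_before, _ = verify_image(acquisition, image)
        with open(image, "r+b") as f:       # simulate one corrupted bit in the copy
            f.seek(12345)
            original = f.read(1)[0]
            f.seek(12345)
            f.write(bytes([original ^ 0x01]))
        ok_after, matches = verify_image(acquisition, image)
    return ok_before, ok_after, matches


if __name__ == "__main__":
    ok_before, ok_after, matches = demo()
    print("verified after imaging:", ok_before)
    print("verified after one bit flipped:", ok_after, matches)
```

The acquisition hashes belong in the chain-of-custody record together with the tool, examiner and time; every later working copy is re-verified against them before analysis starts, which is what lets the examiner testify that the copy examined is identical to what was seized.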
Where’s the Data?
• Registry.
• Files and folders.
• Deleted files.
• Unallocated space.
• Slack space.
• System files: HIBERFIL.SYS, INDEX.DAT, PAGEFILE.SYS.
Computer Forensic Requirements
• Hardware
– Familiarity with all internal and external
devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets
used
– Power connections
– Memory
• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of
the BIOS
Forensic Tools
• Hex editor: display, search, and modify hexadecimal data.
• Forensic analysis software:
– FTK (Forensic Toolkit)
– EnCase
– Autopsy
– X-Ways
– Oxygen Forensic
FTK (Forensic ToolKit)
Oxygen Forensic Viewer
Oxygen Forensic Viewer Communication Diagram
Forensic Lab Design
FRED Forensic Workstation
Server
Tableau TD3 Forensic Imager
Digital Forensic Analysis Server
Digital Analysis Data Server
FRED Analysis Server
CellDEK Mobile Phone Analysis Device
UFED Cellebrite Mobile Phone Forensic Device
VIAEXTRACT- Android forensic software.
Elcomsoft Password Breaker
Encase Smartphone Examiner
MOBILedit! Forensic
pySIM
AccessData Mobile Phone Examiner (MPE) Plus
Forensic Tools
• Network traffic sniffer/analyzer
• Imaging software
• Hashing software
• Log file analyzer
• Steganography software
Some Steganography Detection Tools
Stegdetect – www.outguess.org
Xstegsecret – stegsecret.sourceforge.net
Stego Watch – www.wetstonetech.com
StegAlyzer – www.sarc-wv.com
StegSpy – www.spy-hunter.com
Gargoyle Investigator Forensic – www.wetstonetech.com
StegMark – www.datamark.com.sg
-----
PS: Rather than relying only on tools, learn to parse the data manually.
Video Forensic Software
• Ocean Systems dTective
• Video Image Enhancement & Analysis
• Cognitech
• MotionDSP Ikena
• Salient Stills VideoFOCUS
• StarWitness
• Intergraph Video Analyst
• Forevid
• Amped FIVE
• Kinesense
• Paraben (Video Recovery from Mobile Device and Hard Drive)
• Videntifier Forensic (Automatic Video Identification)
• VideoCleaner FREE
Skills Needed by a Forensic Examiner
• Knowledge of Operating Systems.
• Knowledge of File Systems.
• Must understand networking and TCP/IP.
• Must possess necessary software for imaging
and analyzing images.
• Must possess additional software such as hex
editor, log file analyzer, etc.
• Lots of patience !!!
Current and Emerging Cyber Forensic Tools of Law Enforcement
Anti-Forensics
• Software that limits and/or corrupts evidence
that could be collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and used forensic
tools
• Works on both Windows- and Linux-based systems
• In place prior to or post system acquisition
Evidence Processing Guidelines
• New Technologies Inc. recommends the following 16 steps in processing evidence
• They offer training on properly handling each step
– Step 1: Shut down the computer
• Consideration must be given to volatile information
• Prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software)
– Step 2: Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating
Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to A Secure
Location
• Do not leave the computer unattended unless it is locked
in a secure location
– Step 4: Make Bit Stream Backups of Hard Disks and
Floppy Disks
– Step 5: Mathematically Authenticate Data on All
Storage Devices
• Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File
Evidence Processing Guidelines (cont)
– Step 9: Evaluate File Slack
• File slack is a data storage area of which most computer users are unaware; it is a source of significant security leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated
Space for Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage
Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used
Nothing is safe and secure in the digital world; beware of identity theft as a privacy concern. You don't even know who is watching you.
Certification
Vendor-Neutral Computer Forensics Certifications
• Computer Hacking Forensic Investigator (CHFI): certification from EC-Council
• Certified Computer Examiner (CCE®): certification offered by the International Society of Forensic Computer Examiners (ISFCE)
• Certified Computer Forensics Examiner (CCFE): certification from the Information Assurance Certification Review Board (IACRB)
• Certified Digital Forensics Examiner (CDFE): certification from Mile2
• Certified E-Discovery Specialist (CEDS): certification from the Association of Certified E-Discovery Specialists (ACEDS)
• CyberSecurity Forensic Analyst (CSFA): certification from the CyberSecurity Institute
• GIAC Certified Forensic Analyst (GIAC) and Certified Forensic Analyst (GCFA): certification from The SANS (System Administration, Networking, and Security) Institute
• IACIS Certified Forensic Computer Examiner (CFCE): certification from the International Association of Computer Investigative Specialists (IACIS)
Vendor-Specific Computer Forensics Certifications
• AccessData Certified Examiner (ACE): certification from AccessData Group, LLC
• AccessData also offers certifications in its Summation litigation product:
i. Certified Forensic Investigation Practitioner
ii. Certified Mac Forensics Specialist
iii. Certified Malware Investigator
• EnCase Certified Examiner: EnCase® from Guidance Software
• EnCase Certified eDiscovery Practitioner: the EnCase® Certified eDiscovery Practitioner (EnCEP™)
D3pak
Some Good Reads
1. XRY http://www.msab.com
2. UFED, UFED Physical Analyzer http://www.cellebrite.com
3. Oxygen Forensic Suite, Oxygen Forensic® SQLite Viewer http://www.oxygen-forensic.com/en/
4. Secure View 3 http://secureview.us
5. Rooting (Android OS) http://en.wikipedia.org/wiki/Rooting_(Android_OS)
6. Android Forensics. Physical Techniques. https://viaforensics.com/…/android-fo…/physical-techniques/…
7. FTK Imager http://www.accessdata.com/support/product-downloads
8. Robert Craig, Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action Group (JTAG) http://articles.forensicfocus.com/…/jtag-sch-r530u-that-ha…/
9. UFS Explorer http://www.ufsexplorer.com/index.php
10. Encase Forensic https://www.guidancesoftware.com
11. Supported Decoders, data files and databases http://www.andriller.com/decoders
12. Belkasoft Evidence Center http://forensic.belkasoft.com/en
13. R-Studio http://www.r-studio.com
14. The Sleuth Kit http://www.sleuthkit.org
15. ThumbnailExpert Forensic http://computer-forensics-lab.org/en/news/25/
16. Android software development http://en.wikipedia.org/wiki/Android_software_development…
17. http://toolcatalog.nist.gov/populated_taxonomy/index.php
BOOKS TO READ
Grafana in space: Monitoring Japan's SLIM moon lander  in real timeGrafana in space: Monitoring Japan's SLIM moon lander  in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Pests of soyabean_Binomics_IdentificationDr.UPR.pdf
Pests of soyabean_Binomics_IdentificationDr.UPR.pdfPests of soyabean_Binomics_IdentificationDr.UPR.pdf
Pests of soyabean_Binomics_IdentificationDr.UPR.pdf
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
Hot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort Service
Hot Sexy call girls in  Moti Nagar,🔝 9953056974 🔝 escort ServiceHot Sexy call girls in  Moti Nagar,🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Moti Nagar,🔝 9953056974 🔝 escort Service
 
THE ROLE OF PHARMACOGNOSY IN TRADITIONAL AND MODERN SYSTEM OF MEDICINE.pptx
THE ROLE OF PHARMACOGNOSY IN TRADITIONAL AND MODERN SYSTEM OF MEDICINE.pptxTHE ROLE OF PHARMACOGNOSY IN TRADITIONAL AND MODERN SYSTEM OF MEDICINE.pptx
THE ROLE OF PHARMACOGNOSY IN TRADITIONAL AND MODERN SYSTEM OF MEDICINE.pptx
 
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
 
Environmental Biotechnology Topic:- Microbial Biosensor
Environmental Biotechnology Topic:- Microbial BiosensorEnvironmental Biotechnology Topic:- Microbial Biosensor
Environmental Biotechnology Topic:- Microbial Biosensor
 
Solution chemistry, Moral and Normal solutions
Solution chemistry, Moral and Normal solutionsSolution chemistry, Moral and Normal solutions
Solution chemistry, Moral and Normal solutions
 
GenBio2 - Lesson 1 - Introduction to Genetics.pptx
GenBio2 - Lesson 1 - Introduction to Genetics.pptxGenBio2 - Lesson 1 - Introduction to Genetics.pptx
GenBio2 - Lesson 1 - Introduction to Genetics.pptx
 

644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf

Digital Forensics
MD. Tawhidur Rahman Pial
CCNA, CCNA-SEC, CCNP, C|EH, CHFI, CNDA, E|CSA, L|PT, E|NSA, WiMAX+, Telecom+, Network+, Security+, Linux+, GSEC
Consultant of Cyber Crime & Digital Forensic
Certified Cyber Criminal Analyst, ISS, USA
Member Scotland Yard IACIS & High Tech Crime, USA

Introduction
• Topics to be covered
– Defining Computer Forensics
– Reasons for gathering evidence
– Who uses Computer Forensics
– Steps of Computer Forensics
– Handling Evidence
– Investigation initiation / response
– Handling Information
– Requirements & Software
– Anti-Forensics
– Evidence processing guidelines
– Methods of hiding information/data
– Methods of discovering information/data

What is Digital Forensics?
• Emerging discipline in computer security
– “voodoo science”
– No standards, little research
• Investigation that takes place after an incident has happened
• Tries to answer the questions: who, what, when, where, why, and how

Definition
• Multiple methods of
– Discovering data on a computer system
– Recovering deleted, encrypted, or damaged file information
– Monitoring live activity
– Detecting violations of corporate policy
• Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity

Definition (cont)
• What constitutes digital evidence?
– Any information, whether subject to human intervention or not, that can be extracted from a computer.
– Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing an investigation after employment termination
– Recovering evidence after a hard drive has been formatted
– Performing an investigation after multiple users have taken over the system

Reasons For Evidence
• Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery
• Perjury

Reasons For Evidence (cont)
• Computer-related crime and violations include a range of activities including:
– Business Environment:
• Theft or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing events
• Inferring intentions
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software piracy

Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects
• Civil Litigations
– Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Insurance Companies
– Evidence discovered on a computer can be used to reduce costs (fraud, worker’s compensation, arson, etc.)
• Private Corporations
– Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases

Who Uses Computer Forensics? (cont)
• Law Enforcement Officials
– Rely on computer forensics to back up search warrants and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

FBI Computer Forensic Services
• Content
• Comparison against known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code

Steps to Take in a Computer Forensics Investigation
• Obtain authorization to search and seize.
• Secure the area, which may be a crime scene.
• Document the chain of custody of every item that was seized.
• Bag, tag, and safely transport the equipment and e-evidence.
• Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
• Keep the original material in a safe, secured location.
• Design your review strategy for the e-evidence, including lists of keywords and search terms.
• Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
• Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
• Describe your analysis and findings in an easy-to-understand and clearly written report.
• Give testimony under oath in a deposition or courtroom.

Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
In a manner that is legally acceptable to a court or under the law.
I A P I A R D
I : Identifying
A : Acquisition
P : Preservation
I : Interpretation
A : Analysis
R : Reporting
D : Destroy the evidence

Phase 1: Acquisition
• Analogous to a crime scene in the “real world”
• Goal is to recover as much evidence as possible without altering the crime scene
• Investigator should document as much as possible
• Maintain chain of custody

Acquisition (2)
• Determine if the incident actually happened
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the incident?
• Is a warrant needed?

Acquisition (3)
• Get the most fleeting information first
– Running processes
– Open sockets
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up the original system in the evidence locker

Phase 2: Recovery
• Goal is to extract data from the acquired evidence
• Always work on copies, never the original
– Must be able to repeat the entire process from scratch
• Data, deleted data, “hidden” data

File systems
• Get files and directories
• Metadata
– User IDs
– Timestamps (MAC times)
– Permissions, …
• Some deleted files may be recovered
• Slack space

File deletion
• Most file systems only delete directory entries but not the data blocks associated with a file.
• Unless blocks get reallocated, the file may be reconstructed
– The earlier, the better the chances
– Depending on fragmentation, only partial reconstruction may be possible

Slack space
• Unallocated blocks
– Mark blocks as allocated to fool the file system
• Unused space at the end of files that do not end on a block boundary
• Unused space in file system data structures

Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to store information
• Most common in images, but may also be used on executable files, metadata, file system slack space

Encrypted data
• Depending on the encryption method, it might be infeasible to get to the information.
• Locating the keys is often a better approach.
• A suspect may be compelled by law to reveal the keys.

Recovery (cont.)
• Locating hidden or encrypted data is difficult and might even be impossible.
• The investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories

File residue
• Even if a file is completely deleted from the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory

Phase 3: Analysis
• Methodology differs depending on the objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis

Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections
– Music or movie downloads

Locating material
• Requires specific knowledge of the file system and OS.
• Data may be encrypted, hidden, obfuscated
• Obfuscation:
– Misleading file suffix
– Misleading file name
– Unusual location
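The two slides "File deletion" and "Locating material" share one technique: reading file content by its magic bytes instead of trusting file-system metadata. The following is an added example (not from the slides) that carves signature-delimited objects out of a raw image, including blocks whose directory entry is gone, and flags files whose suffix contradicts their header; the disk image, file names and signature table are constructed for the demonstration.

```python
import os

# Header/footer signatures for a few common types (well-known magic bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXT_ALIASES = {"jpeg": "jpg"}


def carve(image: bytes, max_size: int = 1 << 20):
    """Scan a raw image for header..footer spans and return (offset, kind, data)
    tuples sorted by offset. No file-system metadata is consulted, so objects
    whose directory entry was deleted are still found. A header with no footer
    within max_size is skipped as truncated or overwritten (partial recovery
    would need a format-specific parser)."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # partial object: move on
                continue
            end += len(tail)
            found.append((start, kind, image[start:end]))
            pos = end
    return sorted(found, key=lambda t: t[0])


def detect_type(data: bytes):
    """Type claimed by the leading bytes, or None if unrecognised."""
    for kind, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return None


def misnamed(name: str, data: bytes) -> bool:
    """True when the file suffix claims a type its magic bytes contradict
    (the 'misleading file suffix' obfuscation from the slides)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    actual = detect_type(data)
    return actual is not None and ext != actual


# Constructed 4 KiB "disk image": block 0 holds a minimal JPEG whose directory
# entry was deleted, block 1 a JPEG header whose data blocks were overwritten
# (no footer), block 2 a small PDF, everything else zero-filled.
BLOCK = 1024
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF constructed sample" + b"\xff\xd9"
PDF = b"%PDF-1.4 constructed sample body\n%%EOF"
_img = bytearray(4 * BLOCK)
_img[0:len(JPEG)] = JPEG
_img[BLOCK:BLOCK + 3] = b"\xff\xd8\xff"
_img[2 * BLOCK:2 * BLOCK + len(PDF)] = PDF
IMAGE = bytes(_img)

if __name__ == "__main__":
    for off, kind, data in carve(IMAGE):
        print(f"offset {off:5d} (block {off // BLOCK}) {kind} {len(data)} bytes")
    print("holiday.txt misnamed:", misnamed("holiday.txt", JPEG))
```

On a real image the same loop runs over the unallocated blocks exported by the file-system parser, and a fragmented file will carve incorrectly, which is exactly the partial-reconstruction caveat the slide gives.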
Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish a timeline of events

Time issues
• Granularity of time keeping
– Can’t order events that occur in the same time interval
• Multiple systems:
– Different clocks
– Clock drift
• E-mail headers and time zones
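An added example (not from the slides) of the timeline step: three constructed sources, a UTC firewall line, a syslog line written in local time by a host whose clock was measured 120 s slow, and the Date: header of a recovered e-mail in another zone, are normalised to UTC and ordered. Host names, addresses, the time zones and the drift values are all assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc

# Clock drift measured against a reference clock at acquisition time
# (true time = device time + offset). Constructed values.
CLOCK_OFFSET = {"fw1": timedelta(0), "host-a": timedelta(seconds=120)}
# Time zone in which each device writes local timestamps (constructed).
DEVICE_TZ = {"host-a": timezone(timedelta(hours=1))}

# Constructed evidence: one firewall line (UTC), one classic syslog line
# (local time, no year, no zone) and the Date: header of a recovered e-mail.
FIREWALL_LOG = ["2023-03-01T12:00:05Z fw1 DENY 10.0.0.5 -> 203.0.113.9:445"]
SYSLOG = ["Mar  1 12:58:10 host-a sshd[412]: Accepted password for root from 10.0.0.7"]
EMAIL_DATE = "Wed, 01 Mar 2023 06:59:50 -0500"


def parse_firewall(line):
    stamp, source, msg = line.split(" ", 2)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return ts, source, msg


def parse_syslog(line, year):
    """Classic syslog carries neither year nor zone: both must be supplied."""
    mon, day, clock, source, msg = line.split(None, 4)
    naive = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=DEVICE_TZ[source]), source, msg


def normalize(ts, source):
    """Convert an aware timestamp to UTC and undo the device's clock drift."""
    return ts.astimezone(UTC) + CLOCK_OFFSET.get(source, timedelta(0))


def build_timeline(year=2023):
    """Return (utc_time, source, message) triples in chronological order."""
    events = []
    for line in FIREWALL_LOG:
        ts, src, msg = parse_firewall(line)
        events.append((normalize(ts, src), src, msg))
    for line in SYSLOG:
        ts, src, msg = parse_syslog(line, year)
        events.append((normalize(ts, src), src, msg))
    mail_ts = parsedate_to_datetime(EMAIL_DATE)
    events.append((normalize(mail_ts, "mail"), "mail", "Date: header of recovered message"))
    # Events inside one clock tick cannot be ordered reliably; the sort is
    # stable, so insertion order decides ties and the report should say so.
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, src, msg in build_timeline():
        print(ts.isoformat(), src, msg)
```

Without the drift correction the host-a login would sort first, two minutes before the firewall block it actually followed, which is the ordering error the "Clock drift" bullet warns about.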
The needle in the haystack
• Locating files:
– Storage capacity approaches the terabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens, hundreds of events a second
– Only the last MAC times are available
– Insufficient logging

Compromised system
• If possible, compare against a known good state
– Tripwire
– Databases of “good” files
• Look for unusual file MAC times
• Look for open or listening network connections (trojans)
• Look for files in unusual locations
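A minimal version of the "compare against a known good state" check, added here as an example and not taken from the slides or from Tripwire: hash every file under a root, keep that as the baseline, and classify each path on the suspect copy as modified, added or missing. The directory tree and its contents are constructed in a temporary directory; only the standard library is assumed.

```python
import hashlib
import os
import tempfile


def sha256_file(path, block=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root, '/' separated)
    to its SHA-256. Run once on the known-good system to build the baseline,
    again on the suspect copy to get the current state."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = sha256_file(full)
    return state


def compare(baseline, current):
    """Classify every path as modified, added or missing relative to baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a tiny constructed tree, baseline it, apply the three kinds of
    change an intrusion leaves behind, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/ls", b"constructed ls binary")
        write("bin/ps", b"constructed ps binary")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        write("bin/ps", b"constructed ps binary, altered")   # modified
        write("tmp/.x", b"constructed dropped file")          # added
        os.remove(os.path.join(root, "bin", "ls"))            # missing
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline itself must be stored off the examined system and its own hash recorded, otherwise an altered baseline hides every change it was meant to reveal.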
Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and decompile
– May take weeks or months

Authorship analysis
• Determine who or what kind of person created a file.
– Programs (viruses, Trojans, sniffers/loggers)
– E-mails (blackmail, harassment, information leaks)
• If the actual person cannot be determined, just determining the skill level of the author may be important.

Phase 4: Presentation
• The investigator who performed the analysis may have to appear in court as an expert witness.
• For internal investigations, a report or presentation may be required.
• Challenge: present the material in simple terms so that a jury or CEO can understand it.

Live Analysis Versus Static Analysis
• Live Analysis: forensics performed on a running system. There are more things to look at during live analysis than during static analysis. Do you pull the plug or perform an orderly shutdown?
• Static Analysis: forensics performed on a copy of the data from a system. This type of analysis is done most often.

Live Analysis
Things to record:
• System time and date.
• Users logged on to the system.
• Open network connections.
• Network drives mapped to the system.
• Processes that are running.
• What is on the Desktop and Clipboard.

Static Analysis
Things to look for:
• Registry entries.
• Hidden files and folders, encrypted files.
• Images, emails, IM logs, other files.
• Misnamed files.
• Deleted files.
• Data in unallocated space and slack space.

Capturing a Drive Image
• A write-blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
• The entire drive is imaged, including unallocated space, to a clean drive.
• The image must be verified to guarantee integrity. This is done using a hash function.

Capturing a Drive Image
• One bit is a 0 or a 1.
• One byte is 8 bits.
• One KB (Kilobyte) is 1024 bytes.
• One MB (Megabyte) is 1024 KB.
• One GB (Gigabyte) is 1024 MB.
• A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
• One TB (Terabyte) is 1024 GB.

Capturing a Drive Image
• A drive may be imaged via a USB or FireWire connection, or over the network.
• The size of the drive being imaged affects the time required to perform the capture.
• The speed of the connection also affects the time required to image the drive.
• A 500 GB drive may require 8 hours or several days to acquire.

Image is Verified via a Hash
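The three "Capturing a Drive Image" slides and the hash verification step, as an added example that is not the slides' own material: the source is streamed block by block into an image while the same bytes are hashed, the finished image is re-hashed to prove it matches, and a single flipped bit shows why the check matters. The source "drive" is a constructed random file in a temporary directory; the write-blocker the slides require sits in hardware or the driver and is not modelled here.

```python
import hashlib
import os
import tempfile


def hash_stream(fileobj, block=1 << 20):
    """SHA-256 of everything readable from fileobj, read block by block so a
    multi-hundred-GB image never has to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, dest, block=1 << 20):
    """Copy source into dest bit-for-bit and return the hash of the bytes read.
    Hashing the stream as it is written avoids a second pass over the original."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify(image, expected):
    """Re-hash the finished image; True only if it matches the acquisition hash."""
    with open(image, "rb") as f:
        return hash_stream(f) == expected


def drive_bytes(size, unit):
    """Capacity in bytes using the slides' binary units (1 KB = 1024 bytes)."""
    return size * 1024 ** {"KB": 1, "MB": 2, "GB": 3, "TB": 4}[unit]


def demo():
    """Image a constructed 3 MiB + 17 byte 'drive', verify it, then flip one
    bit and verify again. Returns (verified, verified_after_change, sizes_equal)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence_drive.bin")   # constructed source
        img = os.path.join(d, "evidence_drive.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))  # deliberately not block-aligned
        digest = acquire(src, img)
        ok = verify(img, digest)
        with open(img, "r+b") as f:                    # simulate a one-bit change
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0x01]))
        changed_ok = verify(img, digest)
        same_size = os.path.getsize(src) == os.path.getsize(img)
        return ok, changed_ok, same_size


if __name__ == "__main__":
    print(demo())                      # (True, False, True)
    print(drive_bytes(500, "GB"))      # 536870912000
```

Record the digest, the tool, the time and the examiner together with the image; that record is what step 5 of the processing guidelines ("mathematically authenticate") relies on later.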
Where’s the Data?
• Registry.
• Files and folders.
• Deleted files.
• Unallocated space.
• Slack space.
• System files: HIBERFIL.SYS, INDEX.DAT, PAGEFILE.SYS.

Computer Forensic Requirements
• Hardware
– Familiarity with all internal and external devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets used
– Power connections
– Memory
• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of the BIOS

Forensic Tools
• Hex editor: display, search, and modify hexadecimal data.
• Forensic analysis software:
– FTK (Forensic Toolkit)
– EnCase
– Autopsy
– X-Ways
– Oxygen Forensic

Oxygen Forensic Viewer Communication Diagram

pySIM

AccessData Mobile Phone Examiner (MPE) Plus

Forensic Tools
• Network traffic sniffer/analyzer
• Imaging software
• Hashing software
• Log file analyzer
• Steganography software

Some Steganography Detection Tools
• Stegdetect – www.outguess.org
• Xstegsecret – stegsecret.sourceforge.net
• Stego Watch – www.wetstonetech.com
• StegAlyzer – www.sarc-wv.com
• StegSpy – www.spy-hunter.com
• Gargoyle Investigator Forensic – www.wetstonetech.com
• StegMark – www.datamark.com.sg
PS: Rather than relying on tools, please go for manual parsing.

Video Forensic Software
• Ocean Systems dTective
• Video Image Enhancement & Analysis
• Cognitech
• MotionDSP Ikena
• Salient Stills VideoFOCUS
• StarWitness
• Intergraph Video Analyst
• Forevid
• Amped FIVE
• Kinesense
• Paraben (Video Recovery from Mobile Device and Hard Drive)
• Videntifier Forensic (Automatic Video Identification)
• VideoCleaner FREE

Skills Needed by a Forensic Examiner
• Knowledge of operating systems.
• Knowledge of file systems.
• Must understand networking and TCP/IP.
• Must possess the necessary software for imaging and analyzing images.
• Must possess additional software such as a hex editor, log file analyzer, etc.
• Lots of patience!!!

Current and Emerging Cyber Forensic Tools of Law Enforcement

Anti-Forensics
• Software that limits and/or corrupts evidence that could be collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and used forensic tools
• Works on both Windows and Linux based systems
• In place prior to or after system acquisition

Evidence Processing Guidelines
• New Technologies Inc. recommends following 16 steps in processing evidence
• They offer training on properly handling each step
– Step 1: Shut down the computer
• Consideration must be given to volatile information
• Prevents remote access to the machine and destruction of evidence (manual or anti-forensic software)
– Step 2: Document the hardware configuration of the system
• Note everything about the computer configuration prior to relocating it

Evidence Processing Guidelines (cont)
– Step 3: Transport the computer system to a secure location
• Do not leave the computer unattended unless it is locked in a secure location
– Step 4: Make bit stream backups of hard disks and floppy disks
– Step 5: Mathematically authenticate data on all storage devices
• Must be able to prove that you did not alter any of the evidence after the computer came into your possession
– Step 6: Document the system date and time
– Step 7: Make a list of key search words
– Step 8: Evaluate the Windows swap file

Evidence Processing Guidelines (cont)
– Step 9: Evaluate file slack
• File slack is a data storage area of which most computer users are unaware; a source of significant security leakage.
– Step 10: Evaluate unallocated space (erased files)
– Step 11: Search files, file slack and unallocated space for key words
– Step 12: Document file names, dates and times
– Step 13: Identify file, program and storage anomalies
– Step 14: Evaluate program functionality
– Step 15: Document your findings
– Step 16: Retain copies of software used

Nothing is safe and secure in the digital world; beware of identity theft and mind your privacy. You don't even know who all is sniffing you.

Certification
Vendor-Neutral Computer Forensics Certifications
• Computer Hacking Forensic Investigator (CHFI): this certification is from EC-Council
• Certified Computer Examiner: the Certified Computer Examiner (CCE®) certification offered by the International Society of Forensic Computer Examiners (ISFCE)
• Certified Computer Forensics Examiner (CCFE): certification from the Information Assurance Certification Review Board (IACRB)
• Certified Digital Forensics Examiner (CDFE): certification from Mile2
• Certified E-Discovery Specialist (CEDS): this certification is from the Association of Certified E-Discovery Specialists (ACEDS)
• CyberSecurity Forensic Analyst (CSFA): certification from CyberSecurity Institute
• GIAC Certified Forensic Analyst (GIAC) and Certified Forensic Analyst (GCFA): certification from The SANS (System Administration, Networking, and Security) Institute
• IACIS Certified Forensic Computer Examiner: the IACIS Certified Forensic Computer Examiner (CFCE) certification from the International Association of Computer Investigative Specialists (IACIS)

Cont.
Vendor-Specific Computer Forensics Certifications
• AccessData Certified Examiner: AccessData Certified Examiner (ACE) certification from AccessData Group, LLC
• AccessData also offers certifications in its Summation litigation product:
i. Certified Forensic Investigation Practitioner
ii. Certified Mac Forensics Specialist
iii. Certified Malware Investigator
• EnCase Certified Examiner: EnCase® from Guidance Software
• EnCase Certified eDiscovery Practitioner: the EnCase® Certified eDiscovery Practitioner (EnCEP™)

Some Good Reads
1. XRY http://www.msab.com
2. UFED, UFED Physical Analyzer http://www.cellebrite.com
3. Oxygen Forensic Suite, Oxygen Forensic® SQLite Viewer http://www.oxygen-forensic.com/en/
4. Secure View 3 http://secureview.us
5. Rooting (Android OS) http://en.wikipedia.org/wiki/Rooting_(Android_OS)
6. Android Forensics. Physical Techniques. https://viaforensics.com/…/android-fo…/physical-techniques/…
7. FTK Imager http://www.accessdata.com/support/product-downloads
8. Robert Craig, Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action Group (JTAG) http://articles.forensicfocus.com/…/jtag-sch-r530u-that-ha…/
9. UFS Explorer http://www.ufsexplorer.com/index.php
10. Encase Forensic https://www.guidancesoftware.com
11. Supported Decoders data files and databases http://www.andriller.com/decoders
12. Belkasoft Evidence Center http://forensic.belkasoft.com/en
13. R-Studio http://www.r-studio.com
14. The Sleuth Kit http://www.sleuthkit.org
15. ThumbnailExpert Forensic http://computer-forensics-lab.org/en/news/25/
16. Android software development http://en.wikipedia.org/wiki/Android_software_development…
17. http://toolcatalog.nist.gov/populated_taxonomy/index.php