Digital Forensics

A Pilot study on issues and complexity of digital forensics and how digital forensics can be applied in a live environment without the loss or spoilage of valuable data and evidence

Published in: Technology

Digital Forensics

  1. Digital Forensics: Evidence
  2. Road Map
     - Basic Digital Forensics
     - Traditional Digital Forensics
     - Live Digital Forensics
     - Anti-Digital Forensics
     - Questions
  3. Basic Forensics
     - Registry
     - Thumbs.db
     - Index.dat
     - Commands
  4. Registry
     - Last Logon: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
     - Security Center: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
     - Recent Documents: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
     - Typed URLs: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
  5. Thumbs.DB
     - Pictures opened in Windows OS
     - Filmstrip
     - Thumbnails
     - Thumbs.DB Viewer
  6. Index.DAT contains a record of all of the web sites visited:
     - Every URL
     - Every web page
     - All email sent or received through Outlook or Outlook Express
     - All internet temp files
     - All pictures viewed
  7. Commands
     - dir: lists all files and directories in the directory that you are currently in.
     - ls: lists directory contents; add a tilde after the command (ls ~) to list your home directory.
     - ps: displays the currently running processes.
     - fdisk: a utility that provides disk partitioning functions and information.
  8. Traditional Forensics
     - Hardware write block / software write block
     - Cell phones
     - Digital forensics programs: hex editor, FTK, EnCase, ProDiscover
  9. Hardware Write Block
  10. Hardware Write Block: hard drive connected
  11. Hardware Write Block: image in process
  12. Destination Drive
  13. Safe Block XP
  14. Software Write Block: registry edit to block USB writes
     - Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
     - Value: WriteProtect
     - Disable USB writes: WriteProtect = dword:00000001
     - Enable USB writes: WriteProtect = dword:00000000
  15. Cell Phone
  16. USB Drive
  17. Hex Editor
  18. FTK
  19. EnCase
  20. EnCase Continued
  21. ProDiscover
  22. Live Digital Forensics
     - ProDiscover IR
     - Helix
     - Sleuth Kit & Autopsy
     - Caine
     - FTK/EnCase: are they going live? Both newer offerings have live capabilities.
  23. ProDiscover IR
  24. Live environment warnings
  25. Helix
  26. Helix Continued
  27. Sleuth Kit & Autopsy
  28. Caine
  29. FTK/EnCase Live?
     - Older versions: no (EnCase 4.6 no; FTK 1.8 no).
     - New versions: yes (EnCase 6 supports network and live digital forensics; FTK 3 supports live digital forensics).
  30. Problems
     - Firewalls/routers/switches
     - Proxies
     - IP packets
     - TTL issues
     - IDS
  31. Anti-Digital Forensics
     - Steganography
     - Encryption
     - Data wiping
     - Metadata spoilage
     - Alternate data streams
     - Index.dat
     - Thumbs.db
     - Death of digital forensics
  32. Steganography
     - Detection: WetStone Technologies' Gargoyle; Niels Provos' Stegdetect
     - Hiding: StegoMagic; wbStego; HIP (Hide In Picture)
  33. StegoMagic
  34. wbStego
  35. HIP
  36. Encryption
     - File encryption
     - Full-disk encryption
  37. Data Wiping
     - M-Sweep Pro Data Eliminator
     - DBAN
     - DoD 5220.22-M
     - File Shredder: beyond DoD
  38. M-Sweep Pro Data Eliminator
  39. DBAN
  40. File Shredder
  41. Metadata Spoilage
     - Metasploit
     - TimeStomp
     - Slack
     - MetaChanger
  42. Metasploit
  43. Timestomp
  44. MetaChanger
  45. Alternate data streams
     - Origin: the data fork / resource fork of the old Macintosh Hierarchical File System (HFS)
     - Impossible to protect your system against ADS
     - Cannot be disabled
     - No way to limit this capability
     - Use redirect [>] and colon [:] to fork one file into another:
       C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe
  46. Alternate Data Streams scan engine
  47. Locations of Index.DAT files (Vista)
     - \Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
     - \Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
     - \Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
     - C:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat
  48. Index.DAT Analyzer
  49. Thumbs.DB Viewer
  50. Death of Digital Forensics
     - SSDs are much like memory
     - The smallest unit written to is a sector
     - Erases data in a block
     - Any write changes the physical placement of data
     - Logical placement stays the same
     - Black boxes from a system's point of view
     - Property
  51. Conclusion
     - We can see that live digital forensics is best used for starting an investigation.
     - Traditional digital forensics is best for collecting the data.
     - Knowing the techniques of anti-digital forensics can help the investigator find data that he/she might not otherwise be able to find.
  52. Questions
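The registry artifacts on slide 4 can be collected from a live system without a forensic suite. The following PowerShell is an added example, not part of the slide deck: it reads the four keys the slide names (read-only), decodes the binary RecentDocs entries into file names, writes the result to a CSV and hashes that file so the collection can be verified later. It assumes it runs on the live Windows host under examination (the HKCU keys are the current user's hive); the function name and the -OutFile parameter are this example's own.

```powershell
# Added example (not from the slides): read the registry artifacts listed on slide 4.
# Assumes a live Windows host; the HKCU: keys belong to the user running the script.
function Get-SlideRegistryArtifacts {
    param([string]$OutFile = "$env:TEMP\registry-artifacts.csv")   # assumed parameter

    $targets = @(
        @{ Artifact = 'Last logon';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' },
        @{ Artifact = 'Security Center'; Path = 'HKLM:\SOFTWARE\Microsoft\Security Center' },
        @{ Artifact = 'Recent .doc';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc' },
        @{ Artifact = 'Typed URLs';      Path = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' }
    )

    $rows = foreach ($t in $targets) {
        if (-not (Test-Path -Path $t.Path)) {
            Write-Warning "$($t.Artifact): key not present ($($t.Path))"
            continue
        }
        $props = Get-ItemProperty -Path $t.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's bookkeeping properties
            $data = $p.Value
            if ($data -is [byte[]]) {
                # RecentDocs entries are REG_BINARY: a UTF-16LE file name terminated by a
                # null character, followed by a shell item this example does not need.
                $text = [System.Text.Encoding]::Unicode.GetString($data)
                $end  = $text.IndexOf([char]0)
                $data = if ($end -ge 0) { $text.Substring(0, $end) } else { $text }
            }
            [pscustomobject]@{ Artifact = $t.Artifact; Key = $t.Path; Value = $p.Name; Data = "$data" }
        }
    }

    if ($rows) {
        # Record what was read on the live system and hash the record for later verification.
        $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
        $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        Write-Host "Wrote $($rows.Count) entries to $OutFile (SHA256 $hash)"
    }
    $rows
}

Get-SlideRegistryArtifacts | Format-Table -AutoSize
```

Reading the keys does not alter them, but running any tool on a live host changes memory and the registry's own last-write times for keys that get created (here only the output file is written), which is the trade-off slide 24's live-environment warnings refer to.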
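Slide 14 gives the registry value behind a software USB write block. The following PowerShell is an added example, not part of the slide deck: it reads and sets the StorageDevicePolicies WriteProtect value the slide names and reads it back so the operator can log the effective setting before attaching evidence media. It assumes an elevated prompt; the function names are this example's own.

```powershell
# Added example (not from the slides): software write block via the
# StorageDevicePolicies\WriteProtect value from slide 14. Requires an elevated prompt.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns 1 (USB writes blocked), 0 (writes allowed) or $null when the value
    # was never set, which Windows treats the same as 0.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.WriteProtect
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null   # the key does not exist by default
    }
    New-ItemProperty -Path $PolicyKey -Name WriteProtect -PropertyType DWord -Value $Value -Force | Out-Null
    Get-UsbWriteProtect   # read back so the effective setting gets logged, not the intended one
}

# Typical flow: block USB writes (slide's "Disable": 1) before attaching the evidence
# drive, confirm the value, and re-enable writes (0) only after the drive is detached.
$before = Get-UsbWriteProtect
$after  = Set-UsbWriteProtect -Value 1
Write-Host "WriteProtect before: $before, after: $after"
```

The policy is applied by the Windows USB storage stack to removable drives that are attached after the change, so the check that matters is a write attempt against a scratch drive, never against the evidence drive. The slide lists this alongside the hardware write block for a reason: a registry setting is only as reliable as the software stack enforcing it.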
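Slide 45 shows an executable hidden in an alternate data stream, and slide 46 refers to an ADS scan engine. The following PowerShell is an added example, not part of the slide deck: it enumerates the alternate data streams under a directory and flags streams that begin with a PE ("MZ") header, which is exactly what the slide's `type notepad.exe > ads.txt:hidden.exe` produces. It assumes an NTFS volume and either Windows PowerShell 5.1 or PowerShell 7; the function name is this example's own.

```powershell
# Added example (not from the slides): find alternate data streams and flag those
# carrying an executable. Assumes NTFS; works on Windows PowerShell 5.1 and PowerShell 7.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the mark-of-the-web stream attached to downloaded files;
        # it is expected on most of them, so it is reported separately from the rest.
        [string[]]$KnownStreams = @('Zone.Identifier')
    )
    $isCore = $PSVersionTable.PSVersion.Major -ge 6

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # The primary stream is listed as ':$DATA'; every other entry is an ADS.
        $streams = Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            # Read the first two bytes of the stream; 'MZ' (0x4D 0x5A) marks a Windows executable.
            $head = if ($isCore) {
                Get-Content -LiteralPath $file -Stream $s.Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
            } else {
                Get-Content -LiteralPath $file -Stream $s.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            }
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file
                Stream      = $s.Stream
                Bytes       = $s.Length
                LooksLikePE = $isPe
                Known       = $KnownStreams -contains $s.Stream
            }
        }
      }
}

# Report everything that is not a known stream, executables first.
Find-AlternateDataStreams -Path 'C:\test' |
    Where-Object { -not $_.Known } |
    Sort-Object -Property LooksLikePE -Descending |
    Format-Table -AutoSize
```

A stream hidden this way is invisible to `dir` and to Explorer but not to the file system, which is why enumeration rather than a directory listing is the right check. The size column is worth reading alongside the PE flag: a stream of several hundred kilobytes on a small text file stands out even when its first bytes are not "MZ".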
