
Electronic evidence collection


  1. Mohammad Fakrul Alam, Manager, Computer Forensic, BDCERT, 26th June 2009
  2. Content • What is Computer/Electronic Forensic • Why Computer/Electronic Forensic • Collection Options • The Five Rules of Evidence • Steps of Computer Forensic • Method of Collection • Source of Evidence • Digital Evidence Types • Volatile Evidence Acquisition • Non-Volatile Evidence Acquisition • Toolkits & Tools
  3. What is Computer Forensic • Finding information that supports a hypothesis. • Examining related sources of information – Hard drives – Firewall logs – Network packets – Portable storage
  4. Why Computer Forensic
  5. Collection Options
  6. The Five Rules of Evidence
  7. What does & doesn't • Minimize handling and corruption of the original data • Account for any changes and keep detailed logs of your actions • Comply with the Five Rules of Evidence • Do not exceed your knowledge • Follow your local security policy and obtain written permission • Capture as accurate an image of the system as possible • Be prepared to testify • Ensure your actions are repeatable • Work fast • Proceed from volatile to persistent evidence • Don't shut down before collecting evidence • Don't run the affected system's own programs; bring trusted tools on your own media (e.g. the HELIX CD)
  8. Steps of Computer Forensic
  9. Method of Collection
  10. Source of Evidence • Evidence can reside on workstations, on network equipment and on servers. • Various tools are available to extract evidence from these sources.
  11. Evidence on Workstations & Servers • Locations (Disks) – Disk partitions – Master Boot Record (MBR) – Boot sector – File Allocation Tables (FAT) – Volume slack (space between the end of the file system and the end of the partition) – File slack (space allocated to a file but not used by it) – Unallocated space
  12. Evidence on Workstations & Servers • Locations (Memory or RAM) – Registers & cache – RAM – Swap space (on disk)
  13. Evidence on Servers & Network Equipment • Router system logs • Firewall logs of successful and unsuccessful connection attempts • Syslog files in /var/log on Unix systems • wtmp logs (read with the last command) on Unix systems
  14. Digital Evidence Types
  15. Volatile Evidence Acquisition • Process listings • Service listings • System information • Logged-on & registered users • Network information • ARP cache • Auto-start information • Registry information • A binary dump of memory
  16. Steps of Volatile Evidence Acquisition
  17. Techniques of Volatile Evidence Acquisition • Memory Acquisition • Windows: – You can image memory using the HELIX GUI. – dd can copy the memory of Windows 2000/XP/2003, but not Vista or 2003 SP1 and later (user-mode access to the physical memory device was removed): dd if=\\.\PhysicalMemory of=C:\mem.img conv=noerror,sync – When the end of physical memory is reached the error "The parameter is incorrect." is displayed; this is expected. • Linux: – Several tools can be used, such as dd (reading /dev/mem, which current kernels restrict) or memdump, e.g.: ./memdump > mem.img – netcat (nc) can be used to send the image over the network instead of writing it to the suspect host's disk.
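The collection sequence of slides 15 to 17, carried out on a Linux host, as an added example (this script is not from the presentation). It assumes a hypothetical mount point /mnt/ir/bin holding the responder's own statically linked tools, which it puts ahead of the suspect system's binaries on PATH, runs the volatile items in order of decreasing volatility, and hashes every output into a manifest so the collection can be verified later.

```shell
#!/bin/sh
# Added example, not from the slides: ordered live collection of volatile
# state on Linux with a hashed manifest. Registers and cache are not
# reachable from userland, so the list starts at process state and ends at
# mount information (the least volatile item here).

# collect_volatile OUTDIR [TRUSTED_BIN]
#   TRUSTED_BIN is a hypothetical path to the responder's own tools; it is
#   prepended to PATH so the suspect host's binaries are not the ones run.
collect_volatile() {
    out="$1"; trusted="${2:-/mnt/ir/bin}"
    PATH="$trusted:$PATH"; export PATH
    mkdir -p "$out"
    manifest="$out/manifest.txt"
    : > "$manifest"
    # name|command pairs, most volatile first
    set -- \
        "01_date|date -u" \
        "02_uptime|uptime" \
        "03_processes|ps -eo pid,ppid,user,lstart,cmd" \
        "04_loggedon|who" \
        "05_netconn|ss -tunap" \
        "06_routes|ip route" \
        "07_arp|ip neigh" \
        "08_modules|lsmod" \
        "09_mounts|mount"
    for entry in "$@"; do
        name=${entry%%|*}; cmd=${entry#*|}
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            # word splitting of $cmd is intended: it carries the arguments
            if $cmd > "$out/$name.txt" 2>&1; then status=0; else status=$?; fi
        else
            echo "tool not available: $tool" > "$out/$name.txt"
            status=127
        fi
        hash=$(sha256sum "$out/$name.txt" | cut -d' ' -f1)
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $name exit=$status sha256=$hash" >> "$manifest"
    done
    echo "$manifest"
}

# verify_manifest OUTDIR -> 0 only when every recorded hash still matches
verify_manifest() {
    out="$1"
    while read -r _ts name _exit hashfield; do
        recorded=${hashfield#sha256=}
        current=$(sha256sum "$out/$name.txt" | cut -d' ' -f1)
        [ "$recorded" = "$current" ] || return 1
    done < "$out/manifest.txt"
    return 0
}
```

A missing tool is recorded rather than fatal, so the manifest always shows what was and was not collected; the exit status of each command is kept beside its hash because a partial listing is still evidence, but one that must be described as partial.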
  18. Non-Volatile Evidence Acquisition • Physical volumes vs. logical volumes
  19. Hard Drives Acquisition • Device names for physical and logical volumes:
                 Windows                                  Linux
     Physical    \\.\PhysicalDrive0, \\.\PhysicalDrive1   IDE: /dev/hda, /dev/hdb ...  SATA/SCSI: /dev/sda, /dev/sdb
     Logical     \\.\C:, \\.\D:                           /dev/sda1, /dev/sda2
  20. Hard Drives Acquisition • Hardware-based acquisition – Remove the hard drive from the machine and use a standalone imaging device to copy the entire disk – Mostly suited to dead-system acquisition – Write blocking is built in, so no separate write blocker is needed – Faster, but expensive
  21. Hard Drives Acquisition • Software-based acquisition – Live system: use the HELIX CD with external storage, or send the image over the network – Dead system: boot from the HELIX CD and attach USB storage to receive the images, or remove the drive from the case and copy it on a forensic workstation through a write blocker (software or hardware) – Imaging software: dd, dcfldd, HELIX GUI imaging
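Added example, not from the presentation: the dd-based imaging of slides 17 and 21 wrapped in a small POSIX shell script that logs each action, hashes source and image, and refuses to report success on a mismatch. The network variant assumes a listener already started with nc on the forensic workstation; all paths are arguments, none is a device from the slides.

```shell
#!/bin/sh
# Added example, not from the slides: bit-for-bit acquisition with dd,
# integrity hashes for source and image, and an action log for the chain
# of custody. SOURCE may be a whole disk (/dev/sda), a partition
# (/dev/sda1) or a memory dump file. Run the tools from trusted media.

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# acquire_image SOURCE IMAGE LOG
#   conv=noerror,sync keeps going past unreadable blocks and zero-pads
#   them so later offsets stay aligned. bs=512 matches the sector size,
#   so a bad sector loses only itself; with a larger bs, conv=sync would
#   also pad a source whose length is not a multiple of bs, and the
#   hashes below would then differ even on a clean read.
#   Returns 0 only when source and image hash the same.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    echo "$(stamp) start src=$src img=$img host=$(uname -n) user=$(id -un)" >> "$log"
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log"; then
        echo "$(stamp) dd failed" >> "$log"
        return 2
    fi
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    echo "$(stamp) sha256 source=$src_hash" >> "$log"
    echo "$(stamp) sha256 image=$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "$(stamp) verified" >> "$log"
        return 0
    fi
    echo "$(stamp) HASH MISMATCH (read errors padded, or source still changing)" >> "$log"
    return 1
}

# image_hash IMAGE -> prints the sha256 of a finished image for the report
image_hash() { sha256sum "$1" | cut -d' ' -f1; }

# send_image_over_network SOURCE HOST PORT
#   Streams the image to the forensic workstation instead of writing it to
#   the suspect host's disk (slide 17). Start the receiver first:
#     nc -l -p 9000 > evidence.dd   (GNU netcat)
#     nc -l 9000 > evidence.dd      (OpenBSD netcat)
#   Afterwards it prints the source hash so the receiver can compare it
#   against its copy; a live memory source will not reproduce exactly.
send_image_over_network() {
    src="$1"; host="$2"; port="$3"
    dd if="$src" bs=512 conv=noerror,sync | nc "$host" "$port"
    sha256sum "$src" | cut -d' ' -f1
}
```

The log keeps dd's own record counts next to the hashes, which is what lets a second examiner repeat the acquisition and compare; dcfldd offers the hashing and status output built in, but the plain dd form shows what has to be recorded when it is not.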
  22. Tools & Toolkit • dd: command-line tool that copies bit by bit • dcfldd: enhanced version of dd (adds on-the-fly hashing and progress output) • Memdump: Unix tool to image memory
  23. Tools & Toolkit • The Sleuth Kit (TSK) – Command-line tools for file system analysis – Works on Unix and Windows – 24 tools covering every file system layer except the physical layer – Free and open source • Autopsy – The Autopsy Forensic Browser is a graphical interface to the command-line digital investigation tools in The Sleuth Kit – Very useful and provides a great deal of functionality – Free and open source
  24. Tools & Toolkit • HELIX – A collection of forensics and incident response tools – Bootable Linux CD: a dead system can be booted from it without mounting or altering its hard drives – Can also be run on a live system for forensics and IR purposes – Contains tools such as TSK – GUI tools and command-line tools
  25. Tools & Toolkit • HELIX
  26. Tools & Toolkit • WFT (Windows Forensic Toolchest) – Memory information – Logins – MAC times – Event logs – System information – File system – Processes – Auto start – Services – Registry – Drivers – Network information – IE activity
  27. Conclusion • Open-source and free tools are available and can help any investigator accomplish the mission. • Using open-source tools gives the investigator a better understanding of what really happens during the investigation. • Tools can lie, so it is better to use more than one tool and cross-check the results.
  28. Thank You
  29. Questions
