
Computer Forensics Bootcamp


Even with the best security, every organization will eventually suffer some kind of security breach. When IT professionals suspect something “phishy” is going on with their network, they need to be able to take immediate action to limit damage while preserving critical evidence that will help law enforcement catch the bad guys. Join John Alexander, nCircle’s Product Manager, as he steps you through basic training in computer forensics.

This presentation covers:

* How to handle evidence in order to preserve the chain of custody
* How to thwart the most common techniques cyber criminals use to cover their tracks
* When to call law enforcement and how to work with them effectively

Download the presentation recording here:

Published in: Technology, Education
Computer Forensics Bootcamp

  1. Forensics Bootcamp (© 2013 nCircle. All Rights Reserved.)
  2. Introduction
  3. What is Forensics?
     * Scientific tests or techniques used in the investigation of crimes
     * The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
     * Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
  4. What is Computer Forensics?
     * Computer Forensics: a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format
  5. Types of Cyber Crime
     * Theft of intellectual property
     * Financial fraud
     * Damage of company service networks
     * Distribution and execution of viruses and worms
     * Hacker system penetrations
     * Distribution of child pornography
     * Use of a computer to commit a traditional crime (emails, data management, files)
  6. Legal Issues
  7. Legal Issues
     * 4th Amendment – Searches & Seizures
     * 4th Amendment – Privacy
     * 5th Amendment – Self Incrimination
     * Chain-of-Custody
  8. 4th Amendment
     * The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
     * Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.
  9. Chain-of-Custody (aka Chain of Evidence)
     * Chain of Custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
     * Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
  10. Question? As related to computer forensics, why is the 4th Amendment an important consideration?
     a. Free speech
     b. Defense against self incrimination
     c. Search & seizure
     d. Social rights
  11. Digital Media
  12. Two Types of Data
     * Volatile – RAM
     * Non-volatile
       – ROM, PROM, EEPROM
       – Hard drives (to include Solid State Drives (SSD))
       – USB devices
       – Flash cards
       – Optical media – CDs, DVDs, Blu-ray (BD), …
       – Floppy disks, ZIP disks
       – Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …
  13. Write Blockers
     * Two types of write blockers: hardware and software
     * Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form.
     * Reads allowed and writes prevented!
     * Another name for a write blocker is a “Forensic Bridge”
  14. Some Data Hiding Techniques
     * Slack Space and Unallocated Space
     * Rootkits
     * Alternate Data Streams (ADS)
     * File Signatures
     * Steganography
  15. Question? What function does a Write Blocker perform?
     a. Allows writes
     b. Blocks reads
     c. Prevents reads
     d. Prevents writes
  16. The Forensic Process
  17. The Forensic Process
     * Preparation
     * (Containment)
     * Collection
     * Examination
     * Analysis
     * Reporting
  18. The Forensic Process (Preparation)
     * Training
     * Policies & Procedures
     * Equipment (Forensic Kit)
       – Laptop computer w/ forensic software
       – Boot disks and CDs of tools (forensically sound)
       – Digital cameras, pens, notepad
       – Sterile media, write blockers, cables
       – Anti-static bags, Faraday bags, tags, stickers
       – Chain-of-custody and other forms
  19. The Forensic Process (Containment)
     * Establish immediate control of the crime scene
       – Limit and track physical access
       – Limit network / remote access
     * Detach computers of interest from wireless and physical network cables
       – Power off computers as necessary
  20. The Forensic Process (Collection)
     * Photograph the scene, including monitor screens. Get the system time
     * Collect volatile data
     * Image non-volatile data on site?
     * Shut down the system safely
     * Unplug the system and tag all cables
     * Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.
  21. The Forensic Process (Collection – Mobile devices)
     * Photograph main screen
     * Do not turn device off
     * Find charger to keep device from losing charge (example seizure kit)
     * Place in a Faraday bag to prevent remote access
  22. The Forensic Process (Examination & Analysis)
     * Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
     * Images must be hashed
     * Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
     * Prepare a report of findings
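Slide 22 requires that images be hashed and slide 9 requires a documented chain of custody; the Python below is an added example (not from the presentation) that hashes a constructed bit-stream image in chunks, as a tool would hash a multi-GB file, and keeps a custody log that re-hashes the image at every transfer and reports the first entry at which the image stopped matching acquisition. The ChainOfCustody class, the evidence id and the sample image bytes are assumptions made for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a bit-stream image (a few KiB); not a real disk image.
SAMPLE_IMAGE = b"NTFS    " + b"\x00" * 504 + bytes(range(256)) * 14

def hash_image(image_bytes, algorithm="sha256", chunk_size=1 << 20):
    """Hash an image the way a tool hashes a multi-GB file: in chunks."""
    digest = hashlib.new(algorithm)
    stream = io.BytesIO(image_bytes)  # stands in for an open image file
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

class ChainOfCustody:
    """Chronological log (assumed structure) in which every custody event
    re-hashes the image, so any later alteration shows up in the record."""

    def __init__(self, evidence_id, image_bytes, custodian):
        self.evidence_id = evidence_id
        self.acquisition_hash = hash_image(image_bytes)
        self.entries = []
        self.record(image_bytes, custodian, "acquired")

    def record(self, image_bytes, custodian, action):
        """Append an entry; returns True if the image still matches acquisition."""
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "sha256": hash_image(image_bytes),
        }
        entry["intact"] = entry["sha256"] == self.acquisition_hash
        self.entries.append(entry)
        return entry["intact"]

    def first_break(self):
        """Index of the first entry whose hash no longer matches, else None."""
        for index, entry in enumerate(self.entries):
            if not entry["intact"]:
                return index
        return None

if __name__ == "__main__":
    log = ChainOfCustody("EV-0001", SAMPLE_IMAGE, "examiner A")
    altered = bytes([SAMPLE_IMAGE[0] ^ 1]) + SAMPLE_IMAGE[1:]  # one flipped bit
    log.record(altered, "examiner B", "analysis")
    print("first broken entry:", log.first_break())  # 1
```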
  23. Question? During the forensic process exact “bit-stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.
     a. read blocking
     b. checksums
     c. hashing
     d. transforms
  24. Forensic Analysis Techniques
  25. Forensic Analysis Techniques
     * Searching:
       – Keyword, email, web, viewers
     * File Signatures
     * Slack space and unallocated space
     * Data carving
     * Steganography
     * Passwords (dealing with encryption)
  26. Searching: Keywords
     * To effectively search through a suspect’s media an investigator needs to add relevant keywords
       1) Add keywords
       2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
       3) Conduct keyword search
  27. Searching: email & social media
     * Most forensic analysis tools have built-in email searching and viewing tools
     * Tools to view various formats of email
       – Outlook (.pst)
       – Outlook Express (.dbx)
       – Linux/Unix mbox format
       – Macintosh: Safari
       – Webmail formats: Yahoo, AOL, Google, Hotmail
  28. Searching: web artifacts
     * Most forensic analysis tools have web artifact search and viewing tools
     * Web artifacts
       – History
       – Cached files and images (temporary files)
       – Cookies
  29. File Signature Analysis
     * This type of analysis allows investigators to verify file types
     * A savvy suspect can change a file extension in order to attempt to avoid detection. Example: changing the .doc extension on a file to .dll
     * A file signature analysis looks at the file header in order to determine what type of file it actually is
  30. Data Carving (1 of 2)
     * Data carving is a technique used in the field of computer forensics when data cannot be identified or extracted from media by “normal” means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.
  31. Data Carving (2 of 2)
     * Currently the most popular method of data carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
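Slides 29 to 31 describe file signature analysis and signature-based carving; the Python below is an added example (not nCircle's code) that checks a file's header against its claimed extension, so a .doc renamed to .dll is flagged, and carves JPEG-shaped spans out of raw bytes that have no file system allocation information. The signature table, the extension groups and the constructed raw dump with two fake fragments are assumptions made for the example.

```python
# Magic bytes (offset 0) for the file types the slides mention, with the
# extensions each header legitimately goes with. Assumed table, not nCircle's.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt"}),
    (b"MZ", "pe", {"exe", "dll", "sys"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
]
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
# Constructed raw dump: two JPEG-shaped fragments (not real pictures) in unallocated space.
FRAG_A = JPEG_SOI + b"\xe0JFIF-fragment-A" + JPEG_EOI
FRAG_B = JPEG_SOI + b"\xe1Exif-fragment-B" + JPEG_EOI
RAW_DUMP = b"\x00" * 512 + FRAG_A + b"\x00" * 300 + b"old notes" + FRAG_B + b"\x00" * 64

def identify(data):
    """Type implied by the header, or None when no signature matches."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def extension_mismatch(filename, data):
    """True when the header contradicts the extension (a .doc renamed to .dll).
    Unknown headers give False: that file needs manual review, not a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    if kind is None:
        return False
    allowed = next(exts for _, k, exts in SIGNATURES if k == kind)
    return ext not in allowed

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Header/footer carving: slice each SOI...EOI span out of raw bytes. Exif
    thumbnails carry their own EOI, so real carvers also validate by decoding."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:                      # header without a footer in range
            pos = start + len(JPEG_SOI)
            continue
        found.append(raw[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)

if __name__ == "__main__":
    print(extension_mismatch("budget.dll", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"))  # True
    print(len(carve_jpegs(RAW_DUMP)))                                               # 2
```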
  32. Slack Space and Unallocated Space
     * Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
     * Viewing of slack space and unallocated space is done by a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
  33. Concealment cipher = Steganography (example) [image] Source: Olga planting Christianity in Russia
  34. Steganography
     * Detection techniques are crude
     * Usually done by looking for evidence of steganography use, e.g. steg programs on the system
     * Advanced analysis includes steg detection programs (that typically use statistical analysis techniques)
  35. Question? A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
     a. Steganography
     b. Data Carving
     c. File signature analysis
     d. Slack space analysis
  36. Question? A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
     a. Data Carving
     b. Cryptography
     c. Data Blinking
     d. Steganography
  37. Incident Handling & Forensics
  38. Incident Response Process
     * Identification
       – Incident identification
       – Notifying appropriate personnel
     * Action
       – Isolation and containment
       – Gathering evidence
       – Analysis and reporting
     * Closure
       – Restoration
       – Lessons learned
  39. The Response Team
     * Cross-functional with a high level of authority
       – Dedicated – with clearly defined roles & responsibilities
       – Not just computer security: management, info sec, IT/network, legal, public relations
     * Well trained
       – Rehearsals and training appropriate to risk
       – Trained in forensics
       – Forensics tools and equipment
     * Policies and procedures
       – Appropriate to risk (risk management)
       – Lessons learned / constant refinement
  40. When to Involve Law Enforcement
     * Use forensic processes whenever possible
     * As a general rule: involve law enforcement when corporate policy or the law says so
     * You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
     * Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.
  41. Make Sneaking Hard
     * Detection systems – appropriate to risk
     * Logging, logging, logging!!! (Firewall, router, system, …)
     * Monitoring
       – Intrusion detection systems
       – File integrity monitoring systems
       – Vulnerability and configuration management systems
       – Attack path analysis
     * Warning banners, expectations of use, expectations of privacy
     * Physical security systems
  42. Questions? Continue the conversation at http://connect.ncircle.com