First Responders Course- Session 1 - Digital and Other Evidence [2004]

The first session I ran on a two day course for potential first responders across a large financial services client.

  1. Phil Huggins, February 2004
  2. Outline:
     • Investigation Theory
     • Digital Evidence
     • Order of Volatility
     • Disks
     • File Systems
     • File Data
     • Deleted Data
     • Associated Evidence
     • Summary
  3. Three major types of evidence can be found:
     • Inculpatory evidence: that which supports a theory
     • Exculpatory evidence: that which contradicts a theory
     • Traces of tampering: that which does not support any theory, but shows that data was wiped or modified
     We want to find all three types of evidence to get the whole picture.
  4. The data on a system can be broken into two categories: static and volatile. Volatile data will cease to exist after the system is powered off; examples include memory contents, a list of running processes, a list of open network ports, and a list of users that are currently logged on. Static data will continue to exist after the system is powered off; examples include hard disk contents, BIOS settings, and other hard-coded values (such as MAC addresses).
  5. Order of volatility (from most volatile to least volatile):
     • Register state
     • Memory
     • Network
     • Process
     • Disk
     • Floppy Disks (FDs)
     • CDROM
  6. A byte is 8 bits (11111110 = 254). A disk can be thought of as a long stream of bytes. The bytes are organised into 512-byte chunks called sectors. The disk is divided into partitions (or slices). For Intel/DOS-based systems, the partition table (in the Master Boot Record) describes the partition layout.
  7. File systems manage data storage. Data is organised into files, and a file's data units can be spread all over the disk. The file system maintains data about each file, such as:
     • Name
     • Where the data units are
     • When it was last accessed
     It provides an addressing scheme that is easy for humans to understand. Examples: FAT, EXT2FS, FFS, NTFS, EXT3FS.
  8. Data about files is useful as it can tell us:
     • Which system account accessed a file last
     • When that happened
     • When the file was last written to
     • When a file was created
     By looking at files when we investigate a system we may destroy this sort of evidence.
  9. File deletion theory is the same across file system types. There are five major actions:
     • Mark the data describing the file as unallocated
     • Mark the data unit itself as unallocated
     • Remove the file name so the ‘dir’ or ‘ls’ command does not show it
     • Delete the link between the file name and the data about the file
     • Delete the links between the data about a file and its data units
     The first three are required; the last two are not.
  10. Deleted data is not removed, but the part of the disk that holds it may be reused for different data. It is just a matter of time and of how much data the system needs to write to disk. We need to get that deleted data before it is overwritten, so we should do as little as possible on a system that might overwrite the data while we are investigating.
  11. Digital evidence at best can only tell you which computer account did what, and when. When only one person has access to the account details, it is easy to identify a culprit. However, sometimes we need to look into the real world for other associated evidence such as:
     • CCTV
     • Building entry logs
     • Statements from witnesses
  12. Summary:
     • We don’t want to prove someone guilty; we want the truth, so don’t ignore sources of exculpatory evidence.
     • Be aware of what effect our investigation actions are going to have on the evidence.
     • Use forensically sound tools to avoid damaging evidence.
     • Take copies of data early to avoid overwriting valuable deleted data.
     • Look for non-digital sources of evidence that can support the investigation.
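Slide 6 says the partition layout of an Intel/DOS disk lives in the partition table inside the Master Boot Record, the first 512-byte sector. The parser below is an added example, not part of the original slides: it reads the four 16-byte partition entries at byte 446 of a disk image's first sector, checks the 0x55AA boot signature, and turns each partition's starting sector into the byte offset an examiner would seek to in the image. The sample MBR is constructed inline (one FAT32 partition of type 0x0C starting at sector 2048).

```python
import struct

SECTOR_SIZE = 512             # slide 6: bytes are organised into 512-byte sectors
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries occupy bytes 446..509 of the MBR
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 must hold the boot signature


def parse_mbr(sector0: bytes) -> list:
    """Return the in-use partition entries found in the first sector of a disk image."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        # Missing signature: either not an MBR disk or the sector has been damaged/wiped.
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
        # starting LBA sector (uint32 LE), number of sectors (uint32 LE).
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector0[start:start + 16])
        if ptype == 0x00:  # type 0 marks an unused slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
            "byte_offset": lba_start * SECTOR_SIZE,    # where the partition begins in the image
            "byte_length": num_sectors * SECTOR_SIZE,
        })
    return entries


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: one bootable FAT32 (type 0x0C) partition,
    starting at sector 2048 and 1,000,000 sectors long; the other three slots are empty."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x0C, b"\x00\x00\x00", 2048, 1_000_000)
    return bytes(PARTITION_TABLE_OFFSET) + entry + bytes(16 * 3) + MBR_SIGNATURE


if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr()):
        print(e)
```

On a real image the first sector is simply `open(path, "rb").read(512)`; verifying the signature before trusting the table is a cheap check that the sector has not been wiped or corrupted, which is itself a trace of tampering in the sense of slide 3.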