SlideShare a Scribd company logo

Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

Download as PPT, PDF
John Bambenek
John Bambenek

This was a CLE course on digital forensics given to the Chicago Bar Association on May 25, 2011 by John Bambenek.

Technology
1 of 23
Cybercrime and Computer Forensics Seminar Chicago Bar Association Mar 25th , 2011 John C. A. Bambenek Chief Forensic Examiner, Bambenek Consulting jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312-725-HACK (4225)
Agenda  Types of Actionable Computer Crime  Incident Response versus Forensics  Laws Related to Computer Forensics  Chain of Custody and Data Acquisition  Hard drive Forensics  Registry Examination  Memory Forensics  Network Forensics  Log / Server Forensics  File Metadata
Types of Actionable Computer Crime  Identity Theft  Electronic Fraud (ACH or Credit Card)  Spamming  Website Defacement / Denial of Service  Unauthorized Access / Misuse of Access  Cyberbulling  Trade Secret Theft  National Security Issues
Obstacles to Cybercrime Prosecution  Relatively new are in the law / law not caught up with technology  International in scope / non-extradition treaty countries  Limited resources & skillsets within law enforcement  Near constant level of criminal activity  Organized crime involvement and sophisticated business models  Security tool development lags criminal tool development
Incident Response vs. Forensics  Incident response = “Something bad happened, fix it”  Forensics = Acquisition of evidence for potential litigation  Can include e-Discovery  Organizations should have prepared in advance for this decision  Some incidents are not worth pursuing in criminal or civil court  Forensics is much more time-consuming and expensive  In both cases, how someone “got in”, what did they do once there  May not be concerned with attribution
Laws Relating to Forensics  Wire fraud (18 USC § 1343)  Computer Fraud and Abuse Act (18 USC § 1030)  Electronic Communications Privacy Act (18 USC § 2510)  Stored Communications Act (18 USC § 2701)  Digital Millennium Copyright Act (17 USC § 512 et al) **
Legal Issues Relating to Forensics  Ownership of Hardware  Big issue with Cloud Computing  Ownership of Data  Expectation of Privacy  Not supposed to monitor users if they reasonably believe their actions are private  Chain of Custody / Evidence Preservation  Hard to have a case if chain of custody is broken or evidence has been corrupted
What kinds of evidence can be collected?  Physical drives  System memory  Network transmissions  System/Server Logs  Other sources?
Chain of Custody  Physical possession of data is standard chain of custody  How do you prove chain of custody on electronic information?  Cryptographic hashing  Prevention of evidence contamination  Analyze only digital copies  Use “write-blockers” for physical drives  Difficult for “live system” analysis  Keeping notes for all tasks performed on “live system”
Hashing  Hashing uses an encryption algorithm to generate a pseudo-random string of text to represent a unique file (or hard drive)  Small changes cause large changes in the hash  Example: “Chicago Bar Association.” vs “Chicago Bar Association!”  MD5:  03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38  SHA1:  7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
Hard drive data acquisition  Can be done on a “live system” or a system that is off  On a “live system” data is constantly changing, which can be problematic  Involves a bit-copy of a drive into a “virtual drive” file for examination  Hashes taken before and after to ensure no data is contaminated  Drive left in safe, all analysis done on copies “virtual drive”
Hard drive basics  Hard drives are collections of ones and zeroes, even when mostly empty  File tables connect files to actual “addresses” on the drive to where the data that comprises that file is stored and attributes of the file (like MAC times).  When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive and those parts of the drive can be later overwritten with new files.  Government standards require multiple “wipes” of a drive to confirm deletion  Data may hide also in “slack space”
Hard drive basics  So you have a drive image, now what?  Search for all deleted files  Search for all files added, deleted or modified at a certain time  Search files for specific strings  Search for files of a specific type  Examine key system files (configuration files, startup scripts, system registry)  Depends heavily on the nature of the incident  Iterative process that is more art than science
MAC times  MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.  All files have MAC times associated with them (even deleted ones).  These times can help provide a search pattern for “important” files to an incident. (i.e. if something happened at 3pm Jan 11th , you’d look for any file with a MAC time near that same time).
Windows Registry  Windows Operating systems keep a wide variety of information in the system registry (can be accessed live using RegEdit command).  Most recently used programs  Most recently entered commands  Most recently viewed documents  Typed URLs in IE  Unique hardware addresses for USB keys accessed on system  This can be used to create a “timeline” of activity on the machine
Memory Forensics  Must be done on a “live” machine, memory disappears without power*  Contains:  All running programs (even those deleted from the disk)  Any encryption keys in use (makes for easy decrypting)  In some cases, passwords  Memory is constantly changing  Evidence “changes” over time, may have to work with multiple memory files
Network forensics  In essence, the same as wiretapping a phone call except with data  Most network switches allow for capturing live traffic from a machine  What are you looking for:  Who is talking to this machine  Who is this machine talking to  When is it happening  What is being communicated  Encryption?
Log forensics  Servers associated with a subject computer may have valuable information  E-mail logs can show all mail sent from a target computer  DHCP / DNS logs may show when the machine was on and who it was communicating with  If configured, can show who accessed a machine even if the machine has had its own logs wiped  Web server logs can show attacks in progress and how servers were exploited
E-mail Forensics  E-mails all come with headers that give a wealth of information to identify the sender.  Can show:  IP Address of sender  Can show all mailservers users  Potentially can show true username of sender  Shows when message really sent  Gives unique message ID which can be used to track messages in mail server logs
E-mail headers Return-path: <kthompson@davismcgrath.com> Envelope-to: jcb@bambenekconsulting.com Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500 Received: from mailhost.davismcgrath.com ([12.233.219.123]) by thebox.pentex-net.com with esmtp (Exim 4.69) (envelope-from <kthompson@davismcgrath.com>) id 1PzXoi-0000mf-Fw for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500 Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com (Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com> for <jcb@bambenekconsulting.com>; Tue, 15 Mar 2011 12:16:42 -0500 From: "Kevin A. Thompson" <kthompson@davismcgrath.com> To: <jcb@bambenekconsulting.com> References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com> <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> In-Reply-To: <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> Subject: RE: CBA - CLE/Seminar? Date: Tue, 15 Mar 2011 12:16:39 -0500 Message-ID: <020b01cbe334$bf146320$3d3d2960$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA Content-Language: en-us
File Metadata  Many file types include metadata in them to indicate the creating user, when modified, etc.  Metadata can be examined even on machines you don’t control  Cell phones can be notorious about including metadata with image files.  This may even include GPS coordinates of where a picture was taken.  Office documents (especially with track changes) can show every person who touched a file  In some cases, can include content that has been “redacted” when viewed normally.
Other data sources  Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files  Tablets and iPads  Online social network content (in particular, media)  Blog comments, forum posts  Webmail accounts  Google
Questions? John Bambenek jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312 – 725 – HACK (4225)

Recommended

Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
Cyber Crimes & Cyber Forensics
Cyber Crimes & Cyber ForensicsCyber Crimes & Cyber Forensics
Cyber Crimes & Cyber Forensics
jahanzebmunawar
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Vikas Jain
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 

Recommended

Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
Cyber Crimes & Cyber Forensics
Cyber Crimes & Cyber ForensicsCyber Crimes & Cyber Forensics
Cyber Crimes & Cyber Forensics
jahanzebmunawar
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...
GarethKnight
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Vikas Jain
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Ramesh Ogania
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & TomorrowDigital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Pankaj Choudhary
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
Agape Inc
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
Computer Forensic
Computer ForensicComputer Forensic
Computer ForensicTawhidur Rahman
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
Online
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensicshahhardik27
 
Private Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic OpportunityPrivate Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic Opportunity
Aung Thu Rha Hein
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
Manu Mathew Cherian
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
alrawes
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
00heights
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Lalit Garg
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Digital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierDigital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next Frontier
The Lorenzi Group
 
Sri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic CommerceSri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic Commerce
Upekha Vandebona
 

More Related Content

What's hot

Computer forensics
Computer forensicsComputer forensics
Computer forensics
Ramesh Ogania
 
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & TomorrowDigital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Pankaj Choudhary
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
Agape Inc
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
Zyxware Technologies
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
Online
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensicshahhardik27
 
Private Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic OpportunityPrivate Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic Opportunity
Aung Thu Rha Hein
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
Manu Mathew Cherian
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
alrawes
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
00heights
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Lalit Garg
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 

What's hot (20)

Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & TomorrowDigital forensics and Cyber Crime: Yesterday, Today & Tomorrow
Digital forensics and Cyber Crime: Yesterday, Today & Tomorrow
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
 
Private Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic OpportunityPrivate Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic Opportunity
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file system
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 

Viewers also liked

Digital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierDigital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next Frontier
The Lorenzi Group
 
Sri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic CommerceSri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic Commerce
Upekha Vandebona
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
OWASP Khartoum
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
Somya Johri
 
Master of Ceremony Script
Master of Ceremony ScriptMaster of Ceremony Script
Master of Ceremony Script
Bella Meraki
 
Emcee Script
Emcee ScriptEmcee Script
Emcee Script
Sini.sinta Kita
 

Viewers also liked (7)

Digital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next FrontierDigital Forensics: Yesterday, Today, and the Next Frontier
Digital Forensics: Yesterday, Today, and the Next Frontier
 
Sri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic CommerceSri Lankan Context for Electronic Commerce
Sri Lankan Context for Electronic Commerce
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
 
Master of Ceremony Script
Master of Ceremony ScriptMaster of Ceremony Script
Master of Ceremony Script
 
Emcee Script
Emcee ScriptEmcee Script
Emcee Script
 

Similar to Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

Computer forensics
Computer forensicsComputer forensics
Computer forensics
deaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
Vipin George
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Oldsun
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
Suchita Rawat
 
First Responders Course- Session 1 - Digital and Other Evidence [2004]
First Responders Course- Session 1 - Digital and Other Evidence [2004]First Responders Course- Session 1 - Digital and Other Evidence [2004]
First Responders Course- Session 1 - Digital and Other Evidence [2004]
Phil Huggins FBCS CITP
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registryaradhanalaw
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libin
libinp
 
CHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnCHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
MaximaSheffield592
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Ict lecture11b,12,13
Ict lecture11b,12,13 Ict lecture11b,12,13
Ict lecture11b,12,13
AttaullahRahimoon
 

Similar to Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011 (20)

Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Razorback slides-1.1
Razorback slides-1.1Razorback slides-1.1
Razorback slides-1.1
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
First Responders Course- Session 1 - Digital and Other Evidence [2004]
First Responders Course- Session 1 - Digital and Other Evidence [2004]First Responders Course- Session 1 - Digital and Other Evidence [2004]
First Responders Course- Session 1 - Digital and Other Evidence [2004]
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libin
 
CHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnCHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Ict lecture11b,12,13
Ict lecture11b,12,13 Ict lecture11b,12,13
Ict lecture11b,12,13
 

More from John Bambenek

THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
John Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
John Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
John Bambenek
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
John Bambenek
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
John Bambenek
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
John Bambenek
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
John Bambenek
 

More from John Bambenek (18)

THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat Intelligence
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Recently uploaded

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 

Recently uploaded (20)

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 

Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

  • 1. Cybercrime and Computer Forensics Seminar Chicago Bar Association Mar 25th , 2011 John C. A. Bambenek Chief Forensic Examiner, Bambenek Consulting jcb@bambenekconsulting.com http://www.bambenekconsulting.com 312-725-HACK (4225)
  • 2. Agenda  Types of Actionable Computer Crime  Incident Response versus Forensics  Laws Related to Computer Forensics  Chain of Custody and Data Acquisition  Hard drive Forensics  Registry Examination  Memory Forensics  Network Forensics  Log / Server Forensics  File Metadata
  • 3. Types of Actionable Computer Crime  Identity Theft  Electronic Fraud (ACH or Credit Card)  Spamming  Website Defacement / Denial of Service  Unauthorized Access / Misuse of Access  Cyberbulling  Trade Secret Theft  National Security Issues
  • 4. Obstacles to Cybercrime Prosecution  Relatively new are in the law / law not caught up with technology  International in scope / non-extradition treaty countries  Limited resources & skillsets within law enforcement  Near constant level of criminal activity  Organized crime involvement and sophisticated business models  Security tool development lags criminal tool development
  • 5. Incident Response vs. Forensics  Incident response = “Something bad happened, fix it”  Forensics = Acquisition of evidence for potential litigation  Can include e-Discovery  Organizations should have prepared in advance for this decision  Some incidents are not worth pursuing in criminal or civil court  Forensics is much more time-consuming and expensive  In both cases, how someone “got in”, what did they do once there  May not be concerned with attribution
  • 6. Laws Relating to Forensics  Wire fraud (18 USC § 1343)  Computer Fraud and Abuse Act (18 USC § 1030)  Electronic Communications Privacy Act (18 USC § 2510)  Stored Communications Act (18 USC § 2701)  Digital Millennium Copyright Act (17 USC § 512 et al) **
  • 7. Legal Issues Relating to Forensics  Ownership of Hardware  Big issue with Cloud Computing  Ownership of Data  Expectation of Privacy  Not supposed to monitor users if they reasonably believe their actions are private  Chain of Custody / Evidence Preservation  Hard to have a case if chain of custody is broken or evidence has been corrupted
  • 8. What kinds of evidence can be collected?  Physical drives  System memory  Network transmissions  System/Server Logs  Other sources?
  • 9. Chain of Custody  Physical possession of data is standard chain of custody  How do you prove chain of custody on electronic information?  Cryptographic hashing  Prevention of evidence contamination  Analyze only digital copies  Use “write-blockers” for physical drives  Difficult for “live system” analysis  Keeping notes for all tasks performed on “live system”
  • 10. Hashing  Hashing uses an encryption algorithm to generate a pseudo-random string of text to represent a unique file (or hard drive)  Small changes cause large changes in the hash  Example: “Chicago Bar Association.” vs “Chicago Bar Association!”  MD5:  03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38  SHA1:  7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
  • 11. Hard drive data acquisition  Can be done on a “live system” or a system that is off  On a “live system” data is constantly changing, which can be problematic  Involves a bit-copy of a drive into a “virtual drive” file for examination  Hashes taken before and after to ensure no data is contaminated  Drive left in safe, all analysis done on copies “virtual drive”
  • 12. Hard drive basics  Hard drives are collections of ones and zeroes, even when mostly empty  File tables connect files to actual “addresses” on the drive to where the data that comprises that file is stored and attributes of the file (like MAC times).  When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive and those parts of the drive can be later overwritten with new files.  Government standards require multiple “wipes” of a drive to confirm deletion  Data may hide also in “slack space”
  • 13. Hard drive basics  So you have a drive image, now what?  Search for all deleted files  Search for all files added, deleted or modified at a certain time  Search files for specific strings  Search for files of a specific type  Examine key system files (configuration files, startup scripts, system registry)  Depends heavily on the nature of the incident  Iterative process that is more art than science
  • 14. MAC times  MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.  All files have MAC times associated with them (even deleted ones).  These times can help provide a search pattern for “important” files to an incident. (i.e. if something happened at 3pm Jan 11th , you’d look for any file with a MAC time near that same time).
  • 15. Windows Registry  Windows Operating systems keep a wide variety of information in the system registry (can be accessed live using RegEdit command).  Most recently used programs  Most recently entered commands  Most recently viewed documents  Typed URLs in IE  Unique hardware addresses for USB keys accessed on system  This can be used to create a “timeline” of activity on the machine
  • 16. Memory Forensics  Must be done on a “live” machine, memory disappears without power*  Contains:  All running programs (even those deleted from the disk)  Any encryption keys in use (makes for easy decrypting)  In some cases, passwords  Memory is constantly changing  Evidence “changes” over time, may have to work with multiple memory files
  • 17. Network forensics  In essence, the same as wiretapping a phone call except with data  Most network switches allow for capturing live traffic from a machine  What are you looking for:  Who is talking to this machine  Who is this machine talking to  When is it happening  What is being communicated  Encryption?
  • 18. Log forensics  Servers associated with a subject computer may have valuable information  E-mail logs can show all mail sent from a target computer  DHCP / DNS logs may show when the machine was on and who it was communicating with  If configured, can show who accessed a machine even if the machine has had its own logs wiped  Web server logs can show attacks in progress and how servers were exploited
  • 19. E-mail Forensics  E-mails all come with headers that give a wealth of information to identify the sender.  Can show:  IP Address of sender  Can show all mailservers users  Potentially can show true username of sender  Shows when message really sent  Gives unique message ID which can be used to track messages in mail server logs
  • 20. E-mail headers Return-path: <kthompson@davismcgrath.com> Envelope-to: jcb@bambenekconsulting.com Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500 Received: from mailhost.davismcgrath.com ([12.233.219.123]) by thebox.pentex-net.com with esmtp (Exim 4.69) (envelope-from <kthompson@davismcgrath.com>) id 1PzXoi-0000mf-Fw for jcb@bambenekconsulting.com; Tue, 15 Mar 2011 12:13:56 -0500 Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com (Rockliffe SMTPRA 9.3.1) with ESMTP id <B0002606529@mailhost.davismcgrath.com> for <jcb@bambenekconsulting.com>; Tue, 15 Mar 2011 12:16:42 -0500 From: "Kevin A. Thompson" <kthompson@davismcgrath.com> To: <jcb@bambenekconsulting.com> References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com> <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> In-Reply-To: <e71cae025b2bd4be5a4422d9f71c3322.squirrel@bambenekconsulting.com> Subject: RE: CBA - CLE/Seminar? Date: Tue, 15 Mar 2011 12:16:39 -0500 Message-ID: <020b01cbe334$bf146320$3d3d2960$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA Content-Language: en-us
  • 21. File Metadata  Many file types include metadata in them to indicate the creating user, when modified, etc.  Metadata can be examined even on machines you don’t control  Cell phones can be notorious about including metadata with image files.  This may even include GPS coordinates of where a picture was taken.  Office documents (especially with track changes) can show every person who touched a file  In some cases, can include content that has been “redacted” when viewed normally.
  • 22. Other data sources  Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files  Tablets and iPads  Online social network content (in particular, media)  Blog comments, forum posts  Webmail accounts  Google