Computer Forensic Workshop - 2013
Computer Forensic Investigation
Procedure, tools, and practice
Ahmad Zaid Zam Zami
damhadiaz@gmail.com
About the speaker
● Bachelor's degree in Electronic Engineering
● Digital forensic analyst
● GCFA, CHFI, CEH, ENSA, ECIH, CEI
● Founder of the Indonesia Digital Forensic Community
● Cases involved: corporate espionage, data leak, banking fraud, cyber attack, etc.
Agenda
● Digital forensic introduction
● Digital evidence
● Computer forensic procedure
● Evidence acquisition
● Data organization
● Demo
Introduction
● Today, many business and personal transactions are conducted electronically
● Business professionals regularly negotiate deals by e-mail
● People store their personal address books and calendars on desktop computers or tablets
● People regularly use the Internet for business and pleasure
Cyber Crime
● Any illegal act involving a computer and a network
● The computer may have been used in the commission of a crime, or it may be the target
● Computer viruses, denial-of-service attacks, malware
● Fraud, identity theft, phishing, spam, cyber warfare
Introduction
“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” - Dr. H.B. Wolfe
Introduction
● The collection, preservation, analysis and presentation of digital evidence
● Scientific procedure
● Develop and test hypotheses that answer questions about incidents that occurred
● Admissible in a court of law
Why is computer forensics important?
● Helps reconstruct past events or activity
● Extends the target of information security to the wider threat from cybercrime
● Shows evidence of policy violation or illegal activity
● Ensures the overall integrity of the network infrastructure
Digital evidence
Two basic types of evidence:
● Persistent evidence: data that is stored on a local hard drive and is preserved when the computer is turned off
● Volatile evidence: any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off
Persistent evidence
● Documents (word, slide, sheet, pdf)
● Images
● Chat logs
● Browser history
● Registry
● Audio / video
● Applications
● Email
● SMS / MMS
● Phone book
● Call log
Volatile evidence
● Memory
● Network status and connections
● Running processes
● Time information
Procedure
● Preparation
● Preliminary investigation
● Site investigation
● Evidence acquisition
● Preservation
● Analysis
● Report
Preparation
● Media is freshly prepared
● Forensic workstation is scanned for any malware
● Validate all software licenses
● Toolkits
● Forms
  - Computer worksheet form
  - Hard drive worksheet form
Preparation
● Establish file directories
● Essential forms:
  - Letter of authorization
  - Chain of custody
  - Non-Disclosure Agreement
Letter of authorization
(sample form shown on the slide)
Chain of custody
(sample form shown on the slide)
Evidence worksheet
(sample form shown on the slide)
Preliminary investigation
● Who? Profile the target user – are they computer savvy?
● What? What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?
● When? How long has it been since the digital activity?
● Where? How do you plan on procuring the digital evidence?
Site investigation
● Take pictures of the scene
● Asset tag
● Inventory and describe all hardware
● Identify every process and all network information
● Ensure the chain of custody form is properly completed
Order of Volatility
● Memory
● Network status and connections
● Process running
● Hard disk
Evidence acquisition
● Bit-stream imaging (court-certified)
● Write blocking device
● Static prevention wrist strap
● Record initial configuration
● Record all activity
Evidence acquisition
● Physical imaging
  - Grab the entire drive (MBR)
  - Considered best evidence
  - Break out the partitions using dd
● Logical imaging
  - File system partition only
  - Useful in obtaining a backup of a RAID drive
Evidence acquisition
● Three evidence acquisition methods
  - Hardware
  - Live CD
  - Live
● The resultant file will be an image file in all three cases
Hardware acquisition
● Situation: removed hard drive containing evidence
  1. Attach drive adapter
  2. Plug into acquisition workstation
  3. Image the attached drive to an image file
● Evidence will be in a static state
● Volatile evidence not available
Live CD acquisition
● Situation: boot into a forensic Live CD
● System will be rebooted
● Loss of volatile evidence
● Hard drive not removed
● Image system to an attached drive or file share
Live acquisition
● Situation: live system acquisition
● Snapshot of the system
● System stays powered on
● Capability to gather volatile evidence
● Evidence will be changing while imaging
● Image system to a file on an attached drive or file share
Write blocker
● Prevents any accidental writes to source data
● Hardware based: adapter placed between the hard drive and the workstation
● Software based: software will not allow writes to the system
  http://www.cftt.nist.gov/software_write_block.htm
Preservation
● Create cryptographic hash
● Create bit-image copies
● Compare the hash results
● Lock the original disk in a limited-access container
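The physical-imaging slide (grab the whole drive, break out the partitions with dd) and the preservation slide (hash, bit copy, compare) describe one procedure. The following is an added example, not code from the workshop, that runs that procedure on a constructed 1 MiB drive image: it hashes the source, makes a byte-for-byte copy, compares the hashes, shows that a single changed byte is caught, and then reads the MBR partition table to carve each partition out of the image the way `dd skip=... count=...` would. Partition entries, sizes and contents are all constructed; nothing here touches a real device.

```python
"""Added example: bit copy, hash verification and MBR partition break-out
on a constructed drive image (not the workshop's own code)."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
CHUNK = 1 << 16  # read/write granularity; keeps multi-GB images out of memory


def sha256_of(path):
    """Chunked SHA-256 of a file; this is the value recorded on the evidence form."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bit_copy(src, dst):
    """Byte-for-byte copy, the equivalent of: dd if=src of=dst bs=64K"""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)


def parse_mbr(image):
    """Return (start_lba, sector_count, type_byte) for each used primary MBR entry."""
    with open(image, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((start_lba, count, ptype))
    return parts


def carve(image, out, start_lba, count):
    """Equivalent of: dd if=image of=out bs=512 skip=start_lba count=count"""
    with open(image, "rb") as fin, open(out, "wb") as fout:
        fin.seek(start_lba * SECTOR)
        remaining = count * SECTOR
        while remaining:
            block = fin.read(min(CHUNK, remaining))
            if not block:
                raise ValueError("partition table points past end of image")
            fout.write(block)
            remaining -= len(block)


def build_sample_disk(path, total_sectors=2048):
    """Constructed 1 MiB 'evidence drive': an MBR with two primary partitions."""
    disk = bytearray(total_sectors * SECTOR)
    for i, (ptype, start, count) in enumerate([(0x83, 64, 960), (0x07, 1024, 1000)]):
        off = 446 + 16 * i
        disk[off + 4] = ptype
        disk[off + 8:off + 16] = struct.pack("<II", start, count)
    disk[510:512] = b"\x55\xaa"
    disk[64 * SECTOR:64 * SECTOR + 16] = b"PART1-EVIDENCE!!"      # constructed
    disk[1024 * SECTOR:1024 * SECTOR + 16] = b"PART2-EVIDENCE!!"  # constructed
    with open(path, "wb") as f:
        f.write(disk)


def acquire_and_preserve(workdir=None):
    """Run the whole procedure; returns the values an examiner would write down."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic-")
    source = os.path.join(workdir, "evidence.raw")
    image = os.path.join(workdir, "evidence.dd")
    build_sample_disk(source)
    original_hash = sha256_of(source)   # hash taken BEFORE imaging
    bit_copy(source, image)
    image_hash = sha256_of(image)       # hash of the copy; must match
    # Failure mode: one changed byte in a copy must be caught by the comparison.
    tampered = os.path.join(workdir, "tampered.dd")
    bit_copy(source, tampered)
    with open(tampered, "r+b") as f:
        f.seek(700)
        f.write(b"\x01")
    partitions = []
    for n, (start, count, ptype) in enumerate(parse_mbr(image), 1):
        out = os.path.join(workdir, f"partition{n}.dd")
        carve(image, out, start, count)
        with open(out, "rb") as f:
            head = f.read(16)
        partitions.append({"type": ptype, "start_lba": start, "sectors": count,
                           "size": os.path.getsize(out), "head": head,
                           "sha256": sha256_of(out)})
    return {"original_sha256": original_hash, "image_sha256": image_hash,
            "verified": original_hash == image_hash,
            "tampered_verified": original_hash == sha256_of(tampered),
            "partitions": partitions}
```

All work is done on the copy (`evidence.dd`), never on the source after its hash is taken, which mirrors the "only work on the forensic copy" rule on the analysis slide; the per-partition hashes let each carved file be tied back to the parent image on the evidence worksheet.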
Analysis of data
● Only work on the forensic copy
● Stay within your scope of work
● Analysis steps
  - Timeline analysis
  - Media analysis
  - String or byte search
  - Data recovery
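Two of the analysis steps listed above, timeline analysis and string/byte search, as an added example that is not part of the workshop material. It builds a modified/accessed-time timeline over a constructed file tree (flags follow the mactime convention: `m` modified, `a` accessed) and searches a constructed raw image for a keyword in chunks. The search carries the last `len(needle) - 1` bytes of each chunk into the next so that a hit straddling a chunk boundary is still reported; a naive chunked search silently misses those. The file tree, timestamps, image contents and the keyword `secret` are all constructed.

```python
"""Added example: MAC-time timeline and chunked byte search on constructed
evidence (not the workshop's own code)."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096


def build_timeline(root):
    """One (epoch, flag, path) event per modified/accessed time, oldest first."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            events.append((int(st.st_mtime), "m", rel))
            events.append((int(st.st_atime), "a", rel))
    events.sort()
    return events


def format_timeline(events):
    """Render events as 'YYYY-MM-DD HH:MM:SS UTC flag path' lines."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} UTC {flag} {path}"
            for ts, flag, path in events]


def search_image(path, needle):
    """Absolute offsets of every occurrence of needle, reading the file in
    chunks. The last len(needle)-1 bytes of each chunk are carried over so a
    match that straddles a chunk boundary is not lost."""
    hits, carry, pos = [], b"", 0  # pos = absolute offset of buf[0]
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            buf = carry + block
            i = buf.find(needle)
            while i >= 0:
                hits.append(pos + i)
                i = buf.find(needle, i + 1)  # i + 1 also catches overlapping hits
            keep = min(len(needle) - 1, len(buf))
            pos += len(buf) - keep
            carry = buf[len(buf) - keep:]
    return hits


def build_samples(workdir):
    """Constructed evidence: a small file tree with known times and a raw image
    with the keyword at three offsets, one of them straddling the 4096 boundary."""
    files = {  # path: (atime, mtime) as UTC epochs around the 2012/2013 new year
        "chat.log": (1357171200, 1356912000),
        "docs/report.docx": (1357084800, 1356998400),
    }
    tree = os.path.join(workdir, "tree")
    for rel, (atime, mtime) in files.items():
        path = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"constructed content\n")
        os.utime(path, (atime, mtime))
    image = os.path.join(workdir, "evidence.dd")
    data = bytearray(8192)
    for off in (10, 4094, 8000):  # 4094..4099 crosses the first chunk boundary
        data[off:off + 6] = b"secret"
    with open(image, "wb") as f:
        f.write(data)
    return tree, image


def run_analysis(workdir=None):
    """Build the samples, then run both analysis steps over them."""
    workdir = workdir or tempfile.mkdtemp(prefix="analysis-")
    tree, image = build_samples(workdir)
    return {"timeline": format_timeline(build_timeline(tree)),
            "hits": search_image(image, b"secret")}
```

Note that the timeline is built from the file system's own timestamps, so on a real case it would be run against a mounted, read-only copy of the image rather than the original media; the offsets returned by the search are absolute byte offsets into the image, which is what you would feed to a hex viewer or to a `dd skip=` carve.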
Questions?