COMPUTER FORENSICS
ISC541
(LECTURE 7)
02-10-2018
Cyber Forensics
Cyber Forensics
• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis
Cyber Forensic Activities
Cyber forensics activities commonly include:
– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to determine details such as origin and content
– the presentation of computer-based information to courts of law
– the application of a country's laws to computer practice.
The 3 As
The basic methodology consists of the 3 As:
– Acquire the evidence without altering or damaging the original
– Authenticate the image
– Analyze the data without modifying it
Context of Cyber Forensics
•Homeland Security
•Information Security
•Corporate Espionage
•White Collar Crime
•Child Pornography
•Traditional Crime
•Incident Response
•Employee Monitoring
•Privacy Issues
•????
(Diagram labels: Digital Forensics / Cyber Forensics)
A Brief Timeline
(Timeline figure spanning the 1970s, 1980s, 1990s, 2000, 2001, 2003 and 2008; milestones shown:)
• Cybercrime legislation
• LE investigative units
• International LE meeting
• 1st International Conference on CE
• IOCE formed
• RCFL in USA
• COE Convention on CyberCrime
• DFRWS
• ASCLD/LAB-DE USA
• ISO 17025
• IOCE & SWGDE
• AAFS subsection?
• Journals
• Conferences
Crime Scenes
Physical Crime Scenes vs. Cyber/Digital Crime Scenes
Overlapping principles
The basics of criminalistics are constant across both physical and cyber/digital
Locard’s Principle applies
– “When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived”
Digital Crime Scene
Digital Evidence
– Digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)
Digital Crime Scene
– The electronic environment where digital evidence can potentially exist (Rogers, 2005)
– Primary & Secondary Digital Scene(s) as well
Forensic Principles
Digital/electronic evidence is extremely volatile!
Once the evidence is contaminated it cannot be decontaminated!
The courts’ acceptance is based on the best evidence principle
– With computer data, printouts or other output readable by sight, and bit stream copies adhere to this principle.
Cyber Forensic Principles
● The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Process/Phases
Identification
Collection
Bag & Tag
Preservation
Examination
Analysis
Presentation/Report
Identification
The first step is identifying evidence and potential containers of evidence
More difficult than it sounds
– Small scale devices
– Non-traditional storage media
– Multiple possible crime scenes
Devices Identification
Identification
Context of the investigation is very important
Do not operate in a vacuum!
Do not overlook non-electronic sources of evidence
– Manuals, papers, printouts, etc.
Collection
Care must be taken to minimize contamination
Collect or seize the system(s)
Create forensic image
Live or Static?
Do you own the system?
What does your policy say?
Collection: Documentation
Collection: Documentation
● Take detailed photos and notes of the computer / monitor
– If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE
Collection: Documentation
Make sure to take photos and notes of all connections to the computer/other devices
Collection: Imaging
● Rule of Thumb: make 2 copies and don’t work from the original (if possible)
● A file copy does not recover all data areas of the device for examination
● Working from a duplicate image
– Preserves the original evidence
– Prevents inadvertent alteration of original evidence during examination
– Allows recreation of the duplicate image if necessary
Collection: Imaging
● Digital evidence can be duplicated with no degradation from copy to copy
– This is not the case with most other forms of evidence
Collection: Imaging
Forensic Copies (Bitstream)
Bit for bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
Often the “smoking gun” is found in the residual data.
Imaging from a disk (drive) to a file is becoming the norm
– Multiple cases stored on same media
– No risk of data leakage from underlying media
Remember: avoid working from the original
Use a write blocker even when examining a copy!
Imaging: Authenticity & Integrity
● How do we demonstrate that the image is a true unaltered copy of the original?
– Hashing (MD5, SHA-256)
● A mathematical algorithm that produces a unique value (128 Bit, 512 Bit)
– Can be performed on various types of data (files, partitions, physical drive)
● The value can be used to demonstrate the integrity of your data
– Changes made to data will result in a different value
● The same process can be used to demonstrate the image has not changed from time-1 to time-n
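The time-1 / time-n check on this slide, as an added example that is not from the lecture: stream the image through MD5 and SHA-256 in a single pass, record the digests at acquisition, recompute them later, and watch a single flipped byte break the match. The image file, its size and the one-byte alteration are all constructed here; in practice `path` is the file the imaging tool produced and the recorded digests go into the acquisition notes. MD5 collisions have been demonstrated publicly, so SHA-256 is the digest to rely on today; MD5 is computed alongside only because older tools and records still expect it.

```python
"""Hashing an acquired image to demonstrate authenticity and integrity.

Added example (not part of the lecture). The "image" is a constructed
1 MiB byte pattern written to a temporary file.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB image never has to fit in memory


def _digests(blocks, algorithms):
    """Feed every block to every requested hash and return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Hash an in-memory buffer (used for small items and for testing)."""
    return _digests([data], algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once, computing all algorithms in the same pass."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(CHUNK), b""), algorithms)


def verify_image(path, recorded):
    """Recompute at time-n and compare with the digests recorded at time-1.

    Returns (ok, current): ok is True only if every recorded digest matches.
    """
    current = hash_file(path, tuple(recorded))
    return all(current[n] == v for n, v in recorded.items()), current


def demo():
    """Acquire -> record -> verify unchanged -> detect a one-byte alteration.

    Returns (ok_before, ok_after); expected (True, False).
    """
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as fh:                  # constructed "image"
            fh.write(bytes(range(256)) * 4096)
        recorded = hash_file(path)                    # time-1: into the notes
        ok_before, _ = verify_image(path, recorded)   # time-n: untouched
        # Simulate the write a write blocker exists to prevent: flip one bit.
        with open(path, "r+b") as fh:
            fh.seek(4096)
            b = fh.read(1)[0]
            fh.seek(4096)
            fh.write(bytes([b ^ 0x01]))
        ok_after, _ = verify_image(path, recorded)
        return ok_before, ok_after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Computing both digests in one read matters on real evidence: hashing a multi-terabyte drive once per algorithm doubles the acquisition time, and the verification at time-n should be done on the working copy with the original still behind a write blocker.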
Examination
Higher level look at the file system representation of the data on the media
Verify integrity of image
– MD5, SHA1 etc.
Recover deleted files & folders
Determine keyword list
– What are you searching for
Determine time lines
– What is the timezone setting of the suspect system
– What time frame is of importance
– Graphical representation is very useful
Examination
Examine directory tree
– What looks out of place
– Stego tools installed
– Evidence scrubbers
Perform keyword searches
– Indexed
– Slack & unallocated space
Search for relevant evidence types
• Hash sets can be useful
• Graphics
• Spreadsheets
• Hacking tools
• Etc.
Look for the obvious first
When is enough enough??
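Why the Collection: Imaging slides insist on a bitstream copy, and why this slide sends keyword searches into slack and unallocated space, as one added example that is not from the lecture: a 16-sector toy disk holds one listed file, leftover bytes in that file's slack, and a deleted file whose sectors were never overwritten. A file copy sees only the listed file's allocated bytes; the bit-for-bit image still contains the other two. The sector size, directory layout, file contents and the keyword are all constructed here; a real examination runs the same search over an image produced by an imaging tool.

```python
"""File copy vs. bitstream image: where residual data lives and how a
keyword search finds it.  Added example, not part of the lecture; the
"disk" and its toy directory are constructed below.
"""

SECTOR = 512


def build_toy_disk():
    """Construct a 16-sector disk: one live file, slack residue, one deleted file."""
    disk = bytearray(16 * SECTOR)
    # Live file notes.txt: 700 bytes starting at sector 1 (spans sectors 1-2).
    notes = (b"Meeting notes: budget review, nothing unusual.\n" * 15)[:700]
    disk[1 * SECTOR:1 * SECTOR + len(notes)] = notes
    # Slack: bytes 700..1023 of the file's last sector still hold residue
    # from whatever previously occupied that sector.
    residue = b"...old draft: wire TRANSFER to offshore account #12..."
    disk[1 * SECTOR + 700:1 * SECTOR + 700 + len(residue)] = residue
    # Deleted file: its directory entry is gone, sectors 5-6 still hold the data.
    deleted = b"plan.txt contents: TRANSFER the funds on Friday.\n"
    disk[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    # Directory lists only the live file: name -> (start_sector, size_bytes).
    directory = {"notes.txt": (1, 700)}
    return bytes(disk), directory


def file_copy(disk, directory):
    """What a logical file copy yields: the allocated bytes of listed files only."""
    return {name: disk[start * SECTOR:start * SECTOR + size]
            for name, (start, size) in directory.items()}


def bitstream_image(disk):
    """A bit-for-bit copy: every sector, allocated or not."""
    return bytes(disk)


def classify_offset(offset, directory):
    """Label an image offset as allocated, slack (tail of a file's last sector) or unallocated."""
    for start, size in directory.values():
        first = start * SECTOR
        end_alloc = first + size
        end_sector = first + ((size + SECTOR - 1) // SECTOR) * SECTOR
        if first <= offset < end_alloc:
            return "allocated"
        if end_alloc <= offset < end_sector:
            return "slack"
    return "unallocated"


def keyword_search(data, keyword):
    """Every offset where keyword occurs, case-insensitively, in raw bytes."""
    hay, needle = data.lower(), keyword.lower()
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits


def compare_copies(keyword=b"transfer"):
    """Run the same keyword search over a file copy and over the bitstream image.

    Returns (hits_in_file_copy_by_name, [(offset, region), ...] in the image).
    """
    disk, directory = build_toy_disk()
    copy_hits = {name: keyword_search(content, keyword)
                 for name, content in file_copy(disk, directory).items()}
    image_hits = [(off, classify_offset(off, directory))
                  for off in keyword_search(bitstream_image(disk), keyword)]
    return copy_hits, image_hits


if __name__ == "__main__":
    copy_hits, image_hits = compare_copies()
    print("file copy:", copy_hits)        # {'notes.txt': []}
    print("bitstream:", image_hits)       # hits labelled slack / unallocated
```

The region label is what makes a hit reportable: an examiner has to say whether the keyword came from a live file, from slack, or from unallocated space, because each carries a different story about when and how the data got there.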
Issues
Lack of certification for tools
Lack of standards
Lack of certification for professionals
Lack of understanding by judiciary
Lack of curriculum accreditation
Rapid changes in technology!
Immature scientific discipline
Questions???
Reference
cyberforensics@mac.com
http://www.cyberforensics.purdue.edu
Summary


Editor's Notes

  1. Application of laws very NB. Discuss this.
  2. Why are these so important?
  3. Never do anything that might inadvertently cause something to be written to the suspect’s original media.
  4. Whether analyzed on site or taken to the lab, it is essential to protect the integrity of the data. A duplicate image, also known as a bit-copy, image, or clone, is an exact, bit-for-bit copy of the source media. A duplicate image of a physical device will be a true, digital copy of the entire physical device, including partition tables, reserved areas, partitions and unused areas of the device. A duplicate image of a logical drive will be a bit-for-bit copy of the original logical drive, including Boot Record, FATs, Root Directory, Data Area, and Partition Slack.
  5. Developed in 1994, MD5 is a one-way hash algorithm that takes any length of data and produces a 128 bit value, that is a “fingerprint” or “message digest”. This value is “non-reversible”; it is “computationally infeasible” to determine the data based on the value. This means someone cannot figure out your data based on its MD5 value. Here is an example of an MD5 output for the data area:
     Processing Data Area: sectors 3246-1648013
     MD5 Checksum for: Data Area = 945df74c54de310690e17487d6203876
     The actual value is 945df74c54de310690e17487d6203876. A mathematical algorithm was applied to the "Data area" to produce the value (to learn the mathematical details about the algorithm, check out RFC 1321 at http://www.cis.ohio-state.edu/rfc/rfc1321.txt). Every time an MD5 hash is performed on the data area, it should result in the exact same value. If a different value is obtained, then the data area has been altered. Source: www.enteract.com/~lspitz/md5.html
     Definitions:
     Hash — A hash value (or simply hash) is a number generated from a string of data. The hash is substantially smaller than the data itself, and is generated by a formula in such a way that it is extremely unlikely that some other data will produce the same hash value.
     One-way hash function — An algorithm that turns data into a fixed string of digits, usually for security or data management purposes. The "one way" means that it's nearly impossible to derive the original data from the string.
     Message Digest (MD) — The representation of data in the form of a single string of digits, created using a formula called a one-way hash function.
     Algorithm — A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.