© 2013 nCircle. All Rights Reserved.
Forensics Bootcamp
Introduction
What is Forensics?
• Scientific tests or techniques used in the investigation of crimes
• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
What is Computer Forensics?
Computer Forensics: a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.
Types of Cyber Crime
• Theft of intellectual property
• Financial Fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)
Legal Issues
Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody
4th Amendment
• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.
Chain-of-Custody (aka Chain of Evidence)
• Chain of Custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
Question?
As related to computer forensics, why is the 4th Amendment an important consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights
Digital Media
Two Types of Data
• Volatile – RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard drives (including Solid State Drives (SSD))
– USB devices
– Flash cards
– Optical media – CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …
Write Blockers
• Two types of write blockers: hardware and software
• Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form.
• Reads Allowed and Writes Prevented!
• Another name for a write blocker is a “Forensic Bridge”
Some Data Hiding Techniques
• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography
Question?
What function does a Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents Reads
d. Prevents writes
The Forensic Process
The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting
The Forensic Process (Preparation)
• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, Faraday bags, tags, stickers
– Chain-of-custody and other forms
The Forensic Process (Containment)
• Establish immediate control of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and physical network cables
– Power off computers as necessary
The Forensic Process (Collection)
• Photograph the scene, including monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.
The Forensic Process (Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access
The Forensic Process (Examination & Analysis)
• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
• Prepare a report of findings
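Added example, not part of the nCircle deck, of the "images must be hashed" step above: the bit-stream image is hashed and compared with the value recorded for the source media at acquisition time. The piecewise hashes go one step beyond the slide and localise which region of a failed image differs. The device contents, piece size and function names are constructed for illustration.

```python
import hashlib

CHUNK = 4096  # piece size for the piecewise hashes (constructed value)


def hash_stream(data: bytes, algo: str = "sha256") -> str:
    """Whole-image hash: the value written on the chain-of-custody form."""
    h = hashlib.new(algo)
    for off in range(0, len(data), CHUNK):  # feed in pieces, as a tool reading a device does
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


def piecewise_hashes(data: bytes, algo: str = "sha256"):
    """One hash per CHUNK-sized piece, so a mismatch can be narrowed to a region."""
    return [hashlib.new(algo, data[off:off + CHUNK]).hexdigest()
            for off in range(0, len(data), CHUNK)]


def acquire(source: bytes) -> bytes:
    """Bit-stream copy: every byte in order, allocated or not (stand-in for an imager)."""
    return bytes(source)


def verify_image(recorded_hash: str, image: bytes, recorded_pieces=None):
    """Return (ok, first_bad_piece). ok is True only when the image hashes to the
    value recorded for the source media; on failure the first differing piece
    index is reported when piecewise hashes were recorded as well."""
    if hash_stream(image) == recorded_hash:
        return True, None
    bad = None
    if recorded_pieces is not None:
        for i, (want, got) in enumerate(zip(recorded_pieces, piecewise_hashes(image))):
            if want != got:
                bad = i
                break
    return False, bad


# Constructed stand-in for a small device: 12288 bytes = three pieces (not real media).
SOURCE = bytes(range(256)) * 48
RECORDED_HASH = hash_stream(SOURCE)        # computed through the write blocker at seizure
RECORDED_PIECES = piecewise_hashes(SOURCE)


def demo():
    image = acquire(SOURCE)
    good = verify_image(RECORDED_HASH, image, RECORDED_PIECES)
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                 # a single flipped bit inside piece 1
    bad = verify_image(RECORDED_HASH, bytes(tampered), RECORDED_PIECES)
    return good, bad
```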
Question?
During the forensic process exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.
a. read blocking
b. checksums
c. hashing
d. transforms
Forensic Analysis Techniques
Forensic Analysis Techniques
• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)
Searching: Keywords
• To effectively search through a suspect’s media an investigator needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search
Searching: email & social media
• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats: Yahoo, AOL, Google, Hotmail
Searching: web artifacts
• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies
File Signature Analysis
• This type of analysis allows investigators to verify file types
• A savvy suspect can change a file's extension in an attempt to avoid detection. Example: changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header in order to determine what type of file it actually is
Data Carving (1 of 2)
• Data Carving is a technique used in the field of Computer Forensics when data cannot be identified or extracted from media by “normal” means because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.
Data Carving (2 of 2)
• Currently the most popular method of Data Carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
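Added example, not from the deck, covering both the file signature analysis slide (the .doc renamed to .dll) and the header/footer carving described on the two Data Carving slides. The signature table holds a handful of well-known magic bytes; the "raw" region, the stub files inside it and the function names are constructed for illustration.

```python
import os

# Magic-byte table: (header, footer or None). A few well-known entries only;
# real carvers ship hundreds.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),  # legacy .doc/.xls/.ppt container
    "pe":   (b"MZ", None),                                 # Windows .exe/.dll
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
               ".doc": "ole2", ".xls": "ole2", ".exe": "pe", ".dll": "pe"}


def identify(data: bytes):
    """File signature analysis: classify by the header bytes, ignoring the name."""
    for name, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return name
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed_type, actual_type, mismatch). The slide's .doc renamed
    to .dll yields ('pe', 'ole2', True)."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = identify(data)
    mismatch = claimed is not None and actual is not None and claimed != actual
    return claimed, actual, mismatch


def carve(raw: bytes):
    """Header/footer carving over raw bytes that have no file system metadata.
    Only types with a known footer are carved here; footer-less formats need a
    size field from the header or a maximum-size heuristic instead."""
    found = []
    for name, (head, foot) in SIGNATURES.items():
        if foot is None:
            continue
        pos = 0
        while True:
            start = raw.find(head, pos)
            if start == -1:
                break
            end = raw.find(foot, start + len(head))
            if end == -1:
                break  # header with no footer: file truncated or partly overwritten
            end += len(foot)
            found.append((name, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed stubs (not real files): just enough header/footer to be recognised.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"<photo-bytes>" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"<pixels>" + b"IEND\xaeB`\x82"
DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"<compound document>"
# Unallocated space: filler, a deleted photo, more filler, a deleted PNG, filler.
RAW_UNALLOCATED = b"\x00" * 64 + JPEG + b"\xcc" * 40 + PNG + b"\x00" * 16


def demo():
    """Carve the constructed region; returns (type, offset, size) per recovered file."""
    return [(name, off, len(data)) for name, off, data in carve(RAW_UNALLOCATED)]
```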
Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
• Viewing of slack space and unallocated space is done with a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
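Added example, not from the deck, of what the slide above describes: the hex/ASCII view of a file's slack space and a keyword search over that region (the "where to search – e.g. slack space" step from the keyword slide). The cluster size, the overwritten note, the new file and the function names are constructed for illustration.

```python
import re

CLUSTER = 512  # constructed cluster size; real file systems commonly use 4 KiB or more


def file_slack(cluster_bytes: bytes, logical_size: int) -> bytes:
    """File slack: bytes after the file's logical end, up to the end of its last
    cluster. They are not rewritten when the new file is shorter than the old one."""
    return cluster_bytes[logical_size:]


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """The hex/ASCII view a forensic tool shows for a region of the image."""
    rows = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in row)
        asc_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{base + off:08x}  {hex_part:<{width * 3}} |{asc_part}|")
    return "\n".join(rows)


def keyword_search(region: bytes, keywords, base: int = 0):
    """Case-insensitive keyword hits as (keyword, encoding, absolute offset).
    ASCII and UTF-16LE are both tried because Windows artifacts often use the latter."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            for m in re.finditer(re.escape(kw.encode(enc)), region, re.IGNORECASE):
                hits.append((kw, enc, base + m.start()))
    return sorted(hits, key=lambda h: h[2])


# Constructed cluster: a deleted note once filled it; a shorter file was later
# written over the front, so the note's tail survives in the new file's slack.
OLD_NOTE = (b"Wire transfer to account 4471 approved - delete this\n" * 10)[:CLUSTER]
NEW_FILE = b"Quarterly summary: nothing to report.\n"
ON_DISK = NEW_FILE + OLD_NOTE[len(NEW_FILE):]   # exactly one CLUSTER of bytes


def demo():
    """Extract the slack, search it, and render its first two rows as hex/ASCII."""
    slack = file_slack(ON_DISK, len(NEW_FILE))
    hits = keyword_search(slack, ["wire transfer", "4471"], base=len(NEW_FILE))
    return len(slack), hits, hexdump(slack[:32], base=len(NEW_FILE))
```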
Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
(Image: Saint Olga planting Christianity in Russia)
Steganography
• Detection techniques are crude
• Usually done by looking for evidence of steganography use, e.g. steg programs on the system
• Advanced analysis includes steg detection programs (that typically use statistical analysis techniques)
Question?
A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis
Question?
A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography
Incident Handling & Forensics
Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned
The Response Team
• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec,
IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement
When to Involve Law Enforcement
• Use forensic processes whenever possible
• As a general rule: involve law enforcement when corporate policy or the law says so
• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.
Make Sneaking Hard
• Detection systems – appropriate to risk
• Logging, logging, logging!!! (Firewall, router, system, …)
• Monitoring
– Intrusion detection systems
– File integrity monitoring systems
– Vulnerability and configuration management systems
– Attack path analysis
• Warning banners, expectations of use, expectations of privacy
• Physical security systems
Questions?
Continue the conversation at http://connect.ncircle.com

More Related Content

What's hot

Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
shahhardik27
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
Sekilas tentang digital forensik
Sekilas tentang digital forensikSekilas tentang digital forensik
Sekilas tentang digital forensik
Agung Subroto
 

What's hot (20)

Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Chapter 3 cmp forensic
Chapter 3 cmp forensicChapter 3 cmp forensic
Chapter 3 cmp forensic
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
 
Private Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic OpportunityPrivate Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic Opportunity
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Digital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesDigital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniques
 
Sujit
SujitSujit
Sujit
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Lect 5 computer forensics
Lect 5 computer forensicsLect 5 computer forensics
Lect 5 computer forensics
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Sekilas tentang digital forensik
Sekilas tentang digital forensikSekilas tentang digital forensik
Sekilas tentang digital forensik
 

Viewers also liked

Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
gueste0d962
 
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_s
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_sDerzhavnij standart bazovoji_i_povnoji_zagalnoji_s
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_s
grechanik
 
EMPATHIZE AND DEFINE MAP ASSIGNMENT
EMPATHIZE AND DEFINE MAP ASSIGNMENTEMPATHIZE AND DEFINE MAP ASSIGNMENT
EMPATHIZE AND DEFINE MAP ASSIGNMENT
ROCÍO ROA CALVO
 

Viewers also liked (14)

File000118
File000118File000118
File000118
 
computer forensics
computer forensics computer forensics
computer forensics
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
 
Frances Jane Gordon and Green and Mills
Frances Jane Gordon and Green and MillsFrances Jane Gordon and Green and Mills
Frances Jane Gordon and Green and Mills
 
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_s
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_sDerzhavnij standart bazovoji_i_povnoji_zagalnoji_s
Derzhavnij standart bazovoji_i_povnoji_zagalnoji_s
 
Pcm
PcmPcm
Pcm
 
Projekt EOD
Projekt EODProjekt EOD
Projekt EOD
 
componentes de una fórmula
componentes de una fórmula componentes de una fórmula
componentes de una fórmula
 
Bluetooth 3 d glasses
Bluetooth 3 d glassesBluetooth 3 d glasses
Bluetooth 3 d glasses
 
EMPATHIZE AND DEFINE MAP ASSIGNMENT
EMPATHIZE AND DEFINE MAP ASSIGNMENTEMPATHIZE AND DEFINE MAP ASSIGNMENT
EMPATHIZE AND DEFINE MAP ASSIGNMENT
 
Boletim (14)
Boletim (14)Boletim (14)
Boletim (14)
 
Andrew SAP4237
Andrew SAP4237Andrew SAP4237
Andrew SAP4237
 

Similar to Computer Forensics Bootcamp

computer forensics
computer forensicscomputer forensics
computer forensics
Akhil Kumar
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...
pable2
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
Jinalkakadiya
 

Similar to Computer Forensics Bootcamp (20)

mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
9780840024220 ppt ch12
9780840024220 ppt ch129780840024220 ppt ch12
9780840024220 ppt ch12
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic tools
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
 
Digital forensics.abdallah
Digital forensics.abdallahDigital forensics.abdallah
Digital forensics.abdallah
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 

More from nCircle - a Tripwire Company

More from nCircle - a Tripwire Company (9)

Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
Password War Games Webinar
Password War Games Webinar Password War Games Webinar
Password War Games Webinar
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
 
Compliance what does security have to do with it
Compliance what does security have to do with it Compliance what does security have to do with it
Compliance what does security have to do with it
 
Security on a budget
Security on a budget Security on a budget
Security on a budget
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Real world security webinar (v2012-05-30)
Real world security   webinar (v2012-05-30)Real world security   webinar (v2012-05-30)
Real world security webinar (v2012-05-30)
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 

Computer Forensics Bootcamp

  • 1. © 2013 nCircle. All Rights Reserved. Forensics Bootcamp
  • 2. © 2013 nCircle. All Rights Reserved. Introduction
  • 3. © 2013 nCircle. All Rights Reserved. What is Forensics? • Scientific tests or techniques used in the investigation of crimes • The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes • Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
  • 4. © 2013 nCircle. All Rights Reserved. What is Computer Forensics? Computer Forensics A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format
  • 5. © 2013 nCircle. All Rights Reserved. Types of Cyber Crime • Theft of intellectual property • Financial Fraud • Damage of company service networks • Distribution and execution of viruses and worms • Hacker system penetrations • Distribution of child pornography • Use of a computer to commit a traditional crime (emails, data management, files.)
  • 6. © 2013 nCircle. All Rights Reserved. Legal Issues
  • 7. © 2013 nCircle. All Rights Reserved. Legal Issues • 4th Amendment – Searches & Seizures • 4th Amendment – Privacy • 5th Amendment – Self Incrimination • Chain-of-Custody
  • 8. © 2013 nCircle. All Rights Reserved. 4th Amendment • The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy". • Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.
  • 9. © 2013 nCircle. All Rights Reserved. Chain-of-Custody (aka Chain of Evidence) • Chain of Custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, a nd disposition of evidence, physical or electronic. • Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
  • 10. © 2013 nCircle. All Rights Reserved. Question ? As related to computer forensics, why is the 4th amendment an important consideration? a. Free speech b. Defense against self incrimination c. Search & seizure d. Social rights
• 11. Digital Media
• 12. Two Types of Data
  • Volatile – RAM
  • Non-volatile
    – ROM, PROM, EEPROM
    – Hard drives (including Solid State Drives (SSD))
    – USB devices
    – Flash cards
    – Optical media – CDs, DVDs, Blu-ray (BD), …
    – Floppy disks, ZIP disks
    – Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …
• 13. Write Blockers
  • Two types of write blockers: hardware and software
  • Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form
  • Reads allowed and writes prevented!
  • Another name for a write blocker is a “forensic bridge”
• 14. Some Data Hiding Techniques
  • Slack space and unallocated space
  • Rootkits
  • Alternate Data Streams (ADS)
  • File signatures
  • Steganography
• 15. Question? What function does a write blocker perform?
  a. Allows writes
  b. Blocks reads
  c. Prevents reads
  d. Prevents writes
• 16. The Forensic Process
• 17. The Forensic Process
  • Preparation
  • (Containment)
  • Collection
  • Examination
  • Analysis
  • Reporting
• 18. The Forensic Process (Preparation)
  • Training
  • Policies & procedures
  • Equipment (forensic kit)
    – Laptop computer w/ forensic software
    – Boot disks and CDs of tools (forensically sound)
    – Digital cameras, pens, notepad
    – Sterile media, write blockers, cables
    – Anti-static bags, Faraday bags, tags, stickers
    – Chain-of-custody and other forms
• 19. The Forensic Process (Containment)
  • Establish immediate control of the crime scene
    – Limit and track physical access
    – Limit network / remote access
  • Detach computers of interest from wireless and physical network cables
    – Power off computers as necessary
• 20. The Forensic Process (Collection)
  • Photograph the scene, including monitor screens. Record the system time
  • Collect volatile data
  • Image non-volatile data on site?
  • Shut down the system safely
  • Unplug the system and tag all cables
  • Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.
• 21. The Forensic Process (Collection – Mobile devices)
  • Photograph the main screen
  • Do not turn the device off
  • Find a charger to keep the device from losing charge (example seizure kit)
  • Place in a Faraday bag to prevent remote access
• 22. The Forensic Process (Examination & Analysis)
  • Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
  • Images must be hashed
  • Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
  • Prepare a report of findings
• 23. Question? During the forensic process exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.
  a. read blocking
  b. checksums
  c. hashing
  d. transforms
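Added example, not from the slides: what “images must be hashed” (slide 22) and the integrity check asked about in slide 23 look like in code. The media is a constructed in-memory byte string standing in for a drive read behind a write blocker, and the 512-byte sector size is an assumption; the acquisition hash is recorded while the bit-stream copy is made and the image is re-hashed later to verify it.

```python
import hashlib

SECTOR = 512  # assumed sector size; real drives use 512 or 4096

# Constructed stand-in for a piece of media (3 sectors, deterministic content).
# A real acquisition reads the block device behind a write blocker.
SOURCE_MEDIA = bytes(range(256)) * 6

def sectors(data, size=SECTOR):
    """Yield the media sector by sector, the way an imager reads it."""
    for off in range(0, len(data), size):
        yield data[off:off + size]

def hash_stream(chunks, algo="sha256"):
    """Incremental hash of a bit stream; the image never has to fit in memory."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def acquire(source):
    """Bit-stream copy plus acquisition hash, computed in the same pass over the
    source so the recorded hash describes exactly what was read."""
    image, h = bytearray(), hashlib.sha256()
    for sector in sectors(source):
        image += sector
        h.update(sector)
    return bytes(image), h.hexdigest()

def verify(image, acquisition_hash):
    """Verification hash: re-hash the image and compare with the recorded value.
    Any difference, even one bit, means the image is not an exact copy."""
    return hash_stream(sectors(image)) == acquisition_hash

if __name__ == "__main__":
    image, acq = acquire(SOURCE_MEDIA)
    print("acquisition sha256:", acq)
    print("image verifies:", verify(image, acq))
    tampered = bytearray(image)
    tampered[700] ^= 0x01            # flip a single bit in sector 1
    print("tampered copy verifies:", verify(bytes(tampered), acq))
```

Both the acquisition and verification hash values belong on the chain-of-custody form; the check only proves anything if the recorded value was written down at acquisition time.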
• 24. Forensic Analysis Techniques
• 25. Forensic Analysis Techniques
  • Searching:
    – Keyword, email, web, viewers
  • File signatures
  • Slack space and unallocated space
  • Data carving
  • Steganography
  • Passwords (dealing with encryption)
• 26. Searching: Keywords
  • To effectively search through a suspect’s media an investigator needs to add relevant keywords
    1) Add keywords
    2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
    3) Conduct keyword search
• 27. Searching: email & social media
  • Most forensic analysis tools have built-in email searching and viewing tools
  • Tools to view various formats of email
    – Outlook (.pst)
    – Outlook Express (.dbx)
    – Linux/Unix mbox format
    – Macintosh: Safari
    – Webmail formats: Yahoo, AOL, Google, Hotmail
• 28. Searching: web artifacts
  • Most forensic analysis tools have web artifact search and viewing tools
  • Web artifacts
    – History
    – Cached files and images (temporary files)
    – Cookies
• 29. File Signature Analysis
  • This type of analysis allows investigators to verify file types
  • A savvy suspect can change a file extension in order to attempt to avoid detection. Example: changing the .doc extension on a file to .dll
  • A file signature analysis looks at the file header in order to determine what type of file it actually is
• 30. Data Carving (1 of 2)
  • Data carving is a technique used in computer forensics when data cannot be identified or extracted from media by “normal” means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.
• 31. Data Carving (2 of 2)
  • Currently the most popular method of data carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
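Added example serving both slide 29 (file signature analysis) and slide 31 (header-search data carving); it is not code from the slides, EnCase or FTK. The signature table holds well-known magic bytes for a handful of formats, the raw buffer is constructed to stand in for unallocated space, and the two-byte MZ signature is deliberately left unvalidated so the false positive it produces on plain text is visible.

```python
import os

# Well-known file headers (magic bytes at offset 0) and the extensions that
# legitimately carry them. A real tool has hundreds of entries; this is a sample.
SIGNATURES = {
    b"\xFF\xD8\xFF": ("JPEG", {".jpg", ".jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("PNG", {".png"}),
    b"%PDF-": ("PDF", {".pdf"}),
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": ("OLE2 (legacy .doc/.xls/.ppt)", {".doc", ".xls", ".ppt"}),
    b"MZ": ("PE executable", {".exe", ".dll", ".sys"}),
}

def identify(header):
    """File signature analysis: classify a file by its header, not its name."""
    for magic, info in SIGNATURES.items():
        if header.startswith(magic):
            return info
    return None

def signature_mismatch(filename, header):
    """True when the header identifies a type the extension does not belong to,
    e.g. an OLE2 (.doc) header on a file renamed to .dll."""
    found = identify(header)
    if found is None:
        return False  # unknown header: nothing to compare against
    return os.path.splitext(filename)[1].lower() not in found[1]

def carve(raw):
    """Header-based data carving: scan raw/unallocated bytes for every known
    signature and return (offset, type) hits in offset order. A 2-byte signature
    such as MZ also matches ordinary text, so real carvers validate candidates."""
    hits = []
    for magic, (name, _) in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = raw.find(magic, pos + 1)
    return sorted(hits)

RAW = (  # constructed stand-in for unallocated space
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"fake png body"   # PNG header at offset 16
    + b"\x00" * 8
    + b"MZ\x90\x00\x03\x00\x00\x00"             # PE DOS stub at offset 45
    + b"\x00" * 8
    + b"%PDF-1.4 fake pdf"                      # PDF at offset 61
    + b"\x00" * 8
    + b"FROM: AMZ sales"                        # plain text containing "MZ": false positive at 93
)
```

Real carvers also look for the format's footer or length field to decide where a carved file ends; this block only finds where candidates start.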
• 32. Slack Space and Unallocated Space
  • Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
  • Viewing of slack space and unallocated space is done with a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
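Added example, not from the slides or from EnCase/FTK: why slack space is worth viewing. The cluster geometry (512-byte sectors, 4 per cluster), the old memo and the new note are all constructed; the scenario models an OS that zero-fills only the rest of the last written sector, so earlier content survives in the cluster's remaining sectors, and a small hex/ASCII viewer shows it.

```python
import string

SECTOR, CLUSTER = 512, 2048   # assumed geometry: 4 sectors per cluster

def build_cluster(previous_content, new_file):
    """Constructed scenario: a cluster that once held previous_content is
    reallocated to new_file. The OS writes the new data and zero-fills the rest
    of that last sector (RAM slack) but does not touch the remaining sectors of
    the cluster (file slack), so the old content survives there."""
    buf = bytearray(previous_content.ljust(CLUSTER, b"\x00")[:CLUSTER])
    end = len(new_file)
    buf[:end] = new_file
    sector_end = -(-end // SECTOR) * SECTOR        # round up to next sector
    buf[end:sector_end] = b"\x00" * (sector_end - end)
    return bytes(buf)

def slack_region(cluster, logical_size):
    """Everything past the file's logical end up to the end of its last cluster:
    the bytes a normal file read never returns."""
    return cluster[logical_size:]

def hexdump(data, base=0, width=16):
    """Hex/ASCII view of the kind built into EnCase and FTK, as a list of lines."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if chr(b) in printable else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart}  {asc}")
    return lines

# Constructed content: an old memo overwritten by a short new note.
OLD = b"CONFIDENTIAL: Q3 acquisition target is Acme Corp. " * 60
NEW = b"shopping list: milk, eggs"
CLUSTER_DATA = build_cluster(OLD, NEW)

if __name__ == "__main__":
    slack = slack_region(CLUSTER_DATA, len(NEW))
    # Skip the zero-filled RAM slack and show the start of the file slack.
    for line in hexdump(slack[SECTOR - len(NEW):][:64], base=SECTOR):
        print(line)
```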
• 33. Concealment cipher = Steganography (example)
  Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
  (image caption) Saint Olga planting Christianity in Russia
• 34. Steganography
  • Detection techniques are crude
  • Usually done by looking for evidence of steganography use, e.g. steg programs on the system
  • Advanced analysis includes steg detection programs (which typically use statistical analysis techniques)
• 35. Question? A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
  a. Steganography
  b. Data carving
  c. File signature analysis
  d. Slack space analysis
• 36. Question? A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
  a. Data carving
  b. Cryptography
  c. Data blinking
  d. Steganography
• 37. Incident Handling & Forensics
• 38. Incident Response Process
  • Identification
    – Incident identification
    – Notifying appropriate personnel
  • Action
    – Isolation and containment
    – Gathering evidence
    – Analysis and reporting
  • Closure
    – Restoration
    – Lessons learned
• 39. The Response Team
  • Cross-functional with a high level of authority
    – Dedicated, with clearly defined roles & responsibilities
    – Not just computer security: management, info sec, IT/network, legal, public relations
  • Well trained
    – Rehearsals and training appropriate to risk
    – Trained in forensics
    – Forensics tools and equipment
  • Policies and procedures
    – Appropriate to risk (risk management)
    – Lessons learned / constant refinement
• 40. When to Involve Law Enforcement
  • Use forensic processes whenever possible
  • As a general rule: involve law enforcement when corporate policy or the law says so
  • You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
  • Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.
• 41. Make Sneaking Hard
  • Detection systems – appropriate to risk
  • Logging, logging, logging!!! (firewall, router, system, …)
  • Monitoring
    – Intrusion detection systems
    – File integrity monitoring systems
    – Vulnerability and configuration management systems
    – Attack path analysis
  • Warning banners, expectations of use, expectations of privacy
  • Physical security systems
• 42. Questions? Continue the conversation at http://connect.ncircle.com