Conducting Digital Forensics Against Crime and Fraud
Digital Forensics, September 2016
Workshop Agenda

Day #1: Introducing Digital Forensics
- Concept and Definition
- Objectives and Goals
- Why Important?
- Trends and Challenges
- Types, Phases and Activities
- Various Tools
Workshop Agenda (cont'd)

Day #2: Implementing Digital Forensics
- Sample Cases
- Types in Detail
- Phases and Activities in Detail
- Tools in Detail
- Demonstration

Day #3: Digital Forensics Workshop
- Case Studies
- Preventive Actions
- Policies and Procedures
- Standards and Frameworks
- Regulations
Introducing Digital Forensics

Concept and Definition
Digital (Oxford Dictionary)
- (of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization. Often contrasted with analogue.
- Involving or relating to the use of computer technology: the digital revolution.

Forensics (Oxford Dictionary)
- Scientific tests or techniques used in connection with the detection of crime.
Concepts and Definitions (cont'd)

Therefore Digital Forensics is "the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law."
Digital Evidence
- Information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.
- It is acquired when data or electronic devices are seized and secured for examination.
Digital Evidence (cont'd)

Traits of Digital Evidence
- May be found in: storage devices such as hard discs, CDs, DVDs, memory cards, USB drives, mobile phones and SIM cards, and online resources such as mail servers and cloud servers.
- Can be hidden in: password-protected files, encrypted files, steganography files, formatted hard discs, and the HPA (Host Protected Area) or DCO (Device Configuration Overlay) of hard drives.
- Can relate to: online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attacks), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.
Objectives and Goals

Objectives
- Where is the evidence?
- What is the evidence?
- How do I investigate? How do I prove the crime?
Objectives (cont'd)

The most common objective is to support or refute a hypothesis before criminal or civil courts (in civil cases, as part of the electronic discovery process). This is known as identifying direct evidence of a crime or fraud.

In Practice
- Digital forensics helps to protect against and solve cases such as:
  - Theft of intellectual property: any act that allows access to patient data, trade secrets, customer data, and any other confidential information.
  - Financial fraud: anything that uses fraudulent solicitation of victims' information to conduct fraudulent transactions.

In Practice (cont'd)
  - Hacker system penetration: taking advantage of vulnerabilities in systems or software using tools such as rootkits and sniffers.
  - Distribution and execution of viruses, malware and worms: these are the most common forms of cyber crime and often cause the most damage.
Goals

Digital forensics could be utilized to:
- Attribute evidence to specific suspects
- Confirm alibis or statements
- Determine intent
- Identify sources (for example, in copyright cases)
- Authenticate documents

Why Important?
Because of (Cyber) Crime

Definition of Crime: "An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act" (Oxford Dictionary)
What is Crime? (cont'd)

Is doing crime illegal? Is being a criminal the same as being a bad person?

Crime  = Illegal against Law + Bad Motive(s) + On Purpose
Crime != Illegal against Law + Unintentional + Good Motive(s)
Crime != Illegal against Law + Unintentional + Bad Motive(s)
Crime != Illegal against Law + On Purpose + Good Motive(s)

What is Crime? (cont'd)

And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
Defining Cyber Crime
- It is an unlawful act wherein the computer is either a tool or a target, or both.
- Acts that are punishable under the Information Technology Act.
- It happens in and/or through cyber space: a virtual space that has become as important as real space for the economy, business, education, politics, and communities.

Defining Cyber Crime (cont'd)
- Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
- With the pervasion of digital technology, new terms like "high-technology" or "information-age" crime were added to the definition. The Internet also brought new terms, like "cybercrime" and "net crime".
- Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
Fraud

Oxford Dictionary
- Wrongful or criminal deception intended to result in financial or personal gain; or
- A person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.

Association of Certified Fraud Examiners (ACFE)
- Any crime for gain that uses deception as its principal modus operandi.

Fraud (cont'd)

Black's Law Dictionary
- A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment; or
- Any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.
Fraud vs Lying
- Fraud usually involves lying for a specific gain that causes someone a loss, while lying does not always cause harm.
- For example, if we take our car to an unscrupulous mechanic, he may tell us he makes $1,000 a year. If this is a lie, it does not hurt us.
- However, if our car does not need repairs but the mechanic says our car needs $500 in body work, he or she has committed fraud, because the truth is twisted and it causes a financial loss for us.
Types of Fraud
- Internal Fraud: when an employee, manager, or executive commits fraud against his or her employer.
- External Fraud: committed by vendors, customers, suppliers, integrators, consultants, and other third parties (known or unknown).

[Figure courtesy of ACFE]

Fraud Motives
Donald Cressey's hypothesis [figure courtesy of ACFE]
Trends and Challenges

[Figures: source IBM. References: [1] UNODC Comprehensive Study on Cybercrime, 2013; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies; [6] ESG: http://bit.ly/1xzTmUW]
Notable Cyber Attacks

In 2015 the FBI listed, starting with the most frequent:
- Viruses
- Employee abuse of internet privileges
- Unauthorized access by insiders
- Denial of Service
- System penetration from the outside
- Theft of proprietary information
- Sabotage of data/networks
- Probing/scanning systems
- Financial fraud

Notable Cyber Attacks (cont'd)
- Manipulating data integrity
- Installing a sniffer
- Stealing password files
- Trojan logons
- IP spoofing
Common Cyber Attacks
- Unauthorized access
- Theft of information
- Email bombing
- Data diddling
- Salami attacks
- Denial of Service

Common Cyber Attacks (cont'd)
- Virus and worm attacks
- Logic bombs
- Trojan attacks
- Internet time theft
- Web jacking
- Theft of computer systems
- Physically damaging a computer system

Cyber Criminals: Who Are They?
- Kids (age group below 17)
- Disgruntled employees
- Organized hacktivists
- Professional hackers (corporate espionage), either white or black hats
- Cyber terrorists (political motive)
Common Challenges

Rise of Anti-Forensics

A set of techniques used as countermeasures to forensic analysis, for example:
- Full-disk encryption
  - TrueCrypt on Linux, Windows and OS X
  - FileVault 2 on OS X
  - BitLocker on Windows
- File erasers
  - AbsoluteShield File Shredder
  - Heidi Eraser
  - Permanent Eraser

Rise of Anti-Forensics (cont'd)

Some of these are natively provided by the software principal/vendor.

Dealing with Steganography
Types, Phases and Activities

Types of Digital Forensics
- Disk forensics: flash, HDD, USB devices
- Network forensics: monitoring and analyzing network traffic
- Memory forensics: analysis of system memory dumps
- Mobile forensics: acquiring deleted or undeleted data from mobile devices
- Cloud forensics: forensic network analysis on cloud computing architecture

Types of Digital Forensics (cont'd)

Mobile Forensics [figure source: RSA AP Conference 2013]
Phases and Activities
- Phase 1: Identification of storage media for potential evidence
- Phase 2: Acquisition of the storage media
- Phase 3: Examination and analysis of the acquired media
- Phase 4: Documentation and reporting
Various Tools

Types of Tools
- Commercial/Proprietary Tools: software applications designed with a commercial objective. The source code and the internal workings of the application are privileged and concealed from the user.
- Open Source Free Tools: software applications available for use at no cost. The source code and the internal workings of the application are known to the user. Furthermore, the user has the liberty of altering the source code as per their requirements.
Acquisition Tools

Proprietary Tools
- EnCase Forensic (Guidance Software): www.guidancesoftware.com/encase-forensic.htm
- FTK (AccessData): www.accessdata.com/products/digital-forensics/ftk
- WinHex (X-Ways Software Technology AG): www.x-ways.net/winhex/
- Forensics Apprentice: www.registryforensics.com/
- BlackLight: www.blackbagtech.com/blacklight-1.html
- Cellebrite (mobile forensics and data transfer solutions): www.cellebrite.com/
- Paraben (handheld digital forensics): http://www.paraben.com/handheld-forensics.html

Open Source Tools
- Digital Forensics Framework: www.digital-forensic.org
- CAINE: www.caine-live.net/
- DEFT: www.deftlinux.net/
Examination and Analysis Tools

Proprietary Tools
- EnCase Forensic (Guidance Software): www.guidancesoftware.com/encase-forensic.htm
- FTK (AccessData): www.accessdata.com/products/digital-forensics/ftk
- WinHex (X-Ways Software Technology AG): www.x-ways.net/winhex/
- Forensics Apprentice: www.registryforensics.com/
- BlackLight: www.blackbagtech.com/blacklight-1.html
- Cellebrite (mobile forensics and data transfer solutions): www.cellebrite.com/
- Paraben (handheld digital forensics): http://www.paraben.com/handheld-forensics.html

Open Source Tools
- Digital Forensics Framework: www.digital-forensic.org
- CAINE: www.caine-live.net/
- DEFT: www.deftlinux.net/
- SAFT Mobile Forensics: www.signalsec.com/saft/

Activities covered: analyzing digital information; identifying and examining malicious files; recovering deleted, fragmented and corrupted data; analyzing online activities; analyzing mobiles.

Examination and Analysis Tools (cont'd)

Analyzing RAM
- Free tools: CMAT (http://sourceforge.net/projects/cmat), Volafox (https://www.volatilesystems.com/default/volatility), Volatility (https://www.volatilesystems.com/default/volatility)
- Proprietary tools: Second Look (http://secondlookforensics.com/), WindowsSCOPE (http://windowsscope.com/), Memoryze (http://www.mandiant.com/resources/download/memoryze/)

Network forensics: capturing and analyzing network packets
- Free tools: Wireshark (http://www.wireshark.org/), NetworkMiner (http://networkminer.en.malavida.com/)
- Proprietary tools: NetIntercept (http://www.securitywizardry.com/index.php/products/forensic-solutions/network-forensic-tools/niksun-netintercept.html)

Registry analysis
- Free tools: Registry Decoder (http://www.digitalforensicssolutions.com/registrydecoder/)
- Proprietary tools: Registry Recon (http://arsenalrecon.com/apps/)

Activity covered: identifying traces of network/computer intrusion.

Examination and Analysis Tools (cont'd)

Password cracking
- Free tools: John the Ripper (www.openwall.com/john); cracking passwords for Windows, PDF, Word, RAR, ZIP and Excel (http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm)
- Proprietary tools: Password Recovery (www.elcomsoft.com/products.html), Passware (http://www.lostpassword.com/)

Detecting pornography
- Free tools: Redlight Porn Scanner (http://dfcsc.uri.edu/research/redLightTrial) [NIJ-funded project: http://www.nij.gov/topics/technology/software-tools.htm]
- Proprietary tools: SurfRecon (http://www.surfrecon.com/products/home-edition.php)

Activity covered: employing techniques to crack file and system passwords.
Implementing Digital Forensics

Common Cases
Indonesia Facts

Security threat reports and Symantec say:
- 36.6 million cyber attacks (35% from outside the country, the rest from inside) from 2012 to 2014.
- 497 cyber crime cases from 2012 to April 2015, with 389 foreigners and 108 local citizens involved.
- Fake bank accounts, money laundering, artificial LC documents, camouflage posting.
- Indonesia accounted for 4.1% of the world's cyber crimes.
- The highest percentage of PCs infected by malware across the globe.

The Government CSIRT says:
- 60% of government domains encountered web defacements and 36% were infected by malware.
Indonesia Facts (cont'd)
- According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
- Yet the figures for Indonesia are unknown.
- Dakaadvisory predicts around USD 2.3bn in 2013, by multiplying the number of victims by the cost per victim.
- Of the Ministry of Communication and IT's total budget of USD 500m, 1% is allocated to cyber security.

Global Cases
Cyber Crime-as-a-Service Marketplace
- Has continued to mature over the past two years.
- Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
- Has become fiercely competitive.
- Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
- Generalized increase in the quality of malware produced.
- Enables a much larger pool of bad actors with no technical knowledge to profit.

Cyber Crime-as-a-Service Marketplace (cont'd)
- Many types of attack are simple and low cost.
- Phishing attacks: 500,000 email addresses cost $30.
- Hosting a phishing site can be more or less free.
- Thousands of credit cards can be stolen in return for around $100.

Cyber Crime-as-a-Service Marketplace (cont'd)
[Figure courtesy of EMC]
Mobile Encounters a Larger Attack Surface
- In 2015, 1.5 billion units were shipped. [1]
- The vast majority of mobile malware is still focused on the Android platform, due to its open platform and popularity: 79%, versus 15% for iOS and 5% for the rest. [2]
- Banking Trojans, used with SMS sniffers, are increasing: a user is persuaded through social engineering to download mobile malware from their PC.

Scenario: During an online banking session, a screen pops up inviting the user to download a mobile app (masquerading as a security feature), which is actually an SMS sniffer. When the user's bank detects unusual activity, such as a high-value wire transfer, and sends an out-of-band one-time password to the user's mobile that must be entered to authorize the transaction, the criminal can intercept it and complete the transfer to their own account.

[1] IDC Worldwide Smart Phone 2015-2019 Forecast and Analysis
[2] IDC Worldwide Quarterly Mobile Phone Tracker

Mobile-Only Attack Vectors
[Figure courtesy of EMC]
Ransomware Continues
- On mobile devices, such as Police Locker, capitalizing on typical user behavior during installation.
- Gains the privileges needed to lock the device.
- Instructs the user to pay a ransom to unlock their files (or to 'pay a fine' because the phone supposedly contains 'illegal content').
- Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
Larger Retail and Financial Attacks
- Shift from attacks on individuals to mass attacks on retailers and financial institutions.
- Banking botnets are becoming more resilient and harder to take down.
- They utilize the deep web and untraceable peer-to-peer networks (TOR and I2P) to increase resilience and anonymity, and to hide their infrastructure from law enforcement agencies.
- Private botnets, written specifically for an individual gang (harder to trace and analyze).
- Point of Sale (POS) malware and RAM scrapers are used.

[Figure courtesy of EMC]

Larger Retail and Financial Attacks (cont'd)
- Transferring cash from a bank's system to criminals' own accounts.
- ATM attacks: directly cashing out an ATM.
- Ransom requests: extorting money based on locking private information about a bank's customers.
Phases and Activities in Detail

Phases and Activities
- Phase 1: Identification of storage media for potential evidence
- Phase 2: Acquisition of the storage media
- Phase 3: Examination and analysis of the acquired media
- Phase 4: Documentation and reporting
Phases and Activities (cont'd)
- Analyzing digital information
- Identifying traces of network/computer intrusion
- Identifying and examining malicious files
- Employing techniques to crack file and system passwords
- Detecting steganography
- Recovering deleted, fragmented and corrupted data
- Maintaining evidence custody procedures
- Analyzing online activities
- Courtroom presentation
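The "recovering deleted, fragmented and corrupted data" activity listed above is most often done by file carving: scanning unallocated space for known file headers and footers instead of trusting file system metadata that may already be gone. The Python below is an added example, not code from the slides or from any tool they name. It carves JPEG and PNG objects out of a constructed raw image (the offsets and byte blobs are made up for the demonstration) and reports an orphan header whose footer never appears. The docstring carries the caveat a practitioner needs: header/footer carving recovers contiguous files only, so the fragmented case on the slide needs a smarter carver.

```python
"""Header/footer file carving over a raw image (added example, not from the slides)."""

# Header and footer signatures for two common file types. The footer is the byte
# sequence a well-formed file ends with, so the carver can stop at the first footer
# found after a header.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=64 * 1024 * 1024):
    """Return the objects carved from a raw byte image, sorted by offset.

    Each hit is a dict with the type, start offset, length, a completeness flag
    and the carved bytes. Header/footer carving only recovers contiguous files:
    a fragmented file comes out truncated or mixed with unrelated data, a file
    with no footer is reported with complete=False and cut at max_size, and a
    JPEG carrying an embedded thumbnail (which has its own FFD9) is cut at the
    thumbnail's footer.
    """
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            if end == -1:
                data, complete = image[pos:window_end], False
                next_search = pos + len(header)   # keep scanning after the orphan header
            else:
                end += len(footer)
                data, complete = image[pos:end], True
                next_search = end                 # resume after the carved object
            results.append({"type": kind, "offset": pos, "length": len(data),
                            "complete": complete, "data": data})
            pos = image.find(header, next_search)
    return sorted(results, key=lambda hit: hit["offset"])


def build_sample_image():
    """Constructed 'unallocated space': 4 KiB of zeros with a JPEG-like blob at 512,
    a PNG-like blob at 2048 and an orphan JPEG header (no footer) at 3500."""
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + SIGNATURES["jpeg"][1]
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x22" * 200
           + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    image = bytearray(4096)
    image[512:512 + len(jpeg)] = jpeg
    image[2048:2048 + len(png)] = png
    image[3500:3503] = SIGNATURES["jpeg"][0]
    return bytes(image), jpeg, png


if __name__ == "__main__":
    sample, _, _ = build_sample_image()
    for hit in carve(sample):
        print(f"{hit['type']:5} offset={hit['offset']:6} length={hit['length']:5} "
              f"complete={hit['complete']}")
```

Carving a real image means reading it in blocks rather than as one bytes object, but the scan logic is the same; the point of the orphan-header case is that an examiner should expect partial hits and record them as such rather than discard them.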
Activities Involved
- Identifying 5W1H
- Identifying and understanding the scenario
- Identifying the approach
- Identifying techniques and tools
- Acquiring the data and information needed
- Analyzing data and information
- Identifying evidence
- Drawing the conclusion (based on facts)

5W1H
- What was hacked, compromised, stolen, accessed, looked at, etc.
- By whom (caution: attribution is hard!)
- When
- How
- Impact (technical and business)
- Likely motives
- Capabilities
- Remediation steps
- Future mitigation to avoid repeats
- Liability

Collecting Evidence
Scenarios

Internal, such as employees or contractors:
- Employee accessed inappropriate but not illegal internet material
- Employee accessed internal data they were not authorised to
- Employee committed an internally focused financial crime
- Employee disclosed intellectual property to an unauthorised third party
- Employee is soon to depart and stole intellectual property for personal benefit
- Employee used work resources for personal enterprise
- Other disciplinary issue…

Scenarios (cont'd)

External:
- Malicious phishing/spear-phishing e-mails sent into an organization
- Malicious code present on a system
- Credentials compromised
- Host, system or network compromised
- Data stolen/exfiltrated (taken out)
- Data changed
- Data added
- Theft/fraud
- Mobile devices tampered with (evil maid)

Scenarios (cont'd)

This sounds like a scary scale, right? But it happens every day: in most organizations of a moderate size you'd expect at least one such incident a day/week (you pick) if you could detect them all.
Approach

We normally start with a suspicion or indicator of compromise. Knowing there is something to be found, versus aimlessly looking for something that might not be there, leads to a more focused approach.

Approach (cont'd)
- Doing bit-by-bit copies of multi-terabyte systems is slow and challenging in a lot of cases.
- We don't need to in a lot of cases, as we (generally) know where we want to look to confirm suspicions.
- A lot of the time we are interested in rich data sources rather than looking for one elusive deleted file.
- Attackers/threat actors are often sloppy.
Tools in Detail

Data Collection
- It is basically the acquisition of data.
- Recording and labeling the data of the computers.
- Two kinds of data are collected: volatile and non-volatile.
- Data is also collected from other sources, both offline and online.

Volatile Data
- Data that requires power to be maintained.
- Examples: RAM, page files, swap, caches.
- Tools: Belkasoft Live RAM Capturer, Memory DD, MANDIANT Memoryze.

Non-volatile Data
- Resides in the permanent storage of the computing device.
- Copying this type of data is known as forensic imaging.
- Data is collected from storage devices like hard disks, CDs, DVDs, etc.
- Data should be preserved without any modification or alteration.
- Tools: EnCase, ProDiscover, WinHex, The Sleuth Kit and FTK.
Order of Volatility

Data Examination
- File system assessment through NTFS.
- Windows registry assessment: HKEY_CLASSES_ROOT, HKEY_USERS, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG, HKEY_LOCAL_MACHINE.
- Database forensic assessment: DDL, DCL and DML transactions in the database are assessed.
- Network forensic assessment: browsing data, mails and IP addresses are assessed.
Don't Forget Hashing
- Calculate the hash after a clone/image is made.
- After complete analysis of the disk/image, calculate the hash again.
- You need to prove in court that the evidence has not been tampered with.
- Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
Typical Tools

In a Windows environment:
- Ipconfig is used for the collection of subject system details.
- Netusers and qusers can identify logged-in user information.
- Doskey or history for collecting command history.
- Netfile is used to identify the services and drivers.
- etc.
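The "Don't Forget Hashing" slide above states the rule in words: hash at acquisition, hash again after analysis, and be able to show the two match. The Python below is an added example, not code from the deck or from WinHex, Sleuth Kit or EnCase. It hashes a constructed evidence file (the name evidence.dd and its contents are made up) in chunks with MD5 and SHA-256 at acquisition time, re-verifies after a read-only analysis, and then shows a single flipped byte failing verification.

```python
"""Evidence-integrity hashing before and after analysis (added example, not from the slides)."""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB chunks so multi-GB images never sit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a file-like object in a single pass, feeding each chunk to every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as stream:
        return hash_stream(stream, algorithms)


def verify_image(path, acquisition_hashes):
    """Re-hash an image and compare against the digests recorded at acquisition.

    Returns (ok, mismatches): ok is True only if every recorded algorithm matches;
    mismatches maps algorithm -> (recorded, current) for anything that differs.
    """
    current = hash_file(path, tuple(acquisition_hashes))
    mismatches = {name: (recorded, current[name])
                  for name, recorded in acquisition_hashes.items()
                  if current[name] != recorded}
    return not mismatches, mismatches


def demo():
    """Constructed evidence file: hash at acquisition, re-verify after a read-only
    analysis, then flip one byte and show the verification failing."""
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "evidence.dd")
        with open(image_path, "wb") as f:
            f.write(b"CONSTRUCTED-SAMPLE-IMAGE " * 100000)   # ~2.4 MiB, spans several chunks
        acquisition = hash_file(image_path)                  # record these in the case notes
        analysed_ok, _ = verify_image(image_path, acquisition)   # analysis touched nothing
        with open(image_path, "r+b") as f:                   # simulate an accidental write
            f.seek(1000)
            f.write(b"X")
        tampered_ok, mismatches = verify_image(image_path, acquisition)
        return analysed_ok, tampered_ok, sorted(mismatches)


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha256'])
```

Two algorithms are computed in the same read pass because many case-report templates still list MD5 alongside SHA-256; the cost is the single pass over the image, not the number of digests.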
Typical Tools (cont'd)

Open Source and Free Tools
- SANS Investigative Forensic Toolkit (SIFT): Linux-based VM with a huge collection of tools for acquisition and analysis. http://digital-forensics.sans.org/community/downloads
- The Sleuth Kit & Autopsy: http://www.sleuthkit.org/
- FTK Imager: http://accessdata.com/product-download
- National Software Reference Library: known-good hashes for software so they can be excluded from analysis. http://www.nsrl.nist.gov/
- Volatility: de-facto open source memory forensics tool; Windows, Mac and Linux support. http://www.volatilityfoundation.org/
- Mandiant Redline: https://www.mandiant.com/resources/download/redline
- NetworkMiner: http://www.netresec.com/?page=NetworkMiner
- Wireshark: https://www.wireshark.org/
- Cuckoo Sandbox: http://www.cuckoosandbox.org/about.html
- Yara: http://plusvic.github.io/yara/
- RegRipper: https://regripper.wordpress.com/
- Microsoft Sysinternals (some highlights: Process Explorer, Process Monitor): https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx
- Bulk Extractor: https://github.com/simsong/bulk_extractor
- Log2timeline/Plaso: http://plaso.kiddaland.net/usage/log2timeline
Memory Forensics

What is memory forensics?
In short, the reconstruction, typically from a physical RAM dump, of a representation of the system that was running at the time, which can be queried and otherwise interrogated as part of a forensics exercise. It allows us to capture transient or ephemeral aspects, such as some aspects of screen layout or connections, and other non-persisting malware/exploits.

How does it work?
- Dump physical contiguous RAM, or get the hibernation file.
- Then:
  1. Parse the physical image for key structures for the OS version
  2. Rebuild the kernel and user space virtual memory layout
  3. Overlay OS concepts
- Sounds easy… it isn't; look at the Volatility source.

What tool? Volatility
- Python, but binary distributions are available
- Open source
- Plugin architecture (we wrote one; it was easy)
- Awesome
Commercial Tools (screenshots): FTK, EnCase, ProDiscover
Live Digital Forensics
 ProDiscover IR
 Helix
 Sleuth Kit & Autopsy
 Caine
 FTK/EnCase making them live?
 Both newer offerings have live capabilities
September 2016Digital Forensics
119
ProDiscoverIR
September 2016Digital Forensics
120
Helix
September 2016Digital Forensics
121
Helix (cont’d)
September 2016Digital Forensics
122
wbStego
September 2016Digital Forensics
123
HIP
September 2016Digital Forensics
124
M-Sweep Pro Data Eliminator
September 2016Digital Forensics
125
DBAN
September 2016Digital Forensics
126
File Shredder
September 2016Digital Forensics
127
Metasploit
September 2016Digital Forensics
128
Timestomp
September 2016Digital Forensics
129
MetaChanger
September 2016Digital Forensics
130
Demonstration

Basic Forensics
- Registry
- Thumbs.db
- Index.dat
- Commands

Registry
- Last logon: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Security Center: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- Recent documents: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
- Typed URLs: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
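The registry keys above are normally read from the live system or from an exported hive with a tool such as RegRipper; a lighter way to show what the artefacts look like is to parse a `reg export` text file. The Python below is an added example, not code from the deck or from RegRipper. It parses a constructed .reg excerpt for the TypedURLs, RecentDocs and Winlogon keys named on the slide (the URLs, file names and user name are made up for the example), decodes the binary RecentDocs entries, whose first field is the NUL-terminated UTF-16LE file name, and orders them by MRUListEx, the most-recent-first index array Explorer keeps beside them.

```python
"""Parse a .reg export and pull the artefacts named on the slide (added example)."""
import re

# Constructed excerpt of a "reg export" file; the key paths are the slide's, the
# values are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/"
"url2"="http://news.example.test/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc]
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:62,00,75,00,64,00,67,00,65,00,74,00,2e,00,64,00,6f,00,63,00,00,00,14,00,\
  32,00,00,00
"1"=hex:6d,00,65,00,6d,00,6f,00,2e,00,64,00,6f,00,63,00,00,00,14,00,32,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="analyst"
"AutoAdminLogon"="0"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        yield pending + line
        pending = ""


def _parse_value(raw):
    if raw.startswith('"'):                       # REG_SZ, with reg export's two escapes undone
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):                  # REG_DWORD as 8 hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\w+\))?:(.*)", raw)    # REG_BINARY and other hex(...) types
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    hive, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            hive[current][name] = _parse_value(m.group(3))
    return hive


def _utf16_cstring(blob):
    """Decode a NUL-terminated UTF-16LE string from the start of a binary value."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def typed_urls(hive):
    """TypedURLs values are named url1, url2, ... with url1 the most recently typed."""
    key = hive.get(r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs", {})
    names = sorted((n for n in key if re.fullmatch(r"url\d+", n)), key=lambda n: int(n[3:]))
    return [key[n] for n in names]


def recent_docs(hive, extension=".doc"):
    """RecentDocs entries are binary: a UTF-16LE file name followed by a shell item.
    MRUListEx is an array of little-endian uint32 indexes, most recent first, ending in 0xffffffff."""
    path = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" + "\\" + extension
    key = hive.get(path, {})
    order = key.get("MRUListEx", b"")
    names = []
    for i in range(0, len(order) - 3, 4):
        idx = int.from_bytes(order[i:i + 4], "little")
        if idx == 0xFFFFFFFF:
            break
        if str(idx) in key:
            names.append(_utf16_cstring(key[str(idx)]))
    return names


if __name__ == "__main__":
    hive = parse_reg(SAMPLE_REG)
    print("Typed URLs:", typed_urls(hive))
    print("Recent .doc files (most recent first):", recent_docs(hive))
```

The MRU ordering is the detail that matters in an examination: the value names "0", "1", ... are slot numbers, not chronology, so reporting them without MRUListEx gives the wrong order of access.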
Thumbs.DB
- Pictures opened in Windows OS
- Filmstrip
- Thumbnails
- Thumbs.DB Viewer

Index.DAT
- Contains all of the Web sites
- Every URL
- Every Web page
- All email sent or received through Outlook or Outlook Express
- All internet temp files
- All pictures viewed
Commands
- dir: lists all files and directories in the directory you are currently in.
- ls: lists directory contents; add a tilde after the ls command (ls ~) to list the contents of your home directory.
- ps: displays the currently running processes.
- fdisk: a utility that provides disk partitioning functions and information.
Locations of Index.DAT files
- \Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- \Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- \Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- C:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat

Tool screenshots: Index.DAT Analyzer, Thumbs.DB Viewer, Safe Block XP
Software Write Block
- Registry edit to block USB writes: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
- Write protect
  - Disable writing (write protect on): WriteProtect dword:00000001
  - Enable writing (write protect off): WriteProtect dword:00000000

Hex Editor
Steganography
- Detection
  - WetStone Technologies' Gargoyle
  - Niels Provos' Stegdetect
- Hiding
  - StegoMagic
  - wbStego
  - HIP (Hide In Picture)

StegoMagic (screenshot)
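The detection side of the steganography slide can be shown without any of the listed tools. The Python below is an added example, not code from the deck or from Stegdetect. It writes a random-looking payload into the least significant bits of a constructed sample array (a stand-in for image pixel values, not a real image) and then applies the pairs-of-values chi-square test that Stegdetect-style detectors use: LSB embedding drives the counts of each (2k, 2k+1) value pair towards equality, which a natural histogram does not show. The threshold of twice the degrees of freedom is this example's choice, not a published one.

```python
"""LSB steganography and its chi-square detection (added example, not from the slides)."""
import random

PAIRS = 128  # 8-bit samples form 128 (2k, 2k+1) value pairs; LSB embedding equalises each pair


def embed_lsb(cover, bits):
    """Overwrite the least significant bit of successive samples with message bits."""
    if len(bits) > len(cover):
        raise ValueError("message longer than cover capacity")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | (bit & 1)
    return bytes(stego)


def extract_lsb(stego, nbits):
    """Read the LSB plane back (what an examiner does once embedding is suspected)."""
    return [sample & 1 for sample in stego[:nbits]]


def chi_square_lsb(samples):
    """Pairs-of-values chi-square statistic over the sample histogram.

    Under full-capacity LSB embedding the counts of 2k and 2k+1 converge to their
    mean, so the two-cell statistic summed over all pairs is chi-square distributed
    with about PAIRS degrees of freedom (mean ~128). A natural histogram, whose pairs
    are unequal, gives a far larger value.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    for k in range(PAIRS):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return chi2


def suspected_lsb_embedding(samples, factor=2.0):
    """Flag the sample set when the statistic is within factor * dof of the embedded case."""
    return chi_square_lsb(samples) < factor * PAIRS


def constructed_cover(n=4096, seed=1):
    """Constructed stand-in for a natural image's sample values: pairs are skewed
    towards the even member, as real histograms rarely have equal pair counts."""
    rng = random.Random(seed)
    return bytes(rng.randrange(PAIRS) * 2 + (1 if rng.random() < 0.1 else 0) for _ in range(n))


def demo(seed=1):
    cover = constructed_cover(seed=seed)
    rng = random.Random(seed + 1)
    payload = [rng.getrandbits(1) for _ in range(len(cover))]  # random bits, as an encrypted payload looks
    stego = embed_lsb(cover, payload)
    return {
        "cover_chi2": round(chi_square_lsb(cover)),
        "stego_chi2": round(chi_square_lsb(stego)),
        "cover_flagged": suspected_lsb_embedding(cover),
        "stego_flagged": suspected_lsb_embedding(stego),
        "payload_recovered": extract_lsb(stego, len(payload)) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

This simple form only catches sequential embedding that fills the cover from the start; a payload scattered by a pseudo-random path, or one occupying a small fraction of the samples, needs the windowed variant of the test or a different detector, which is why the slide lists dedicated tools.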
Digital Forensics Workshop

Case Studies

Case Study
- A financial institution contacted an audit and investigation firm to conduct the yearly financial and accounting audit.
- It is alleged that the company charged 'hidden fees' to customers' accounts.
- The problem one party faced included going through over 10 million transaction records to find evidence to calculate the amount to be paid by the company.

Case Study (cont'd)
- The firm utilized IT General Controls and Application Controls to test several key controls related to the financial and accounting systems.
- Upon conducting Application Controls testing of key controls, the firm found the amount of fees charged by the institution to its customers.
- Data and information were obtained and treated as proof of evidence of the suspected abnormal activities.
- The finding was communicated to the institution's management.
Preventive Actions
Organization’s Prerequisites
 Dedicated I(T) Security Personnel
 IT Security Risk Management
 Security Incidents Plan (Policies and Procedures)
 Security Incidents Logs or Documentations
 Security Incidents Review Activity
 User Access Rights Policies and Procedures
 User Access Rights Documentation
 User Access Rights Review Activity
 Anti Virus and Firewall
September 2016
151
Digital Forensics
Organization’s Prerequisites (cont’d)
 Intrusion Prevention Systems
 Intrusion Detection Systems
 Physical Security
 Data Security
 Information Security
 Software/Application Security
 Database Security
 Vulnerability Assessment
 Penetration Testing
How to Prevent?
 Information Security Strategic Plan (including Cyber
Security domain).
 Information Security Policies, Procedures, Guidelines,
Framework and Standards.
 IT/Information Security personnel (the higher the better)
who report directly to organizational leadership.
 Regular monitoring and controlling activities through
measurement and review process.
 Understanding past security and planning for future
security events.
 Governance, Risk, Legal and Compliance (no longer
Ops-focused).
CCSO on the Rise?
Image courtesy of Mark E. S. Bernard
How to Do?
A flexible organization with a centralized core
 Security Oversight
 Information Risk
 (Cyber) Security Risk
 Security Architecture and Engineering
 Security Operations
Organization Culture
 What do your executives expect from security?
 If not GRLC, then focus on operations
 Build trust and demonstrate value
 Reporting Inside or Outside IT?
 Centralized or Decentralized?
Controls to Enforce Policies
 Log access to data, information and transactions by
unique identifier; this requires log management or a
SIEM.
 Limit access to specific data to specific individuals;
this requires unique system usernames and passwords.
 Sensitive data shall not be emailed outside the
organization; enforce this with DLP or an email
encryption system.
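The first two controls above, turned into a review check as an added example (not from the workshop deck): each access event must be attributable to one named person, and only the individuals listed for a dataset may touch it. The `key=value` log format, the user IDs, the dataset names and the access matrix are all constructed assumptions; a real deployment would feed the same logic from the log management platform or SIEM the slide mentions.

```python
"""Added example: access-log review against an access matrix.

Everything here is constructed: log format, user names, dataset names and
the list of shared accounts are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed application log format: one event per line, space-separated key=value.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) dataset=(?P<dataset>\S+)$"
)

# Constructed access matrix: dataset -> the named individuals allowed to use it.
ACCESS_MATRIX = {
    "customer_pii": {"alice", "bob"},
    "gl_journal": {"carol"},
}

# Generic or shared accounts cannot be tied to one person, so any use of them
# defeats the "log by unique identifier" control.
SHARED_ACCOUNTS = {"admin", "root", "svc_batch"}

# Constructed sample log: five events.
SAMPLE_LOG = """\
2016-09-01T08:00:01Z app=corebank user=alice action=read dataset=customer_pii
2016-09-01T08:05:12Z app=corebank user=dave action=read dataset=customer_pii
2016-09-01T08:07:40Z app=corebank user=admin action=export dataset=gl_journal
2016-09-01T08:09:03Z app=corebank user=carol action=update dataset=gl_journal
2016-09-01T08:11:55Z app=corebank user=bob action=read dataset=unknown_set
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dataset: str
    action: str
    reason: str


def parse_line(line: str):
    """Return the event fields, or None when the line does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def review_access_log(text, matrix=ACCESS_MATRIX, shared=SHARED_ACCOUNTS):
    """Return one Finding per event that violates either control."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            # A line the reviewer cannot parse is itself a finding: the control
            # cannot be evidenced for that event.
            findings.append(Finding("?", "?", "?", "?", f"unparseable log line: {raw!r}"))
            continue
        if ev["user"] in shared:
            reason = "shared account, no unique identifier"
        elif ev["dataset"] not in matrix:
            reason = "dataset has no access policy"
        elif ev["user"] not in matrix[ev["dataset"]]:
            reason = "user not in authorised list for dataset"
        else:
            continue  # compliant event
        findings.append(Finding(ev["ts"], ev["user"], ev["dataset"], ev["action"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

On the sample log the review produces three findings: dave reading customer PII without being on its list, an export of the general ledger under the shared `admin` account, and a read of a dataset that has no policy at all. The last case matters in practice: a dataset missing from the matrix is a gap in the control, not a pass.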
Deploy and Test Controls
 A phased approach
– DLP
– Email Encryption
 Test not only if the solution works technically
but also that it does not impose too great a
burden on employees or processes.
Educate, Educate, Educate
 Our security stakeholders: employees,
executives, partners, suppliers, vendors
 What are our policies?
 How to comply?
 Consequences of failure to comply
Monitoring and Controlling
 Assessment
 Review
 Audit
 Monitor change control
 New vendor relationships
 Marketing initiatives
 Employee terminations
Policies and Procedures
NIST’s Policies and Procedures
 Organizations should ensure their policies contain
clear statements addressing all major forensic
considerations:
 Contacting law enforcement
 Performing monitoring
 Conducting regular reviews of forensic policies and
procedures
 Organizations should create and maintain
procedures and guidelines for performing forensic
tasks, based on the organization’s policies and all
applicable laws and regulations.
NIST’s Policies and Procedures (cont’d)
 Organizations should ensure their policies and
procedures support reasonable and
appropriate use of forensic tools.
 Policies and procedures should clearly explain
what forensic actions should and should not be
performed under various circumstances, as well
as describing the necessary safeguards for
sensitive information recorded by forensic tools
(passwords, personal data, and e-mails).
NIST’s Policies and Procedures (cont’d)
 Legal advisors should carefully review all forensic
policy and high-level procedures.
 Organizations should ensure their IT professionals
are prepared to participate in forensic activities.
 Incident handlers and other first responders to
incidents should understand their roles and
responsibilities for forensics, and receive training and
education on forensics-related policies and
procedures.
Standards and Frameworks
Standards and Frameworks (cont’d)
According to Information Systems Security
Certification Consortium (ISC2) CBK, the
principles are:
A. Support the business
 Focus on the business functions and processes
 Deliver quality and value to stakeholders
 Comply with law and regulation requirements
 Provide timely and accurate information
 Evaluate existing and future information
threats
 Improve information security continuously
B. Secure the organization
 Adopt a risk-based approach
 Protect classified information
 Focus on critical business processes
 Develop systems securely
C. Promote information security
 Attain responsible behavior
 Act in a professional and ethical manner
 Foster a positive information security culture
Standards and Frameworks (cont’d)
ISACA Framework on Information Security
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed
Credit: ISACA
NIST Cybersecurity Framework
 Critical Infrastructure
- Vital infrastructure - private and public operators
- Lack of availability would have “debilitating
impact” on the nation’s security, economy, public
health, safety…
 Executive Order 13636; February 12, 2013
 Threat information sharing
 NIST: Baseline Framework to reduce cyber risk
 “Standards, methodologies, procedures and processes that
align policy, business, and technological approaches…”
Controls Catalog
Framework Core: Example
Credit: NIST
ISO 27001 Standards
ISO 27001 Standards (cont’d)
Best practice recommendations for initiating,
developing, implementing, and maintaining Information
Security Management Systems (ISMS) with:
 Risk Assessment
 Security Policy
 Asset Management
 Physical/Environmental Security
 Access Control
 And many others
Regulations
Numerous Regulations
 Telecommunication Act No. 36/1999 focuses briefly on
telecommunications infrastructure, not on the internet
in particular.
 Information and Transaction Electronic Act No.
11/2008 for legal enforcement against cyber crime.
 Copyright Act No. 19/2002.
 Pornography Act No. 44/2008.
 Electronic System Provider and Electronic
Transaction Regulation No. 82/2012.
Future of Digital Forensics
Future of Digital Forensics
Data Centric Analysis → Conduct Centric Analysis
Forensic Tools → Forensic Services
Future of Digital Forensics (cont’d)
Conduct Centric Analysis
 Multi-source Evidence Acquisition
 Relationship Analysis
 Intuitive Analysis
 Automatic Analysis Based on the
Profile
Future of Digital Forensics (cont’d)
Forensic Services
 Parallel/Distributed Platform for
Large Data Handling
 Adapting to Fast-Changing Devices/Tools
 User Mobility & Connectivity
Future of Digital Forensics (cont’d)
Forensic as a Service
Image: w-dog.net
Thank You!
185
September 2016Digital Forensics

More Related Content

What's hot

Towards an understanding of cyber crime final
Towards an understanding of cyber crime finalTowards an understanding of cyber crime final
Towards an understanding of cyber crime final
Kudakwashe Shamu
 

What's hot (20)

Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say?
 
Cyber crime paper
Cyber crime paperCyber crime paper
Cyber crime paper
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Computer crime
Computer crimeComputer crime
Computer crime
 
Towards an understanding of cyber crime final
Towards an understanding of cyber crime finalTowards an understanding of cyber crime final
Towards an understanding of cyber crime final
 
Cyber Security work shop by Kapil Mehrotra
Cyber Security work shop by Kapil MehrotraCyber Security work shop by Kapil Mehrotra
Cyber Security work shop by Kapil Mehrotra
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach Analysis
 
Cybercrime in Iraq
Cybercrime in IraqCybercrime in Iraq
Cybercrime in Iraq
 
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...
 
Real Life Examples of Cybersecurity with Neo4j
 Real Life Examples of Cybersecurity with Neo4j Real Life Examples of Cybersecurity with Neo4j
Real Life Examples of Cybersecurity with Neo4j
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cybercrime ppt competition
Cybercrime ppt competitionCybercrime ppt competition
Cybercrime ppt competition
 
Cybercrime Awareness
Cybercrime AwarenessCybercrime Awareness
Cybercrime Awareness
 
Ict forensics and audit bb
Ict forensics and  audit bbIct forensics and  audit bb
Ict forensics and audit bb
 
E crime thesis Cyber Crime and its several types
E crime thesis  Cyber Crime and its several typesE crime thesis  Cyber Crime and its several types
E crime thesis Cyber Crime and its several types
 
Cyber Security law in Bangladesh
Cyber Security law in Bangladesh Cyber Security law in Bangladesh
Cyber Security law in Bangladesh
 
Computer crime
Computer crimeComputer crime
Computer crime
 
Cyber Crime - What is it ?
Cyber Crime - What is it ?Cyber Crime - What is it ?
Cyber Crime - What is it ?
 
Baker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBaker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in Cybersecurity
 
Cybercrime by Suphiyaan
Cybercrime by SuphiyaanCybercrime by Suphiyaan
Cybercrime by Suphiyaan
 

Viewers also liked

Global Talent Crisis
Global Talent CrisisGlobal Talent Crisis
Global Talent Crisis
Meghna Verma
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
Goutama Bachtiar
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
Kranthi
 

Viewers also liked (20)

Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentation
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
 
Crafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to InvestorsCrafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to Investors
 
Revitalisasi Teknologi Pendidikan Indonesia
Revitalisasi Teknologi Pendidikan IndonesiaRevitalisasi Teknologi Pendidikan Indonesia
Revitalisasi Teknologi Pendidikan Indonesia
 
Global Talent Crisis
Global Talent CrisisGlobal Talent Crisis
Global Talent Crisis
 
Indians who head global companies
Indians who head global companiesIndians who head global companies
Indians who head global companies
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emam
 
e-government summit - may 2013 - Riyadh - Saudi Arabia - opening note by aqel...
e-government summit - may 2013 - Riyadh - Saudi Arabia - opening note by aqel...e-government summit - may 2013 - Riyadh - Saudi Arabia - opening note by aqel...
e-government summit - may 2013 - Riyadh - Saudi Arabia - opening note by aqel...
 
3rd kingdom cyber security forum it gov in saudi arabia- aqel
3rd kingdom cyber security forum   it gov in saudi arabia- aqel3rd kingdom cyber security forum   it gov in saudi arabia- aqel
3rd kingdom cyber security forum it gov in saudi arabia- aqel
 
Coso Monitoring Training Final
Coso Monitoring Training FinalCoso Monitoring Training Final
Coso Monitoring Training Final
 
PhD Presentation (Doctorate)
PhD Presentation (Doctorate)PhD Presentation (Doctorate)
PhD Presentation (Doctorate)
 
ISO 9001:2015 vs Enterprise Risk Management
ISO 9001:2015 vs Enterprise Risk ManagementISO 9001:2015 vs Enterprise Risk Management
ISO 9001:2015 vs Enterprise Risk Management
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet Banking
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
 

Similar to Conducting Digital Forensics against Crime and Fraud

A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDC
Microsoft Asia
 
Global Commision on Internet Governance
Global Commision on Internet GovernanceGlobal Commision on Internet Governance
Global Commision on Internet Governance
Dominic A Ienco
 
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Tech and Law Center
 
Identity Theft : A Serious Crime
Identity Theft : A Serious CrimeIdentity Theft : A Serious Crime
Identity Theft : A Serious Crime
Tanzim Rizwan
 

Similar to Conducting Digital Forensics against Crime and Fraud (20)

Data Breaches
Data BreachesData Breaches
Data Breaches
 
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
IT_Cutter_Publication
IT_Cutter_PublicationIT_Cutter_Publication
IT_Cutter_Publication
 
Digital Footprints_ Investigating Digital Evidence in Online Crime Cases.pptx
Digital Footprints_ Investigating Digital Evidence in Online Crime Cases.pptxDigital Footprints_ Investigating Digital Evidence in Online Crime Cases.pptx
Digital Footprints_ Investigating Digital Evidence in Online Crime Cases.pptx
 
"Towards Value-Centric Big Data" e-SIDES Workshop - Slide-deck
"Towards Value-Centric Big Data" e-SIDES Workshop - Slide-deck"Towards Value-Centric Big Data" e-SIDES Workshop - Slide-deck
"Towards Value-Centric Big Data" e-SIDES Workshop - Slide-deck
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013
 
Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside ...
Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside ...Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside ...
Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside ...
 
Computer security incidents
Computer security incidentsComputer security incidents
Computer security incidents
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
 
European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016European Cyber Security Perspectives 2016
European Cyber Security Perspectives 2016
 
Information Security from Risk Management and Design
Information Security from Risk Management and DesignInformation Security from Risk Management and Design
Information Security from Risk Management and Design
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
A Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDCA Joint Study by National University of Singapore and IDC
A Joint Study by National University of Singapore and IDC
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Global Commision on Internet Governance
Global Commision on Internet GovernanceGlobal Commision on Internet Governance
Global Commision on Internet Governance
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...
 
Identity Theft : A Serious Crime
Identity Theft : A Serious CrimeIdentity Theft : A Serious Crime
Identity Theft : A Serious Crime
 
Consumers' and Citizens' Privacy
Consumers' and Citizens' Privacy  Consumers' and Citizens' Privacy
Consumers' and Citizens' Privacy
 

More from Goutama Bachtiar

More from Goutama Bachtiar (19)

Crypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainCrypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and Blockchain
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
Blockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryBlockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking Industry
 
Delving into Fintech
Delving into FintechDelving into Fintech
Delving into Fintech
 
Leveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumLeveraging Agile Project Management with Scrum
Leveraging Agile Project Management with Scrum
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology Icons
 
PMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionPMBOK 6th vs 5th Edition
PMBOK 6th vs 5th Edition
 
IS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New EconomyIS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New Economy
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and Challenges
 
Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft Visio
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT Architecture
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information Technology
 
The Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesThe Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the Opportunities
 
Reinforcement of Information Privacy and Security Nowadays
Reinforcement of Information Privacy and Security NowadaysReinforcement of Information Privacy and Security Nowadays
Reinforcement of Information Privacy and Security Nowadays
 
Enterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment FormEnterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment Form
 
Developing and Managing Educational Institution Policies
Developing and Managing Educational Institution PoliciesDeveloping and Managing Educational Institution Policies
Developing and Managing Educational Institution Policies
 
Lessons Learned on Forming and Managing Consulting Practices
Lessons Learned on Forming and Managing Consulting PracticesLessons Learned on Forming and Managing Consulting Practices
Lessons Learned on Forming and Managing Consulting Practices
 
Merekalkulasi ROI Korporasi di Media Sosial
Merekalkulasi ROI Korporasi di Media SosialMerekalkulasi ROI Korporasi di Media Sosial
Merekalkulasi ROI Korporasi di Media Sosial
 

Recently uploaded

一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
F
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
AS
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
apekaom
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
AS
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
ayvbos
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
F
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
A
 

Recently uploaded (20)

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptxA LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 

Conducting Digital Forensics against Crime and Fraud

  • 1. C O N D U C T I N G Image: cyberkov.com D I G I T A L F O R E N S I C S A G A I N S T C R I M E A N D F R A U D
  • 2.
  • 4. Workshop Agenda Day #1 Introducing Digital Forensics  Concept and Definition  Objectives and Goals  Why Important?  Trends and Challenges  Types, Phases and Activities  Various Tools September 2016Digital Forensics 4 Image: gutbuilder
  • 5. Workshop Agenda (cont’d) September 2016Digital Forensics 5 Day #2 Implementing Digital Forensics  Sample Cases  Types in Details  Phases and Activities in Details  Tools in Details  Demonstration
  • 6. Workshop Agenda (cont’d) September 2016Digital Forensics 6 Day #3 Digital Forensics Workshop  Case Studies  Preventive Actions  Policies and Procedures  Standards and Frameworks  Regulations
  • 8. Concept and Definition Image: paololatella.com
  • 9. Concept and Definition September 2016Digital Forensics 9 Digital (Oxford Dictionary)  (of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization. Often contrasted with analogue.  Involving or relating to the use of computer technology: the digital revolution. Forensics (Oxford Dictionary)  Scientific tests or techniques used in connection with the detection of crime.
• 10. Concepts and Definitions (cont’d)
  Therefore Digital Forensics is…
  “Discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.”
• 11. Digital Evidence
  - Information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.
  - Is acquired when data or electronic devices are seized and secured for examination.
• 12. Digital Evidence (cont’d)
  Traits of Digital Evidence:
  - May be found in storage devices like hard disc, CD, DVD, memory card, USB drive, mobile phones and SIM card, and in online resources like mail servers and cloud servers.
  - Can be hidden in password-protected files, encrypted files, steganography files, a formatted hard disc, or the HPA (Host Protected Area) or DCO (Device Configuration Overlay) of a hard drive.
  - Can relate to online fraud, organized crime, identity theft, data theft, unauthorized access, malicious files (virus attack), data alteration, cyber defamation, cyber pornography, online gambling, sale of illegal items, etc.
• 13. Digital Evidence (cont’d)
• 14. Digital Evidence (cont’d)
• 15. Digital Evidence (cont’d)
• 17. Objectives
  Where is the evidence? How do I investigate? How to prove the crime? What is the evidence?
• 18. Objectives (cont’d)
  The most common objective is to support or refute a hypothesis before criminal or civil courts (in civil cases, as part of the electronic discovery process). This is known as identifying direct evidence of a crime or fraud.
• 19. In Practical
  Help to protect from and solve cases of:
  - Theft of intellectual property: any act that allows access to patient data, trade secrets, customer data, and any confidential information.
  - Financial fraud: anything that uses fraudulent solicitation of victims’ information to conduct fraudulent transactions.
• 20. In Practical (cont’d)
  - Hacker system penetration: taking advantage of vulnerabilities of systems or software using tools such as rootkits and sniffers.
  - Distribution and execution of viruses, malware and worms: these are the most common forms of cyber crime and often cause the most damage.
• 21. Goals
  Could be utilized to:
  - Attribute evidence to specific suspects
  - Confirm alibis or statements
  - Determine intent
  - Identify sources (for example, in copyright cases)
  - Authenticate documents
• 23. Because of (Cyber) Crime
  Definition of Crime: “An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act” ~ Oxford Dictionary
• 24. What is Crime? (cont’d)
  Is doing crime illegal? Is being a criminal = being a bad person?
  Crime = Illegal against Law + Bad Motive(s) + On Purpose
  Crime != Illegal against Law + Unintentional + Good Motive(s)
  Crime != Illegal against Law + Unintentional + Bad Motive(s)
  Crime != Illegal against Law + On Purpose + Good Motive(s)
• 25. What is Crime? (cont’d)
  And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
• 26. Defining Cyber Crime
  - It’s an unlawful act wherein the computer is either a tool or a target or both.
  - Acts that are punishable by the Information Technology Act.
  - Happens in and/or through cyber space, a virtual space that has become as important as real space for the economy, business, education, politics, and communities.
• 27. Defining Cyber Crime (cont’d)
  - Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
  - With the pervasion of digital technology, new terms like "high-technology" or "information-age" crime were added to the definition. The Internet brought other new terms, like "cybercrime" and "net" crime.
  - Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
• 28. Fraud
  Oxford Dictionary:
  - Wrongful or criminal deception intended to result in financial or personal gain; or
  - A person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.
  Association of Certified Fraud Examiners (ACFE):
  - Any crime for gain that uses deception as its principal modus operandi.
• 29. Fraud (cont’d)
  Black’s Law Dictionary:
  - A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment; or
  - Any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.
• 30. Fraud vs Lying
  - Fraud usually involves lying for a specific gain that causes someone a loss, while lying does not always cause harm.
  - For example, if we take our car to an unscrupulous mechanic, he may tell us he makes $1,000 a year. If this is a lie, it does not hurt us.
  - However, if our car does not need repairs but the mechanic says our car needs $500 in body work, he/she has committed fraud, because the truth is twisted and it causes a financial loss for us.
• 31. Types of Fraud
  - Internal Fraud: when an employee, manager, or executive commits fraud against his or her employer.
  - External Fraud: vendors, customers, suppliers, integrators, consultants, and other third parties (known or unknown).
  (Image courtesy of City Caucus)
• 32. (Chart courtesy of ACFE)
• 33. Fraud Motives
  Donald Cressey's hypothesis (chart courtesy of ACFE)
• 34. Trends and Challenges (Image: wallpapers-kid.com)
• 35. (Chart, source: IBM; [1] UNODC Comprehensive Study on Cybercrime, 2013)
• 36. (Chart, source: IBM; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies)
• 37. (Chart, source: IBM; [6] ESG: http://bit.ly/1xzTmUW)
• 38. Notable Cyber Attacks
  In 2015 the FBI listed, from the most frequent one:
  - Viruses
  - Employee abuse of internet privileges
  - Unauthorized access by insiders
  - Denial of Service
  - System penetration from the outside
  - Theft of proprietary information
  - Sabotage of data/networks
  - Probing/scanning systems
  - Financial fraud
• 39. Notable Cyber Attacks (cont’d)
  - Manipulate data integrity
  - Installed a sniffer
  - Stole password files
  - Trojan logons
  - IP spoofing
• 40. Common Cyber Attacks
  - Unauthorized access
  - Theft of information
  - Email bombing
  - Data diddling
  - Salami attacks
  - Denial of Service
  (Image courtesy of accidentalcreative.com)
• 41. Common Cyber Attacks (cont’d)
  - Virus and worm attacks
  - Logic bombs
  - Trojan attacks
  - Internet time thefts
  - Web jacking
  - Theft of computer system
  - Physically damaging a computer system
  (Image courtesy of indiatimes.com)
• 42. Cyber Criminals: Who Are They?
  - Kids (age group below 17)
  - Disgruntled employees
  - Organized hacktivists
  - Professional hackers (corporate espionage), either white or black hats
  - Cyber terrorists (political motive)
  (Image courtesy of Travaux)
• 44. Rise of Anti-Forensics
  A set of techniques used as countermeasures to forensic analysis, e.g.:
  - Full-Disk Encryption
    - TrueCrypt on Linux, Windows and OS X
    - FileVault 2 on OS X
    - BitLocker on Windows
  - File Erasers
    - AbsoluteShield File Shredder
    - Heidi Eraser
    - Permanent Eraser
• 45. Rise of Anti-Forensics (cont’d)
  Natively provided by the software principal/vendor.
• 46. Dealing with Steganography
• 47. Types, Phases and Activities (Image: buyamer.com)
• 48. Type of Digital Forensics
• 49. Type of Digital Forensics (cont’d)
  - Disk Forensics: flash, HDD, USB devices
  - Network Forensics: monitoring and analyzing network traffic
  - Memory Forensics: analysis of system dumps
  - Mobile Forensics: acquiring deleted or undeleted data
  - Cloud Forensics: forensic network analysis on cloud computing architecture
• 50. Type of Digital Forensics (cont’d)
  Mobile Forensics (Source: RSA AP Conference 2013)
• 51. Phases and Activities
  - Phase 1: Identification of storage media for potential evidence
  - Phase 2: Acquisition of the storage media
  - Phase 3: Examination and analysis of the acquired media
  - Phase 4: Documentation and reporting
• 52. Phases and Activities (cont’d)
• 54. Type of Tools
  - Commercial/Proprietary Tools: software applications designed with a commercial objective. The source code and the internal working of the software application are privileged and concealed from the user.
  - Open Source Free Tools: software applications available for usage at no cost. The source code and the internal working of the software application are known to the user. Furthermore, the user has the liberty of altering the source code as per the requirements.
• 55. Acquisition Tools
  Proprietary Tools:
  - EnCase Forensic - Guidance Software: www.guidancesoftware.com/encase-forensic.htm
  - FTK – AccessData: www.accessdata.com/products/digital-forensics/ftk
  - WinHex - X-Ways Software Technology AG: www.x-ways.net/winhex/
  - Forensics Apprentice: www.registryforensics.com/
  - BlackLight: www.blackbagtech.com/blacklight-1.html
  - Cellebrite - Mobile Forensics and Data transfer solutions: www.cellebrite.com/
  - Paraben – Handheld Digital Forensics: http://www.paraben.com/handheld-forensics.html
  Open Source Tools:
  - Digital Forensics Framework: www.digital-forensic.org
  - CAINE: www.caine-live.net/
  - DEFT: www.deftlinux.net/
• 56. Examination and Analysis Tools
  Covers: analyzing digital information; identifying and examining malicious files; recovering deleted, fragmented or corrupted data; analyzing online activities; analyzing mobiles.
  Proprietary Tools:
  - EnCase Forensic - Guidance Software: www.guidancesoftware.com/encase-forensic.htm
  - FTK – AccessData: www.accessdata.com/products/digital-forensics/ftk
  - WinHex - X-Ways Software Technology AG: www.x-ways.net/winhex/
  - Forensics Apprentice: www.registryforensics.com/
  - BlackLight: www.blackbagtech.com/blacklight-1.html
  - Cellebrite - Mobile Forensics and Data transfer solutions: www.cellebrite.com/
  - Paraben – Handheld Digital Forensics: http://www.paraben.com/handheld-forensics.html
  Open Source Tools:
  - Digital Forensics Framework: www.digital-forensic.org
  - CAINE: www.caine-live.net/
  - DEFT: www.deftlinux.net/
  - SAFT Mobile Forensics: www.signalsec.com/saft/
• 57. Examination and Analysis Tools (cont’d)
  Analyzing RAM:
  - Free Tools: CMAT http://sourceforge.net/projects/cmat; Volafox https://www.volatilesystems.com/default/volatility; Volatility https://www.volatilesystems.com/default/volatility
  - Proprietary Tools: Second Look http://secondlookforensics.com/; WindowsScope http://windowsscope.com/; Memoryze http://www.mandiant.com/resources/download/memoryze/
  Network Forensics (capturing / analyzing network packets):
  - Free Tools: Wireshark http://www.wireshark.org/; NetworkMiner http://networkminer.en.malavida.com/
  - Proprietary Tools: NetIntercept http://www.securitywizardry.com/index.php/products/forensic-solutions/network-forensic-tools/niksun-netintercept.html
  Registry analysis:
  - Free Tools: Registry Decoder http://www.digitalforensicssolutions.com/registrydecoder/
  - Proprietary Tools: Registry Recon http://arsenalrecon.com/apps/
  Identifying traces of network / computer intrusion.
• 58. Examination and Analysis Tools (cont’d)
  Password cracking (employing techniques to crack file and system passwords):
  - Free Tools: John the Ripper www.openwall.com/john; cracking passwords for Windows, PDF, Word, RAR, ZIP and Excel: http://pcsupport.about.com/od/toolsofthetrade/tp/password-cracker-recovery.htm
  - Proprietary Tools: Password Recovery www.elcomsoft.com/products.html; Passware http://www.lostpassword.com/
  Detecting Pornography:
  - Free Tools: Redlight Porn Scanner http://dfcsc.uri.edu/research/redLightTrial [NIJ Funded Project: http://www.nij.gov/topics/technology/software-tools.htm]
  - Proprietary Tools: SurfRecon http://www.surfrecon.com/products/home-edition.php
• 62. Indonesia Facts
  Security Threat reports and Symantec say:
  - 36.6 million cyber attacks (35% from outside, the rest from inside the country) from 2012 to 2014.
  - 497 cyber crime cases from 2012 to April 2015, of which 389 involved foreigners and 108 local citizens.
  - Fake bank accounts, money laundering, artificial LC documents, camouflage posting.
  - Accounted for 4.1% of the world's cyber crimes.
  - The highest percentage of PCs infected by malware across the globe.
  Government CSIRT says:
  - 60% of government domains encountered web defacements and 36% were infected by malware.
• 63. Indonesia Facts (cont’d)
  - According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
  - Yet the figures for Indonesia are unknown.
  - Dakaadvisory predicts around USD 2.3bn in 2013 by multiplying the number of victims by the cost per victim.
  - Of the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated for Cyber Security.
• 65. Cyber Crime-as-a-Service Marketplace
  - Has continued to mature over the past two years.
  - Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
  - Has become fiercely competitive.
  - Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
  - Generalized increase in the quality of malware produced.
  - Enables a much larger pool of bad actors with no technical knowledge to profit.
• 66. Cyber Crime-as-a-Service Marketplace (cont’d)
  - Many types of attack are simple and low cost.
  - Phishing attacks: 500,000 email addresses cost $30.
  - Hosting a phishing site can be more or less free.
  - Thousands of credit cards can be stolen in return for around $100.
• 67. Cyber Crime-as-a-Service Marketplace (cont’d) (Image courtesy of EMC)
• 68. Mobile Encounters Larger Attack Surface
  - In 2015, 1.5 billion units were shipped. [1]
  - The vast majority of mobile malware is still focused on the Android platform, due to its openness and popularity: Android 79%, iOS 15% and the rest 5%. [2]
  - Banking Trojans, used with SMS sniffers, are increasing.
  Scenario: a user is persuaded through social engineering to download mobile malware from their PC. During an online banking session, a screen pops up inviting the user to download a mobile app (masquerading as a security feature), which is actually an SMS sniffer. When the user's bank detects unusual activity, such as a high-value wire transfer, and sends an out-of-band one-time password to the user's mobile that must be entered to authorize the transaction, the criminal can intercept it and complete the transfer to their own account.
  [1] IDC Worldwide Smart Phone 2015-2019 Forecast and Analysis; [2] IDC Worldwide Quarterly Mobile Phone Tracker
• 69. Mobile-Only Attack Vectors (Image courtesy of EMC)
• 70. Ransomware Continues
  - On mobile devices, such as Police Locker, capitalizing on typical user behavior during installation.
  - Gains the privileges needed to lock the device.
  - Gives instructions to pay a ransom to unlock the files (or to 'pay a fine' because the phone supposedly contains 'illegal content').
  - Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
• 71. Larger Retail and Financial Attacks
  - Shift from attacks on individuals to mass attacks on retailers and financial institutions.
  - Banking botnets are becoming more resilient and harder to take down.
  - Utilize the deep web and untraceable peer-to-peer networks (Tor and I2P) to increase resilience and anonymity, and to hide their infrastructure from law enforcement agencies.
  - Private botnets, written specifically for an individual gang (harder to trace and analyze).
  - Point of Sale (POS) malware and RAM scrapers are used.
• 72. (Image courtesy of EMC)
• 73. Larger Retail and Financial Attacks (cont’d)
  - Transferring cash from a bank's system to criminals' own accounts.
  - ATM attacks: directly cashing out an ATM.
  - Ransom requests: extorting money based on locking private information about a bank's customers.
• 74. Phases and Activities in Details (Image: desktopwallpaperhd.com)
• 75. Phases and Activities
  - Phase 1: Identification of storage media for potential evidence
  - Phase 2: Acquisition of the storage media
  - Phase 3: Examination and analysis of the acquired media
  - Phase 4: Documentation and reporting
• 76. Phases and Activities (cont’d)
  - Analyzing digital information
  - Identifying traces of network / computer intrusion
  - Identifying and examining malicious files
  - Employing techniques to crack file and system passwords
  - Detecting steganography
  - Recovering deleted, fragmented and corrupted data
  - Maintaining evidence custody procedures
  - Analyzing online activities
  - Courtroom presentation
• 77. Activities Involved
  - Identifying 5W 1H
  - Identifying and understanding the scenario
  - Identifying the approach
  - Identifying techniques and tools
  - Acquiring the data and information needed
  - Analyzing data and information
  - Identifying evidence
  - Drawing the conclusion (based on facts)
• 78. 5W1H
  - What was hacked, compromised, stolen, accessed, looked at, etc.
  - By whom (caution: attribution is hard!)
  - When
  - How
  - Impact (technical and business)
  - Likely motives
  - Capabilities
  - Remediation steps
  - Future mitigation to avoid repeats
  - Liability
• 80. Scenarios
  Internal, such as employees or contractors:
  - Employee accessed inappropriate but not illegal internet material
  - Employee accessed internal data they were not authorised to
  - Employee committed an internally focused financial crime
  - Employee disclosed intellectual property to an unauthorised third party
  - Employee is soon to depart and stole intellectual property for personal benefit
  - Employee used work resources for personal enterprise
  - Other disciplinary issue…
• 81. Scenarios (cont’d)
  External:
  - Malicious phishing/spear phishing e-mails sent into an organization
  - Malicious code present on a system
  - Credentials compromised
  - Host, system or network was compromised
  - Data was stolen/exfiltrated (taken out)
  - Data was changed
  - Data was added
  - Theft/fraud
  - Mobile devices tampered with (evil maid)
• 82. Scenarios (cont’d)
  This sounds like a scary scale, right? But it happens every day. In most organizations of a moderate size you’d expect at least one such incident a day/week (you pick), if you could detect them all.
• 83. Approach
  We normally start with a suspicion or an indicator of compromise. Knowing there is something to be found, versus aimlessly looking for something that might not be there, leads to a more focused approach.
• 84. Approach (cont’d)
  - Doing bit-by-bit copies of multi-terabyte systems is slow and challenging in a lot of cases.
  - We don’t need to in a lot of cases, as we (generally) know where we want to look to confirm suspicions.
  - We are interested a lot of the time in rich data sources rather than looking for one elusive deleted file.
  - Attackers/threat actors are often sloppy.
• 85. Tools in Details (Image: wallpapersafari.com)
• 86. Data Collection
  - It is basically the acquisition of data.
  - Recording and labeling the data of the computers.
  - Two ways of collecting data: volatile and non-volatile.
  - Data is also collected from other sources, offline and online.
• 87. Volatile Data
  - Data that requires power to be maintained.
  - Examples: RAM, page files, swap, caches.
  - Tools: Belkasoft Live RAM Capturer, Memory DD, MANDIANT Memoryze.
• 88. Non-volatile Data
  - Present in the permanent storage of the computing device.
  - Copying this type of data is known as forensic imaging.
  - Data is collected from storage devices like hard disk, CD, DVD, etc.
  - Data should be preserved without any modification or alteration.
  - Tools: EnCase, ProDiscover, WinHex, The Sleuth Kit and FTK.
• 89. Order of Volatility
• 90. Data Examination
  - File system assessment through NTFS.
  - Windows registry assessment: HKEY_CLASSES_ROOT, HKEY_USERS, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG, HKEY_LOCAL_MACHINE.
  - Database forensic assessment: DDL, DCL and DML transactions in the database are assessed.
  - Network forensic assessment: browsing data, mails and IP addresses are assessed.
• 91. Don’t Forget Hashing
  - After a clone/image is made.
  - After complete analysis of the disk/image, calculate the hash again.
  - Needed to prove in court that the evidence has not been tampered with.
  - Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
• 92. Typical Tools
  In a Windows environment:
  - ipconfig is used for the collection of subject system details.
  - net users and quser can identify logged-in user information.
  - doskey or history for collecting command history.
  - net file is used to identify the services and drivers.
• 93. Typical Tools (cont’d): etc.
• 94. Open Source and Free Tools
  SANS Investigative Forensic Toolkit (SIFT): Linux-based VM with a huge collection of tools for acquisition and analysis. http://digital-forensics.sans.org/community/downloads
• 95. Open Source and Free Tools (cont’d)
  The Sleuth Kit & Autopsy: http://www.sleuthkit.org/
• 96. Open Source and Free Tools (cont’d)
  FTK Imager: http://accessdata.com/product-download
• 97. Open Source and Free Tools (cont’d)
  National Software Reference Library: known-good hashes for software, so they can be excluded from analysis. http://www.nsrl.nist.gov/
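The two hashing uses on slides 91 and 97 (proving an image was not altered during examination, and excluding known-good files from analysis) in working form. This is an added example, not code from the workshop or from NIST: the evidence "image" is a temporary file the script writes itself, and KNOWN_GOOD_SHA1 is an invented stand-in for an NSRL hash set, not real NSRL data.

```python
"""Added example, not code from the workshop slides: evidence-image
integrity hashing (slide 91, "Don't Forget Hashing") and known-good
hash exclusion (slide 97, National Software Reference Library).

Everything below runs on constructed data: the "image" is a temporary
file written by the example, and KNOWN_GOOD_SHA1 is an invented stand-in
for an NSRL hash set, not real NSRL data.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time: images are far larger than RAM


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, computed by streaming it in fixed-size chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, acquisition_digest: str,
                 algorithm: str = "sha256") -> Tuple[bool, str]:
    """Re-hash the image (e.g. after analysis) and compare with the digest
    recorded at acquisition. Returns (unchanged?, current digest) so both
    values can be written into the custody log."""
    current = hash_file(path, algorithm)
    return current == acquisition_digest, current


def filter_known_good(files: Dict[str, bytes], known_good: Set[str]) -> List[str]:
    """Names of files whose SHA-1 is NOT in the known-good set.
    SHA-1 is used because the classic NSRL RDS lists SHA-1 (and MD5);
    the hash must match the algorithm of the reference set."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha1(data).hexdigest() not in known_good)


# --- constructed sample data (not real binaries) ---------------------------
SAMPLE_FILES = {
    "kernel32.dll": b"constructed stand-in for an OS library",
    "notepad.exe": b"constructed stand-in for a stock OS binary",
    "dropper.exe": b"constructed stand-in for an unknown binary",
}
# Pretend the first two are in the reference set (in practice: NSRL RDS).
KNOWN_GOOD_SHA1 = {
    hashlib.sha1(SAMPLE_FILES["kernel32.dll"]).hexdigest(),
    hashlib.sha1(SAMPLE_FILES["notepad.exe"]).hexdigest(),
}


def integrity_demo() -> Tuple[bool, bool]:
    """Write a 3 MiB constructed image, hash it at 'acquisition', confirm the
    hash before analysis, then flip one byte to simulate the image being
    touched (e.g. mounted without a write blocker) and re-verify."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            for i in range(3):
                fh.write(bytes([i]) * CHUNK)
        acquisition = hash_file(path)
        before_ok, _ = verify_image(path, acquisition)
        with open(path, "r+b") as fh:      # the accidental write
            fh.seek(CHUNK + 7)
            fh.write(b"\x99")
        after_ok, _ = verify_image(path, acquisition)
        return before_ok, after_ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("image intact before/after simulated write:", integrity_demo())
    print("files left to examine:", filter_known_good(SAMPLE_FILES, KNOWN_GOOD_SHA1))
```

Record the acquisition digest together with the algorithm name, the tool used and the time; a second digest computed when the examination ends, matching the first, is what the court report cites.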
• 98. Open Source and Free Tools (cont’d)
  Volatility: de facto open source memory forensics tool; Windows, Mac and Linux support. http://www.volatilityfoundation.org/
• 102. Open Source and Free Tools (cont’d)
  Cuckoo Sandbox: http://www.cuckoosandbox.org/about.html
• 103. Open Source and Free Tools (cont’d)
  Yara: http://plusvic.github.io/yara/
• 105. Open Source and Free Tools (cont’d)
  Microsoft Sysinternals. Some highlights: Process Explorer, Process Monitor. https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx
• 106. Open Source and Free Tools (cont’d)
  Bulk Extractor: https://github.com/simsong/bulk_extractor
• 108. Open Source and Free Tools (cont’d): Memory Forensics
• 109. What is memory forensics?
  In short, the reconstruction, typically from a physical RAM dump, of a representation of the system that was running at the time, which can be queried and otherwise interrogated as part of a forensics exercise. It allows us to capture transient or ephemeral aspects such as some aspects of screen layout or connections, and other non-persisting malware / exploits.
• 110. How does it work?
  - Dump physical contiguous RAM, OR get the hibernation file.
  Then:
  1. Parse the physical image for key structures for the OS version
  2. Rebuild the kernel and user space virtual memory layout
  3. Overlay OS concepts
  Sounds easy… It isn’t: look at the Volatility source.
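Step 1 above (parsing the physical image for key structures) is easiest to see on a toy dump. The following is an added example, not the workshop's code and not Volatility's: it builds a tiny "physical memory" in which process objects sit on a linked list the way a kernel keeps them, with one object unlinked, then shows that walking the list misses it while carving raw memory for the object signature still finds it. Volatility's pslist and psscan plugins differ on real dumps in exactly this way; the record layout, the "Proc" tag and the offsets here are invented for the example.

```python
"""Added example, not the workshop's code: a toy of what a memory forensics
tool does in step 1 above (parse the physical image for key structures).
A tiny "physical memory" is built in which process objects are kept in a
linked list the way the kernel keeps them; one object has been unlinked,
so walking the list misses it while scanning raw memory for the object
signature still finds it. The record layout, tag and offsets are invented.
"""
import struct

TAG = b"Proc"                       # invented 4-byte object signature
REC = struct.Struct("<4sI16sI")     # tag, pid, name (NUL padded), flink


def build_process(pid, name, flink):
    return REC.pack(TAG, pid, name.encode("ascii").ljust(16, b"\0"), flink)


def build_sample_dump():
    """Construct a 4 KiB 'RAM dump' and return (bytes, list head offset)."""
    mem = bytearray(0x1000)
    # Linked list: head -> 0x100 -> 0x400 -> end
    mem[0x100:0x100 + REC.size] = build_process(4, "System", 0x400)
    mem[0x400:0x400 + REC.size] = build_process(812, "explorer.exe", 0)
    # Unlinked object: still resident, but no list entry points to it
    mem[0x800:0x800 + REC.size] = build_process(1337, "inject.exe", 0)
    # A stray tag in freed memory: the fields after it are zero, so it
    # must be rejected by validation rather than reported as a process
    mem[0xC00:0xC04] = TAG
    return bytes(mem), 0x100


def parse_process(mem, offset):
    tag, pid, raw_name, flink = REC.unpack_from(mem, offset)
    name = raw_name.rstrip(b"\0").decode("ascii", errors="replace")
    return {"offset": offset, "pid": pid, "name": name, "flink": flink}


def looks_valid(rec):
    """Sanity checks a scanner applies to every candidate hit."""
    return rec["pid"] > 0 and rec["name"] != "" and rec["name"].isprintable()


def pslist(mem, head):
    """Walk the linked list from the head, guarding against cycles."""
    seen, out, off = set(), [], head
    while off and off not in seen and off + REC.size <= len(mem):
        seen.add(off)
        rec = parse_process(mem, off)
        out.append(rec)
        off = rec["flink"]
    return out


def psscan(mem):
    """Carve every validly formed process object, linked or not."""
    out, pos = [], mem.find(TAG)
    while pos != -1:
        if pos + REC.size <= len(mem):
            rec = parse_process(mem, pos)
            if looks_valid(rec):
                out.append(rec)
        pos = mem.find(TAG, pos + 1)
    return out


def hidden_processes(mem, head):
    """Cross-view: objects the scan finds but the list walk does not."""
    listed = {r["offset"] for r in pslist(mem, head)}
    return [r for r in psscan(mem) if r["offset"] not in listed]


if __name__ == "__main__":
    dump, head = build_sample_dump()
    print("pslist:", [r["pid"] for r in pslist(dump, head)])
    print("psscan:", [r["pid"] for r in psscan(dump)])
    print("hidden:", [(r["pid"], r["name"]) for r in hidden_processes(dump, head)])
```

The cross-view comparison at the end is the point: a list walk trusts the kernel's own bookkeeping, a scan does not, and an object that appears only in the scan is exactly the kind of transient finding slide 109 says memory forensics exists to capture.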
• 111. What tool? Volatility
  - Python, but binary distributions are available
  - Open source
  - Plugin architecture (we wrote one – it was easy)
  - Awesome
• 116. Live Digital Forensics
  - ProDiscover IR
  - Helix
  - Sleuth Kit & Autopsy
  - CAINE
  - FTK/EnCase making them live? Both newer offerings have live capabilities.
• 122. M-Sweep Pro Data Eliminator
• 129. Basic Forensics
  - Registry
  - Thumbs.db
  - Index.dat
  - Commands
• 130. Registry
  - Last Logon: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Security Center: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  - Recent Documents: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
  - Typed URLs: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
• 132. Thumbs.DB
  - Pictures opened in Windows OS
  - Filmstrip
  - Thumbnails
  - Thumbs.DB Viewer
• 133. Index.DAT
  Contains all of the Web sites:
  - Every URL
  - Every Web page
  - All email sent or received through Outlook or Outlook Express
  - All internet temp files
  - All pictures viewed
• 134. Commands
  - dir: lists all files and directories in the directory that you are currently in.
  - ls: lists the contents of your home directory by adding a tilde after the ls command.
  - ps: displays the currently running processes.
  - fdisk: a utility that provides disk partitioning functions and information.
• 135. Locations of Index.DAT files
  - Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  - Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  - Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
  - C:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat
• 138. Safe Block XP
• 139. Software Write Block
  Registry edit for USB block:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
  - Write protect:
    - Disable (block) USB writes: WriteProtect dword:00000001
    - Enable (allow) USB writes: WriteProtect dword:00000000
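Two of the registry artifacts on slides 130 and 139 (typed URLs, and the WriteProtect value behind the software write block) can be read from a .reg export instead of a live machine, which is how an examiner usually handles them. The parser below is an added example, not the workshop's code: it handles the .reg export format written by `reg export` and regedit (string, dword and multi-line hex values), pulls the TypedURLs entries in their numeric order, and reports whether the StorageDevicePolicies key blocks USB writes. SAMPLE_REG is a constructed export and its URLs are invented.

```python
"""Added example, not the workshop's code: a small parser for Windows
.reg exports, used to pull two artifacts named on the slides from an
export rather than from a live system: Internet Explorer typed URLs
(slide 130) and the StorageDevicePolicies WriteProtect value behind the
software write block (slide 139). SAMPLE_REG is constructed; its URLs
are invented. `reg export` writes UTF-16LE with a BOM, so read real
files with encoding="utf-16" before passing the text in.
"""
import re
from typing import Dict, List, Optional

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
                "HKCC": "HKEY_CURRENT_CONFIG"}
TYPED_URLS = r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
STORAGE_POLICIES = r"HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed export (not from a real machine); url10 is there on purpose,
# because a naive string sort would place it between url1 and url2.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.test/"
"url2"="http://files.example.test/share"
"url10"="http://www.example.test/"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
'''


def _norm_key(key: str) -> str:
    """Expand hive abbreviations and lower-case (registry paths are case-insensitive)."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + "\\" + rest).lower()


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _parse_value(raw: str):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                       # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                            # REG_DWORD
    if raw.lower().startswith("hex"):                      # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw                                             # unknown form: keep text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {normalised key path: {value name: value}} for a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex continuation lines
    reg: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = reg.setdefault(_norm_key(line[1:-1]), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        current[name] = _parse_value(m.group(2))
    return reg


def typed_urls(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """TypedURLs in numeric order (url1 is the most recently typed)."""
    values = reg.get(_norm_key(TYPED_URLS), {})
    numbered = []
    for name, val in values.items():
        m = re.fullmatch(r"url(\d+)", name, re.IGNORECASE)
        if m and isinstance(val, str):
            numbered.append((int(m.group(1)), val))
    return [v for _, v in sorted(numbered)]


def usb_write_protected(reg: Dict[str, Dict[str, object]]) -> Optional[bool]:
    """True when WriteProtect=1 (USB mass storage mounts read-only), False
    when 0, None when the key or value is absent (no software write block)."""
    val = reg.get(_norm_key(STORAGE_POLICIES), {}).get("WriteProtect")
    return None if val is None else bool(val)


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("typed URLs:", typed_urls(reg))
    print("USB write-protected:", usb_write_protected(reg))
```

Checking the export for WriteProtect before attaching suspect media is the verification step for the software write block: a missing key means no block is in place, and a hardware write blocker is the safer choice when one is available.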
• 141. Steganography
  - Detection: WetStone Technologies' Gargoyle; Niels Provos' Stegdetect
  - Hiding: StegoMagic; wbStego; HIP (Hide In Picture)
• 145. Case Study
  - A financial institution contacted an audit and investigation firm to conduct its yearly Financial and Accounting Audit.
  - It was alleged that the company charged ‘hidden fees’ to customers’ accounts.
  - The problem one party faced included going through over 10 million transaction records to find evidence and calculate the amount to be paid by the company.
• 146. Case Study (cont’d)
  - The firm utilized IT General Controls and Application Controls to test several key controls related to the Financial and Accounting systems.
  - Upon conducting Application Controls to test key controls, the firm found the amount of fees charged by the institution to its customers.
  - Data and information were obtained and treated as proof of evidence of suspected abnormal activities.
  - The finding was communicated to the institution’s management.
• 148. Organization’s Prerequisites
  - Dedicated I(T) Security Personnel
  - IT Security Risk Management
  - Security Incidents Plan (Policies and Procedures)
  - Security Incidents Logs or Documentation
  - Security Incidents Review Activity
  - User Access Rights Policies and Procedures
  - User Access Rights Documentation
  - User Access Rights Review Activity
  - Anti Virus and Firewall
• 149. Organization’s Prerequisites (cont’d)
  - Intrusion Prevention Systems
  - Intrusion Detection Systems
  - Physical Security
  - Data Security
  - Information Security
  - Software/Application Security
  - Database Security
  - Vulnerability Assessment
  - Penetration Testing
• 150. How to Prevent?
  - Information Security Strategic Plan (including the Cyber Security domain).
  - Information Security Policies, Procedures, Guidelines, Framework and Standards.
  - IT/Information Security personnel (the higher the better) who report directly to organizational leadership.
  - Regular monitoring and controlling activities through measurement and review processes.
  - Understanding past security events and planning for future ones.
  - Governance, Risk, Legal and Compliance (no longer Ops-focused).
• 151. CCSO on the Rise? (Image courtesy of Mark E. S. Bernard)
• 152. How to Do?
  A flexible organization with a centralized core:
  - Security Oversight
  - Information Risk
  - (Cyber) Security Risk
  - Security Architecture and Engineering
  - Security Operations
• 153. Organization Culture
  - What do your executives expect from security?
  - If not GRLC, then focus on operations
  - Build trust and demonstrate value
  - Reporting inside or outside IT?
  - Centralized or decentralized?
• 154. Controls to Enforce Policies
  - “Log access to data, information and transactions by unique identifier”: requires log management or a SIEM.
  - “Limit access to specific data to specific individuals”: requires unique system usernames and passwords.
  - “Sensitive data shall not be emailed outside the organization”: requires DLP or an email encryption system.
• 155. Deploy and Test Controls
  - A phased approach: DLP; Email Encryption.
  - Test not only whether the solution works technically, but also that it does not impose too great a burden on employees or processes.
• 156. Educate, Educate, Educate
  - Our security stakeholders: employees, executives, partners, suppliers, vendors
  - What are our policies?
  - How to comply?
  - Consequences of failure to comply
• 157. Monitoring and Controlling
  - Assessment
  - Review
  - Audit
  - Monitor change control
  - New vendor relationships
  - Marketing initiatives
  - Employee terminations
• 159. NIST’s Policies and Procedures
  - Organizations should ensure their policies contain clear statements addressing all major forensic considerations:
    - Contacting law enforcement
    - Performing monitoring
    - Conducting regular reviews of forensic policies and procedures
  - Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization’s policies and all applicable laws and regulations.
• 160. NIST’s Policies and Procedures (cont’d)
  - Organizations should ensure their policies and procedures support reasonable and appropriate use of forensic tools.
  - Policies and procedures should clearly explain what forensic actions should and should not be performed under various circumstances, as well as describe the necessary safeguards for sensitive information recorded by forensic tools (passwords, personal data, and e-mails).
• 161. NIST’s Policies and Procedures (cont’d)
  - Legal advisors should carefully review all forensic policy and high-level procedures.
  - Organizations should ensure their IT professionals are prepared to participate in forensic activities.
  - Incident handlers and other first responders to incidents should understand their roles and responsibilities for forensics, and receive training and education on forensics-related policies and procedures.
• 163. Standards and Frameworks
• 164. Standards and Frameworks (cont’d)
  According to the Information Systems Security Certification Consortium (ISC2) CBK, the principles are:
  A. Support the business
  - Focus on the business functions and processes
  - Deliver quality and value to stakeholders
  - Comply with law and regulation requirements
  - Provide timely and accurate information
  - Evaluate existing and future information threats
  - Improve information security continuously
• 165. Standards and Frameworks (cont’d)
  B. Secure the organization
  - Adopt a risk-based approach
  - Protect classified information
  - Focus on critical business processes
  - Develop systems securely
  C. Promote information security
  - Attain responsible behavior
  - Act in a professional and ethical manner
  - Foster a positive information security culture
• 166. ISACA Framework on Information Security (chart, credit: ISACA)
  ISMS: Information Security Management Systems. R: Responsible; A: Accountable; C: Coordinate; I: Informed.
• 167. NIST Cybersecurity Framework
  - Critical Infrastructure: vital infrastructure; private and public operators; lack of availability would have a “debilitating impact” on the nation’s security, economy, public health, safety…
  - Executive Order 13636; February 12, 2013
  - Threat information sharing
  - NIST: Baseline Framework to reduce cyber risk
  - “Standards, methodologies, procedures and processes that align policy, business, and technological approaches…”
• 169. Framework Core: Example (chart, credit: NIST)
• 170. ISO 27001 Standards
• 171. ISO 27001 Standards (cont’d)
  Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS), with:
  - Risk Assessment
  - Security Policy
  - Asset Management
  - Physical/Environmental Security
  - Access Control
  - And many others
• 173. Numerous Regulations
  - Telecommunication Act No. 36/1999: focused on telecommunications infrastructure briefly; not the internet in particular.
  - Information and Electronic Transaction Act No. 11/2008: for legal enforcement against cyber crime.
  - Copyright Act No. 19/2002.
  - Pornography Act No. 44/2008.
  - Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
• 174. Future of Digital Forensics
• 175. Future of Digital Forensics
  Data Centric Analysis –> Conduct Centric Analysis
  Forensic Tools –> Forensic Services
• 176. Future of Digital Forensics (cont’d)
  Conduct Centric Analysis:
  - Multi-source Evidence Acquisition
  - Relationship Analysis
  - Intuitive Analysis
  - Automatic Analysis Based on the Profile
• 177. Future of Digital Forensics (cont’d)
  Forensic Services:
  - Parallel/Distributed Platform for Large Data Handling
  - Adapting to Fast-Changing Devices/Tools
  - User Mobility & Connectivity
• 178. Future of Digital Forensics (cont’d): Forensic as a Service
• 179. Future of Digital Forensics (cont’d): Forensic as a Service
• 180. Future of Digital Forensics (cont’d): Forensic as a Service
• 181. Future of Digital Forensics (cont’d)