Overview of Cyber Forensics
GAYATRI VIDYA PARISHAD COLLEGE FOR DEGREE AND P.G COURSES (A)
RUSHIKONDA-530045, VISAKHAPATNAM
By Prasanna Kumar Panda, MCA 4th Sem
Contents
1. Primer: Cyber Forensics Glossary
2. States of Data
3. Network Forensics
4. Event Log Analysis and Sources
5. Anti-Forensics Detection
6. Timeline Analysis
© Yansi Keim
PRIMER
What is Cybersecurity?
▶ What? Cybersecurity tends to focus on how malicious actors use electronic assets
(Internet, WAN, LAN, routers, printers, network appliances) to attack information.
▶ Why? To prevent individuals, organizations, financial institutions and universities from
cyber attacks including kill chains, zero-day attacks, ransomware, malware etc.
▶ How? Running the assets safely with security implementations of databases, networks,
hardware, firewalls and encryption.
What is Cyber Forensics?
▶ What? The practice of gathering, retaining, and analyzing computer-related data for
investigative purposes in a manner that maintains the integrity of the data.
▶ How? Through the digital forensics investigation process including: Identification,
Preservation, Analysis, and Presentation (IPAP).
▶ Why? Used in criminal investigations to identify what happened, how it happened,
when it happened and the people involved.
Relationship between Cybersecurity and Cyber Forensics
▶ Cybersecurity aims to protect electronic assets from breaches; whereas cyber forensics explains how a policy was violated and who was responsible for it.
Fig. 1 Feedback cycle of Cybersecurity and Cyber Forensics (diagram: Cybersecurity and Cyber Forensics feeding back into each other)
Edmond Locard’s Principle
Locard’s Principle - Perpetrator of a crime will bring
something into the crime scene and leave with something
from it, and that both can be used as forensic evidence;
thus, every Cyber Fraud or Cyber Crime will have evidence.
Example:
10 people decide to go hunting and all shoot at the same
deer at the same time. The group takes the deer’s life;
however, there is only 1 entry wound. Which hunter killed
the deer?
Digital Forensics Investigation Process Model
Fig. Stages of the process model: Identification → Collection → Preservation → Examination → Analysis → Presentation (stages carried out at the crime scene and in the lab)
Stage 1: Identification
In this stage, potential sources of relevant evidence and/or information (devices), as well as key custodians and the location of data, are identified:
• determine the scope of the incident
• assess the case
• nature of the case: internal, civil or criminal
• characteristics of the case
Stage 2: Collection
Collecting digital information that may be relevant to the investigation.
Collection may involve removing the electronic device(s) from the crime or
incident scene and then taking photos, imaging, copying or printing out its
(their) content.
*Important Note*: As collection begins, those persons doing the collecting
should keep the Chain of Custody in mind.
Stage 2: Collection: Chain of Custody (CoC)
The CoC is a printed or electronic document in which the acquisition, custody and transfers of any piece of
evidence are recorded. It must include all basic information regarding:
1. Acquisition: Who, when, where and how. Who acquired the evidence, when and where the evidence
was acquired, and what method was used.
2. Custody: Who, where, how and how long. Who had possession of the evidence, where it was kept,
what method was used to store it, and how long it was kept.
3. Processing: What was done to the evidence (cloning, analysis, etc.)
4. Transfer: Transfer of the evidence from one possessor to another, recorded along with the signature of
the new keeper.
5. Final Fate: Destruction, secure deletion of evidence, return of evidence to owner, etc.
Collecting Evidence: What is the most important thing?
▶ Document, document, document
▶ Lawfully capture evidence
▶ Make cryptographically verifiable copies
▶ Setup secure storage of collected evidence
▶ Establish chain of custody
▶ Analyze copies only
▶ Use legally obtained, reputable tools
▶ Document every step
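The CoC record types on the previous slide and the checklist items "make cryptographically verifiable copies" and "analyze copies only" fit together in one small ledger. The following is an added example, not code from the slides: each ledger entry records who, when, where and how, together with a SHA-256 digest of the evidence image, so any hand-over that sees a modified image is caught. Examiner names, dates and the evidence bytes are constructed sample values.

```python
"""Chain-of-custody ledger with cryptographic verification.

Added example; not code from the original slides. It models the five CoC
record types the slide lists (acquisition, custody, processing, transfer,
final fate) and enforces two collection rules from the checklist: make
cryptographically verifiable copies, and analyze copies only. Names, dates
and evidence bytes are constructed sample values.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest that seals the image at acquisition and is re-checked at every hand-over."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CoCEntry:
    action: str   # acquisition | custody | processing | transfer | final_fate
    who: str      # who acquired / held / processed / received the evidence
    where: str
    how: str
    when: str     # ISO 8601 timestamp supplied by the person making the entry
    digest: str   # SHA-256 of the evidence image when the entry was made


@dataclass
class EvidenceRecord:
    evidence_id: str
    sealed_digest: str                 # digest taken at acquisition
    entries: List[CoCEntry] = field(default_factory=list)

    def add(self, action: str, who: str, where: str, how: str, when: str,
            image: bytes) -> bool:
        """Append an entry; return whether the image still matches the seal."""
        digest = sha256_hex(image)
        self.entries.append(CoCEntry(action, who, where, how, when, digest))
        return digest == self.sealed_digest

    def intact(self) -> bool:
        """True only if every recorded step saw an unmodified image."""
        return all(e.digest == self.sealed_digest for e in self.entries)


def acquire(evidence_id: str, device: bytes, who: str, where: str, how: str,
            when: str) -> Tuple[EvidenceRecord, bytes]:
    """Acquisition: take a bit-for-bit image and seal it with its digest."""
    image = bytes(device)
    record = EvidenceRecord(evidence_id, sha256_hex(image))
    record.add("acquisition", who, where, how, when, image)
    return record, image


def working_copy(record: EvidenceRecord, master: bytes) -> bytearray:
    """Analyze copies only: verify the master, then hand out a mutable copy."""
    if sha256_hex(master) != record.sealed_digest:
        raise ValueError(f"{record.evidence_id}: master image fails verification")
    return bytearray(master)


def demo() -> dict:
    """Walk one exhibit through acquisition, transfer, processing and a tamper check."""
    # Constructed stand-in for a seized drive's raw contents.
    device = b"MBR\x00" * 16 + b"user data ... deleted file remnants ..."
    record, master = acquire("EV-001", device, who="Examiner A",
                             where="Scene, Room 2", how="write-blocked imager",
                             when="2019-11-13T18:44:09Z")
    handover_ok = record.add("transfer", "Examiner A -> Examiner B", "Lab",
                             "sealed bag, hash re-verified",
                             "2019-11-13T21:00:00Z", master)
    copy = working_copy(record, master)
    copy[0:3] = b"XXX"             # analysis touches the copy, never the master
    processing_ok = record.add("processing", "Examiner B", "Lab",
                               "keyword search on working copy",
                               "2019-11-14T09:30:00Z", master)
    # A master whose last byte was altered is caught at the next hand-over.
    tampered = bytearray(master)
    tampered[-1] ^= 0xFF
    court_ok = record.add("transfer", "Examiner B -> Court clerk", "Court",
                          "hash re-verified", "2019-12-01T10:00:00Z", bytes(tampered))
    return {"handover_ok": handover_ok, "processing_ok": processing_ok,
            "tamper_detected": not court_ok, "ledger_intact": record.intact(),
            "entries": len(record.entries)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest is computed over the whole image at every entry rather than trusted from the previous entry; that is what lets the final transfer detect the single-byte change while the earlier entries still verify.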
Stage 3: Preservation
The process of preserving relevant electronically stored information (ESI) by
protecting the crime or incident scene, capturing visual images of the scene
and documenting all relevant information about the evidence and how it was
acquired.
It is an important step because information held on volatile electronic devices may be lost if they are not handled with care.
Stage 4: Examination
The purpose of the examination process is to extract and analyze digital
evidence.
Extraction refers to the recovery of data from its media.
*Important Note*
Before dealing with the data, it is imperative to know the types of data, which are discussed in later slides.
Stage 5: Analysis
An in-depth systematic search of evidence relating to the incident being
investigated.
The outputs of examination are data objects found in the collected information;
this may include system- and user-generated files.
Note: Timeline Analysis aims to draw conclusions based on the evidence found.
Stage 6: Presentation
Begins with reports based on proven techniques and methodologies.
Also includes the aspect that other competent forensic examiners should be able
to duplicate and reproduce the same results.
States of Data
Data at Rest, in Use, & in Transit
Forensically Analyzing Data at Rest: Disk Imaging
Disk imaging is defined as the processes and tools used to copy a physical storage device for conducting investigations and gathering evidence.
The copy does not just include the files visible to the operating system but every bit of data: every sector, partition, file and folder, the master boot record, deleted files and unallocated space. The image is an identical copy of all the drive structures and contents.
Note: Imaging is not Copy and Paste | Tool: EnCase Forensics
Disk cloning: Analyzing Data at Rest
Disk cloning creates a copy of the original drive and includes all the
information that will enable the duplicate (cloned) drive to boot the operating
system, accessing all the files as if it were the original. The Disk Cloning process
creates what is known as a 'one-to-one' copy.
This duplicate is fully functional and, if it is swapped in to replace the original drive, will work just like the original. The computer, when booted from the cloned drive, has operations and data identical to the original drive.
Forensically Analyzing Data in Use: Techniques
▶ Cross-drive analysis
▶ Correlation of information found on multiple hard drives.
▶ Techniques:
• multi-drive correlation
• creation of timelines
▶ Application: identifying social networks and performing anomaly detection
▶ Live Analysis
▶ Examination of computers’ operating systems using custom forensics to extract evidence in real time.
▶ Techniques:
• Acquisition of RAM (RAM dump) and capture of the PageFile
• Crash Dump
• VM Snapshot
▶ Application: Identifying and quantifying the threat, collecting artifacts – running processes, suspicious mutexes, prefetch files, registry keys, open network connections, system accounts
Network Forensics
Data in Transit
Network Forensics
▶ What? Process of collecting and analyzing raw network data and tracking network traffic.
▶ Why? Intruders leave a trail behind, and that trail is a data record for the incident responder(s). It is also important for the daily security operations workflow.
▶ How? Through alerts, network log analysis, threat hunting and intelligence, SIEM.
Network based Evidence: Methods of acquisition
1. Ethernet
▶ Eavesdropping via sniffers
▶ Popular packet analyzers: Wireshark (Win/Linux/MacOS), TCPdump (Unix), Tshark, Netflow
2. Sysinternals
▶ RegMon shows registry data in real time
▶ Process explorer shows what is loaded
▶ Handle shows open files and processes using them
▶ Filemon shows file system activity
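What a packet analyzer such as Wireshark or tcpdump actually does with "raw network data" is decode a capture file header by header and group the packets into conversations. The block below is an added example, not code from the slides or from those tools: it writes a small libpcap capture in memory from constructed packets, parses the Ethernet, IPv4, TCP and UDP headers, and aggregates the result into flows. The addresses, ports and timestamps are constructed sample values, and checksums are left zero because nothing here puts the frames on a wire.

```python
"""Minimal libpcap reader for network-based evidence.

Added example; not code from the slides or from Wireshark/tcpdump. It builds a
small capture in memory from constructed packets, parses the Ethernet, IPv4,
TCP and UDP headers the way a packet analyzer does, and groups packets into
conversations. Addresses, ports and timestamps are constructed sample values.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def tcp_segment(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    """20-byte TCP header (data offset 5, checksum left zero) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data


def udp_datagram(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II header + IPv4 header (IHL 5, checksum left zero) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, proto, 0, ip_addr(src), ip_addr(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + payload


def build_pcap(packets: List[Tuple[int, bytes]]) -> bytes:
    """libpcap file: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(blob: bytes) -> List[dict]:
    """One record per IPv4 TCP/UDP packet: timestamp, 5-tuple and captured length."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"                       # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                       # written on a big-endian host
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                       # ARP, IPv6, truncated: not handled here
        ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
        proto = frame[23]
        transport = frame[14 + ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(transport) < 4:
            continue
        sport, dport = struct.unpack("!HH", transport[:4])
        records.append({"ts": ts_sec + ts_usec / 1e6,
                        "src": ".".join(map(str, frame[26:30])), "sport": sport,
                        "dst": ".".join(map(str, frame[30:34])), "dport": dport,
                        "proto": proto, "bytes": incl_len})
    return records


def conversations(records: List[dict]) -> Dict[tuple, dict]:
    """Aggregate packets by (src, sport, dst, dport, proto), like an analyzer's conversation view."""
    flows: Dict[tuple, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += r["bytes"]
    return dict(flows)


# Constructed capture: a TCP handshake plus request to 192.0.2.10:443 and one DNS query.
SAMPLE_PCAP = build_pcap([
    (1573670649, ipv4_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, tcp_segment(51000, 443, 0x02))),
    (1573670649, ipv4_frame("192.0.2.10", "10.0.0.5", PROTO_TCP, tcp_segment(443, 51000, 0x12))),
    (1573670650, ipv4_frame("10.0.0.5", "192.0.2.10", PROTO_TCP,
                            tcp_segment(51000, 443, 0x18, b"GET / HTTP/1.1\r\n"))),
    (1573670651, ipv4_frame("10.0.0.5", "192.0.2.53", PROTO_UDP, udp_datagram(40000, 53, b"\x00" * 12))),
])

if __name__ == "__main__":
    for flow, stats in conversations(parse_pcap(SAMPLE_PCAP)).items():
        print(flow, stats)
```

The reader honours the magic number rather than assuming byte order, and it uses the IHL field instead of a fixed 20-byte IPv4 header, two details that real captures from different hosts and with IP options will exercise.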
Network based Evidence: Methods of acquisition
3. PsTools (SysInternals)
▶ PsExec - execute processes remotely
▶ PsFile - shows files opened remotely
▶ PsGetSid - display the SID of a computer or a user
▶ PsInfo - list information about a system
▶ PsPing - measure network performance
▶ PsKill - kill processes by name or process ID
▶ PsList - list detailed information about processes
Network based Evidence: Methods of acquisition
4. Intrusion Detection System
▶ Host based IDS
▶ Network based IDS
5. Intrusion Prevention System
▶ Host based IPS
▶ Network based IPS
6. Honey Pots
▶ Low Interaction
▶ High Interaction
7. Firewalls
Fig. Types of Firewalls
Network based Evidence: Logs… where can you find them?
▶ Most network traffic leaves an audit trail.
▶ Routers, firewalls and servers maintain logs
▶ DHCP log
▶ Firewalls offer logging.
▶ IDS can capture part of an attack
▶ Host-based sensors detect alteration of libraries
▶ Login attempts are logged
▶ Note: Chain of Custody: captured files need to be authenticated
Event Log Analysis and Sources
Event Log Analysis
What? On any OS platform (Windows/Linux/MacOS) event logs contain a lot of useful information about the system and its users.
How? Through log manager and analyzer tools, all the event data can be captured automatically.
Why? Event logs can provide investigators with details about applications, login timestamps for users and system events of interest.
Event Viewer in Windows (screenshot)
Event Log Sources
▶ Malware
▶ Web-Based Attacks
▶ Phishing
▶ Spam
▶ Denial of Service
▶ DDoS (Distributed) Attacks
▶ Ransomware
▶ Web Application
▶ Botnet
▶ Insider Threat
System Auditing
▶ Auditing should identify attacks (successful or not) that pose a threat to your network,
and attacks against resources that you have determined to be valuable in your risk
assessment.
▶ Auditing helps track what programs ran on the investigated computers.
▶ Windows security auditing lets you enable process tracking and monitor process creation
and process termination.
▶ To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local
Security Policy (secpol.msc).
▶ You should configure Security Settings -> Audit Policy -> Audit Process Tracking or
use Advanced Audit Policy Configuration -> System Audit Policy -> Detailed
Tracking.
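Once process tracking is enabled as described above, the Security log records process creation and termination events, and the value to an investigator is the parent/child chain they let you rebuild. The following is an added example, not code from the slides: it takes constructed, simplified stand-ins for Windows Event ID 4688 (process creation) and 4689 (process termination) records, reconstructs the process tree, and runs one simple detection over it. The event IDs and field names (NewProcessId, ProcessId as the creator's PID, NewProcessName, SubjectUserName) are Windows conventions known to the editor rather than taken from the slides; the hostnames, users and timestamps are constructed.

```python
"""Reconstructing a process tree from Windows process-tracking audit events.

Added example; not code from the slides. Once Detailed Tracking / Audit Process
Tracking is enabled, the Security log records process creation (Event ID 4688)
and termination (Event ID 4689). The records below are constructed, simplified
stand-ins for the EventData fields of those events (ProcessId in a 4688 event
is the creator's PID, NewProcessId the child's); they are not from a real host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample events. The Security log writes PIDs as hex strings.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2019-11-13T18:44:01Z", "SubjectUserName": "alice",
     "ProcessId": "0x1a4", "NewProcessId": "0x9c0",
     "NewProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "TimeCreated": "2019-11-13T18:44:09Z", "SubjectUserName": "alice",
     "ProcessId": "0x9c0", "NewProcessId": "0xa10",
     "NewProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 4688, "TimeCreated": "2019-11-13T18:44:12Z", "SubjectUserName": "alice",
     "ProcessId": "0xa10", "NewProcessId": "0xb44",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "TimeCreated": "2019-11-13T18:44:13Z", "SubjectUserName": "alice",
     "ProcessId": "0xb44", "NewProcessId": "0xb88",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4689, "TimeCreated": "2019-11-13T18:44:20Z", "SubjectUserName": "alice",
     "ProcessId": "0xb88",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Process:
    pid: str
    name: str
    user: str
    parent: str                    # creator PID as logged; may not have its own 4688
    start: str
    end: Optional[str] = None      # set from the matching 4689 event
    children: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_process_tree(events: List[dict]) -> Dict[str, Process]:
    """Link 4688 creations to their creator and close them with 4689 terminations.

    Caveat: Windows reuses PIDs after termination, so a production tool keys on
    (PID, start time) rather than PID alone; this toy keeps one process per PID.
    """
    procs: Dict[str, Process] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4688:
            pid, parent = ev["NewProcessId"], ev["ProcessId"]
            procs[pid] = Process(pid, ev["NewProcessName"], ev["SubjectUserName"],
                                 parent, ev["TimeCreated"])
            if parent in procs:
                procs[parent].children.append(pid)
        elif ev["EventID"] == 4689 and ev["ProcessId"] in procs:
            procs[ev["ProcessId"]].end = ev["TimeCreated"]
    return procs


def lineage(procs: Dict[str, Process], pid: str) -> List[str]:
    """Ancestry of a process as executable names, root first."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid].name))
        pid = procs[pid].parent
    return chain[::-1]


def office_spawned_shells(procs: Dict[str, Process]) -> List[str]:
    """Detection: PIDs of shells whose direct parent is an Office application."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.parent)
        if parent and basename(parent.name) in OFFICE and basename(p.name) in SHELLS:
            hits.append(p.pid)
    return hits


def render(procs: Dict[str, Process], pid: str, depth: int = 0) -> str:
    """Indented text tree starting at pid, suitable for an examiner's report."""
    p = procs[pid]
    line = f"{'  ' * depth}{basename(p.name)} pid={p.pid} start={p.start} end={p.end or 'running'}"
    return "\n".join([line] + [render(procs, c, depth + 1) for c in p.children])


if __name__ == "__main__":
    tree = build_process_tree(SAMPLE_EVENTS)
    for root in [p.pid for p in tree.values() if p.parent not in tree]:
        print(render(tree, root))
    print("office -> shell:", office_spawned_shells(tree))
```

Without process-termination events the tree cannot say how long anything ran, which is why the slide pairs process creation with process termination; the caveat in the docstring about PID reuse is the first thing that bites when this is applied to a full day of logs.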
Threat Hunting
Threat Hunting – A focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks. It is a method of searching through networks and datasets to find APTs that evade existing security defenses. (SANS)
Note: It is not a set of tools. It requires human intervention at every step.
Types of Threat Hunting
▶ Statistical Anomaly – Threats can be detected by taking note of
abnormal behavior in a system or network. You may notice this
intuitively, but it is better to have a performance “baseline” for
comparison.
▶ Open Source Intelligence (OSINT) – Monitoring media sources: social
media, e-mail, gossip around the “water cooler”
▶ Situational Awareness – You’re monitoring specific assets, performing
risk assessments, and finding threats.
Threat Hunting Cycle
Fig. Threat hunting loop: Purpose → Create hypotheses → Investigate via tools and techniques → Uncover new patterns and TTPs → Inform & enrich analytics
Source: https://virtualizationandstorage.files.wordpress.com/2018/08/framework-for-threat-hunting-whitepaper.pdf
Anti-Forensic Detection
RECOVERING DELETED FILES
Source: File Systems and Hard Drives
▶ Traditional hard drives store data in 512-byte sectors, while modern hard drives use what is called Advanced Format, which has 4096-byte sectors.
▶ However, file systems look at clusters, not sectors. A cluster can be from 1 to 128 sectors.
▶ To recover data, you must know which OS and file system is active on the suspect machine.
Anti-Forensics Detection: Disk Data and Recovery Tools
▶ What all can be recovered?
▶ Known files
▶ Deleted files
▶ Slack Space
▶ Unallocated Space
▶ Compressed File and Sectors
Available Tools
▶ Hex Editor
▶ EnCase Forensics
▶ Volatility
▶ Autopsy (Open Source)
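The earlier note that "imaging is not Copy and Paste" and this slide's list of what can be recovered (deleted files, slack space, unallocated space) are two views of the same fact: a file-level copy reads only allocated bytes, while a sector-level image carries everything on the medium. The block below is an added example, not code from the slides or from EnCase or Autopsy. It lays out a toy volume of 512-byte sectors in 4-sector clusters with a simplified directory table, then contrasts a logical copy with a forensic image and carves slack, unallocated clusters and a deleted file from the image. The file names and contents are constructed sample data, and the directory-table format is an invention of the example, not a real file system.

```python
"""Toy disk showing what a forensic image preserves that a file copy does not.

Added example; not code from the slides or from EnCase/Autopsy. It lays out a
small "drive" of 512-byte sectors grouped into 4-sector clusters with a
simplified directory table (the slides' real-world figures are 512- or
4096-byte sectors and clusters of 1 to 128 sectors). A file-level copy sees
only allocated files; a sector-level image also carries slack space, deleted
files and unallocated clusters. All content below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER          # 2048 bytes
NUM_CLUSTERS = 8                                # 16 KiB toy volume; cluster 0 is reserved

NOTES = b"meeting notes: budget review, 13 Nov\n"
PLAN = b"project plan: phase 1 ... " * 100      # 2600 bytes, spans two clusters


@dataclass
class DirEntry:
    name: str
    first_cluster: int
    size: int
    allocated: bool   # False: "deleted"; the entry lingers, clusters are freed, data untouched


def cluster_count(entry: DirEntry) -> int:
    return -(-entry.size // CLUSTER)            # ceiling division


def build_sample_disk():
    disk = bytearray(CLUSTER * NUM_CLUSTERS)
    disk[0:3] = b"MBR"                          # stand-in for the boot/partition area
    # Cluster 1 once held a bigger file; notes.txt was written over its start,
    # so the old bytes survive as slack past notes.txt's logical end.
    disk[CLUSTER:2 * CLUSTER] = (b"OLD-OCCUPANT " * 200)[:CLUSTER]
    disk[CLUSTER:CLUSTER + len(NOTES)] = NOTES
    # plan.docx was deleted: its directory entry is unallocated, data still on disk.
    disk[3 * CLUSTER:3 * CLUSTER + len(PLAN)] = PLAN
    directory = [DirEntry("notes.txt", 1, len(NOTES), True),
                 DirEntry("plan.docx", 3, len(PLAN), False)]
    return disk, directory


def logical_copy(disk: bytearray, directory: List[DirEntry]) -> Dict[str, bytes]:
    """What Copy and Paste gives you: allocated files, exactly their logical size."""
    return {e.name: bytes(disk[e.first_cluster * CLUSTER:e.first_cluster * CLUSTER + e.size])
            for e in directory if e.allocated}


def forensic_image(disk: bytearray) -> bytes:
    """Bit-for-bit image: every sector, allocated or not."""
    return bytes(disk)


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def slack_space(disk: bytearray, entry: DirEntry) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster."""
    start = entry.first_cluster * CLUSTER + entry.size
    end = (entry.first_cluster + cluster_count(entry)) * CLUSTER
    return bytes(disk[start:end])


def unallocated_clusters(directory: List[DirEntry]) -> Set[int]:
    """Clusters no allocated file claims (cluster 0 is reserved, not counted)."""
    used = {c for e in directory if e.allocated
            for c in range(e.first_cluster, e.first_cluster + cluster_count(e))}
    return set(range(1, NUM_CLUSTERS)) - used


def recover_deleted(disk: bytearray, directory: List[DirEntry]) -> Dict[str, bytes]:
    """Read deleted files back via their lingering entries; works until clusters are reused."""
    return {e.name: bytes(disk[e.first_cluster * CLUSTER:e.first_cluster * CLUSTER + e.size])
            for e in directory if not e.allocated}


if __name__ == "__main__":
    disk, directory = build_sample_disk()
    image = forensic_image(disk)
    print("image sha256:", image_digest(image))
    print("logical copy has:", list(logical_copy(disk, directory)))
    print("slack after notes.txt:", slack_space(disk, directory[0])[:26])
    print("unallocated clusters:", sorted(unallocated_clusters(directory)))
    print("recovered:", {k: v[:24] for k, v in recover_deleted(disk, directory).items()})
```

The cluster arithmetic is the part that carries over to real file systems: slack exists because allocation is in whole clusters, and a deleted file is recoverable only while none of its clusters have been handed to a new file, which is why the slide insists on knowing which file system is in play before attempting recovery.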
Timeline Analysis
Timeline Analysis
▶ Used in cybercrime investigation to answer questions like
▶ When was a computer used?
▶ What events occurred before or after a given event?
▶ A timeline tool extracts timestamps and clusters similar events from the seized device. The places to find these timestamps are:
▶ Files on the disk
▶ Web or Internet Artefacts
▶ Tool specific data
▶ Tools used: Maltego and Autopsy
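The three timestamp sources named above do not share a clock format, so before any tool can sort or cluster events it has to normalize them. The following is an added example, not code from the slides or from Autopsy or Maltego: it converts constructed artefacts stored as NTFS FILETIME (100 ns units since 1601), Chrome WebKit time (microseconds since 1601), Unix epoch seconds and a tool log's naive local time into UTC, sorts them into one timeline, and clusters events that fall within a minute of each other. The artefact values, the UTC+05:30 offset assumed for the sample host, and the descriptions are all constructed.

```python
"""Normalizing timestamps from several artefact types into one timeline.

Added example; not code from the slides or from Autopsy/Maltego. The slide
names three places to find timestamps: files on the disk, web artefacts and
tool-specific data. Each stores time differently (NTFS FILETIME in 100 ns
units since 1601, Chrome's WebKit time in microseconds since 1601, Unix epoch
seconds, and local wall-clock text in tool logs), so a timeline tool must
first bring them to one clock before sorting and clustering. All artefact
values below are constructed samples.
"""
from datetime import datetime, timedelta, timezone
from typing import List

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME and WebKit epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch


def from_filetime(filetime: int) -> datetime:
    """NTFS/MFT timestamp: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def from_webkit(webkit_us: int) -> datetime:
    """Chrome History.db timestamp: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=webkit_us)


def from_unix(seconds: float) -> datetime:
    return EPOCH_1970 + timedelta(seconds=seconds)


def from_local_text(text: str, utc_offset_minutes: int) -> datetime:
    """Tool logs often carry naive local time; the machine's UTC offset must be known."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(minutes=utc_offset_minutes)))
    return local.astimezone(timezone.utc)


# Constructed artefacts; the "raw" field is what each source actually stores.
SAMPLE_ARTEFACTS = [
    {"source": "MFT", "kind": "filetime", "raw": 132181442490000000,
     "desc": "report.docx last modified"},
    {"source": "Chrome History", "kind": "webkit", "raw": 13218144280000000,
     "desc": "visit https://example.invalid/upload"},
    {"source": "syslog", "kind": "unix", "raw": 1573635600,
     "desc": "user session opened"},
    {"source": "tool log (local time, UTC+05:30)", "kind": "local", "raw": "2019-11-14 00:14:15",
     "desc": "archiver run"},
]

CONVERTERS = {
    "filetime": from_filetime,
    "webkit": from_webkit,
    "unix": from_unix,
    "local": lambda raw: from_local_text(raw, 330),  # UTC+05:30 assumed for the sample host
}


def build_timeline(artefacts: List[dict]) -> List[dict]:
    """Convert every artefact to UTC and sort; ties keep input order."""
    rows = []
    for art in artefacts:
        when = CONVERTERS[art["kind"]](art["raw"])
        rows.append({"utc": when.isoformat(), "source": art["source"],
                     "desc": art["desc"], "_dt": when})
    rows.sort(key=lambda r: r["_dt"])
    return rows


def cluster(timeline: List[dict], window_seconds: int = 60) -> List[List[dict]]:
    """Group events whose gap to the previous event is at most window_seconds."""
    clusters: List[List[dict]] = []
    for row in timeline:
        if clusters and (row["_dt"] - clusters[-1][-1]["_dt"]).total_seconds() <= window_seconds:
            clusters[-1].append(row)
        else:
            clusters.append([row])
    return clusters


if __name__ == "__main__":
    for group in cluster(build_timeline(SAMPLE_ARTEFACTS)):
        print("---")
        for row in group:
            print(row["utc"], row["source"], row["desc"])
```

The local-time converter is the fragile step: if the suspect machine's zone or DST state is recorded wrongly, every tool-log event shifts by hours relative to the file-system and browser events, which is exactly the kind of ordering error the previous slide's figure is meant to rule out.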
Fig. A timeline like this communicates the order of events to the judge and other parties
Source: Digital Archaeology: The Art and Science of Digital Forensics by Michael W. Graves
Identifying Perpetrators (Machines/Users)
▶ Check for live systems with Nmap (Kali Linux)
▶ Connect Scan
▶ Half-open Scan
▶ XMAS Scan
▶ FIN Scan
▶ ACK Scan
▶ Null Scan
▶ Idle Scan
▶ Banner Grabbing
▶ OS Version Check
▶ Services Running on the OS and their version
▶ Check for open ports
▶ Vulnerability Scanning
▶ Tools: Nessus, Acunetix
Thank You
More Related Content

Similar to cyberforensicsv2-191113184409.pptx

Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteDamir Delija
 
EDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-iltaEDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-iltaDavid Kearney
 
Digital forensic science and its scope manesh t
Digital forensic science and its scope manesh tDigital forensic science and its scope manesh t
Digital forensic science and its scope manesh tManesh T
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfGnanavi2
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Ethical Hacking And Computer Forensics
Ethical Hacking And Computer ForensicsEthical Hacking And Computer Forensics
Ethical Hacking And Computer ForensicsShanaAneevan
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Stepsgamemaker762
 
Network forensics
Network forensicsNetwork forensics
Network forensicsArthyR3
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Toolsijtsrd
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1Jinalkakadiya
 

Similar to cyberforensicsv2-191113184409.pptx (20)

Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
EDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-iltaEDRM Foundational e-Discovery Practices-ilta
EDRM Foundational e-Discovery Practices-ilta
 
Digital forensic science and its scope manesh t
Digital forensic science and its scope manesh tDigital forensic science and its scope manesh t
Digital forensic science and its scope manesh t
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdf
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
GDPR & Forensics Readiness -English
GDPR & Forensics Readiness -EnglishGDPR & Forensics Readiness -English
GDPR & Forensics Readiness -English
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
 
PACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic Procedures
 
Ethical Hacking And Computer Forensics
Ethical Hacking And Computer ForensicsEthical Hacking And Computer Forensics
Ethical Hacking And Computer Forensics
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Tools
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
180 184
180 184180 184
180 184
 

More from PrasannaKumarpanda2

neuralinterfacing-130331081952-phpapp01.pdf
neuralinterfacing-130331081952-phpapp01.pdfneuralinterfacing-130331081952-phpapp01.pdf
neuralinterfacing-130331081952-phpapp01.pdfPrasannaKumarpanda2
 
seminarpptfogcomp-170420185314.pptx
seminarpptfogcomp-170420185314.pptxseminarpptfogcomp-170420185314.pptx
seminarpptfogcomp-170420185314.pptxPrasannaKumarpanda2
 
sky-xpranav-140418121657-phpapp01.pptx
sky-xpranav-140418121657-phpapp01.pptxsky-xpranav-140418121657-phpapp01.pptx
sky-xpranav-140418121657-phpapp01.pptxPrasannaKumarpanda2
 
cyborgs-150208232058-conversion-gate01.pdf
cyborgs-150208232058-conversion-gate01.pdfcyborgs-150208232058-conversion-gate01.pdf
cyborgs-150208232058-conversion-gate01.pdfPrasannaKumarpanda2
 
Future Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxFuture Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxPrasannaKumarpanda2
 
facebookthrift-151001153400-lva1-app6891.pptx
facebookthrift-151001153400-lva1-app6891.pptxfacebookthrift-151001153400-lva1-app6891.pptx
facebookthrift-151001153400-lva1-app6891.pptxPrasannaKumarpanda2
 
PowerBIReportServer_duryan_20170919.pptx
PowerBIReportServer_duryan_20170919.pptxPowerBIReportServer_duryan_20170919.pptx
PowerBIReportServer_duryan_20170919.pptxPrasannaKumarpanda2
 
3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdfPrasannaKumarpanda2
 
Future Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxFuture Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxPrasannaKumarpanda2
 

More from PrasannaKumarpanda2 (13)

neuralinterfacing-130331081952-phpapp01.pdf
neuralinterfacing-130331081952-phpapp01.pdfneuralinterfacing-130331081952-phpapp01.pdf
neuralinterfacing-130331081952-phpapp01.pdf
 
seminarpptfogcomp-170420185314.pptx
seminarpptfogcomp-170420185314.pptxseminarpptfogcomp-170420185314.pptx
seminarpptfogcomp-170420185314.pptx
 
Blue Eyes Technology RAMA.pptx
Blue Eyes Technology RAMA.pptxBlue Eyes Technology RAMA.pptx
Blue Eyes Technology RAMA.pptx
 
sky-xpranav-140418121657-phpapp01.pptx
sky-xpranav-140418121657-phpapp01.pptxsky-xpranav-140418121657-phpapp01.pptx
sky-xpranav-140418121657-phpapp01.pptx
 
nikhilvyas-130904132740-.pptx
nikhilvyas-130904132740-.pptxnikhilvyas-130904132740-.pptx
nikhilvyas-130904132740-.pptx
 
cyborgs-150208232058-conversion-gate01.pdf
cyborgs-150208232058-conversion-gate01.pdfcyborgs-150208232058-conversion-gate01.pdf
cyborgs-150208232058-conversion-gate01.pdf
 
nikhilvyas-130904132740-.pdf
nikhilvyas-130904132740-.pdfnikhilvyas-130904132740-.pdf
nikhilvyas-130904132740-.pdf
 
Future Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxFuture Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptx
 
facebookthrift-151001153400-lva1-app6891.pptx
facebookthrift-151001153400-lva1-app6891.pptxfacebookthrift-151001153400-lva1-app6891.pptx
facebookthrift-151001153400-lva1-app6891.pptx
 
TCS.pptx
TCS.pptxTCS.pptx
TCS.pptx
 
PowerBIReportServer_duryan_20170919.pptx
PowerBIReportServer_duryan_20170919.pptxPowerBIReportServer_duryan_20170919.pptx
PowerBIReportServer_duryan_20170919.pptx
 
3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf
 
Future Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptxFuture Challenges in Computer Science.pptx
Future Challenges in Computer Science.pptx
 

Recently uploaded

Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌  8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 

cyberforensicsv2-191113184409.pptx

  • 7. Edmond Locard's Principle
  Locard's exchange principle: the perpetrator of a crime brings something into the crime scene and leaves with something from it, and both can be used as forensic evidence. Applied to computers, every cyber fraud or cyber crime leaves evidence behind.
  Example: 10 people go hunting and all shoot at the same deer at the same time. The group takes the deer's life; however, there is only one entry wound. Which hunter killed the deer?
  • 8. Digital Forensics Investigation Process Model
  [Figure: six stages in order. At the crime scene: Identification, Collection, Preservation. In the lab: Examination, Analysis, Presentation.]
  The six-stage model refines the four-step IPAP summary (Identification, Preservation, Analysis, Presentation) by separating Collection from Preservation and Examination from Analysis.
  • 9. Stage 1: Identification
  In this stage, potential sources of relevant evidence and information (devices), the key custodians and the location of the data are identified. This stage:
  ▶ determines the scope of the incident
  ▶ assesses the case
  ▶ establishes the nature of the case: internal, civil or criminal
  ▶ records the characteristics of the case
  • 10. Stage 2: Collection
  Collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then photographing, imaging, copying or printing out their content.
  *Important Note*: From the moment collection begins, the people doing the collecting must maintain the Chain of Custody.
  • 11. Stage 2: Collection: Chain of Custody (CoC)
  The CoC is a printed or electronic document in which the acquisition, custody and every transfer of each piece of evidence are recorded. It must include all basic information regarding:
  1. Acquisition: who, when, where and how. Who acquired the evidence, when and where it was acquired, and what method was used.
  2. Custody: who, where, how and how long. Who had possession of the evidence, where it was kept, what method was used to store it, and for how long.
  3. Processing: what was done to the evidence (cloning, analysis, etc.).
  4. Transfer: each hand-over of the evidence from one possessor to another, recorded together with the signature of the new keeper.
  5. Final fate: destruction, secure deletion of the evidence, return of the evidence to its owner, etc.
  • 12. Collecting Evidence: What is the most important thing?
  ▶ Document, document, document
  ▶ Lawfully capture evidence
  ▶ Make cryptographically verifiable copies (hash the original and the copy, and keep the hashes with the chain of custody)
  ▶ Set up secure storage for the collected evidence
  ▶ Establish chain of custody
  ▶ Analyze copies only
  ▶ Use legally obtained, reputable tools
  ▶ Document every step
  • 13. Stage 3: Preservation
  The process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired. It is an important step because volatile data (RAM contents, running processes, open network connections) is lost if a device is powered off or handled carelessly; collect the most volatile data first.
  • 14. Stage 4: Examination
  The purpose of the examination process is to extract digital evidence from the collected data and make it available for analysis. Extraction refers to the recovery of data from its media.
  *Important Note*: Before dealing with the data, it is imperative to know the states of data (at rest, in use, in transit), which are discussed in later slides.
  • 15. Stage 5: Analysis
  An in-depth, systematic search of the evidence relating to the incident under investigation. The inputs are the data objects that examination found in the collected information; these may include system- and user-generated files.
  Note: Timeline analysis aims to draw conclusions based on the evidence found.
  • 16. Stage 6: Presentation
  Reporting the findings, based on proven techniques and methodologies. The report must also allow other competent forensic examiners to duplicate the process and reproduce the same results.
  • 17. States of Data
  • 18. Data at Rest, in Use, & in Transit
  • 19. Forensically Analyzing Data at Rest: Disk Imaging
  Disk imaging is the set of processes and tools used to copy a physical storage device for conducting investigations and gathering evidence. The copy includes not only the files visible to the operating system but every bit of data: every sector and partition, files and folders, the master boot record, deleted files and unallocated space. The image is an identical copy of all the drive structures and contents.
  Note: Imaging is not copy and paste. Acquire through a write blocker so the original is never modified, and hash both the source and the image so the copy can be verified before every analysis session. | Tool: EnCase Forensics
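The acquisition, verification and chain-of-custody steps described above, as an added example (not code from the slides or from any of the tools named on them). A constructed random file stands in for the suspect drive so the script runs offline; the `acquire`, `coc_entry` and `verify_image` names, the evidence ID and the examiner and location strings are all assumptions for the demo. A real acquisition would read the block device through a hardware write blocker.

```python
"""Bit-for-bit imaging with hash verification and a chain-of-custody record.

Added example, not from the slides. A constructed file stands in for the
suspect drive so this runs offline; a real acquisition reads the block
device (for example /dev/sdb) through a hardware write blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 64 * 1024  # stream in 64 KiB chunks so memory use stays flat for large drives


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Copy every byte of `source` to `image_path`.

    The source hash is computed from the bytes as they are read, so it
    records what the imager actually saw; the image is re-read and hashed
    separately. Returns (source_sha256, image_sha256, bytes_copied).
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return src_hash.hexdigest(), sha256_file(image_path), copied


def coc_entry(action, who, where, method, evidence_id, **details):
    """One chain-of-custody line (acquisition, custody, processing, transfer, final fate)."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "who": who,
        "when_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "where": where,
        "method": method,
        **details,
    }


def acquire(source, image_path, evidence_id, examiner, location):
    """Image the source, verify the copy, and return the chain-of-custody record."""
    src_sha, img_sha, copied = image_device(source, image_path)
    verified = src_sha == img_sha and copied == os.path.getsize(source)
    record = [coc_entry("acquisition", examiner, location, "bit-for-bit image behind write blocker",
                        evidence_id, source=source, image=image_path, bytes=copied,
                        sha256_source=src_sha, sha256_image=img_sha, verified=verified)]
    if not verified:
        raise RuntimeError("image does not match source; acquisition must be repeated")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash the image before every analysis session; any change since acquisition shows up here."""
    return sha256_file(image_path) == expected_sha256


def demo():
    """Acquire a constructed 1 MiB + one sector 'device', then detect a one-byte tamper."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "EV-0001.dd")
    with open(device, "wb") as f:  # constructed sample: random sectors, not a real disk
        f.write(os.urandom(1024 * 1024 + 512))
    record = acquire(device, image, "EV-0001", "examiner-1", "on-site lab")
    clean = verify_image(image, record[0]["sha256_image"])
    with open(image, "r+b") as f:  # simulate tampering: flip one byte at offset 4096
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    after_tamper = verify_image(image, record[0]["sha256_image"])
    print(json.dumps(record, indent=2))
    return record, clean, after_tamper


if __name__ == "__main__":
    demo()
```

The source is hashed from the same read stream that feeds the image, not in a second pass, so a drive that returns different bytes on re-read (a failing disk) shows up as a mismatch rather than being silently accepted.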
  • 20. Disk Cloning: Analyzing Data at Rest
  Disk cloning creates a copy of the original drive that includes everything needed for the duplicate (cloned) drive to boot the operating system and access all the files as if it were the original. The cloning process creates what is known as a 'one-to-one' copy. The duplicate is fully functional: if it is swapped in to replace the original drive, the computer boots from it with operations and data identical to the original. Unlike an image, which is normally stored as a file, a clone occupies a drive of its own.
  • 21. Forensically Analyzing Data in Use: Techniques
  ▶ Cross-drive analysis
    ▶ Correlation of information found on multiple hard drives.
    ▶ Techniques: multi-drive correlation; creation of timelines
    ▶ Application: identifying social networks and performing anomaly detection
  ▶ Live analysis
    ▶ Examination of a running computer's operating system with forensic tooling to extract evidence in real time.
    ▶ Techniques: acquisition of RAM (RAM dump) and capture of the page file; crash dump; VM snapshot
    ▶ Application: identifying and quantifying the threat; collecting artifacts such as running processes, suspicious mutexes, prefetch files, registry keys, open network connections and system accounts
  • 22. Network Forensics: Data in Transit
  • 23. Network Forensics
  ▶ What? The process of collecting and analyzing raw network data and tracking network traffic.
  ▶ Why? Intruders leave a trail behind, and that trail leaves a data record for the incident responder(s). It is also important for the daily security operations workflow.
  ▶ How? Through alerts, network log analysis, threat hunting and threat intelligence, and SIEM.
  • 24. Network-based Evidence: Methods of Acquisition
  1. Ethernet
  ▶ Eavesdropping via sniffers
  ▶ Popular packet analyzers: Wireshark (Windows/Linux/macOS), tcpdump (Unix), TShark. NetFlow is not a packet analyzer but a flow-export record format: routers emit who-talked-to-whom summaries without packet payloads.
  2. Sysinternals (the host-side view of what network activity did on the endpoint)
  ▶ RegMon shows registry activity in real time
  ▶ Process Explorer shows what is loaded
  ▶ Handle shows open files and the processes using them
  ▶ FileMon shows file system activity
  Note: RegMon and FileMon have been retired; Process Monitor (Procmon) combines both functions on current Windows versions.
  • 25. Network-based Evidence: Methods of Acquisition
  3. PsTools (Sysinternals)
  ▶ PsExec - execute processes remotely
  ▶ PsFile - show files opened remotely
  ▶ PsGetSid - display the SID of a computer or a user
  ▶ PsInfo - list information about a system
  ▶ PsPing - measure network performance
  ▶ PsKill - kill processes by name or process ID
  ▶ PsList - list detailed information about processes
  Note: PsExec and PsKill change the state of the target host; if they are used during collection, record the action in the chain of custody.
  • 26. Network-based Evidence: Methods of Acquisition
  4. Intrusion Detection System
  ▶ Host-based IDS
  ▶ Network-based IDS
  5. Intrusion Prevention System
  ▶ Host-based IPS
  ▶ Network-based IPS
  6. Honeypots
  ▶ Low interaction
  ▶ High interaction
  7. Firewalls
  [Fig. Types of Firewalls]
  • 27. Network-based Evidence: Logs... where can you find them?
  ▶ Most network traffic leaves an audit trail.
  ▶ Routers, firewalls and servers maintain logs.
  ▶ DHCP logs record which host held which IP address at a given time.
  ▶ Firewalls offer logging.
  ▶ An IDS can capture part of an attack.
  ▶ Host-based sensors detect alteration of libraries.
  ▶ Login attempts are logged.
  ▶ Note: Chain of custody applies here too: captured log files need to be authenticated (hashed and recorded).
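Correlating two of the log sources listed above, as an added example (not from the slides): a firewall deny record names an inside IP address, and the DHCP server log says which MAC address and hostname held that address at that moment. Both logs are constructed here; the DHCP lines follow the ISC dhcpd syslog format. Two things the logs do not state are assumptions passed in as parameters: the year (syslog lines omit it) and the lease duration (DHCPACK lines do not carry it). The example also assumes both logs use the same time zone; in practice, normalize both to UTC first.

```python
"""Attribute an inside IP address from a firewall log to a host using the DHCP log.

Added example, not from the slides. Both logs below are constructed: the
DHCP lines follow the ISC dhcpd syslog format, the firewall line is a generic
deny record. Assumptions: the syslog year (not present in syslog lines) and
the lease duration (DHCPACK lines do not carry it) are parameters.
"""
import re
from bisect import bisect_right
from datetime import datetime, timedelta

# constructed sample: DHCP server syslog
DHCP_LOG = """\
Mar  3 08:02:11 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to 3c:52:82:aa:01:9f (laptop-07) via eth0
Mar  3 08:10:44 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.40 to b8:27:eb:44:c1:02 (printer-2) via eth0
Mar  3 12:31:05 dhcp1 dhcpd[812]: DHCPRELEASE of 10.0.0.23 from 3c:52:82:aa:01:9f (laptop-07) via eth0
Mar  3 12:33:19 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to 00:0c:29:7d:5e:10 (unknown) via eth0
"""

# constructed sample: a firewall deny for an inside host reaching an outside port
FW_LINE = "2024-03-03T12:40:02Z fw1 DENY TCP 10.0.0.23:51322 -> 203.0.113.9:4444"

LOG_YEAR = 2024  # assumption: taken from the firewall timestamp, since syslog omits the year
DHCP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCP(ACK|RELEASE) (?:on|of) (\S+) (?:to|from) ([0-9a-f:]{17})(?: \(([^)]*)\))?"
)
FW_RE = re.compile(r"^(\S+) \S+ \S+ \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> ")


def parse_dhcp(text, year=LOG_YEAR):
    """Return {ip: [(time, 'ACK'|'RELEASE', mac, hostname), ...]} sorted by time."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines are not assignments
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        leases.setdefault(m.group(3), []).append((ts, m.group(2), m.group(4), m.group(5)))
    for events in leases.values():
        events.sort()
    return leases


def who_had_ip(leases, ip, when, lease_time=timedelta(hours=8)):
    """Return (mac, hostname) holding `ip` at `when`, or None.

    The holder is the latest DHCPACK at or before `when` that was not
    followed by a DHCPRELEASE and whose (assumed) lease had not expired.
    """
    events = leases.get(ip, [])
    idx = bisect_right([e[0] for e in events], when) - 1
    if idx < 0:
        return None
    ts, kind, mac, host = events[idx]
    if kind == "RELEASE" or when - ts > lease_time:
        return None
    return mac, host


def lookup(leases, ip, when_iso):
    """Same as who_had_ip, taking the time as an ISO 8601 string."""
    return who_had_ip(leases, ip, datetime.fromisoformat(when_iso))


def attribute_firewall_line(line, leases):
    """Resolve the inside source IP of one firewall record to (mac, hostname)."""
    m = FW_RE.match(line)
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return who_had_ip(leases, m.group(2), when)


if __name__ == "__main__":
    table = parse_dhcp(DHCP_LOG)
    print(FW_LINE, "->", attribute_firewall_line(FW_LINE, table))
```

The point of the release and lease-expiry checks is that 10.0.0.23 changes hands during the day: the same address attributed at 09:00 and at 12:40 names two different machines, and a naive "last DHCPACK for this IP" lookup would pin the firewall event on whichever host happened to be logged last.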
  • 28. Event Log Analysis and Sources
  • 29. Event Log Analysis
  What? On any OS platform (Windows/Linux/macOS), event logs contain a lot of useful information about the system and its users.
  How? Through log manager and analyzer tools, all the event data can be captured automatically.
  Why? Event logs can provide investigators with details about applications, login timestamps for users and system events of interest.
  • 31. Event Log Sources
  Incident types whose traces are found in event logs:
  ▶ Malware
  ▶ Web-based attacks
  ▶ Phishing
  ▶ Spam
  ▶ Denial of Service
  ▶ Distributed Denial of Service (DDoS)
  ▶ Ransomware
  ▶ Web application attacks
  ▶ Botnets
  ▶ Insider threat
  • 32. System Auditing
  ▶ Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
  ▶ Auditing helps to track which programs ran on the investigated computers.
  ▶ Windows security auditing lets you enable process tracking and monitor process creation (Security event 4688) and process termination (Security event 4689).
  ▶ To enable process auditing, use the Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).
  ▶ Configure Security Settings -> Local Policies -> Audit Policy -> Audit process tracking, or the finer-grained Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation. From an elevated prompt the same setting is: auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
  ▶ Check: 4688 events carry an empty command line unless the policy "Include command line in process creation events" (Administrative Templates -> System -> Audit Process Creation) is also enabled.
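What the process-tracking events give an investigator once auditing is on, as an added example (not from the slides): parsing Security event 4688 records and rebuilding the parent/child chain of each process. The four events are constructed in the XML shape that Event Viewer and wevtutil export, with the real 4688 field names (NewProcessId, NewProcessName, CommandLine, ProcessId for the creator, ParentProcessName). The user name, PIDs, paths and the WINWORD -> cmd -> powershell sequence are invented sample data, and the OFFICE and SHELLS sets are the example's own.

```python
"""Reconstruct which programs ran, and which process started them, from
Security event 4688 (process creation) records.

Added example, not from the slides. The four events are constructed in the
XML shape that Event Viewer and wevtutil export (same EventData field names),
so this runs offline; on a real system they come from the Security log once
Detailed Tracking auditing is enabled.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(time, user, new_pid, new_name, cmd, parent_pid, parent_name):
    """Construct one 4688 event. In 4688, 'ProcessId' is the creator (parent) PID."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4688</EventID><TimeCreated SystemTime="{time}"/><Computer>WS-07</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="NewProcessId">{new_pid}</Data>
    <Data Name="NewProcessName">{new_name}</Data>
    <Data Name="CommandLine">{cmd}</Data>
    <Data Name="ProcessId">{parent_pid}</Data>
    <Data Name="ParentProcessName">{parent_name}</Data>
  </EventData>
</Event>"""


# constructed sample: a macro document spawns cmd, which spawns PowerShell; plus a benign backup job
SAMPLE_EVENTS = [
    _event("2024-03-03T12:38:41.000000Z", "jdoe", "0x0f88",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r"WINWORD.EXE /n C:\Users\jdoe\Downloads\invoice.docm",
           "0x0a10", r"C:\Windows\explorer.exe"),
    _event("2024-03-03T12:38:50.000000Z", "jdoe", "0x1a3c",
           r"C:\Windows\System32\cmd.exe",
           r"cmd.exe /c powershell -nop -w hidden -File C:\Users\Public\u.ps1",
           "0x0f88", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _event("2024-03-03T12:38:51.000000Z", "jdoe", "0x1b40",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"powershell -nop -w hidden -File C:\Users\Public\u.ps1",
           "0x1a3c", r"C:\Windows\System32\cmd.exe"),
    _event("2024-03-03T12:40:10.000000Z", "svc-backup", "0x2210",
           r"C:\Windows\System32\Robocopy.exe",
           r"Robocopy.exe D:\data \\nas01\backup /MIR",
           "0x0600", r"C:\Windows\System32\svchost.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_4688(xml_text):
    """Parse one event; returns a dict or None when it is not a 4688."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        "user": data["SubjectUserName"],
        "pid": int(data["NewProcessId"], 16),  # PIDs are logged as hex strings
        "image": data["NewProcessName"],
        "cmdline": data.get("CommandLine", ""),
        "ppid": int(data["ProcessId"], 16),
        "parent": data.get("ParentProcessName", ""),
    }


def build_index(events):
    """pid -> latest creation record (Windows reuses PIDs, so the newest wins)."""
    return {ev["pid"]: ev for ev in sorted(events, key=lambda e: e["time"])}


def ancestry(index, pid):
    """Image names from the earliest known ancestor down to `pid`."""
    chain, seen, last = [], set(), None
    while pid in index and pid not in seen:
        seen.add(pid)
        last = index[pid]
        chain.append(basename(last["image"]))
        pid = last["ppid"]
    if last is not None and pid not in index and last["parent"]:
        chain.append(basename(last["parent"]))  # parent name is carried on the child record
    return chain[::-1]


def programs_run(events):
    """Sorted unique list of executables that ran (what the slide asks auditing for)."""
    return sorted({ev["image"] for ev in events})


def office_spawned_shells(events):
    """Ancestry chains for every shell whose direct parent is an Office application."""
    index = build_index(events)
    return [ancestry(index, ev["pid"]) for ev in sorted(events, key=lambda e: e["time"])
            if basename(ev["parent"]).lower() in OFFICE and basename(ev["image"]).lower() in SHELLS]


if __name__ == "__main__":
    records = [parse_4688(x) for x in SAMPLE_EVENTS]
    for chain in office_spawned_shells(records):
        print(" -> ".join(chain))
```

Two details matter on real data: PIDs are reused, so the index keeps the newest creation record per PID, and the parent of the oldest process in a chain often predates the audit window, which is why the code falls back to the ParentProcessName carried on the child record.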
  • 33. Threat Hunting
  Threat hunting: a focused and iterative approach to searching out, identifying and understanding adversaries inside the defender's networks. It is a method of searching through networks and datasets to find APTs that evade existing security defenses. (SANS)
  Note: It is not a set of tools. It requires human intervention at every step.
  • 34. Types of Threat Hunting
  ▶ Statistical anomaly: threats can be detected by noting abnormal behavior in a system or network. You may notice this intuitively, but it is better to have a performance "baseline" for comparison.
  ▶ Open Source Intelligence (OSINT): monitoring media sources: social media, e-mail, gossip around the "water cooler".
  ▶ Situational awareness: monitoring specific assets, performing risk assessments and finding threats.
  • 35. Threat Hunting Cycle
  [Figure: the Threat Hunting Loop: CREATE hypotheses -> INVESTIGATE via tools and techniques -> UNCOVER new patterns and TTPs -> INFORM & ENRICH analytics, which feeds the next hypotheses.]
  Source: https://virtualizationandstorage.files.wordpress.com/2018/08/framework-for-threat-hunting-whitepaper.pdf
  • 37. Source: File Systems and Hard Drives
  ▶ Traditional hard drives store data in 512-byte sectors, while modern hard drives use Advanced Format with 4096-byte sectors.
  ▶ However, file systems allocate in clusters, not sectors. A cluster can be from 1 to 128 sectors.
  ▶ To recover data, you must know which OS and file system are active on the suspect machine.
  • 38. Anti-Forensics Detection: Disk Data and Recovery Tools
  ▶ What can be recovered?
    ▶ Known files
    ▶ Deleted files
    ▶ Slack space
    ▶ Unallocated space
    ▶ Compressed files and sectors
  Available tools
  ▶ Hex editor
  ▶ EnCase Forensics
  ▶ Volatility (a memory forensics framework: it analyzes RAM dumps rather than disks)
  ▶ Autopsy (open source)
  • 40. Timeline Analysis
  ▶ Used in cybercrime investigation to answer questions like:
    ▶ When was the computer used?
    ▶ What events occurred before or after a given event?
  ▶ A timeline tool extracts timestamps from the seized device and clusters related events. Timestamps from different sources must be normalized to one time zone before they are ordered. The places to find them are:
    ▶ Files on the disk
    ▶ Web or Internet artifacts
    ▶ Tool-specific data
  ▶ Tools used: Maltego and Autopsy
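The "before or after" question above, worked as an added example (not from the slides, and not how Autopsy or Maltego implement it): timestamps from the three places listed are stored in different formats, so they are converted to UTC and merged before the timeline is ordered. The conversions are the real ones (NTFS FILETIME and Chrome WebKit time both count from 1601-01-01 UTC, in 100 ns and 1 µs units respectively); the five records, their sources and descriptions are constructed, and the five-minute window is an arbitrary choice.

```python
"""Build one timeline from artifacts that store time in different formats.

Added example, not from the slides. The five records are constructed; the
conversions are the real ones: NTFS stores FILETIME (100 ns ticks since
1601-01-01 UTC), Chrome history stores WebKit time (microseconds since
1601-01-01 UTC), and logs carry Unix epoch seconds or ISO 8601 with an
offset. Everything is normalized to UTC before ordering.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """NTFS/Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def from_webkit(us):
    """Chrome/WebKit timestamp: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def from_unix(seconds):
    """Unix epoch seconds (UTC by definition)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_iso(text):
    """ISO 8601 with an explicit offset, e.g. 2024-03-03T14:40:02+02:00."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp {text!r}: record its time zone before merging")
    return dt.astimezone(timezone.utc)


CONVERTERS = {"filetime": from_filetime, "webkit": from_webkit, "unix": from_unix, "iso": from_iso}

# constructed sample: (source, format, raw value as stored by that source, description)
SAMPLE = [
    ("ntfs $SI", "filetime", 133539431300000000, "created C:\\Users\\Public\\u.ps1"),
    ("chrome History", "webkit", 13353943070000000, "visit http://203.0.113.9/invoice.docm"),
    ("fw1 syslog", "iso", "2024-03-03T14:40:02+02:00", "DENY 10.0.0.23 -> 203.0.113.9:4444"),
    ("auth log", "unix", 1709469400, "jdoe interactive logon WS-07"),
    ("auth log", "unix", 1709400000, "svc-backup logon WS-07"),
]


def build_timeline(records):
    """Return [(utc_datetime, source, description), ...] sorted by time."""
    out = [(CONVERTERS[fmt](raw), source, desc) for source, fmt, raw, desc in records]
    return sorted(out, key=lambda e: e[0])


def around(timeline, pivot, window=timedelta(minutes=5)):
    """Events within +/- `window` of `pivot`: 'what happened before or after this event?'"""
    return [e for e in timeline if abs(e[0] - pivot) <= window]


def pivot_on(timeline, source):
    """First event from `source`, used as the anchor for `around`."""
    return next(e[0] for e in timeline if e[1] == source)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE)
    for when, source, desc in around(tl, pivot_on(tl, "ntfs $SI")):
        print(when.isoformat(), source, desc)
```

The firewall record is the one to watch: stored as 14:40 local time with a +02:00 offset, it lands at 12:40 UTC, two minutes after the file creation, whereas ordering on the raw strings would have placed it two hours later.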
  • 41. [Fig. A timeline like this communicates the order of events to the judge and other parties.]
  Source: Digital Archaeology: The Art and Science of Digital Forensics, by Michael W. Graves
  • 42. Identifying Perpetrators (Machines/Users)
  ▶ Check for live systems with Nmap (Kali Linux); scan types:
    ▶ Connect scan
    ▶ Half-open (SYN) scan
    ▶ XMAS scan
    ▶ FIN scan
    ▶ ACK scan
    ▶ Null scan
    ▶ Idle scan
  ▶ Banner grabbing
  ▶ OS version check
  ▶ Services running on the OS and their versions
  ▶ Check for open ports
  ▶ Vulnerability scanning
  ▶ Tools: Nessus, Acunetix
  Note: These are active techniques that send traffic to the target and can be logged or noticed by it; use them only against systems you are authorized to scan, and record each scan in the investigation log.
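The connect scan and banner grab from the list above, written out in plain sockets as an added example (not from the slides and not Nmap's code). It starts a fake SSH service on 127.0.0.1 so the scan has something to hit offline; the banner string, the port states and the OFFICE-style constants are constructed. A connect scan completes the full three-way handshake, which is why the target sees it in its own logs, unlike Nmap's half-open scan.

```python
"""TCP connect scan plus banner grab, in plain sockets, against a local stand-in.

Added example, not from the slides. It reproduces what an nmap connect scan (-sT)
and a banner grab do, against a fake SSH service started on 127.0.0.1 so the
whole thing runs offline. The banner text is constructed.
"""
import re
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n", max_clients=2):
    """Listen on an ephemeral loopback port and send `banner` to each client (constructed stand-in)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(5.0)
        try:
            for _ in range(max_clients):
                conn, _addr = srv.accept()
                conn.sendall(banner)
                conn.close()
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """A loopback port nobody listens on, to show the 'closed' (RST) case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Full three-way handshake per port (nmap -sT). Returns {port: open|closed|filtered}."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"        # RST came back: nothing listening
        except (socket.timeout, OSError):
            states[port] = "filtered"      # no answer: typically dropped by a firewall
        finally:
            s.close()
    return states


def grab_banner(host, port, timeout=2.0):
    """Connect and read whatever the service announces first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", "replace").strip()


def fingerprint(banner):
    """Service and version from an SSH banner (RFC 4253: SSH-protoversion-softwareversion comments)."""
    m = re.match(r"^SSH-(\d\.\d)-(\S+)(?:\s+(.*))?$", banner)
    if not m:
        return {"service": "unknown", "version": "", "os_hint": ""}
    return {"service": "ssh", "version": m.group(2), "os_hint": (m.group(3) or "").split("-")[0]}


def scan_demo():
    """Scan one open and one closed loopback port, then fingerprint the open one."""
    open_port = start_fake_service()
    closed_port = free_port()
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    banner = grab_banner("127.0.0.1", open_port)
    return states, banner, fingerprint(banner)


if __name__ == "__main__":
    print(scan_demo())
```

The three-way split of port states mirrors what Nmap reports: a RST means closed, a completed handshake means open, and silence means something in between dropped the packet, which is the usual sign of a firewall rather than an idle host.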