This document discusses using Debian GNU/Linux as a forensic workstation. It begins with an introduction to digital forensics and defines it as the gathering and analysis of digital information for use as legal evidence. It then discusses why Debian is suitable as a forensic workstation due to its stability, large set of forensic tools, and ability to avoid infecting evidence. The rest of the document outlines the stages of a forensic investigation and various tools that can be used at each stage, including acquiring disk images, examining disk images, collecting volatile memory data, and network forensics.
2. #whoami
Vipin George
Ad-hoc faculty at CEK
Handled Internet plumbing for a Tier-1 ISP
M.Tech in Cyber Forensics and InfoSec
Mozillian, Wikipedian
Enjoys tinkering with Electronic gadgets
Licensed Radio amateur, call sign: VU3YVG/ KC9VED
3. What is Digital Forensics?
The gathering and analysis of digital information in an authentic, accurate and complete form for presentation as evidence in a court of law
Any electronic device (mp3 player, hard disk, mobile phone) can be the source of evidence
4. What is Digital Forensics?
Investigation takes place after an incident has happened
Try to answer the questions: Who? What? When? Where? Why? and How?
6. Locard's Exchange principle
Whenever two computers come "into contact" and interact, they exchange something with each other
This may appear in log files, and be visible in the output of commands.
7. Stages
Digital forensics activities commonly include:
the secure collection of data
the identification of suspect data
the examination of suspect data without modifying it
the presentation of information to courts of law
the application of a country's laws to computer practice.
9. First of the few
One cent crime, 1960s: millions of daily transactions add up
Small attacks add up to one major attack that can go undetected due to the nature of this type of cyber crime
Salami attack!
10. Why Debian GNU/Linux?
It is mandatory to image the suspect drive using at least two tools
Budget
Stability
Dedicated solutions are predictable
E.g. the EnCase Forensic Imager vulnerability
Ability to dig deeper
11. Why Debian GNU/Linux?
Support for rapidly changing storage mediums and sizes
Plenty of tools: the Debian Forensics Environment - essential components (metapackage) by the Debian Security Tools Team has 158 packages as of now
https://packages.debian.org/sid/forensics-full
Restoring a virus-infected thumb drive to a Windows system will infect the workstation itself
13. Digital Forensics toolkit
Laptop
Operating System with all patches
Reliable software tools with all patches
Dedicated Hardware if needed
Evidence container
Storage media
Digital Camera
14. Digital Forensics
Four Cardinal Rules
Never Mishandle Evidence
Never Work on Original Digital Evidence
Never Trust the Subject's OS
Document everything
15. Ensuring Forensic soundness
Use a live CD/DVD
Don't store anything on suspect storage
Don't attach the workstation to any network
Use separate VMs for each case to avoid any cross-contamination
16. Ensuring Forensic soundness
Destination storage should be equal to or larger than the source
Reinstall the forensic platform each time
Normal image
Ghost image
Use write-blockers
17. Write blocker
Malware, or an AV update or scan, may update timestamps
A write blocker prevents data from being written onto the drive
Preserves all data on the drive
Decreases the chance of corrupting the drive
Allows the investigator to image the drive without affecting the drive
Write protection:
Hardware – SATA, IDE, USB, FireWire
Software
18. Hardware write blocker
Prevents data from being written onto the drive
[Diagram: forensic workstation, USB to IDE/SATA adapter, IDE/SATA cable, evidence drive]
20. Software write blocker
Disable auto-mount
Turn swap off
Kernel patch and userspace tools to enable Linux software write blocking
Source: https://github.com/msuhanov/Linux-write-blocker
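The points on this slide (no auto-mount, swap off, evidence only ever mounted read-only) can be verified from the workstation before anything is attached. The shell functions below are an added example, not part of the deck or of the Linux-write-blocker project: they read /proc/mounts and /proc/swaps (the file paths are parameters, so the checks can also be run against saved copies) and report whether an evidence mount point carries ro and noexec, plus noload on ext3/ext4 so the kernel does not replay the journal, and whether any swap is active. The mount points and devices in the usage below are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original deck): pre-acquisition checks for a
# software write-blocking setup, read from /proc/mounts and /proc/swaps.

# has_opt OPTIONS NAME: true when NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ro_mount MOUNTSFILE MOUNTPOINT
# Exit 0 when MOUNTPOINT is mounted with ro and noexec (and noload on ext3/ext4,
# which stops the kernel from replaying the journal, a write in disguise).
# MOUNTSFILE is normally /proc/mounts; a copy of it works for testing.
check_ro_mount() {
    mounts="$1"; mp="$2"
    # /proc/mounts fields: device, mountpoint, fstype, options, dump, pass.
    # With stacked mounts the last entry for a mountpoint is the visible one,
    # so keep the last match. Mountpoints containing spaces appear as \040.
    line=$(awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }' "$mounts")
    if [ -z "$line" ]; then
        echo "$mp: not mounted" >&2
        return 1
    fi
    set -- $line   # split the entry into its whitespace-separated fields
    fstype="$3"; opts="$4"
    missing=""
    for want in ro noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    case "$fstype" in
        ext3|ext4) has_opt "$opts" noload || missing="$missing noload" ;;
    esac
    if [ -n "$missing" ]; then
        echo "$mp ($fstype): missing mount options:$missing" >&2
        return 1
    fi
    echo "$mp ($fstype): $opts"
}

# check_swap_off SWAPSFILE
# Exit 0 when no swap is active, i.e. the file holds only its header line.
# The slide's second point: no swap may be active while evidence is attached.
check_swap_off() {
    n=$(awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n active swap device(s); run swapoff -a first" >&2
        return 1
    fi
    return 0
}

# Usage on a live workstation (assumed evidence mount point /mnt/evidence):
#   check_ro_mount /proc/mounts /mnt/evidence && check_swap_off /proc/swaps
```

Both checks exit non-zero with a one-line reason on stderr, so they can gate an acquisition script: if either fails, the evidence drive is not touched.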
21. Acquiring Disk Image
Ordinary file copy won't work
Bit by bit copy needed for Forensic soundness
Why?
22. Acquiring Disk Image
Evidence can be hidden in many places on a disk
A printer queue can be a source
A hard drive contains partitions, a partition contains a file system and a file system is used to structure data
Bit by bit disk image: captures both allocated and unallocated space
Do not use gzip/tar or normal backup tools: they lose unallocated space and can't recover deleted files
27. Acquiring Disk Image - Software
dd: full disk: dd if=/dev/sda of=/mnt/usb/sda.img bs=512
But not forensically sound
ddrescue: good for data recovery, but not forensically sound
dcfldd: disk image verification to ensure integrity, can split large files
dcfldd if=/dev/sdX hash=md5,sha256 md5log=/root/md5.txt sha256log=/root/sha256.txt conv=noerror,sync of=/root/diskimage.dd
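What makes the dcfldd invocation on this slide sound is the hashing and logging it does alongside the copy. As an added example, not code from the deck, the shell functions below do the same steps by hand with plain dd and sha256sum: hash the source first, copy bit for bit with conv=noerror,sync, hash the image, record both, and fail on mismatch; a second function re-verifies the image later against the recorded source hash. SOURCE is normally a block device such as /dev/sdX behind a write blocker; the functions accept a regular file too, which is what the usage relies on so they can be run without root. All paths in the usage are constructed.

```sh
#!/bin/sh
# Added example (not from the original deck): dd-based acquisition with hash
# verification, done step by step where dcfldd's hash=/hashlog= do it in one go.

# acquire_and_verify SOURCE IMAGE LOGDIR
# Copies SOURCE to IMAGE bit for bit, records the SHA-256 of both and the dd
# transfer summary in LOGDIR, and fails unless the two hashes match.
acquire_and_verify() {
    src="$1"; img="$2"; logdir="$3"
    mkdir -p "$logdir" || return 1
    # Hash the source before anything else touches it.
    src_hash=$(sha256sum "$src") || return 1
    src_hash=${src_hash%% *}
    printf '%s  %s\n' "$src_hash" "$src" > "$logdir/source.sha256"
    # conv=noerror,sync: keep reading past bad sectors and zero-fill them so every
    # byte of the image stays at the same offset as on the source. A whole block
    # device is always a multiple of 512 bytes, so the padding adds nothing there;
    # for a regular file whose size is not sector aligned it would, and the hashes
    # would then differ. dd's own transfer summary (stderr) is kept as a record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$logdir/dd.log" || return 1
    img_hash=$(sha256sum "$img") || return 1
    img_hash=${img_hash%% *}
    printf '%s  %s\n' "$img_hash" "$img" > "$logdir/image.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGDIR
# Re-hashes IMAGE (e.g. before each analysis session) and compares it with the
# source hash recorded at acquisition time; non-zero exit means the image changed.
verify_image() {
    img="$1"; logdir="$2"
    expected=$(cut -d' ' -f1 "$logdir/source.sha256") || return 1
    actual=$(sha256sum "$img") || return 1
    actual=${actual%% *}
    [ "$expected" = "$actual" ]
}

# Usage with constructed paths (a real run would use /dev/sdX behind a write blocker):
#   acquire_and_verify /dev/sdX /mnt/usb/case01.dd /mnt/usb/case01-logs
#   verify_image /mnt/usb/case01.dd /mnt/usb/case01-logs
```

The two hash files plus dd.log are the minimum paper trail for the image: the source hash taken before the copy, the image hash after it, and the byte counts dd reports, which should agree with the device size.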
28. Acquiring Disk Image - Software
Guymager
Fast, due to multi-threaded, pipelined design and multi-threaded data compression
Makes full usage of multi-processor machines
Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
Source: https://guymager.sourceforge.io/
29. Examining and Analyzing Disk Images
How to find and interpret forensic artifacts?
TSK + Autopsy (GUI front-end)
The Sleuth Kit and Autopsy browser
http://www.sleuthkit.org/
It can ingest a disk image; we can explore and extract files of interest
Supports raw, Expert Witness, and AFF file formats
30. Metadata: Data speaks to us
Valuable info such as time, date and author of documents may be embedded in the file
Serial killer Dennis Rader was caught after 31 years
31. On Suspect system
Trusted binaries - statically compiled binaries run from CD or USB
ls, lsof, ps, netstat, grep, uname, date, find, file, ifconfig, arp
Test before use: different Linux distributions and kernels, both 32-bit and 64-bit platforms
Will not modify the access time of system binaries
Be aware of the limitation - kernel-mode rootkit
32. Volatile Data Collection
Collect as much volatile data as possible
But minimise footprint on the target system
In the order of most volatile to least
Memory
Network status and connections
Running processes
Other system information
Document everything
33. Volatile Data Collection
Be aware of the concept of "Chain of custody"
Maintain a good record (a paper trail) of what you have done with the evidence
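Slides 31 to 33 together describe one procedure: on the suspect system, run only trusted binaries from the response CD or USB, collect in order of volatility, keep the footprint small, and record everything for the chain of custody. The script below is an added example, not the deck's or any project's code, that ties those points together: it refuses to execute anything outside the trusted directory, runs each tool with PATH restricted to that directory, saves its output, and appends a custody line (UTC time, command line, exit status, SHA-256 of the output) computed with the trusted sha256sum. Memory capture with LiME (next slide) is done before this and is not repeated here. The mount path /mnt/cdrom/bin and the tool names are assumptions; a real response kit supplies statically linked tools.

```sh
#!/bin/sh
# Added example (not from the original deck): volatile-data collection that only
# executes tools from a trusted directory and keeps a custody record.
# Start it from the trusted shell with PATH already pointing at that directory,
# e.g.  PATH=/mnt/cdrom/bin /mnt/cdrom/bin/sh collect.sh   (assumed paths).

# utc_now TRUSTED: timestamp from the trusted date binary, never the system's
utc_now() { "$1/date" -u +%Y-%m-%dT%H:%M:%SZ; }

# run_trusted TRUSTED OUTDIR NAME COMMAND [ARGS...]
# Executes TRUSTED/COMMAND (never a binary from the suspect system), saves
# stdout to OUTDIR/NAME.txt and stderr to OUTDIR/NAME.err, and appends one
# line to OUTDIR/custody.log: time, name, command line, exit status, SHA-256.
run_trusted() {
    trusted="$1"; outdir="$2"; name="$3"; cmd="$4"; shift 4
    log="$outdir/custody.log"
    if [ ! -x "$trusted/$cmd" ]; then
        # Refuse rather than fall back to the suspect's copy; log the refusal.
        printf '%s\t%s\t%s\tMISSING\t-\n' "$(utc_now "$trusted")" "$name" "$cmd $*" >> "$log"
        return 1
    fi
    started=$(utc_now "$trusted")
    out="$outdir/$name.txt"
    # Subshell: the tool and anything it spawns can only resolve names in TRUSTED,
    # and stdin is /dev/null so the tool cannot consume the command list.
    ( PATH="$trusted"; export PATH; exec "$trusted/$cmd" "$@" ) \
        < /dev/null > "$out" 2> "$outdir/$name.err"
    status=$?
    # Hash with the trusted sha256sum, reading from stdin so no file name is echoed.
    hash=$("$trusted/sha256sum" < "$out"); hash=${hash%% *}
    printf '%s\t%s\t%s\t%s\t%s\n' "$started" "$name" "$cmd $*" "$status" "$hash" >> "$log"
    return "$status"
}

# collect_volatile TRUSTED OUTDIR [LISTFILE]
# LISTFILE lines are "name command [args]"; the default list follows the deck's
# order: network state first, then processes, then general system information.
collect_volatile() {
    trusted="$1"; outdir="$2"; list="${3:-}"
    mkdir -p "$outdir" || return 1
    if [ -z "$list" ]; then
        list="$outdir/command-list.txt"
        printf '%s\n' \
            'netstat netstat -anp' \
            'arp arp -an' \
            'ifconfig ifconfig -a' \
            'ps ps -ef' \
            'lsof lsof -n' \
            'date date -u' \
            'uname uname -a' > "$list"
    fi
    failed=0
    while read -r name cmdline; do
        [ -n "$name" ] || continue
        # word-splitting $cmdline is intended: it is the command and its arguments
        run_trusted "$trusted" "$outdir" "$name" $cmdline || failed=1
    done < "$list"
    return "$failed"
}

# Usage (assumed paths): collect_volatile /mnt/cdrom/bin /mnt/usb/case01/volatile
```

The custody.log is tab-separated so it can be pasted straight into the case notes; a MISSING entry is itself evidence of what was not collected and why, which is better than a silent fallback to an untrusted binary.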
34. Memory Forensics
Data might be encrypted on disk, but unencrypted in memory
LiME – Linux Memory Extractor
Less memory footprint
Pre-compile LiME for the suspect system's architecture and specific kernel as a loadable kernel object
Compile LiME on the suspect system if the architecture is unknown (less recommended)
Source: https://github.com/504ensicsLabs/LiME
35. Memory Forensics
Analyze the memory dump using Volatility
Source: https://github.com/volatilityfoundation/volatility
PhotoRec can carve out files from memory images too
Supports DD raw image, EnCase E01 image etc.
Source: https://www.cgsecurity.org/wiki/TestDisk_Download
36. Network Forensics: collecting RAW network data
Wireshark – GUI
tshark - CLI
tcpdump - CLI
Nmap: Map a network
Snort
P0f (OS passive fingerprinting)
XPLICO: Network Forensic Analysis Tool, can extract pcap files, has web interface