2. Network Forensics - An Intro
Introduction to Digital Forensics
Agenda
Classification & Terminologies
Digital Crimes at a Glance
Computer Security Vs. Forensics
Steps in Digital Forensics
Tools and Uses
Research Contributions in Network Forensics
Conclusions
3. Forensics Vs. Digital Forensics
Forensic science is the application of science to criminal and civil laws. Forensic investigators collect, preserve, and analyze scientific evidence during the course of an investigation.
Digital Forensics is the collection, preservation, identification, extraction, interpretation and documentation of digital evidence which can be used in a court of law.
- Digital Forensic Sciences
- Computer Forensics
4. Digital Forensic Science (DFS)
The practice of scientifically derived and proven technical methods and tools toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of events as forensic evidence.
5. Computer Security Vs Digital Forensics
A computer security major's job is to lock down systems and prevent hackers from gaining access.
A digital forensics major's job is to figure out exactly what happened when the other failed.
Security and forensics are so closely related that without one the other would be non-existent.
8. What is Digital Crime?
Any crime where a computer is a tool, a target or both
Offences against computer data or systems
Unauthorized access, modification or impairment of a computer or digital system
Offences against the confidentiality, integrity and availability of computer data and systems
Conventional Crime Vs. Digital Crime
Examples of Digital Crime
Credit Card Fraud, Identity theft, Spam, DoS
9. What Forensics is not……
Not pro-active (security), but reactive to an event or request
Not about finding the bad guy/criminal, but about finding evidence of value
Not something you do for fun: expertise is needed
Not hacking, but lawful interception & ethical hacking
10. Offline Vs Online Forensics
Offline Forensics (Postmortem Forensics): performed on tampered or compromised digital objects or network environments
Online Forensics (Live Forensics): performed during the malicious activity on digital artifacts, computer networks or interconnected systems
Challenging: needs high speed packet capturing devices
11. Basic forensic methodology consists of:
Acquire the digital evidence without altering or damaging the original
- Information stored or transmitted in binary forms, documents, images, voice and videos
- Physical items or data objects (hard disk, CD, memory, computer etc.)
- Admissible, Authentic, Complete, Reliable
Authenticate that your recovered evidence is the same as the originally seized data
Analyze the data without modifying it.
12. Disk Forensics
• Disk forensics is the science of extracting forensic information from hard disk images
• The goal is to recover data from a disk image using a forensic analysis tool.
• Encryption, file system
Tools Used
1. Sleuth Kit
2. Autopsy Kit
3. Samdump
14. Memory Forensics
• Live Forensics
• Capture the Memory
• Analyze the Memory
• Reconstruction of Memory State
Tools Used
1. Memdump
2. Nigilant Kit
3. Memoryze
15. Mobile Forensics
Mobile forensics is a branch of digital forensics. Simply, it is the science of recovering different kinds of evidence from mobile phones.
It helps investigators significantly in reaching the criminal.
Kinds of evidence:
- Contact numbers.
- Record of calls, SMS, MMS and details about them.
- Sounds.
- Photographs.
- Email messages.
- Notes.
- Calendar.
Tools
• EnCase Neutrino
• Cell Dek Tech
• Oxygen Forensics
16. Database Forensics
Prove or disprove the occurrence of a data security breach
Determine the scope of a database intrusion
Retrace user DML and DDL operations
Identify data pre- and post-transactions
Recover previously deleted database data
Tools
• Logminer
• Data Carve
17. Web Forensics
Web application forensics (IIS, Tomcat, Wamp server)
Post mortem investigation of a compromised web application system
Traces web vulnerability attacks:
- Cross site scripting
- SQL Injections
- Session hijacking etc.
Tools
• Encase
• FTK
• Splunk
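As an added illustration (not part of the original slides), the following Python scans constructed web-server log lines for the traces of the attacks listed above: cross-site scripting and SQL injection signatures in the URL-decoded request path, and one session id used from more than one client IP as the server-side trace that session hijacking leaves. The log format with a session-id column is an assumption of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in a simplified format: client_ip session_id "METHOD path".
# The session-id column is an assumption of this example, not a standard server log format.
LOG_LINES = [
    '10.0.0.5 sess-a1 "GET /products?id=42"',
    '10.0.0.5 sess-a1 "GET /products?id=42%27%20UNION%20SELECT%201,2--"',
    '10.0.0.9 sess-b2 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E"',
    '10.0.0.9 sess-b2 "GET /account"',
    '198.51.100.7 sess-b2 "GET /account"',  # same session id from a second client
]

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<sid>\S+) "(?P<method>[A-Z]+) (?P<path>[^"]*)"$')

# Signatures of the attack classes named on the slide; matched against the decoded path.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$)"),
    "xss": re.compile(r"(?i)(<script|javascript:|on(error|load|click|mouseover)\s*=)"),
}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_attack_traces(lines):
    """Return (line_number, category) for each request whose decoded path matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])  # decode before matching, or %3C hides <script
        for category, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits.append((n, category))
    return hits

def find_shared_sessions(lines):
    """Correlate session ids with client IPs; a session seen from several clients is suspicious."""
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ips[rec["sid"]].add(rec["ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}
```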
18. Browser Forensics
People use web browsers to search for information, shop online, do banking, and communicate through emails or instant messaging.
Losses due to crimes
Forensic investigation to get browsing related data from a computer
Tracing cache, history and cookies of browsers
Tools
AccessData FTK Imager 3.1.3.2
Autopsy 3.0.6
Web Browser Forensic Analyzer, Cache, History and Cookie viewers by Nirsoft
19. Cloud Forensics
Cloud Computing - A transformative technology
It is easier to share data
Access the files by using a computer, a smartphone or a tablet device
Choose between free and commercial solutions
Digital Forensics in Cloud Storage Services
Tools
DiskPulse tool to track the disk usage
RegShot and RegFromApp to track the registry changes
22. IoT Forensics
Connected, headless, diverse and small
Sources of evidence on IoT can be categorized into three groups:
- All evidence collected from smart devices and sensors;
- All evidence collected from hardware and software that provide a communication between smart devices and the external world (e.g., computers, mobiles, IPS, IDS and firewalls);
- All evidence collected from hardware and software that are outside the network under investigation (ISP, MSP).
23. Image Forensics
Digital image forensics aims at restoring some of the lost trustworthiness of digital images and revolves around the following two fundamental questions:
o Where does the image come from?
o Has the image been processed after acquisition?
o The forensic analysis of digital images (or digital image forensics) then refers to the reconstruction of the generation process of a given digital image, where the main focus lies on inference about the image's authenticity and origin.
o Forensic face recognition in computer vision.
24. Cyber Forensics
“The unique process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally accepted.”
Cyber crime means any criminal activity in which a computer or network is the source, tool, target or place of crime
26. Steps in Digital Forensics
• Identification: search for information about the information we require
• Acquisition: obtain forensic copies of all digital evidence
• Authentication: discriminate evidence based on integrity
• Analysis: logical interpretation of recovered data; tentative evidence turns into actual evidence
• Presentation: generate forensic report; prosecution by court of law
27. Identification Phase
Sub Phases and Functions
Classify Digital Crime: Past/Ongoing; Disk, Memory, Cloud, Network forensics
Information Harvesting: How? When? What? Who?
Intelligence Gathering: Scene Audit, System Monitoring
Data Inspection: Encrypted, Steganography, Open
28. Acquisition Phase
Sub Phases and Functions
Pre acquisition process: Implications, lawful interception, Custody
Acquisition Plan: Snapshot, online, offline, Log file, Memory, Network Packets, Disk Images
Post acquisition process: Handle forensic data, seized evidence, conservation and transportation
Tools
Pro Discover Basic, EnCase
29. Authentication Phase
Sub Phases
Categorize Evidence
Validate Evidence
Discriminate Evidence
Functions
Persistent, Volatile
Use hashing of images and other digital evidence for integrity
Admissible, Authentic, Complete, Reliable
Best, Secondary, Direct Evidence
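As an added example (not code from the original slides), hashing an acquired image and checking every later working copy against a custody record, which is the step both the methodology slide ("authenticate that your recovered evidence is the same as the originally seized data") and the validate sub-phase above describe. The image bytes, item id and examiner name are constructed.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired evidence image (not a real disk image).
SEIZED_IMAGE = b"\x00" * 512 + b"EVIDENCE-SECTOR-DATA" + b"\xff" * 512

def hash_evidence(stream, chunk_size=64 * 1024):
    """Digest an acquisition in chunks, since real images do not fit in memory.
    Two independent algorithms are recorded: MD5 for compatibility with older
    tool reports, SHA-256 for collision resistance."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}

def make_custody_record(data, item_id, examiner):
    """Record the digests at seizure time; every later copy is checked against this."""
    record = hash_evidence(io.BytesIO(data))
    record.update({"item_id": item_id, "examiner": examiner,
                   "acquired_at": datetime.now(timezone.utc).isoformat()})
    return record

def verify_copy(copy, record):
    """Authenticate a working copy: it is the same as the seized data only if the
    size and both digests match the custody record."""
    current = hash_evidence(io.BytesIO(copy))
    return all(current[k] == record[k] for k in ("size", "md5", "sha256"))

if __name__ == "__main__":
    rec = make_custody_record(SEIZED_IMAGE, "ITEM-001", "examiner name (constructed)")
    print(json.dumps(rec, indent=2))
    forensic_copy = bytes(SEIZED_IMAGE)
    tampered_copy = SEIZED_IMAGE[:600] + b"X" + SEIZED_IMAGE[601:]  # one byte changed
    print("forensic copy authentic:", verify_copy(forensic_copy, rec))  # True
    print("tampered copy authentic:", verify_copy(tampered_copy, rec))  # False
```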
30. Forensic Analysis Phase
Sub Phases
Preparation
Extraction (Physical)
Extraction (Logical)
Analysis (Time Line)
Analysis (Data Hiding)
Analysis of Application
Reconstruct Files
Functions
Media, Type of Forensic analysis
Filter, Packet header, File Carving
File system, File slack, Unallocated space
Review Time, Date Stamps, Logs
Correlate, Access to encrypted, protected assets
Saved passwords, Emails, Cookies, attachments, History
Tools
Access Data Ultimate Toolkit
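Added example of the file carving named among the extraction functions above and on the disk forensics slide (not code from the original deck): header/footer carving of JPEG-shaped files out of a constructed blob of unallocated space, without any file-system metadata, including the embedded-thumbnail case in which stopping at the first end-of-image marker would truncate the outer picture. The blobs are constructed and not decodable pictures.

```python
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker

def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Header/footer carving over raw bytes, ignoring file-system metadata.
    A JPEG may embed a complete thumbnail JPEG (EXIF), so nested SOI/EOI pairs
    are counted: stopping at the first EOI would cut the outer picture short."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            return found
        depth, cur, end = 1, start + len(JPEG_SOI), -1
        while cur < len(image) and cur - start <= max_size:
            next_soi = image.find(JPEG_SOI, cur)
            next_eoi = image.find(JPEG_EOI, cur)
            if next_eoi == -1:
                break  # header with no footer: not recoverable by this method
            if next_soi != -1 and next_soi < next_eoi:
                depth, cur = depth + 1, next_soi + len(JPEG_SOI)
            else:
                depth, cur = depth - 1, next_eoi + len(JPEG_EOI)
                if depth == 0:
                    end = cur
                    break
        if end == -1:
            pos = start + 1  # keep scanning past an unusable header
            continue
        found.append((start, image[start:end]))
        pos = end

def fake_jpeg(payload, thumbnail=b""):
    """Constructed JPEG-shaped blob: SOI, an APP1 marker carrying an optional
    embedded thumbnail (itself JPEG-shaped), payload, EOI. Not a real picture."""
    return b"\xff\xd8" + b"\xff\xe1" + thumbnail + payload + b"\xff\xd9"

# Constructed "unallocated space": slack, a photo with an EXIF-style thumbnail,
# a second photo, and a header whose footer was overwritten.
THUMB = fake_jpeg(b"thumbnail-scanlines")
PHOTO = fake_jpeg(b"full-resolution-scanlines", thumbnail=THUMB)
SECOND = fake_jpeg(b"another-picture")
UNALLOCATED = (b"\x00" * 64 + PHOTO + b"\x00" * 32 + SECOND
               + b"\x00" * 16 + b"\xff\xd8\xff\xe0truncated")

if __name__ == "__main__":
    for offset, data in carve_jpegs(UNALLOCATED):
        print(f"carved {len(data)} bytes at offset {offset}")
```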
33. DFS-Tools
Tool | Platform | License | Description
Magnet AXIOM | Cross Platform | Proprietary | Complete acquisition, analysis and presentation
EnCase | Windows | Proprietary | Multipurpose forensic tool
SANS Investigative Forensics Toolkit - SIFT | Ubuntu | Proprietary | Multi-purpose forensic operating system
Digital Forensics Framework | Cross Platform | Proprietary | Framework and user interfaces dedicated to Digital Forensics
CAINE Linux | Linux | Freeware | GNU/Linux computer forensics
FTK | Windows | Proprietary | Multipurpose forensic tool
COFEE | Windows | Proprietary | A suite of tools for Windows developed by Microsoft
34. Network Forensics - An Intro
• Network forensics is the science that deals with capture, recording, and analysis of network traffic to retrace the content of the network session.
36. Steps in Network Forensic Analysis
• C: Collection & filtering
• R: Correlation Analysis
• L: Log file analysis
• S: Stream Reassembly
• A: Application layer viewer
• W: Workflow or case management
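Added example (not part of the original slides) of the stream reassembly and application-layer viewer steps: constructed TCP segments of one HTTP request, captured out of order with a retransmission and an overlapping segment, are put back in sequence-number order and the request line and headers are read from the result. The sequence numbers, host name and cookie value are made up.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # captured payload (one direction of the connection)

def reassemble_stream(isn, segments):
    """Rebuild one direction of a TCP stream from captured segments. Tolerates
    out-of-order arrival, exact retransmissions and overlaps (first-captured
    bytes win). Returns the stream, with 0x00 standing in for bytes never
    captured, and the list of (start, end) gaps relative to the ISN."""
    seen = {}  # stream offset (relative to ISN) -> byte value
    for seg in segments:
        for i, b in enumerate(seg.payload):
            seen.setdefault(seg.seq - isn + i, b)
    stream, gaps, gap_start = bytearray(), [], None
    for off in range(max(seen) + 1 if seen else 0):
        if off in seen:
            if gap_start is not None:
                gaps.append((gap_start, off))
                gap_start = None
            stream.append(seen[off])
        else:
            if gap_start is None:
                gap_start = off
            stream.append(0)
    return bytes(stream), gaps

def http_request_view(stream):
    """Application-layer view: request line and headers of a reassembled HTTP request."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = dict(h.split(":", 1) for h in lines[1:] if ":" in h)
    return {"method": method, "path": path, "version": version,
            "headers": {k.strip().lower(): v.strip() for k, v in headers.items()}}

# Constructed capture: one HTTP request whose segments arrive out of order,
# with a retransmission and an overlap. ISN and all values are made up.
ISN = 1000
REQUEST = b"GET /login HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc123\r\n\r\n"
CAPTURE = [
    Segment(ISN + 20, REQUEST[20:40]),  # arrives first, ahead of its predecessor
    Segment(ISN, REQUEST[:20]),
    Segment(ISN, REQUEST[:20]),         # exact retransmission
    Segment(ISN + 35, REQUEST[35:]),    # overlaps the tail of the second segment
]
```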
37. Paths to Careers in CF
Certifications
Associate Degree
Bachelor Degree
Post Grad Certificate
Masters
Doctorate
40. Conclusions
• Basics of Digital Forensic Sciences, Classifications
• Steps in Digital Forensics
• Basics of Network Forensics, Steps
• Forensic Tools
• Research Challenges