Ministère de l’Enseignement Supérieur
et de la Recherche Scientifique
Université de la Manouba
Ecole Nationale des Sciences de l’Informatique
Ghariani Tewfik
CSI
Année universitaire 2015/2016
Intro to Forensics
Plan

Introduction
I. Uses of computer forensics
II. Stages of examination
III. Computer forensics methods
Conclusion
Demo
Introduction

What is computer forensics?

To start, forensic science is the scientific method of gathering and examining information about the past which is then used in a court of law. The word forensic comes from the Latin forēnsis, meaning "of or before the forum." In Roman times, a criminal charge meant presenting the case before a group of public individuals in the forum.

Another definition: computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.
I. Uses Of Computer Forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law
enforcement agencies have been among the earliest and heaviest users of computer forensics
and consequently have often been at the forefront of developments in the field.
More recently, commercial organizations have used computer forensics to their benefit in a
variety of cases such as:
* Intellectual Property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Bankruptcy investigations
* Inappropriate email and Internet use in the work place
II. Stages of examination

Readiness
Evaluation
Collection
Analysis
Presentation
Review
The computer forensic examination process is divided into six stages, presented in their usual chronological order.

Readiness:
For the forensic examiner, readiness includes appropriate training, regular testing and verification of their software and equipment, familiarity with legislation, and being prepared to deal with unexpected issues.

Evaluation:
The evaluation stage includes the receiving of instructions, the clarification of those instructions if unclear or ambiguous, risk analysis and the allocation of roles and resources.
Collection:
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying and securing devices which may store evidence and documenting the scene. Wherever it takes place, the aim of collection is a verified copy of the evidence (the examiner works on the copy, never on the original) with a documented chain of custody.

Analysis:
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas.
Presentation:
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation.

Review:
As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need "to get on with the next job".
III. Computer forensic methods

- safe seizure of computer systems and files, to avoid contamination and/or interference
- safe collection of data and software
- safe and non-contaminating copying of disks and other data media (a bit-for-bit image whose hash is recorded and later re-checked)
- reviewing and reporting on data media
- sourcing and reviewing of back-up and archived files
- recovery / reconstruction of deleted files - logical methods (using what the file system still knows about the file)
- recovery of material from "swap" and "cache" files
- recovery of deleted / damaged files - physical methods (carving raw sectors by content signature, independent of the file system)
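The "safe and non-contaminating copying" item above is, in practice, imaging plus hashing. The following is an added example in Python, not code from the slides or from any tool they mention: it copies an evidence source byte for byte, hashes the source as it is read, re-hashes the written image from disk, and returns a record the examiner can keep with the chain-of-custody paperwork. The file names and the 3 MiB constructed source are assumptions; on a real case the source would be a block device opened read-only behind a write blocker, because merely opening a disk without one (mounting, journal replay) can alter it.

```python
"""Added example (not from the original slides): bit-for-bit acquisition of an
evidence source with integrity verification, the step behind "safe and
non-contaminating copying of disks". The source here is an ordinary file
standing in for a block device (assumption: on a real case you would pass
a read-only device behind a hardware write blocker). File names are assumptions."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read in 1 MiB blocks


def acquire_image(src_path, dst_path, algorithm="sha256"):
    """Copy src to dst byte for byte, hashing the source as it is read and the
    image after it is written. Returns a custody record; 'verified' is True only
    if the two independently computed hashes agree."""
    src_hash = hashlib.new(algorithm)
    size = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    # Re-read the image from disk rather than trusting the bytes we just wrote.
    img_hash = hashlib.new(algorithm)
    with open(dst_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    record = {
        "source": src_path,
        "image": dst_path,
        "bytes": size,
        "algorithm": algorithm,
        "source_hash": src_hash.hexdigest(),
        "image_hash": img_hash.hexdigest(),
        "acquired_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["verified"] = record["source_hash"] == record["image_hash"]
    return record


def verify_image(image_path, expected_hash, algorithm="sha256"):
    """Later check (before analysis, or when the evidence is challenged):
    has the image changed since acquisition?"""
    h = hashlib.new(algorithm)
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_hash


def demo():
    """Constructed sample: a fake 3 MiB 'disk' is imaged and verified, then one
    byte of the image is flipped and verification must fail."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a multiple of CHUNK
        record = acquire_image(src, img)
        ok_before = verify_image(img, record["source_hash"])
        with open(img, "r+b") as f:  # tamper with a single byte of the image
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify_image(img, record["source_hash"])
        return record["verified"], ok_before, ok_after, record["bytes"]


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The recorded source hash is the value that is re-checked before each analysis session and that lets a court confirm the evidence is unchanged since seizure; a single flipped byte, as in the demo, is enough to break it.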
- memory image (often loosely called a "core dump"): collecting an image of the contents of the active memory (RAM) of a computer at a particular time; strictly, a core dump is the memory of a single crashed process, whereas the examiner wants all of physical memory
- estimating if files have been used to generate forged output
- reviewing of single computers for "proper" working during the relevant period, including service logs, fault records, etc.
- proving / testing of reports produced by complex client / server applications
- reviewing of complex computer systems and networks for "proper" working during the relevant period, including service logs, fault records, etc.
- review of system / program documentation for: design methods, testing, audit, revisions, operations management
- reviewing of application programs for "proper" working during the relevant period, including service logs, fault records, etc.
- identification and examination of audit trails
- identification and review of monitoring logs
- telecoms call path tracing (PTTs and telecoms utility companies only)
- reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services)
- reviewing and assessment of access control services - quality of security management
- reviewing and assessment of encryption methods - resilience and implementation
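To show what "identification and review of monitoring logs" over a "relevant period" looks like in practice, here is an added example (not from the slides) that merges three constructed log sources into one UTC-ordered timeline. The log lines, host names, the syslog year and the UTC+1 clock setting are all assumptions made for the example; in a real case they come from the instructions and from the clock settings of the seized systems, and the examiner records where each came from.

```python
"""Added example (not from the original slides): merging monitoring logs from
different systems into one UTC-ordered timeline. Every log line below is
constructed for the example; the formats are common ones (Apache combined log,
classic syslog, an ISO-8601 audit export), not logs from the slides."""
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample evidence -------------------------------------------
APACHE_LOG = [  # web server, local time with explicit offset
    '10.0.0.7 - - [03/May/2016:22:41:05 +0100] "GET /admin/export.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1523',
    '10.0.0.7 - - [03/May/2016:22:39:50 +0100] "GET /login HTTP/1.1" 200 731',
]
SYSLOG = [  # classic syslog carries neither year nor time zone
    "May  3 23:45:12 fileserver sshd[2210]: Accepted password for backup from 10.0.0.7 port 51022 ssh2",
    "May  3 23:45:40 fileserver sudo:   backup : TTY=pts/0 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/tar czf /tmp/x.tgz /srv/finance",
]
AUDIT_EXPORT = [  # already ISO-8601 in UTC
    "2016-05-03T21:40:10Z,DC01,4624,Logon,user=j.doe,src=10.0.0.7",
]
SYSLOG_YEAR = 2016                           # assumption: from the case instructions
SYSLOG_TZ = timezone(timedelta(hours=1))     # assumption: the file server's clock was on UTC+1


def parse_apache(line):
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, "web01/apache", f"{m.group(1)} {m.group(3)} -> {m.group(4)}"


def parse_syslog(line):
    m = re.match(r"(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)", line)
    # year and zone are not in the line: supply them explicitly and document why
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    return ts, f"{m.group(2)}/syslog", m.group(3)


def parse_audit(line):
    when, host, event_id, name, *fields = line.split(",")
    ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, f"{host}/audit", f"event {event_id} {name} " + " ".join(fields)


def build_timeline(apache=APACHE_LOG, syslog=SYSLOG, audit=AUDIT_EXPORT):
    """Return (utc_timestamp, source, message) tuples in chronological order."""
    events = ([parse_apache(l) for l in apache]
              + [parse_syslog(l) for l in syslog]
              + [parse_audit(l) for l in audit])
    events = [(ts.astimezone(timezone.utc), src, msg) for ts, src, msg in events]
    return sorted(events, key=lambda e: e[0])


def within(timeline, start_utc, end_utc):
    """Narrow the timeline to the 'relevant period' the instructions define."""
    return [e for e in timeline if start_utc <= e[0] <= end_utc]


if __name__ == "__main__":
    for ts, src, msg in build_timeline():
        print(ts.strftime("%Y-%m-%d %H:%M:%SZ"), src.ljust(18), msg)
```

Read in their own local times the three sources look unrelated; normalised to UTC they fall into one sequence (web login, domain logon, path-traversal request, SSH login on the file server, archive of the finance share), which is the kind of ordering the instructions usually ask the examiner to establish or refute.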
Conclusion

Well my friends, whether you have heard about it before or not, I can assure you that this field is very interesting and challenging. To keep it simple, once again: computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible.
It is basically like what you saw in the movies: the main aspect is to gather evidence which will help you solve any digital crimes that might have occurred.
There are a lot of investigation techniques, which include analyzing memory dumps, logs or network caches...
I have chosen a few of the best potential tools that might help you through your investigation.
Time for practice!
Volatility

A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac and Android systems. Volatility's modular design allows it to easily support new operating systems and architectures as they are released. All your devices are targets... so don't limit your forensic capabilities to just Windows computers.
Note that Volatility is an open-source program written in Python; its source code is available on GitHub, and if you are still a Windows user a stand-alone version can be executed directly:
_ sudo apt-get install volatility
_ https://volatility.googlecode.com/files/volatility-2.3.1.standalone.exe
(The Google Code hosting has since closed; current releases are published by the Volatility Foundation on GitHub.)
It is a powerful tool that lets you extract data from a memory dump: registry elements, the list of network connections, processes, and so on. A memory dump (memory image) is the recorded contents of a computer's RAM at a specific time. Crash dumps written automatically when a program or the system fails are one kind; for forensic work the image is normally acquired on purpose from the running machine, because RAM holds volatile evidence (running processes, open network connections, decryption keys, unpacked malware) that disappears at power-off. Memory dump files are often found with these extensions: .dmp, .raw, .dd
The first demonstration consists of analysing a memory dump (the one from the "hack me if you can" challenge).
The task was simply to determine the username of the PC from which this file was taken!
1) sudo apt-get install volatility
2) volatility -f username.raw imageinfo    // general information about the image, including the suggested profile(s)
3) volatility -f username.raw --profile=Win7SP0x64 hivelist    // the registry hives and their virtual addresses
4) Perfect! Now we can use this information to go further, for example by obtaining the list of programs installed on the system, which can be extracted from the SOFTWARE hive (System32\Config\SOFTWARE) using the hivedump plugin with -o set to the virtual address of that hive as reported by hivelist.
TestDisk
is powerful data recovery software! It was originally designed to help recover lost partitions and repair corrupted partition tables when these symptoms are caused by faulty software, certain types of viruses or human error such as accidental deletion of the partition table.
TestDisk is open-source software and is licensed under the GNU General Public License (GPL v2+).

PhotoRec
is file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying
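Ignoring the file system and working from the raw bytes is signature carving, the "physical method" of deleted-file recovery from the methods list. The following is an added example in Python, not PhotoRec's code: a minimal carver that scans a constructed "unallocated space" for PNG and JPEG header/footer signatures, recovers complete files, and flags a file whose footer was overwritten. The signatures are the standard ones; the constructed image, the filler pattern and the MAX_CARVE cap are assumptions for the example.

```python
"""Added example (not from the original slides): a minimal signature-based file
carver of the kind PhotoRec implements. It reads raw bytes, ignores any file
system, and recovers files by their header/footer signatures. The disk image
is constructed in memory for the demo; MAX_CARVE is an assumption."""
import struct
import zlib

MAX_CARVE = 4 * 1024 * 1024  # give up on a header whose footer is further away than this

SIGNATURES = {
    # name: (header, footer)
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # IEND chunk plus its fixed CRC
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),        # SOI ... EOI
}


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes and return dicts with type, offset, length, truncated, data.
    Carving is sequential: once a file is carved the scan resumes after it, so
    a JPEG embedded inside a PNG is not reported a second time."""
    found = []
    pos, n = 0, len(image)
    while pos < n:
        best = None  # earliest header of any type at or after pos
        for name, (hdr, ftr) in signatures.items():
            i = image.find(hdr, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, name, hdr, ftr)
        if best is None:
            break
        start, name, hdr, ftr = best
        limit = min(n, start + MAX_CARVE)
        j = image.find(ftr, start + len(hdr), limit)
        if j == -1:                       # no footer: partly overwritten or past the cap
            end, truncated = limit, True
        else:
            end, truncated = j + len(ftr), False
        found.append({"type": name, "offset": start, "length": end - start,
                      "truncated": truncated, "data": image[start:end]})
        pos = end
    return found


def make_png(width=2, height=2):
    """Build a real, valid RGB PNG (solid red) so the carved result can be checked."""
    def chunk(tag, body):
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(raw))
            + chunk(b"IEND", b""))


def make_disk_image():
    """Constructed 'unallocated space': filler, a PNG, filler, a JPEG-like file,
    filler, then a JPEG header whose remainder was overwritten (no footer)."""
    def filler(k):  # deterministic bytes that never contain 0xFF, so no false headers
        return bytes((i * 7) % 251 for i in range(k))
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    torn = b"\xff\xd8\xff\xe1" + b"\x22" * 100
    return filler(500) + make_png() + filler(777) + jpeg + filler(64) + torn


if __name__ == "__main__":
    for f in carve(make_disk_image()):
        print(f"{f['type']:5} @ {f['offset']:6d}  {f['length']:5d} bytes  truncated={f['truncated']}")
```

Because nothing here consults a directory or an allocation table, the same scan works on a formatted volume, a damaged file system or a raw memory image; the price is that file names, timestamps and original paths are not recovered, and a header without a footer yields a truncated file that must be reported as such.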
Thank you for your attention
