A small introduction to computer forensics dedicated to engineering students, organized by 'Club de Sécurité Informatique - Ecole Nationale des Sciences Informatique'
Ministry of Higher Education and Scientific Research
Université de la Manouba
Ecole Nationale des Sciences de l'Informatique
Ghariani Tewfik
CSI
Academic year 2015/2016
Intro to Forensics
Plan
Introduction
I. Uses of computer forensics
II. Stages of Examination
III. Computer Forensics Method
Conclusion
Demo
Introduction: What is computer forensics?
To start, forensic science is the scientific method of gathering and examining information about the past which is then used in a court of law. The word forensic comes from the Latin forēnsis, meaning "of or before the forum." In Roman times, a criminal charge meant presenting the case before a group of public individuals in the forum.
Another definition: computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.
I. Uses of Computer Forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field.
More recently, commercial organizations have used computer forensics to their benefit in a variety of cases such as:
* Intellectual property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Bankruptcy investigations
* Inappropriate email and Internet use in the workplace
II. Stages of Examination
The computer forensic examination process is divided into six stages, presented in their usual chronological order.
Readiness:
For the forensic examiner himself, readiness will include appropriate training, regular testing and verification of their software and equipment, familiarity with legislation, and dealing with unexpected issues.
Evaluation:
The evaluation stage includes the receiving of instructions, the clarification of those instructions if unclear or ambiguous, risk analysis and the allocation of roles and resources.
Analysis:
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas.
Collection:
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying and securing devices which may store evidence and documenting the scene.
Presentation:
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation.
Review:
As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'.
III. Computer Forensic Methods
-safe seizure of computer systems and files, to avoid contamination
and/or interference
-safe collection of data and software
-safe and non-contaminating copying of disks and other data media
-reviewing and reporting on data media
-sourcing and reviewing of back-up and archived files
-recovery / reconstruction of deleted files - logical methods
-recovery of material from "swap" and "cache" files
-recovery of deleted / damaged files - physical methods
-core-dump: collecting an image of the contents of the active memory of a
computer at a particular time
-estimating if files have been used to generate forged output
-reviewing of single computers for "proper" working during relevant period, including
service logs, fault records, etc.
-proving / testing of reports produced by complex client / server applications
-reviewing of complex computer systems and networks for "proper" working during
relevant period, including service logs, fault records, etc.
-review of system / program documentation for: design methods, testing, audit,
revisions, operations management.
-reviewing of applications programs for "proper" working during relevant
period, including service logs, fault records, etc.
-identification and examination of audit trails
-identification and review of monitoring logs
-telecoms call path tracing (PTTs and telecoms utilities companies only)
-reviewing of access control services - quality and resilience of facilities (hardware
and software, identification / authentication services)
-reviewing and assessment of access control services - quality of security
management
-reviewing and assessment of encryption methods - resilience and implementation
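As an added example (not PhotoRec's code, and not from the original presentation) of the "physical" recovery method in the list above, the Python below scans a raw image for file headers and footers without consulting any file system, which is also the approach PhotoRec, covered later, takes. It carves a PNG and a JPEG from a constructed image, reports a third file whose tail was overwritten as partial, and validates the carved PNG's chunk CRCs, because a header-footer match alone does not prove the file is intact. The sample image, the filler bytes, the JPEG-like blobs and the two-entry signature table are all constructed for this example.

```python
"""Added example (not PhotoRec's code): signature-based carving of files
from a raw image, ignoring any file system. The image is constructed
here: filler bytes with a valid PNG, a JPEG-like blob and a truncated
JPEG embedded, the way deleted files survive on disk after their
directory entries are gone."""
import struct
import zlib

# Public magic bytes: (header, footer) per type. A real carver has dozens.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024   # stop looking for a footer beyond this distance


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(type, start, end, data)] sorted by offset. A header whose
    footer is not found within max_size is reported with end=None and
    data=None: a damaged or partially overwritten file."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                found.append((kind, start, None, None))
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, end, image[start:end]))
            pos = end
    return sorted(found, key=lambda rec: rec[1])


def png_is_valid(data):
    """Carving only proves the boundaries; check every chunk's CRC and
    that the stream ends exactly at IEND before trusting a carved PNG."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos, last = 8, None
    while pos + 12 <= len(data):
        length, = struct.unpack_from(">I", data, pos)
        if pos + 12 + length > len(data):
            return False
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            return False
        last, pos = kind, pos + 12 + length
    return last == b"IEND" and pos == len(data)


# --- constructed test image -------------------------------------------------
def _png_chunk(kind, body):
    return (struct.pack(">I", len(body)) + kind + body
            + struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF))


def make_png():
    """A valid 1x1 RGB PNG built chunk by chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter 0 + one red pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 64 + b"\xff\xd9"  # JPEG-like blob
TRUNCATED = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x02" * 32                 # tail overwritten, no footer
FILLER = bytes(range(256)) * 8   # deterministic filler containing none of the signatures


def build_image():
    return FILLER + make_png() + FILLER + JPEG_SAMPLE + FILLER + TRUNCATED + FILLER


if __name__ == "__main__":
    for kind, start, end, data in carve(build_image()):
        if data is None:
            status = "partial"
        else:
            status = "valid" if kind != "png" or png_is_valid(data) else "corrupt"
        print(f"{kind} at {start}-{end}: {status}")
```

The partial case is the one that bites in practice: a header whose own footer is gone will happily match the footer of the next file of the same type, so the carver caps the search distance and a format-level check (here the PNG CRCs) is what separates a recovered file from a plausible-looking byte range.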
Conclusion
Well my friends, whether you heard about it before or not, I can
assure you that this field is very interesting and challenging. To keep it
simple, once again, computer forensics is the practice of collecting,
analyzing and reporting on digital data in a way that is legally
admissible.
It is basically like what you saw in the movies: the main aspect is to gather
evidence which will help you solve any digital crimes that might
have occurred.
There are a lot of investigation techniques, which include analyzing
memory dumps, logs or network caches...
I have chosen a few of the best potential tools that might help you
through your investigation.
Volatility
A single, cohesive framework that analyzes RAM dumps from 32- and 64-bit Windows,
Linux, Mac and Android systems. Volatility's modular design allows it to easily
support new operating systems and architectures as they are released. All your
devices are targets... so don't limit your forensic capabilities to just Windows
computers.
Note that this is an open source program written in Python; you can access its
source code on GitHub, and if you are still a Windows user, a stand-alone version
can be executed directly:
_ sudo apt-get install volatility
_ https://volatility.googlecode.com/files/volatility-2.3.1.standalone.exe
It is a powerful tool that allows you to extract data, registry elements, the list of network
connections, processes... from the memory dump. In forensics, a memory dump is the
recorded state of a computer's physical memory (RAM) at a specific time, captured
from the running machine (the "core-dump" method listed earlier); a crash dump file
is one form of it. Memory dump files commonly carry one of these extensions: .dmp, .raw, .dd
The first demonstration consists of analyzing a memory dump (the one from hackmeifyoucan).
The task was simply to determine the username of the PC from which this file was taken!
1) sudo apt-get install volatility
2) volatility -f username.raw imageinfo // general information about the image, including the suggested profile(s)
3) volatility -f username.raw hivelist --profile=Win7SP0x64 // the registry hives and their virtual addresses; the profile must be the one imageinfo suggested, otherwise the kernel structures are misread. Per-user hives show up as \??\C:\Users\<name>\ntuser.dat, which already reveals the account names.
4) Perfect! Now we can use this information to go further, for example by obtaining the list of programs installed on the system, which can be extracted from the SOFTWARE hive (System32\Config\SOFTWARE) using the hivedump plugin and specifying the virtual address of that hive with its -o option.
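The hivelist step above returns the virtual addresses and paths of the loaded hives. As an added example that is not Volatility's code and not part of the original presentation, the Python below shows the simplest form of the same idea: scan a raw memory image for the "regf" signature every hive base block starts with, parse the public header fields (sequence numbers, last-written FILETIME, hive path, XOR-32 checksum), and pull account names out of the per-user ntuser.dat paths, which is how the username question in the demo gets answered. Volatility walks the kernel's list of loaded hives instead, which also finds hives whose header is not resident in the dump; the signature scan is the structure-free fallback. The image, the hive names, the user "bob" and the timestamp are all constructed for the example.

```python
"""Added example (not Volatility's code): find registry hive base blocks
in a raw memory image by their 'regf' signature and parse the public
base-block fields. The image is constructed below."""
import re
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096               # size of the regf base block
NAME_OFF, NAME_LEN = 0x30, 64   # UTF-16LE tail of the hive's path
CHECKSUM_OFF = 0x1FC            # XOR-32 over the preceding 508 bytes
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin


def regf_checksum(block):
    total = 0
    for (word,) in struct.iter_unpack("<I", block[:CHECKSUM_OFF]):
        total ^= word
    if total == 0xFFFFFFFF:     # the format reserves these two values
        total = 0xFFFFFFFE
    elif total == 0:
        total = 1
    return total


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10


def parse_base_block(block):
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", block, 4)
    raw = block[NAME_OFF:NAME_OFF + NAME_LEN]
    name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored, = struct.unpack_from("<I", block, CHECKSUM_OFF)
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(ft),
        "dirty": seq1 != seq2,   # sequence numbers differ while a write is in flight
        "checksum_ok": stored == regf_checksum(block),
    }


def scan_hives(image):
    """[(offset, fields)] for every 'regf' with a whole base block behind it."""
    hits, pos = [], 0
    while (pos := image.find(b"regf", pos)) >= 0:
        if pos + BASE_BLOCK <= len(image):
            hits.append((pos, parse_base_block(image[pos:pos + BASE_BLOCK])))
        pos += 4
    return hits


def usernames(hits):
    """Per-user hives live under \\Users\\<name>\\ntuser.dat, so the hive
    path alone yields account names (what the demo above was after)."""
    pattern = re.compile(r"\\Users\\([^\\]+)\\ntuser\.dat$", re.IGNORECASE)
    return sorted({m.group(1) for _, f in hits if (m := pattern.search(f["name"]))})


# --- constructed image -------------------------------------------------------
def make_base_block(name, last_written, seq=(7, 7), corrupt=False):
    """Hand-built 4 KiB base block; corrupt=True stores a wrong checksum."""
    block = bytearray(BASE_BLOCK)
    block[0:4] = b"regf"
    struct.pack_into("<IIQII", block, 4, seq[0], seq[1], datetime_to_filetime(last_written), 1, 5)
    # file type, file format, root cell offset, hive bins size, clustering factor
    struct.pack_into("<IIIII", block, 0x1C, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:NAME_LEN]   # names here fit; Windows keeps the path tail
    block[NAME_OFF:NAME_OFF + len(encoded)] = encoded
    checksum = regf_checksum(bytes(block))
    struct.pack_into("<I", block, CHECKSUM_OFF, checksum ^ 0xDEADBEEF if corrupt else checksum)
    return bytes(block)


STAMP = datetime(2013, 1, 1, tzinfo=timezone.utc)   # constructed timestamp


def build_image():
    return (b"\x00" * 1000
            + make_base_block("\\SystemRoot\\System32\\Config\\SAM", STAMP)
            + b"\x00" * 500
            + make_base_block("\\??\\C:\\Users\\bob\\ntuser.dat", STAMP, seq=(9, 8))  # write in flight
            + b"\x00" * 300
            + make_base_block("\\SystemRoot\\System32\\Config\\SAM", STAMP, corrupt=True)  # stale copy
            + b"\x00" * 200)


if __name__ == "__main__":
    hits = scan_hives(build_image())
    for offset, fields in hits:
        print(f"{offset:#010x} {fields['name']} version={fields['version']} "
              f"written={fields['last_written'].isoformat()} "
              f"dirty={fields['dirty']} checksum_ok={fields['checksum_ok']}")
    print("users:", usernames(hits))
```

The checksum and the sequence-number comparison are the checks that matter on a real dump: memory holds stale and half-written copies of hive headers next to live ones, and only a block whose stored checksum matches and whose sequence numbers agree should be treated as a consistent hive before anything is extracted from it.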
TestDisk
is a powerful data recovery program! It was originally designed to help recover
lost partitions and repair corrupted partition tables when these problems are
caused by faulty software, certain types of viruses or human error such as
accidental deletion of the partition table.
TestDisk is open source software and is licensed under the GNU General
Public License (GPL v2+).
PhotoRec
is file data recovery software designed to recover lost files, including video,
documents and archives, from hard disks and CD-ROMs, and lost pictures (hence
the Photo Recovery name) from digital camera memory. PhotoRec ignores the
file system and goes after the underlying