Forensics analysis and validation: Determining what data to collect and analyze, validating forensic data, addressing data-hiding techniques, performing remote acquisitions Network Forensics: Network forensics overview, performing live acquisitions, developing standard procedures for network forensics, using network tools, examining the honeynet project.
UNIT-II Initial Response and forensic duplication, Initial Response & Volatile Data Collection from Windows system -Initial Response & Volatile Data Collection from Unix system – Forensic Duplication: Forensic duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified Forensic Duplicate of a Hard Drive
Working with Windows and DOS Systems: understanding file systems, exploring Microsoft File Structures, Examining NTFS disks, Understanding whole disk encryption, windows registry, Microsoft startup tasks, MS-DOS startup tasks, virtual machines
UNIT-II Initial Response and forensic duplication, Initial Response & Volatile Data Collection from Windows system -Initial Response & Volatile Data Collection from Unix system – Forensic Duplication: Forensic duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic. Duplicate/Qualified Forensic Duplicate of a Hard Drive
Working with Windows and DOS Systems: understanding file systems, exploring Microsoft File Structures, Examining NTFS disks, Understanding whole disk encryption, windows registry, Microsoft startup tasks, MS-DOS startup tasks, virtual machines
Current Forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices
Computer forensics is a very important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data but now it has expanded to all devices related to digital data. The goal of Computer forensics is to perform crime investigations by using evidence from digital data to find who was the responsible for that particular crime.
For better research and investigation, developers have created many computer forensics tools. Police departments and investigation agencies select the tools based on various factors including budget and available experts on the team.
The development of intelligent network forensic tools to focus on specific type of network traffic analysis is a challenge in terms of future perspective.
This will reduce time delays, less computational resources requirement; minimize attacks, providing reliable and secured evidences, and efficient investigation with minimum efforts
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Presentation on Investigating Emails to detect their spam free nature. Emails are a way to harm others or a social engineering way to fulfill wrong motives by some people. Awareness about the Forensics behind Email will give people an edge to protect themselves from fraud crimes.
Current Forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices
Computer forensics is a very important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data but now it has expanded to all devices related to digital data. The goal of Computer forensics is to perform crime investigations by using evidence from digital data to find who was the responsible for that particular crime.
For better research and investigation, developers have created many computer forensics tools. Police departments and investigation agencies select the tools based on various factors including budget and available experts on the team.
The development of intelligent network forensic tools to focus on specific type of network traffic analysis is a challenge in terms of future perspective.
This will reduce time delays, less computational resources requirement; minimize attacks, providing reliable and secured evidences, and efficient investigation with minimum efforts
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Presentation on Investigating Emails to detect their spam free nature. Emails are a way to harm others or a social engineering way to fulfill wrong motives by some people. Awareness about the Forensics behind Email will give people an edge to protect themselves from fraud crimes.
Encryption: Who, What, When, Where, and Why It's Not a PanaceaResilient Systems
Encryption is a crucial and powerful tool in any organization's data protection / privacy arsenal. But to be effective, it must be applied properly. And even then it's not a silver bullet, including from a privacy breach disclosure perspective.
This webinar will discuss:
- Encryption vs. hashing: what is it, and when might you want to use one over the other?
- Practical considerations: implementation options and their merits
- Legal considerations: encryption requirements, benefits and restrictions
- Legal limitations: situations in which encryption is not enough
Our featured speakers for this webinar will be:
- Suhna Pierce, Associate, Morrison Foerster
- Gant Redmon, Esq. CIPP/US, General Counsel & VP of Business Development, Co3 Systems
Are you a CIPP holder? (CIPP/US, CIPP/C, CIPP/E, CIPP/G and CIPP/IT) Attend this webinar for CPE credit.
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
For better or worse, electronic data is at the heart of many legal investigations. Therefore, it is becoming increasingly important for lawyers to have a basic understanding of computer forensics including:
- what computer forensics is and what types of things can a computer forensic expert do;
- types of mistakes lawyers or IT professionals make that can corrupt, alter, or destroy evidence that is key to investigations;
what types of electronic evidence exists;
- ways to work efficiently and effectively with a computer forensic expert; and
- when to consider hiring and how to choose a computer forensic expert as part of an investigation
Learn more from Winston & Strawn and listen to the presentation here: https://www.winston.com/en/thought-leadership/computer-forensics-what-every-lawyer-needs-to-know.html.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
The Collections Framework (java.util)- Collections overview, Collection Interfaces, The Collection classes- Array List, Linked List, Hash Set, Tree Set, Priority Queue, Array Deque. Accessing a Collection via an Iterator, Using an Iterator, The For-Each alternative, Map Interfaces and Classes, Comparators, Collection algorithms, Arrays, The Legacy Classes and Interfaces- Dictionary, Hashtable ,Properties, Stack, Vector More Utility classes, String Tokenizer, Bit Set, Date, Calendar, Random, Formatter, Scanner
Exception handling - Fundamentals of exception handling, Exception types, Termination or resumptive models, Uncaught exceptions, using try and catch, multiple catch clauses, nested try statements, throw, throws and finally, built- in exceptions, creating own exception sub classes.
Multithreading- Differences between thread-based multitasking and process-based multitasking, Java thread model, creating threads, thread priorities, synchronizing threads, inter thread communication
Packages- Defining a Package, CLASSPATH, Access protection, importing packages. Interfaces- defining an interface, implementing interfaces, Nested interfaces, applying interfaces, variables in interfaces and extending interfaces.
Stream based I/O (java.io) – The Stream classes-Byte streams and Character streams, Reading console Input and Writing Console Output, File class, Reading and writing Files, Random access file operations, The Console class, Serialization, Enumerations, auto boxing, generics.
Object-Oriented Thinking- A way of viewing world – Agents and Communities, messages and methods, Responsibilities, Classes and Instances, Class Hierarchies- Inheritance, Method binding, Overriding and Exceptions, Summary of Object-Oriented concepts. Java buzzwords, An Overview of Java, Data types, Variables and Arrays, operators, expressions, control statements, Introducing classes, Methods and Classes, String handling.
Inheritance– Inheritance concept, Inheritance basics, Member access, Constructors, Creating Multilevel hierarchy, super uses, using final with inheritance, Polymorphism-ad hoc polymorphism, pure polymorphism, method overriding, abstract classes, Object class, forms of inheritance specialization, specification, construction, extension, limitation, combination, benefits of inheritance, costs of inheritance
JSP
The Anatomy of a JSP Page, JSP Processing, Declarations, Directives, Expressions, Code Snippets, implicit objects, Using Beans in JSP Pages, Using Cookies and session for session tracking, connecting to database in JSP.
Servlet
Common Gateway Interface (CGI), Lifecycle of a Servlet, deploying a servlet, The Servlet API, Reading Servlet parameters, Reading Initialization parameters, Handling Http Request & Responses, Using Cookies and Sessions, connecting to a database using JDBC.
Introduction to XML, Defining XML tags, their attributes and values, Document Type Definition, XML Schemas, Document Object Model, XHTML Parsing XML Data - DOM and SAX Parsers in java.
Introduction to PHP: Declaring variables, data types, arrays, strings, operators, expressions, control structures, functions, Reading data from web form controls like text boxes, radio buttons, lists etc., Handling File Uploads, Connecting to database (MySQL as reference), executing simple queries, handling results, Handling sessions and cookies File Handling in PHP: File operations like opening, closing, reading, writing, appending, deleting etc. on text and binary files, listing directories
Machine-Independent Optimizations: The Principal Sources of Optimization, Introduction to Data-Flow Analysis, Foundations of Data-Flow Analysis, Constant Propagation, Partial Redundancy Elimination, Loops in Flow Graphs
Run-Time Environments: Storage organization, Stack Allocation of Space, Access to Nonlocal Data on the Stack, Heap Management, Introduction to Garbage Collection, Introduction to Trace-Based Collection. Code Generation: Issues in the Design of a Code Generator, The Target Language, Addresses in the Target Code, Basic Blocks and Flow Graphs, Optimization of Basic Blocks, A Simple Code Generator, Peephole Optimization, Register Allocation and Assignment, Dynamic Programming Code-Generation
Syntax-Directed Translation: Syntax-Directed Definitions, Evaluation Orders for SDD's, Applications of Syntax-Directed Translation, Syntax-Directed Translation Schemes, and Implementing L-Attributed SDD's. Intermediate-Code Generation: Variants of Syntax Trees, Three-Address Code, Types and Declarations, Type Checking, Control Flow, Back patching, Switch-Statements
Syntax Analysis: Introduction, Context-Free Grammars, Writing a Grammar, Top-Down Parsing, Bottom-Up Parsing, Introduction to LR Parsing: Simple LR, More Powerful LR Parsers, Using Ambiguous Grammars, Parser Generators.
Introduction: Language Processors, the structure of a compiler, the science of building a compiler, programming language basics.
Lexical Analysis: The Role of the Lexical Analyzer, Input Buffering, Recognition of Tokens, The Lexical-Analyzer Generator Lex, Finite Automata, From Regular Expressions to Automata, Design of a Lexical-Analyzer Generator, Optimization of DFA-Based Pattern Matchers
E-Mail Security: Pretty Good Privacy, S/MIME IP Security: IP Security overview, IP Security architecture, Authentication Header, Encapsulating security payload, Combining security associations, Internet Key Exchange Case Studies on Cryptography and security: Secure Multiparty Calculation, Virtual Elections, Single sign On, Secure Inter-branch Payment Transactions, Cross site Scripting Vulnerability.
Security Concepts: Introduction, The need for security, Security approaches, Principles of security, Types of Security attacks, Security services, Security Mechanisms, A model for Network Security Cryptography Concepts and Techniques: Introduction, plain text and cipher text, substitution techniques, transposition techniques, encryption and decryption, symmetric and asymmetric key cryptography, steganography, key range and key size, possible types of attacks
More from Jyothishmathi Institute of Technology and Science Karimnagar (20)
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. • Examining and analyzing digital evidence depend on the nature of the
investigation
– And the amount of data to process
• Scope creep - when an investigation expands beyond the original
description
– Because of unexpected evidence found
– Attorneys may ask investigators to examine other areas to recover
more evidence
– Increases the time and resources needed to extract, analyze, and
present evidence
2
Forensics Analysis and Validation
Determining What Data to Collect and Analyze
3. • Scope creep has become more common
– Criminal investigations require more detailed
examination of evidence just before trial
– To help prosecutors fend off attacks from defense
attorneys
• New evidence often isn’t revealed to prosecution
– It’s become more important for prosecution teams to
ensure they have analyzed the evidence exhaustively
before trial
3
Forensics Analysis and Validation
Determining What Data to Collect and Analyze
4. • Ensuring the integrity of data collected is essential
for presenting evidence in court
• Most forensic tools offer hashing of image files
• Example - when ProDiscover loads an image file:
– It runs a hash and compares the value with the original
hash calculated when the image was first acquired
• Using advanced hexadecimal editors ensures data
integrity
4
Forensics Analysis and Validation
Validating Forensic Data
5. Validating with Hexadecimal Editors
• Advanced hex editors offer features not available in digital forensics
tools, such as:
– Hashing specific files or sectors
• With the hash value in hand
– You can use a forensics tool to search for a suspicious file that
might have had its name changed to look like an innocuous file
• WinHex provides MD5 and SHA-1 hashing algorithms
5
Forensics Analysis and Validation
Validating Forensic Data
6. Validating with Hexadecimal Editors
• Advantage of recording hash values
– You can determine whether data has changed
• Block-wise hashing
– A process that builds a data set of hashes of sectors
from the original file
– Then examines sectors on the suspect’s drive to see
whether any other sectors match
– If an identical hash value is found, you have confirmed
that the file was stored on the suspect’s drive 6
Forensics Analysis and Validation
Validating Forensic Data
7. Validating with Hexadecimal Editors
• Using Hash Values to Discriminate Data
– AccessData has its own hashing database, Known File Filter
(KFF)
– KFF filters known program files from view and contains has values
of known illegal files
– It compares known file hash values with files on your evidence
drive to see if they contain suspicious data
– Other digital forensics tools can import the NSRL database and run
7
Forensics Analysis and Validation
Validating Forensic Data
8. Validating with Digital Forensics Tools
• ProDiscover
– .eve files contain metadata that includes hash value
– Has a preference you can enable for using the Auto Verify Image
Checksum feature when image files are loaded
– If the Auto Verify Image Checksum and the hashes in the .eve file’s
metadata don’t match
• ProDiscover will notify that the acquisition is corrupt and can’t be
considered reliable evidence
8
Forensics Analysis and Validation
Validating Forensic Data
9. • Data hiding - changing or manipulating a file to conceal information
• Techniques:
– Hiding entire partitions
– Changing file extensions
– Setting file attributes to hidden
– Bit-shifting
– Using encryption
– Setting up password protection
9
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
10. Hiding Files by Using the OS Techniques:
• One of the first techniques to hide data:
– Changing file extensions
• Advanced digital forensics tools check file headers
– Compare the file extension to verify that it’s correct
– If there’s a discrepancy, the tool flags the file as a possible altered
file
• Another hiding technique
– Selecting the Hidden attribute in a file’s Properties dialog box
10
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
11. Hiding Partitions
• By using the Windows diskpart remove letter command
– You can unassign the partition’s letter, which hides it from view in
File Explorer
• To unhide, use the diskpart assign letter command
• Other disk management tools:
– Partition Magic, Partition Master, and Linux Grand Unified
Bootloader (GRUB)
11
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
12. Hiding Partitions
• To detect whether a partition has been hidden
– Account for all disk space when examining an evidence drive
– Analyze any disk areas containing space you can’t account for
• In ProDiscover, a hidden partition appears as the highest available
drive letter set in the BIOS
– Other forensics tools have their own methods of assigning drive
letters to hidden partitions
12
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
13. Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or
incriminating data in free or slack space on disk partition clusters
– Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS
considers them unusable
– Only way they can be accessed from the OS is by changing them to
good clusters with a disk editor
• DiskEdit runs only in MS-DOS and can access only FAT-formatted
13
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
14. Bit-Shifting
• Some users use a low-level encryption program that changes the order
of binary data
– Makes altered data unreadable To secure a file, users run an
assembler program (also called a “macro”) to scramble bits
– Run another program to restore the scrambled bits to their original
order
• Bit shifting changes data from readable code to data that looks like
binary executable code
• WinHex includes a feature for shifting bits
14
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
15. Understanding Steganalysis Methods
• A way to hide data is to use steganography tools
– Many are freeware or shareware
– Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text
into a steganography file
– Cracking the encrypted message is extremely difficult
15
Forensics Analysis and Validation
Addressing Data-Hiding Techniques
17. • One can remotely connect to a suspect computer via a network
connection and copy data from it
• This method is also faster at obtaining the necessary files, as it does
not depend on a stable network connection.
• Although this is the preferred method, there may be geographical
constraints, especially with larger organizations where the incident
response analysts are a plane ride away from the location containing
the evidence.
• Remote acquisition tools vary in configurations and capabilities and
tools require installing a remote agent on the suspect computer
17
Forensics Analysis and Validation
Performing Remote Acquisitions
18. Network Forensics
• Process of collecting and analyzing raw network data and tracking
network traffic
▪ To ascertain how an attack was carried out or how an event
occurred on a network
• Intruders leave a trail behind
▪ Knowing your network’s typical traffic patterns is important in
spotting variations in network traffic
18
Network Forensics
Network Forensics Overview
19. The Need for Established Procedures
• Network forensics examiners must establish standard procedures for
how to acquire data after an attack or intrusion
• Essential to ensure that all comprised systems have been found
• Procedures must be based on an organization’s needs and
complement network infrastructure
• NIST created “Guide to Integrating Forensic Techniques into
Incident Response” to address these needs
19
Network Forensics
Developing standard procedures for network forensics
20. The Need for Established Procedures
• Network forensics examiners must establish standard procedures for
how to acquire data after an attack or intrusion
• Essential to ensure that all comprised systems have been found
• Procedures must be based on an organization’s needs and
complement network infrastructure
• NIST created “Guide to Integrating Forensic Techniques into
Incident Response” to address these needs
20
Network Forensics
Developing standard procedures for network forensics
21. • Network forensics can be a long, tedious process
• Standard procedure that is often used: Always use a standard
installation image for systems on a network
• Fix any vulnerability after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives
• Compare files on the forensic image to the original installation
image
21
Network Forensics
Developing standard procedures for network forensics
22. • Sysinternals
– A collection of free tools for examining Windows products
• Examples of the Sysinternals tools:
– RegMon shows Registry data in real time
– Process Explorer shows what is loaded
– Handle shows open files and processes using them
– Filemon shows file system activity 22
Network Forensics
Using Network Tools
23. • Tools from PsTools suite created by Sysinternals
– PsExec runs processes remotely
– PsGetSid displays security identifier (SID)
– PsKill kills process by name or ID
– PsList lists details about a process
– PsLoggedOn shows who’s logged locally
– PsPasswd changes account passwords
– PsService controls and views services
– PsShutdown shuts down and restarts PCs
– PsSuspend suspends processes
23
Network Forensics
Using Network Tools
24. • The Honeynet Project was developed to make information widely available in
an attempt to thwart Internet and network hackers
o Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
o Hundreds or even thousands of machines (zombies) can be used
• Zero day attacks
o Another major threat
o Attackers look for holes in networks and OSs and exploit these weaknesses before patches are
available
• Honeypot
o Normal looking computer that lures attackers to it
• Honeywalls
o Monitor what’s happening to honeypots on your network and record what attackers are doing
24
Network Forensics
Examining the Honeynet Project