Forensics Analysis and Validation
Dr R Jegadeesan, Prof-CSE
Jyothishmathi Institute of Technology and Science, Karimnagar

Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depend on the nature of the
investigation
– And the amount of data to process
• Scope creep - when an investigation expands beyond the original
description
– Because of unexpected evidence found
– Attorneys may ask investigators to examine other areas to recover
more evidence
– Increases the time and resources needed to extract, analyze, and
present evidence
• Scope creep has become more common
– Criminal investigations require more detailed
examination of evidence just before trial
– To help prosecutors fend off attacks from defense
attorneys
• New evidence often isn’t revealed to prosecution
– It’s become more important for prosecution teams to
ensure they have analyzed the evidence exhaustively
before trial
Validating Forensic Data
• Ensuring the integrity of data collected is essential
for presenting evidence in court
• Most forensic tools offer hashing of image files
• Example - when ProDiscover loads an image file:
– It runs a hash and compares the value with the original
hash calculated when the image was first acquired
• Advanced hexadecimal editors can also be used to verify data integrity
Validating with Hexadecimal Editors
• Advanced hex editors offer features not available in digital forensics
tools, such as:
– Hashing specific files or sectors
• With the hash value in hand
– You can use a forensics tool to search for a suspicious file that
might have had its name changed to look like an innocuous file
• WinHex provides MD5 and SHA-1 hashing algorithms
• Advantage of recording hash values
– You can determine whether data has changed
• Block-wise hashing
– A process that builds a data set of hashes of sectors
from the original file
– Then examines sectors on the suspect’s drive to see
whether any other sectors match
– If an identical hash value is found, you have confirmed that the file was stored on the suspect's drive
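The two checks described on this and the previous slide, image verification against the acquisition hash and block-wise hashing of sectors, as an added example in Python (not code from the slides, ProDiscover or WinHex). The sample "known file" and "suspect drive" are constructed in the script from a seeded random generator; the sector size of 512 bytes and the use of SHA-256 are assumptions. It goes one step beyond the slide by skipping sectors made of a single repeated byte, since an all-zero sector matches on every drive and proves nothing.

```python
import hashlib
import random

SECTOR_SIZE = 512


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of data; MD5/SHA-1 (as in WinHex) also work here, SHA-256 is the usual choice now."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def verify_image(image, acquisition_hash, algorithm="sha256"):
    """Re-hash a loaded image and compare it with the hash recorded when it was acquired."""
    return hash_bytes(image, algorithm) == acquisition_hash


def is_trivial_sector(sector):
    """A sector made of one repeated byte (e.g. all zeros) occurs on every drive and proves nothing."""
    return len(set(sector)) <= 1


def sector_hashes(data, sector_size=SECTOR_SIZE, algorithm="sha256"):
    """Block-wise hash set: hash of every full sector of the known file, keyed hash -> sector indexes.
    The partial final sector is skipped because its on-disk slack is not predictable."""
    table = {}
    for i in range(len(data) // sector_size):
        chunk = data[i * sector_size:(i + 1) * sector_size]
        if is_trivial_sector(chunk):
            continue
        table.setdefault(hash_bytes(chunk, algorithm), []).append(i)
    return table


def find_sector_matches(drive, table, sector_size=SECTOR_SIZE, algorithm="sha256"):
    """Hash each sector of the suspect drive image; report (drive sector, known-file sectors) hits."""
    matches = []
    for n in range(len(drive) // sector_size):
        sector = drive[n * sector_size:(n + 1) * sector_size]
        if is_trivial_sector(sector):
            continue
        digest = hash_bytes(sector, algorithm)
        if digest in table:
            matches.append((n, table[digest]))
    return matches


# Constructed sample data (not from the page): a 3.5-sector known file and a 10-sector suspect drive.
_rng = random.Random(2024)


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


KNOWN_FILE = _random_bytes(3 * SECTOR_SIZE + 200)
SUSPECT_DRIVE = (
    _random_bytes(2 * SECTOR_SIZE)    # sectors 0-1: unrelated data
    + bytes(SECTOR_SIZE)              # sector 2: all zeros, must never count as a match
    + _random_bytes(SECTOR_SIZE)      # sector 3: unrelated data
    + KNOWN_FILE[:3 * SECTOR_SIZE]    # sectors 4-6: the known file's full sectors, whatever it was named
    + _random_bytes(3 * SECTOR_SIZE)  # sectors 7-9: unrelated data
)


def demo():
    acquisition_hash = hash_bytes(SUSPECT_DRIVE)  # value recorded at acquisition time
    intact = verify_image(SUSPECT_DRIVE, acquisition_hash)
    tampered = bytes([SUSPECT_DRIVE[0] ^ 0x01]) + SUSPECT_DRIVE[1:]  # a single flipped bit
    still_valid = verify_image(tampered, acquisition_hash)
    matches = find_sector_matches(SUSPECT_DRIVE, sector_hashes(KNOWN_FILE))
    return intact, still_valid, matches


if __name__ == "__main__":
    print(demo())
```

Renaming the file on the suspect drive changes nothing here because only sector contents are hashed; a sector hit tells you that content was written to that location, and the examiner then recovers the surrounding sectors to see whether the whole file is present.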
• Using Hash Values to Discriminate Data
– AccessData has its own hashing database, Known File Filter
(KFF)
– KFF filters known program files from view and contains hash values of known illegal files
– It compares known file hash values with files on your evidence
drive to see if they contain suspicious data
– Other digital forensics tools can import the NSRL database and run
Validating with Digital Forensics Tools
• ProDiscover
– .eve files contain metadata that includes hash value
– Has a preference you can enable for using the Auto Verify Image
Checksum feature when image files are loaded
– If the hash computed by Auto Verify Image Checksum doesn't match the hash stored in the .eve file's metadata
• ProDiscover notifies you that the acquisition is corrupt and can't be considered reliable evidence
Addressing Data-Hiding Techniques
• Data hiding - changing or manipulating a file to conceal information
• Techniques:
– Hiding entire partitions
– Changing file extensions
– Setting file attributes to hidden
– Bit-shifting
– Using encryption
– Setting up password protection
Hiding Files by Using the OS
• One of the first techniques to hide data:
– Changing file extensions
• Advanced digital forensics tools check file headers
– Compare the file extension to verify that it’s correct
– If there’s a discrepancy, the tool flags the file as a possible altered
file
• Another hiding technique
– Selecting the Hidden attribute in a file’s Properties dialog box
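The header-versus-extension check that the slide says advanced forensics tools perform, as an added Python example (not code from the slides or any named product). The signature table holds a handful of well-known magic numbers; the sample files are constructed byte strings, so the script runs offline. A header that matches nothing in the table is reported as "unknown" rather than flagged, because a short table cannot distinguish an unusual format from a disguised one.

```python
# Well-known file signatures (magic numbers); one extension may have several.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),  # Office Open XML is a ZIP container
    "exe": (b"MZ",),
    "dll": (b"MZ",),
}


def identify_by_header(data):
    """Extensions whose signature matches the start of the data (may be several, e.g. zip/docx)."""
    return {ext for ext, sigs in SIGNATURES.items() if any(data.startswith(s) for s in sigs)}


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_file(name, data):
    """'ok' when the extension agrees with the header, 'mismatch' when it does not,
    'unknown' when the header matches nothing in the table (review manually; it is not a verdict)."""
    matches = identify_by_header(data)
    if not matches:
        return "unknown"
    return "ok" if extension_of(name) in matches else "mismatch"


def scan(files):
    """files: {name: leading bytes}. Returns [(name, verdict, header types)], mismatches first."""
    results = [(name, check_file(name, data), sorted(identify_by_header(data)))
               for name, data in files.items()]
    return sorted(results, key=lambda r: r[1] != "mismatch")  # stable sort keeps the rest in order


# Constructed sample files (not from the page): only the leading bytes matter for this check.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "budget.docx": b"PK\x03\x04\x14\x00",
    "readme.txt": b"MZ\x90\x00\x03\x00",  # a PE executable renamed to look like a text file
    "notes.bin": b"\x00\x01\x02\x03",
}


def demo():
    return [(name, verdict) for name, verdict, _ in scan(SAMPLE_FILES)]


if __name__ == "__main__":
    for name, verdict, kinds in scan(SAMPLE_FILES):
        print(f"{name:14} {verdict:9} header looks like: {', '.join(kinds) or '-'}")
```

On a real evidence set you would read the first few hundred bytes of each file with `open(path, "rb").read(512)` and feed them to `scan`; the Hidden attribute mentioned on the slide is visible from Python on Windows through `os.stat(path).st_file_attributes` tested against `stat.FILE_ATTRIBUTE_HIDDEN`, so the same pass can list files that were hidden that way.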
Hiding Partitions
• By using the Windows diskpart remove letter command
– You can unassign the partition’s letter, which hides it from view in
File Explorer
• To unhide, use the diskpart assign letter command
• Other disk management tools:
– Partition Magic, Partition Master, and Linux Grand Unified
Bootloader (GRUB)
• To detect whether a partition has been hidden
– Account for all disk space when examining an evidence drive
– Analyze any disk areas containing space you can’t account for
• In ProDiscover, a hidden partition appears as the highest available
drive letter set in the BIOS
– Other forensics tools have their own methods of assigning drive
letters to hidden partitions
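"Account for all disk space" as an added Python example (not code from the slides or from ProDiscover): it parses the four entries of a classic MBR partition table and lists every sector range that no partition claims. The MBR bytes are constructed in the script; the disk size and the partition layout are assumptions. Note the distinction this makes visible: a partition whose drive letter was removed with diskpart still has its table entry and is listed normally, whereas a partition whose entry was deleted or whose type byte was zeroed only shows up as unaccounted space.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr_partitions(mbr):
    """Return the non-empty entries of a classic MBR partition table as dicts (LBA start, sector count)."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i:MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count > 0:  # type 0x00 means "unused"; the OS ignores such an entry too
            parts.append({"index": i, "type": ptype, "start": lba_start, "sectors": count})
    return parts


def unaccounted_ranges(parts, total_sectors):
    """Sector ranges [start, end) that no partition entry covers; sector 0 (the MBR itself) is excluded."""
    used = sorted((p["start"], p["start"] + p["sectors"]) for p in parts)
    gaps = []
    cursor = 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def describe(gaps):
    """Human-readable sizes; the gap before the first partition is normal, the rest deserve a look."""
    return ["sectors %d-%d (%.1f MiB)" % (s, e - 1, (e - s) * SECTOR / 2 ** 20) for s, e in gaps]


def build_mbr(entries):
    """Constructed sample MBR (not from the page): entries are (type, lba_start, sector_count)."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        off = MBR_TABLE_OFFSET + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00  # boot flag
        mbr[off + 4] = ptype
        mbr[off + 8:off + 16] = struct.pack("<II", start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Assumed layout: two NTFS partitions (type 0x07) and a third entry whose type byte was zeroed.
SAMPLE_MBR = build_mbr([(0x07, 2048, 409600), (0x07, 411648, 204800), (0x00, 616448, 300000)])
TOTAL_SECTORS = 1_000_000


def demo():
    parts = parse_mbr_partitions(SAMPLE_MBR)
    return unaccounted_ranges(parts, TOTAL_SECTORS)


if __name__ == "__main__":
    for line in describe(demo()):
        print(line)
```

This handles MBR disks only; a GPT disk needs its partition array parsed instead, and the same accounting is then done against its entries. The unallocated region the script reports is what you would then carve or examine with a hex editor.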
Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or
incriminating data in free or slack space on disk partition clusters
– Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS
considers them unusable
– Only way they can be accessed from the OS is by changing them to
good clusters with a disk editor
• DiskEdit runs only in MS-DOS and can access only FAT-formatted
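Since the OS never reads a cluster its FAT marks as bad, the examiner has to enumerate those clusters from the table directly. The following is an added Python example (not code from the slides or from DiskEdit) that decodes a FAT16 table, lists clusters carrying the bad marker (0xFFF7), groups them into runs and converts a cluster number into a byte offset in the volume image. The sample table, data-area offset and cluster size are constructed assumptions.

```python
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8  # 0xFFF8-0xFFFF mark the end of a cluster chain


def read_fat16(fat_bytes):
    """Decode a FAT16 table: one little-endian 16-bit entry per cluster; entries 0 and 1 are reserved."""
    count = len(fat_bytes) // 2
    return list(struct.unpack("<%dH" % count, fat_bytes[:count * 2]))


def bad_clusters(fat):
    """Cluster numbers whose FAT entry carries the bad-cluster marker."""
    return [c for c, value in enumerate(fat) if c >= 2 and value == FAT16_BAD]


def group_runs(clusters):
    """Collapse sorted cluster numbers into contiguous (first, last) runs for reporting."""
    runs = []
    for c in clusters:
        if runs and c == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], c)
        else:
            runs.append((c, c))
    return runs


def cluster_offset(cluster, data_start, cluster_size):
    """Byte offset of a cluster in the volume image; the data area begins with cluster 2."""
    return data_start + (cluster - 2) * cluster_size


def chain(fat, first):
    """Follow a file's cluster chain; confirms that no live file owns a cluster marked bad."""
    out = []
    c = first
    while 2 <= c < len(fat) and c not in out:  # the membership test also stops a looping chain
        out.append(c)
        c = fat[c]
        if c >= FAT16_EOC_MIN or c in (FAT16_FREE, FAT16_BAD):
            break
    return out


# Constructed 16-entry FAT16 table (not from the page): a two-cluster file in 2-3,
# clusters 4, 5 and 7 marked bad, everything else free.
SAMPLE_FAT = struct.pack("<16H", 0xFFF8, 0xFFFF, 3, 0xFFFF, 0xFFF7, 0xFFF7, 0, 0xFFF7, *([0] * 8))
DATA_START = 0x4000   # assumed byte offset of the data area
CLUSTER_SIZE = 2048   # assumed 4 sectors per cluster


def demo():
    fat = read_fat16(SAMPLE_FAT)
    bad = bad_clusters(fat)
    return [(first, last, cluster_offset(first, DATA_START, CLUSTER_SIZE)) for first, last in group_runs(bad)]


if __name__ == "__main__":
    for first, last, offset in demo():
        print(f"bad clusters {first}-{last} start at byte offset {offset:#x}")
```

Each reported run is then read straight from the image at that offset and examined like any other unallocated area; the FAT's own copy (FAT2) should carry the same markers, and a disagreement between the two copies is itself worth noting in the report.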
Bit-Shifting
• Some users use a low-level encryption program that changes the order of binary data
– This makes the altered data unreadable
– To secure a file, users run an assembler program (also called a "macro") to scramble the bits
– Running another program restores the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like
binary executable code
• WinHex includes a feature for shifting bits
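Bit-shifting as an added Python example (not code from the slides or from WinHex): a whole byte stream is rotated left by a few bits so that the carry crosses byte boundaries, which is why plain text comes out looking like binary. Because a shift by any multiple of 8 bits merely moves whole bytes, only eight candidate shifts need trying to undo it, and the script picks the one that yields the highest ratio of printable bytes. The sample text is constructed.

```python
def rotate_bits(data, n):
    """Rotate the whole byte stream left by n bits (negative n rotates right); carries cross byte edges."""
    if not data:
        return data
    total = len(data) * 8
    n %= total
    as_int = int.from_bytes(data, "big")
    rotated = ((as_int << n) | (as_int >> (total - n))) & ((1 << total) - 1)
    return rotated.to_bytes(len(data), "big")


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def recover(data):
    """Try the eight bit-level shifts and return (shift, candidate) for the most text-like result."""
    best = max(range(8), key=lambda n: printable_ratio(rotate_bits(data, -n)))
    return best, rotate_bits(data, -best)


# Constructed sample (not from the page).
TEXT = b"Meet at the warehouse on Friday; bring the ledger."


def demo():
    shifted = rotate_bits(TEXT, 3)
    shift, plain = recover(shifted)
    return printable_ratio(shifted) < printable_ratio(TEXT), shift, plain == TEXT


if __name__ == "__main__":
    print(demo())
```

The printable-ratio heuristic only works when the underlying data is text; for a shifted executable or image you would instead score each candidate against known file signatures, as the header check on the earlier slide does.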
Understanding Steganalysis Methods
• A way to hide data is to use steganography tools
– Many are freeware or shareware
– Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text
into a steganography file
– Cracking the encrypted message is extremely difficult
• Steganalysis methods
– Stego-only attack
– Known cover attack
– Known message attack
– Chosen stego attack
– Chosen message attack
Performing Remote Acquisitions
• One can remotely connect to a suspect computer via a network
connection and copy data from it
• This method is also faster at obtaining the necessary files, as it does
not depend on a stable network connection.
• Although this is the preferred method, there may be geographical
constraints, especially with larger organizations where the incident
response analysts are a plane ride away from the location containing
the evidence.
• Remote acquisition tools vary in configuration and capabilities, and they require installing a remote agent on the suspect computer
Network Forensics

Network Forensics Overview
• Process of collecting and analyzing raw network data and tracking network traffic
– To ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave a trail behind
– Knowing your network's typical traffic patterns is important in spotting variations in network traffic
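"Knowing your network's typical traffic patterns" made concrete, as an added Python example (not code from the slides): a per-host baseline of destination ports and transfer volume is built from one day of flow records, and the next day's flows are checked against it. Both sets of flow records are constructed in the script (documentation IP ranges), and the three-sigma volume threshold is an assumption.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed flow records (not from the page): time,src,dst,dport,bytes
BASELINE_FLOWS = """\
2024-05-01T09:00:00,10.0.0.5,203.0.113.10,443,100000
2024-05-01T10:00:00,10.0.0.5,203.0.113.10,443,120000
2024-05-01T11:00:00,10.0.0.5,10.0.0.2,53,80000
2024-05-01T12:00:00,10.0.0.5,203.0.113.10,443,110000
2024-05-01T13:00:00,10.0.0.5,10.0.0.2,53,90000
2024-05-01T09:30:00,10.0.0.7,10.0.0.2,53,5000
"""

OBSERVED_FLOWS = """\
2024-05-02T09:05:00,10.0.0.5,203.0.113.10,443,105000
2024-05-02T03:12:00,10.0.0.5,198.51.100.23,4444,2000000
2024-05-02T03:15:00,10.0.0.9,198.51.100.23,443,700
"""

FIELDS = ["time", "src", "dst", "dport", "bytes"]


def parse_flows(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def build_baseline(flows):
    """Per source host: the destination ports it normally uses and the mean/stdev of bytes per flow."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        ports[f["src"]].add(f["dport"])
        volumes[f["src"]].append(f["bytes"])
    return {host: {"ports": ports[host],
                   "mean": statistics.mean(volumes[host]),
                   "stdev": statistics.pstdev(volumes[host])} for host in ports}


def find_deviations(flows, baseline, sigma=3.0):
    """Return (host, reason) for every flow that departs from that host's baseline."""
    alerts = []
    for f in flows:
        b = baseline.get(f["src"])
        if b is None:
            alerts.append((f["src"], "host not seen in baseline"))
            continue
        reasons = []
        if f["dport"] not in b["ports"]:
            reasons.append("new destination port %d" % f["dport"])
        if f["bytes"] > b["mean"] + sigma * b["stdev"]:
            reasons.append("volume %d bytes above baseline" % f["bytes"])
        if reasons:
            alerts.append((f["src"], "; ".join(reasons)))
    return alerts


def demo():
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return find_deviations(parse_flows(OBSERVED_FLOWS), baseline)


if __name__ == "__main__":
    for host, reason in demo():
        print(host, "->", reason)
```

A baseline built from a single day is only a demonstration; in practice it covers enough history to include normal weekly variation, and the same comparison is run per time-of-day as well as per host, since the hour of a transfer (03:12 in the sample) is often as telling as its size.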
The Need for Established Procedures
• Network forensics examiners must establish standard procedures for
how to acquire data after an attack or intrusion
• Essential to ensure that all compromised systems have been found
• Procedures must be based on an organization’s needs and
complement network infrastructure
• NIST created “Guide to Integrating Forensic Techniques into
Incident Response” to address these needs
Developing standard procedures for network forensics
• Network forensics can be a long, tedious process
• A standard procedure that is often used:
– Always use a standard installation image for systems on a network
– Fix any vulnerability after an attack
– Attempt to retrieve all volatile data
– Acquire all compromised drives
– Compare files on the forensic image to the original installation image
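The last step of that procedure, comparing the forensic image's files against the standard installation image, as an added Python example (not code from the slides). It hashes every file under two directory trees and reports what was added, removed or modified. The two trees are constructed in a temporary directory so the script runs on its own; the file names and contents are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root (POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            table[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return table


def compare_trees(baseline, image):
    """baseline/image: dicts from hash_tree(). Returns added, removed and modified relative paths."""
    added = sorted(p for p in image if p not in baseline)
    removed = sorted(p for p in baseline if p not in image)
    modified = sorted(p for p in image if p in baseline and image[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, files):
    """Create the constructed sample tree: {relative path: content}."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Constructed sample: a 'standard installation image' and a 'forensic image' of the same host."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "install_image"
        forensic = Path(tmp) / "forensic_image"
        _write(install, {"bin/service.exe": b"ORIGINAL SERVICE",
                         "bin/helper.dll": b"HELPER",
                         "etc/app.conf": b"debug=0\n"})
        _write(forensic, {"bin/service.exe": b"PATCHED SERVICE!",   # same name, different content
                          "etc/app.conf": b"debug=0\n",             # unchanged
                          "tmp/dropper.exe": b"UNKNOWN"})           # not in the installation image
        return compare_trees(hash_tree(install), hash_tree(forensic))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Everything that differs from the installation image lands in the report, legitimate updates and per-host configuration included, so the output is a triage list rather than a verdict; a known-file hash set such as the NSRL database mentioned earlier on these slides is the usual way to strip the known-good entries from it.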
Using Network Tools
• Sysinternals
– A collection of free tools for examining Windows products
• Examples of the Sysinternals tools:
– RegMon shows Registry data in real time
– Process Explorer shows what is loaded
– Handle shows open files and processes using them
– Filemon shows file system activity
• Tools from PsTools suite created by Sysinternals
– PsExec runs processes remotely
– PsGetSid displays security identifier (SID)
– PsKill kills process by name or ID
– PsList lists details about a process
– PsLoggedOn shows who's logged on locally
– PsPasswd changes account passwords
– PsService controls and views services
– PsShutdown shuts down and restarts PCs
– PsSuspend suspends processes
Examining the Honeynet Project
• The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network hackers
– Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
– Hundreds or even thousands of machines (zombies) can be used
• Zero day attacks
– Another major threat
– Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
• Honeypot
– Normal-looking computer that lures attackers to it
• Honeywalls
– Monitor what's happening to honeypots on your network and record what attackers are doing
Thank you

 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Forensics Analysis and Validation

  • 1. Forensics Analysis and Validation
    Dr R Jegadeesan, Prof-CSE, Jyothishmathi Institute of Technology and Science, Karimnagar
  • 2. Determining What Data to Collect and Analyze
    • Examining and analyzing digital evidence depends on the nature of the investigation
      – And on the amount of data to process
    • Scope creep: when an investigation expands beyond its original description
      – Because unexpected evidence is found
      – Attorneys may ask investigators to examine other areas to recover more evidence
      – Increases the time and resources needed to extract, analyze, and present evidence
  • 3. Determining What Data to Collect and Analyze
    • Scope creep has become more common
      – Criminal investigations require more detailed examination of evidence just before trial
      – To help prosecutors fend off attacks from defense attorneys
    • New evidence often isn't revealed to the prosecution until late
      – It has become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial
  • 4. Validating Forensic Data
    • Ensuring the integrity of the collected data is essential for presenting evidence in court
    • Most forensics tools offer hashing of image files
    • Example: when ProDiscover loads an image file
      – It runs a hash and compares the value with the original hash calculated when the image was first acquired
    • Advanced hexadecimal editors can also be used to verify data integrity
  • 5. Validating with Hexadecimal Editors
    • Advanced hex editors offer features not always available in digital forensics tools, such as:
      – Hashing specific files or sectors
    • With the hash value in hand
      – You can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file
    • WinHex provides MD5 and SHA-1 hashing algorithms
      – Both have practical collision attacks, so record a SHA-256 value alongside them where the tool allows; a matching MD5 or SHA-1 still proves nothing was changed by accident, but not that nothing was changed on purpose
  • 6. Validating with Hexadecimal Editors
    • Advantage of recording hash values
      – You can determine whether data has changed
    • Block-wise hashing
      – A process that builds a data set of hashes of the sectors of the original file
      – Then examines the sectors on the suspect's drive to see whether any of them match
      – If an identical hash value is found, you have confirmed that at least that sector of the file was stored on the suspect's drive
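Block-wise hashing as described on this slide, written out as an added example (not code from the slides or from any forensics tool). It assumes 512-byte sectors and SHA-256; the "known" file and the disk image are constructed in the block. Two practitioner caveats are built in: the trailing partial sector of the known file is not indexed, because on disk that sector also holds slack and will never match, and a copy of the file that is not sector-aligned is not found, because the scan moves at sector stride.

```python
import hashlib
import random

SECTOR = 512  # sector size assumed for this example


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Index the SHA-256 of every full sector of a known file, keyed by digest.

    The trailing partial sector is deliberately skipped: on the suspect
    drive that sector also carries slack (whatever followed the file's
    last byte), so its hash could never match the known file anyway.
    """
    index = {}
    for i in range(len(data) // sector):
        chunk = data[i * sector:(i + 1) * sector]
        index[hashlib.sha256(chunk).hexdigest()] = i
    return index


def find_sector_matches(known: bytes, image: bytes, sector: int = SECTOR) -> list:
    """Walk the image at sector stride and report (image_sector, known_sector)
    pairs whose hashes match. Files live on sector boundaries, so an aligned
    copy is found; a copy embedded at an arbitrary byte offset is not."""
    index = sector_hashes(known, sector)
    hits = []
    for j in range(len(image) // sector):
        digest = hashlib.sha256(image[j * sector:(j + 1) * sector]).hexdigest()
        if digest in index:
            hits.append((j, index[digest]))
    return hits


# Constructed test data (not real evidence): a 1300-byte "known" file and a
# 12-sector image holding an aligned copy at sector 3 and a second copy that
# starts 100 bytes into sector 7 (not sector-aligned, so it is not found).
_rng = random.Random(1)
KNOWN = bytes(_rng.getrandbits(8) for _ in range(1300))
_rng = random.Random(2)
_filler = bytearray(_rng.getrandbits(8) for _ in range(12 * SECTOR))
_filler[3 * SECTOR:3 * SECTOR + len(KNOWN)] = KNOWN
_filler[7 * SECTOR + 100:7 * SECTOR + 100 + len(KNOWN)] = KNOWN
IMAGE = bytes(_filler)

if __name__ == "__main__":
    for image_sector, known_sector in find_sector_matches(KNOWN, IMAGE):
        print(f"image sector {image_sector} == known file sector {known_sector}")
```

Only sectors 3 and 4 of the image are reported: sector 5 holds the file's 276-byte tail plus slack, and the unaligned copy straddles sector boundaries. A real tool would also try the scan at several sub-sector offsets, or use the file system's cluster map, to catch data that is not on a boundary.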
  • 7. Validating with Hexadecimal Editors
    • Using hash values to discriminate data
      – AccessData has its own hashing database, Known File Filter (KFF)
      – KFF filters known program files from view and contains hash values of known illegal files
      – It compares known file hash values with the files on your evidence drive to see whether they contain suspicious data
      – Other digital forensics tools can import the NSRL (National Software Reference Library) database and run
  • 8. Validating with Digital Forensics Tools
    • ProDiscover
      – .eve files contain metadata that includes the hash value
      – Has a preference you can enable for using the Auto Verify Image Checksum feature when image files are loaded
      – If the Auto Verify Image Checksum result and the hash in the .eve file's metadata don't match
        • ProDiscover notifies you that the acquisition is corrupt and can't be considered reliable evidence
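The two hash checks from slides 4, 7 and 8, as one added example (not ProDiscover's or AccessData's code): re-hashing an image against the values recorded at acquisition, and a KFF-style pass that drops files matching a known-good set and flags files matching a known-bad set. The image, the file set and both hash sets are constructed in the block; a real known-good set would come from NSRL or the vendor's database.

```python
import hashlib
import hmac


def image_hashes(image: bytes, chunk: int = 1 << 20) -> dict:
    """Hash an acquired image in chunks (real images do not fit in memory).
    MD5 and SHA-1 are what older tools record; SHA-256 is what to record now."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for off in range(0, len(image), chunk):
        piece = image[off:off + chunk]
        for d in digests.values():
            d.update(piece)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(image: bytes, recorded: dict) -> dict:
    """Recompute every algorithm present in the acquisition record and compare.
    Any False means the image is no longer the one that was acquired."""
    current = image_hashes(image)
    return {alg: hmac.compare_digest(current[alg], value.lower())
            for alg, value in recorded.items()}


def kff_filter(files: dict, known_good: set, known_bad: set) -> tuple:
    """Known-file filtering: hide files whose SHA-256 is in the known-good set,
    flag files in the known-bad set, leave everything else for manual review.
    A hash present in both sets is flagged: known-bad wins."""
    ignored, flagged, review = [], [], []
    for name in sorted(files):
        digest = hashlib.sha256(files[name]).hexdigest()
        if digest in known_bad:
            flagged.append(name)
        elif digest in known_good:
            ignored.append(name)
        else:
            review.append(name)
    return ignored, flagged, review


# Constructed sample data (not a real acquisition).
EVIDENCE = bytes(range(256)) * 64            # a 16 KiB stand-in for an image
RECORD = image_hashes(EVIDENCE)              # the hashes stored at acquisition time
_tampered = bytearray(EVIDENCE)
_tampered[5000] ^= 0x01                      # one flipped bit
TAMPERED = bytes(_tampered)

FILES = {"notepad.exe": b"MZ" + b"\x90" * 64,
         "invoice.pdf": b"%PDF-1.4 constructed sample",
         "cat.jpg": b"\xff\xd8\xff" + b"\x00" * 32}
KNOWN_GOOD = {hashlib.sha256(FILES["notepad.exe"]).hexdigest()}   # stands in for NSRL
KNOWN_BAD = {hashlib.sha256(FILES["cat.jpg"]).hexdigest()}        # stands in for a contraband set

if __name__ == "__main__":
    print("untouched:", verify_image(EVIDENCE, RECORD))
    print("tampered: ", verify_image(TAMPERED, RECORD))
    print("kff:      ", kff_filter(FILES, KNOWN_GOOD, KNOWN_BAD))
```

A single flipped bit fails all three algorithms; that is the condition under which a tool like ProDiscover refuses to treat the image as reliable. The record itself should be stored outside the image (a signed sidecar or the case log), or an attacker who can alter the image can alter the hash too.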
  • 9. Addressing Data-Hiding Techniques
    • Data hiding: changing or manipulating a file to conceal information
    • Techniques:
      – Hiding entire partitions
      – Changing file extensions
      – Setting file attributes to hidden
      – Bit-shifting
      – Using encryption
      – Setting up password protection
  • 10. Hiding Files by Using the OS
    • One of the first techniques used to hide data:
      – Changing file extensions
    • Advanced digital forensics tools check file headers
      – They compare the header with the file extension to verify that the extension is correct
      – If there's a discrepancy, the tool flags the file as possibly altered
    • Another hiding technique
      – Selecting the Hidden attribute in a file's Properties dialog box
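The header-versus-extension check the slide describes, as an added example (not the code of any forensics product). The signature table is an assumption covering a handful of common formats; a real tool carries hundreds of entries and also handles formats with no fixed header. The sample files are constructed. The `is_hidden` helper shows where the Hidden attribute actually lives on Windows (`st_file_attributes`) and is not exercised by the sample set.

```python
import os
import stat

# (magic bytes, extensions that legitimately carry that header): assumed table
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),  # OOXML is zip
    (b"MZ", {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", {"elf", "so", ""}),                                 # often no extension
]


def detect_type(head: bytes):
    """Return the extension set of the first matching signature, or None."""
    for magic, exts in SIGNATURES:
        if head.startswith(magic):
            return exts
    return None


def check_extension(name: str, data: bytes) -> str:
    """'ok' if the extension agrees with the header, 'mismatch' if it does not,
    'unknown' if the header is not in the table (not the same as innocent)."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts = detect_type(data[:16])
    if exts is None:
        return "unknown"
    return "ok" if ext in exts else "mismatch"


def audit(files: dict) -> dict:
    """Verdict per file name for an in-memory {name: bytes} set."""
    return {name: check_extension(name, data) for name, data in files.items()}


def is_hidden(path: str) -> bool:
    """The Hidden attribute on Windows; a leading dot everywhere else."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)   # Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


# Constructed sample files (not from any case)
SAMPLE = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 28,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # an executable renamed to .jpg
    "notes.txt": b"%PDF-1.7\n%constructed",            # a PDF posing as text
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "blob.dat": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {name}")
```

The "unknown" verdict matters as much as "mismatch": a file whose header matches nothing is either an unsupported format or deliberately headerless (encrypted, bit-shifted, or raw), and belongs on the review list rather than the ignore list.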
  • 11. Hiding Partitions
    • By using the Windows diskpart remove letter command
      – You can unassign the partition's drive letter, which hides it from view in File Explorer
      – The partition table itself is not changed, so any tool that reads the disk directly still sees the partition
    • To unhide, use the diskpart assign letter command
    • Other disk management tools:
      – Partition Magic, Partition Master, and the Linux Grand Unified Bootloader (GRUB)
  • 12. Hiding Partitions
    • To detect whether a partition has been hidden
      – Account for all disk space when examining an evidence drive
      – Analyze any disk areas containing space you can't account for
    • In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS
      – Other forensics tools have their own methods of assigning drive letters to hidden partitions
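"Account for all disk space" made concrete, as an added example that is not ProDiscover's method: parse the four primary entries of an MBR, then list every sector range no entry covers. The MBR is constructed in the block (a 65536-sector disk with an NTFS and a Linux partition and a large hole between them). GPT disks need a different parser, and extended partitions need the EBR chain followed; neither is shown.

```python
import struct

SECTOR = 512


def make_entry(ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte MBR partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", 0x00, b"\0" * 3, ptype, b"\0" * 3, lba_start, sectors)


def parse_mbr(mbr: bytes) -> list:
    """Read the four primary entries; type 0 or zero length means unused."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype and sectors:
            parts.append({"slot": i, "type": ptype,
                          "start": lba_start, "end": lba_start + sectors})
    return parts


def unaccounted_space(parts: list, total_sectors: int) -> list:
    """(start, end) sector ranges, end exclusive, that no partition covers."""
    gaps, cursor = [], 1            # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


# Constructed disk: 65536 sectors, NTFS at LBA 2048, Linux at LBA 40960.
DISK_SECTORS = 65536
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x07, 2048, 20480)
              + make_entry(0x83, 40960, 10240)
              + make_entry(0, 0, 0)
              + make_entry(0, 0, 0)
              + b"\x55\xaa")

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"slot {p['slot']} type 0x{p['type']:02x} sectors {p['start']}-{p['end'] - 1}")
    for start, end in unaccounted_space(parts, DISK_SECTORS):
        print(f"unallocated: {start}-{end - 1} ({(end - start) * SECTOR // 1024} KiB)")
```

The gap from sector 1 to 2047 is the normal alignment gap modern partitioning tools leave, but it is still space where a bootkit or a hand-placed blob can sit. The 18432-sector hole between the two partitions is the one that demands an explanation: a deleted or hidden entry, or a partition whose table slot was zeroed by hand. A partition whose drive letter was removed with diskpart would not show up here at all, because its entry is untouched.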
  • 13. Marking Bad Clusters
    • A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space in a partition's clusters
      – Involves using old utilities such as Norton DiskEdit
      – Good clusters can be marked as bad clusters in the FAT so the OS considers them unusable
      – The only way they can be accessed from the OS is by changing them back to good clusters with a disk editor
    • DiskEdit runs only in MS-DOS and can access only FAT-formatted
  • 14. Bit-Shifting
    • Some users use a low-level program that changes the order of binary data
      – Makes the altered data unreadable
      – Often described as encryption, but there is no key: anyone who knows the shift can reverse it
    • To secure a file, users run an assembler program (also called a "macro") to scramble the bits
      – Then run another program to restore the scrambled bits to their original order
    • Bit-shifting changes data from readable code to data that looks like binary executable code
    • WinHex includes a feature for shifting bits
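A per-byte bit rotation of the kind the slide describes, with the reversal an examiner would apply, as an added example (not WinHex's implementation). The point it makes beyond the slide: because there is no key, "recovering" the data is a matter of trying all eight rotations and keeping the one that looks like text. The message is constructed.

```python
PRINTABLE = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}


def rotate_bits(data: bytes, shift: int) -> bytes:
    """Rotate every byte left by `shift` bits (a per-byte bit shift); a negative
    shift rotates right, so rotate_bits(rotate_bits(x, s), -s) == x."""
    s = shift % 8
    return bytes(((b << s) | (b >> (8 - s))) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover(scrambled: bytes) -> tuple:
    """Try all eight rotations and return (shift_used, plaintext) for the one
    that yields the most printable text. Eight tries is the entire keyspace."""
    best = max(range(8), key=lambda s: printable_ratio(rotate_bits(scrambled, -s)))
    return best, rotate_bits(scrambled, -best)


# Constructed message; the "hidden" file is this rotated left by 3 bits per byte.
MESSAGE = b"The drop is at pier 9 at dawn; bring the lazy dog's drive."
SCRAMBLED = rotate_bits(MESSAGE, 3)

if __name__ == "__main__":
    print("scrambled printable ratio:", round(printable_ratio(SCRAMBLED), 2))
    shift, plain = recover(SCRAMBLED)
    print(f"recovered with shift {shift}: {plain!r}")
```

The scrambled bytes have a high proportion of values above 0x7f and control characters, which is why the slide says the result "looks like binary executable code"; the same property is what the printable-ratio score exploits. Real encryption would score the same under every candidate shift.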
  • 15. Understanding Steganalysis Methods
    • One way to hide data is to use steganography tools
      – Many are freeware or shareware
      – They insert information into a variety of carrier files
    • If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
      – Cracking the encrypted message is extremely difficult, even once the hidden data has been detected and extracted
  • 16. Understanding Steganalysis Methods
    • Steganalysis methods, named by what the analyst has to work with:
      – Stego-only attack: only the suspected stego file is available
      – Known cover attack: both the stego file and the original carrier are available
      – Known message attack: the hidden message is known and is used to find the embedding pattern
      – Chosen stego attack: the stego file and the tool that produced it are available
      – Chosen message attack: the analyst embeds a message of their own choosing to study the tool's output
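The known cover attack from the list above, carried out against a sequential least-significant-bit embedding, as an added example (no real stego tool is used; the embedding routine here is a textbook LSB scheme written for the demonstration). With the original carrier in hand, every byte that differs between cover and stego is a payload bit, the fact that only bit 0 ever changes fingerprints the method, and the position of the last changed byte bounds the payload length. The cover is seeded random bytes standing in for pixel data; the message is constructed.

```python
import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write the message bits, MSB first, into the least significant bit of
    consecutive cover bytes (sequential LSB embedding)."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def known_cover_attack(cover: bytes, stego: bytes) -> dict:
    """Compare carrier and suspect file byte by byte.
    changed: positions that differ; only_lsb: every difference is in bit 0
    (fingerprint of LSB embedding); min_payload_bytes: a lower bound on the
    payload length, since the last changed byte belongs to the payload."""
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    only_lsb = all((cover[i] ^ stego[i]) == 1 for i in changed)
    span_bits = (changed[-1] + 1) if changed else 0
    return {"changed": changed, "only_lsb": only_lsb,
            "min_payload_bytes": (span_bits + 7) // 8}


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Read n_bytes of payload back out of the LSBs."""
    bits = [b & 1 for b in stego[:n_bytes * 8]]
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


# Constructed cover and message.
COVER = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
MESSAGE = b"payload: wire 40k to acct 7781"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    result = known_cover_attack(COVER, STEGO)
    print("bytes changed:", len(result["changed"]), "only LSBs:", result["only_lsb"])
    print("payload is at least", result["min_payload_bytes"], "bytes")
    print("extracted:", extract_lsb(STEGO, result["min_payload_bytes"]))
```

Roughly half of the payload bits already match the cover's LSBs, so the bound is a lower bound and the changed positions are sparse; that is exactly why a stego-only attack needs statistics (for instance a chi-square test on pairs of values) rather than a byte diff. The extracted bytes are ciphertext if the sender encrypted first, which is the point slide 15 makes.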
  • 17. Performing Remote Acquisitions
    • An examiner can connect to a suspect computer over the network and copy data from it
    • This can be faster than travelling to the system, but it depends on a stable network connection with enough bandwidth for the volume of data being copied
    • Although it is often the preferred method, there may be geographical constraints, especially in larger organizations where the incident response analysts are a plane ride away from the location containing the evidence
    • Remote acquisition tools vary in configuration and capabilities, and they require installing a remote agent on the suspect computer
  • 18. Network Forensics Overview
    • The process of collecting and analyzing raw network data and tracking network traffic
      – To ascertain how an attack was carried out or how an event occurred on a network
    • Intruders leave a trail behind
      – Knowing your network's typical traffic patterns is important for spotting variations in network traffic
  • 19. Developing Standard Procedures for Network Forensics: The Need for Established Procedures
    • Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion
    • Essential to ensure that all compromised systems have been found
    • Procedures must be based on an organization's needs and complement its network infrastructure
    • NIST created SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response", to address these needs
  • 21. Developing Standard Procedures for Network Forensics
    • Network forensics can be a long, tedious process
    • A standard procedure that is often used:
      – Always use a standard installation image for systems on a network
      – Fix any vulnerability after an attack
      – Attempt to retrieve all volatile data
      – Acquire all compromised drives
      – Compare files on the forensic image to the original installation image
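The last step of that procedure, comparing the forensic image against the standard installation image, as an added example (not from NIST SP 800-86 or from any product). Both images are represented as in-memory path-to-bytes maps, hashed into manifests, and diffed; the file contents are constructed and stand in for real binaries and config files.

```python
import hashlib


def manifest(files: dict) -> dict:
    """path -> SHA-256 for one image; in practice the baseline manifest is
    generated once from the installation image and kept under change control."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline: dict, suspect: dict) -> dict:
    """Files that appeared, disappeared, or changed relative to the clean image."""
    common = set(baseline) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(baseline)),
        "removed": sorted(set(baseline) - set(suspect)),
        "modified": sorted(p for p in common if baseline[p] != suspect[p]),
    }


# Constructed file sets standing in for the two images.
INSTALL_IMAGE = {
    "/bin/ls": b"ELF ls v1",
    "/usr/sbin/sshd": b"ELF sshd v1",
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "/etc/cron.d/updates": b"0 3 * * * root /usr/bin/apt update\n",
}
SUSPECT_IMAGE = {
    "/bin/ls": b"ELF ls v1 + hidden payload",                   # trojaned binary
    "/usr/sbin/sshd": b"ELF sshd v1",                            # unchanged
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n"
                   b"toor:x:0:0::/root:/bin/sh\n",               # second uid-0 account
    "/tmp/.x/kit.so": b"ELF rootkit",                            # new file
}


def triage() -> dict:
    return compare_to_baseline(manifest(INSTALL_IMAGE), manifest(SUSPECT_IMAGE))


if __name__ == "__main__":
    for kind, paths in triage().items():
        print(f"{kind}: {paths}")
```

On a real system the diff is noisy (logs, caches, package updates), so the comparison is run with a per-path allowlist of paths expected to change, and anything under system binary or startup directories that differs from the baseline goes to the top of the list. The manifest of the suspect image must be built from the acquired image, never from the live system, where a rootkit can lie about file contents.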
  • 22. Using Network Tools
    • Sysinternals
      – A collection of free tools for examining Windows systems
    • Examples of the Sysinternals tools:
      – RegMon shows Registry activity in real time
      – Process Explorer shows what is loaded
      – Handle shows open files and the processes using them
      – Filemon shows file system activity
      – RegMon and Filemon have since been retired; Process Monitor (Procmon) now provides both views
  • 23. Using Network Tools
    • Tools from the PsTools suite created by Sysinternals
      – PsExec runs processes remotely
      – PsGetSid displays a security identifier (SID)
      – PsKill kills a process by name or ID
      – PsList lists details about a process
      – PsLoggedOn shows who's logged on locally
      – PsPasswd changes account passwords
      – PsService controls and views services
      – PsShutdown shuts down and restarts PCs
      – PsSuspend suspends processes
  • 24. Examining the Honeynet Project
    • The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network hackers
      – Its objectives are awareness, information, and tools
    • Distributed denial-of-service (DDoS) attacks
      – Hundreds or even thousands of machines (zombies) can be used
    • Zero-day attacks
      – Another major threat
      – Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
    • Honeypot
      – A normal-looking computer that lures attackers to it
    • Honeywalls
      – Monitor what's happening to the honeypots on your network and record what attackers are doing