Let's do some Autopsy!!
AUTOPSY
REALLY?
BUT CLOSE…
What is forensics
Why forensics
Anti-Forensics
How to become a forensics expert
Some terms
Computer Forensics
Memory analysis
Volatile/non-volatile
Encryption/steganography
Network analysis
Hands-on challenges
Vikas Jain
Er.vikey@gmail.com Follow me at @ervikey
Forensics is related to courts and trials, i.e. to answering questions related to the legal system.
Computer forensics helps answer whether a digital device was part of a cyber crime or the victim of a cyber crime.
The purpose is to find evidence which can prove, in a court case, what was done on the system.
Five aspects:
IF, WHO, WHAT, WHEN, WHY
Fraud
Drug trafficking
Child pornography
Espionage
Copyright infringement
Discover what was lost
Recover deleted data
Discover entry point
CYBER - ATTACKS
A set of techniques used as countermeasures to forensic analysis
Ex. Full-Disk Encryption
Truecrypt on Linux,Windows and OSX
Filevault 2 on OSX
BitLocker Windows
File Eraser
AbsoluteShield File Shredder
Heidi Eraser
Permanent Eraser
TOO DAMN EASY!!
Operating Systems
File System
Disk Partitioning
Networking
Memory Management
And Of Course A little of these…..
Collect evidence and present it in the court
Search and seize the equipment
Conduct preliminary assessment to search for evidence
Find and interpret the clues left behind
Determine if an incident had occurred
Acquisition
e-discovery
Chain of custody
Expert witness
First Responder
Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
Computer Forensics:
Memory Analysis
Network Data Analysis
Document or file analysis
OS Analysis
Mobile Analysis
Database Analysis
Hardware
Removable HD enclosures or connectors with different plugs
Write blockers
A DVD burner
External disks
USB2, FireWire, SATA and e-SATA controllers, if possible
Software
Multiple operating systems
Linux: extensive native file system support
VMs running various Windows versions (XP, Vista, 7, 8)
Forensics toolkits
E.g., SleuthKit http://www.sleuthkit.org
WinHex
Internet Evidence Finder
Non-Volatile Memory
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
Volatile Memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes
It's extremely important to understand this:
Trying to obtain the data may alter it.
Simply doing nothing is also not good: a running system continuously evolves.
The Heisenberg Uncertainty Principle of data gathering and system analysis: as you capture data in one part of the computer you are changing data in another.
Use write blockers.
Data type                                    Lifetime
Registers, peripheral memory, caches, etc.   nanoseconds
Main memory                                  nanoseconds
Network state                                milliseconds
Running processes                            seconds
Disk                                         minutes
Floppies, backup media, etc.                 years
CD-ROMs, printouts, etc.                     tens of years
RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and the decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
Tools to be used:
Belkasoft Live RAM Capturer
Memory DD
MANDIANT Memoryze
Data is stored permanently on the disk.
Shift + Delete will NOT remove it.
If data is deleted there ARE tools to recover it.
It all depends on the type of file system being used: NTFS, FAT, ext, HFS…
dd
dd if=/dev/sda1 of=/dev/sdb1/root.raw
dcfldd
dcfldd if=/dev/sda1 hash=md5 of=/dev/sdb1/root.raw
(In both commands the options are written option=value with no spaces. The output file must live on a mounted evidence volume, not be written to a raw device node; dcfldd also accepts hash=sha256, which matches the court requirement noted below.)
ProDiscover
EnCase
FTK
Sleuth Kit (Autopsy)
WinHex
After a clone or an image is made it is very important to make a hash of it.
After the complete analysis of the disk or the image we calculate the hash again.
This is important because we need to prove in court that the evidence has not been tampered with.
Currently Indian courts accept SHA-256.
Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
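The acquisition-time hash and the post-analysis re-check described above, as an added shell example that is not from the slides: it assumes sha256sum from GNU coreutils is available, and the "image" it hashes is a small constructed file standing in for root.raw. The recorded hash lives in a side file so it can be produced alongside the image.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes sha256sum (coreutils).

# Compute the SHA-256 of an image and record it in a side file.
# Usage: record_hash IMAGE HASHFILE
record_hash() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# Recompute the hash of IMAGE and compare it with the value in HASHFILE.
# Prints INTACT or TAMPERED and returns 0 or 1 accordingly.
# Usage: verify_hash IMAGE HASHFILE
verify_hash() {
    recorded=$(cat "$2")
    current=$(sha256sum "$1" | awk '{print $1}')
    if [ "$recorded" = "$current" ]; then
        echo "INTACT $current"
        return 0
    fi
    echo "TAMPERED recorded=$recorded current=$current"
    return 1
}

# Walk through the workflow on a constructed stand-in for a disk image.
demo() {
    work=$(mktemp -d)
    img="$work/root.raw"
    printf 'constructed disk image contents\n' > "$img"   # constructed sample
    record_hash "$img" "$work/root.raw.sha256"             # at acquisition time
    verify_hash "$img" "$work/root.raw.sha256"             # after analysis: INTACT
    printf 'x' >> "$img"                                   # simulate an accidental write
    verify_hash "$img" "$work/root.raw.sha256" || echo "hash mismatch detected"
    rm -rf "$work"
}

demo
```

Keep the side file with the chain-of-custody paperwork: the value that is compared in court is the one recorded at acquisition, so it must be stored where the analyst cannot silently overwrite it.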
Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
This makes the entire task of analysis easier.
With tools like Live View it is even possible to recreate the entire scenario, i.e. the actual operating system, on a virtual machine.
Live View is only compatible up to Windows XP.
The tools really worth looking at for this are:
Mount Image Pro and Virtual Forensic Computing
Slack space
ADS (alternate data streams)
Steganography
Hidden partitions
Unallocated space
Modified file extensions
Metadata
While imaging or cloning a disk an exact copy is made, and hence the hidden data remains as it is.
There is no specific tool for the extraction of the hidden data, and hence we need to perform manual analysis on the image or the disk using hex editors.
Eg: WinHex
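One of the hiding tricks listed above, modified file extensions, can be checked for without a hex editor by comparing a file's extension with its leading magic bytes. The following is an added shell example, not from the slides; it uses only POSIX sh, head and od, covers a handful of well-known signatures, and the sample files it inspects are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original slides. POSIX sh plus head/od only.

# Print the first 4 bytes of a file as lowercase hex, e.g. "89504e47".
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Map leading magic bytes to the file type they identify.
# Only a few common signatures are covered; extend the table as needed.
type_from_magic() {
    case "$1" in
        89504e47) echo png ;;      # PNG
        ffd8ff*)  echo jpg ;;      # JPEG
        25504446) echo pdf ;;      # %PDF
        504b0304) echo zip ;;      # ZIP (also docx/xlsx/jar)
        4d5a*)    echo exe ;;      # MZ: Windows executable
        *)        echo unknown ;;
    esac
}

# Compare a file's extension with its content type.
# Prints OK, MISMATCH or UNKNOWN; returns 1 only on a mismatch.
check_extension() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    actual=$(type_from_magic "$(magic_hex "$1")")
    if [ "$actual" = unknown ]; then
        echo "UNKNOWN $1"
        return 0
    fi
    [ "$ext" = jpeg ] && ext=jpg          # jpeg and jpg are the same type
    if [ "$ext" = "$actual" ]; then
        echo "OK $1 ($actual)"
        return 0
    fi
    echo "MISMATCH $1 extension=$ext content=$actual"
    return 1
}

# Run the check over a few constructed files.
demo() {
    work=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$work/photo.png"   # genuine PNG header
    printf '\211PNG\r\n\032\n' > "$work/notes.txt"   # PNG disguised as text
    printf 'MZ\220\003' > "$work/invoice.pdf"         # executable disguised as PDF
    for f in "$work"/*; do
        check_extension "$f" || true
    done
    rm -rf "$work"
}

demo
```

Over a mounted image the same loop can be pointed at the whole tree with find; unknown signatures are reported rather than flagged so that the list stays short enough to triage by hand.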
While performing analysis on disks and images there is a very good chance that we come across encrypted data.
This creates a problem for a forensic analyst.
Even though there are tools and techniques to break encryption, we sometimes fail to do so.
A series of attacks are carried out to break encryption:
Brute Force Attack
Dictionary Attack
Known Plaintext Attack
Rainbow Table Attack
Tools: A variety of stand-alone as well as online tools are available which help in recovering passwords for encrypted files.
AZPR
AOPR
Decryptum (online)
Passware Kit
If we come across files or data encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
In such cases the furthest we can go is to look for the keys on the machine.
From a culprit's point of view steganography is something that goes beyond cryptography.
This is because detecting steganography manually is a big challenge for any individual.
And with not enough tools on the market to detect steganography, the job becomes even more tiresome.
Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm; it is not a big task to achieve. That makes detection difficult.
Confidential information
Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
StegDetect
StegSecret
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
Why does network forensics play an important role?
Network forensics can reveal whether the network or the machine from which the crime occurred was compromised or not, which can turn out to be really handy in some cases.
tcpdump
Wireshark
NetworkMiner
Snort
Activity:
Find as much information as you can…
Happy Hacking!!!
Digital Forensics