The document discusses different types of evidence used in legal cases, including testimonial evidence from eyewitnesses and physical evidence found at crime scenes. It notes that eyewitness testimony can be unreliable due to factors like stress, biases, and memory errors over time. Physical evidence is considered more reliable and can include trace evidence like fibers, fingerprints, DNA, tool marks, firearms evidence, and more. The document emphasizes how physical evidence can be analyzed and compared to help determine its origin and link it to people or places associated with a crime.
The document discusses digital forensics, including what it is, types of computer crimes, tools used like FTK and Encase, procedures that must be followed, and examples of cases like Enron and United States vs Ivanov. Digital forensics involves recovering and investigating digital evidence from devices and can be used to find deleted data, track locations, and discover information through tools like forensic software. Proper seizure and collection of evidence must adhere to legal standards like using a write blocker.
Computer forensics is used to discover evidence of computer crimes by collecting, preserving, and analyzing digital evidence from computers and storage media. It helps criminal and civil legal cases involving issues like espionage, intellectual property theft, employee misuse of computers, and medical billing fraud. The computer forensics process includes securing evidence, making copies or images of storage devices, examining files and locations where deleted or hidden data may be stored, and documenting the investigation. Maintaining control of intellectual property and trade secrets is challenging as organizations increasingly process data overseas where there is greater risk of information leakage.
This document provides an overview of crime scene investigation and analysis of forensic evidence. It discusses what constitutes a crime scene and the types of evidence that may be collected, including biological evidence, latent prints, footwear and tire tracks, trace evidence, and firearm evidence. It outlines the basic process of conducting a crime scene investigation and how the evidence is analyzed, with a focus on DNA evidence analysis using techniques like polymerase chain reaction, short tandem repeats, Y-chromosome analysis, and mitochondrial DNA analysis.
The document outlines the responsibilities and procedures for the initial responding officer arriving at a crime scene. It discusses 5 key steps: 1) making initial observations and assessments, 2) ensuring safety, 3) providing medical assistance, 4) controlling persons at the scene, and 5) defining and securing boundaries. The initial responding officer is responsible for preserving evidence, documenting information, and controlling access to protect the integrity of the crime scene.
Cyber crimes are increasing day by day, and so is the volume of digital evidence found at crime scenes.
To learn more about cyber evidence, follow the link below:
https://youtu.be/2PBoOPU9e00
The forensic science laboratory plays an important role in criminal investigations by examining physical evidence scientifically. It has several units that analyze evidence including firearms, fingerprints, documents, and biology. Evidence is carefully collected according to established principles and can be used to link suspects to crimes, aid in reconstructing events, and protect the innocent. The laboratory utilizes multiple types of evidence including physical traces, chemicals, and biological samples to help solve cases.
This document provides an overview of cyber forensics. It discusses the cyber forensics process, which involves collection, preservation, analysis, documentation and presentation of digital evidence. It also covers topics like the chain of custody process, the role of first responders, acquisition and duplication of evidence, hashing and write protection, analyzing deleted data through data recovery tools, Windows and Linux log analysis, and responding to cyber crimes. Specific cyber crimes discussed include phishing, 419 scams, spamming, malware distribution, cyberstalking, fake online profiles, credit card fraud, and ransomware attacks. Reporting mechanisms and analysis tools for each are presented. The document concludes with a discussion of career paths in cyber forensics.
This document provides an overview of law enforcement procedures for criminal investigations, including preliminary investigations, securing crime scenes, collecting evidence, and forensic analysis techniques. It discusses protocols for responding to and documenting crime scenes, as well as collecting trace evidence like fingerprints, ballistics, and DNA. Advanced technologies like AFIS, NIBIN, and superglue fuming have improved the ability to identify suspects and link crimes through physical evidence analysis.
Forensic science is the application of science to matters of law. It involves the examination of physical evidence found at crime scenes to help establish facts. Forensic scientists study evidence to identify its origin and how it got to the crime scene. They then present their expert analysis and conclusions in court. Crime labs, which can be public or private, have different units that examine different types of evidence using various scientific disciplines like chemistry, biology, and physics.
The document discusses questioned documents and provides definitions and examples of different types of questioned documents. It covers two levels of information that can be obtained from documents - superficial and deeper evidence. It also lists different types of evidence that can be analyzed from documents, including identifying the author or determining authenticity. The document provides a brief history of the field and discusses tools and techniques used in analysis, such as ultraviolet light, infrared examination, video spectral comparator, and electrostatic detection apparatus.
The crime scene is where forensic investigations begin and physical evidence must be carefully collected and preserved. Upon arrival, the scene is documented through photography, sketches, and notes while being secured and searched systematically. Evidence is then packaged with detailed labeling to maintain the strict chain of custody, recording everyone who handles it to ensure its integrity if used in court.
This document provides an overview of forensic document examination. It discusses the role of a forensic document examiner, the types of examinations they conduct, and several past and ongoing cases. The Albert Osborn and Lindbergh Baby case is discussed as establishing the field. Current cases mentioned include the Casey Anthony trial, where a heart-shaped sticker was found but then not seen later, and the ongoing Gabrielle Giffords case where handwriting analysis is being requested. The document also outlines the training, skills, and protocols used in comparing documents and specimens.
This document provides an overview of computer forensics. It defines computer forensics as the process of preserving, identifying, extracting, documenting and interpreting computer data for legal evidence. The document then outlines the history of computer forensics, the steps involved which include acquisition, identification, evaluation and presentation, certifications available, requirements to work in the field, how evidence is collected, uses of computer forensics in criminal and civil cases, advantages like ability to search large amounts of data quickly, and disadvantages such as costs and ensuring no evidence tampering. It also lists some computer forensics labs and centers in India.
Admissibility of forensic evidence in the court of law (Rajshree Sable)
This document discusses the admissibility and constitutional validity of various forensic evidence techniques in Indian courts. It begins by defining evidence and forensic evidence. It then outlines certain fundamental rights from the Indian Constitution that relate to admissibility, including protections against self-incrimination (Article 20), the right to life and personal liberty (Article 21), and the right against arbitrary arrest or detention (Article 22). The document goes on to analyze the constitutional validity of specific forensic techniques like narco-analysis, DNA fingerprinting, and polygraph testing. It finds that narco-analysis and polygraph testing violate constitutional protections against self-incrimination, while DNA fingerprinting is acceptable if collected and used properly. The conclusion is
This document provides an overview of computer forensics. It defines computer forensics as the process of identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner. The document discusses the history, goals, and methodology of computer forensics, as well as who uses these services and the skills required. Computer forensics is used to find evidence for a variety of computer crimes and cybercrimes to assist in arrests and prosecutions.
Computer forensics involves the legal acquisition, preservation, analysis and presentation of digital evidence found on computers and digital devices. It follows standard processes and guidelines to ensure evidence is collected properly and can be used in legal cases. The main steps are acquisition of evidence from devices, identification and evaluation of relevant data found, and proper presentation of findings. Computer forensics experts work in law enforcement, private companies, and other organizations to gather digital evidence for various crimes and disputes.
This document provides an overview of glass examination in forensic science. It defines glass and describes its amorphous internal structure. The document outlines the major types of glass based on manufacturing process and composition, and notes the most common uses. It discusses how glass fragments can be found at crime scenes and their evidentiary value. The document details how glass is collected and preserved as evidence. It explains methods for physical and chemical matching of glass, including examining refractive index, density, and fracture markings. It provides examples of common fracture patterns like radial and concentric fractures. In summary, the document serves as an introduction to the forensic analysis of glass evidence.
Digital forensics is a scientific field that involves the identification, collection, examination, and analysis of digital data for use as evidence in court. It has several sub-disciplines including computer forensics, network forensics, mobile device forensics, digital image/video/audio forensics, memory forensics, and cloud forensics. The goal of digital forensics is to recover electronic evidence from computers, networks, mobile devices, and digital media in a forensically sound manner.
The document discusses the psychology and theory behind polygraph examinations. It states that polygraph techniques use physiological changes accompanying deception that can be recorded and interpreted. When lying, the body's functions are influenced by the mental state of fear or anxiety, causing fluctuations in things like pulse rate, blood pressure, breathing and perspiration. The polygraph aims to measure this fear of detection rather than deception itself by comparing physiological responses to different types of questions. However, other personal factors can also influence responses. More research is needed to improve the theoretical basis for polygraph applications.
Search & Seizure of Electronic Evidence by Pelorus Technologies (urjarathi)
Pelorus shares a presentation on search and seizure of electronic evidence. Digital evidence is any digital information obtained from computers, audio files, video recordings, digital images, etc. Such evidence is essential in computer and cyber crime cases. For more information on search and seizure of electronic evidence, visit the Pelorus website.
This document discusses crime scene management and security. It defines a crime scene as the area where evidence of a crime may be found. The responsibilities of the first responder are to assist victims, secure witnesses and the crime scene to preserve evidence, and notify authorities. The crime scene must be cordoned off and a log kept of all entries and exits to prevent contamination. Proper crime scene management requires information management, manpower management, technology management, and logistics management. Securing the crime scene is crucial to preserve physical evidence and solve crimes according to Locard's exchange principle, which states that every contact leaves a trace.
The document discusses the admissibility of forensic scientists and their reports as expert evidence in court. It covers the Daubert and Frye standards for expert testimony admissibility. Daubert focuses on relevance and reliability, while Frye focuses on general acceptance in the scientific community. The document also discusses components of strong report writing for forensic scientists, including being clear, concise, structured, impartial and professional. Finally, it notes that while lie detector tests were once inadmissible, they are now accepted in court.
Live data collection from Windows system (Maceni Muse)
This document discusses techniques for collecting volatile data and performing a live response investigation on a Windows system. It provides a list of tools to create a response toolkit and obtain information such as running processes, open ports, logged-on users, and network connections. The document recommends using these tools to review the event logs and registry for evidence, obtain password hashes from the SAM database, and dump system memory for a more in-depth investigation.
Fingerprint - Everything You Need To Know About Fingerprints (SwaroopSonone)
A detailed fingerprint presentation. Fingerprints are one of the most important criminal investigation tools due to two significant features: uniqueness and persistence. The unique features of friction ridge skin persist from before birth, i.e. during fetal development, until decomposition after death...
Digital Forensics is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices.
Intrusion detection systems collect information from systems and networks to analyze for signs of intrusion. Digital evidence encompasses any digital data that can establish a crime or link a crime to a victim or perpetrator. It is important to properly collect, preserve, and identify digital evidence using forensically-sound procedures to avoid altering or destroying the original evidence. This involves creating bit-stream copies of storage devices, documenting the collection and examination process, and verifying the integrity of evidence.
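The acquisition and integrity steps the digital forensics summaries above describe (bit-stream copy, hashing, write protection, chain-of-custody documentation) as an added Python example. This is not code from any of the presentations listed on this page. The file paths, examiner names and the contents of the "evidence device" are constructed assumptions so that it runs offline against a temporary file; the write blocker is assumed to be hardware (or a read-only mount) in front of the source, which a script cannot substitute for.

```python
"""Added example: forensically sound bit-stream acquisition with hash
verification and a chain-of-custody log. Paths, examiner names and the
evidence bytes are constructed for illustration (not from the page)."""
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/copy granularity; hashing is streamed, so any size works


def sha256_file(path):
    """Stream a file through SHA-256 so multi-GB images never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source byte-for-byte into an image file (a bit-stream copy).

    The source hash is computed from the bytes as they are read; the image hash
    is computed afterwards from the written file, so the two digests are
    independent. The source is opened read-only, but only a hardware write
    blocker or read-only mount guarantees the original device is not modified.
    """
    source_digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            source_digest.update(chunk)
            dst.write(chunk)
    return {
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": sha256_file(image_path),
    }


def verify_image(image_path, expected_sha256):
    """Re-hash an image and compare it with the recorded acquisition hash."""
    return hmac.compare_digest(sha256_file(image_path), expected_sha256)


def custody_entry(action, examiner, item, hashes):
    """One chain-of-custody record: who did what to which item, when, and the hashes seen."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,  # assumed name, supplied by the caller
        "item": item,
        "hashes": dict(hashes),
    }


def run_demo():
    """Constructed end-to-end run: evidence -> image -> verify -> detect post-acquisition tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "usb_stick.raw")  # stands in for a device behind a write blocker
        image = os.path.join(tmp, "usb_stick.dd")
        # Constructed evidence: a zeroed block, a file-name remnant, then a repeating
        # byte pattern that deliberately does not end on a block boundary.
        with open(source, "wb") as fh:
            fh.write(b"\x00" * BLOCK_SIZE)
            fh.write(b"invoice_2019.xlsx\x00")
            fh.write(bytes(range(256)) * 40)
        hashes = acquire_image(source, image)
        log = [custody_entry("acquired", "Examiner A", "item-001 usb_stick.raw", hashes)]
        verified_before = verify_image(image, hashes["source_sha256"])
        # Simulate a single flipped bit in the image after acquisition.
        with open(image, "r+b") as fh:
            fh.seek(BLOCK_SIZE + 3)
            original = fh.read(1)
            fh.seek(BLOCK_SIZE + 3)
            fh.write(bytes([original[0] ^ 0x01]))
        verified_after = verify_image(image, hashes["source_sha256"])
        log.append(custody_entry("verified", "Examiner B", "item-001 usb_stick.dd",
                                 {"image_sha256": sha256_file(image)}))
        return {
            "hashes_match": hashes["source_sha256"] == hashes["image_sha256"],
            "verified_before_tamper": verified_before,
            "verified_after_tamper": verified_after,
            "log_entries": len(log),
            "image_size": os.path.getsize(image),
        }


if __name__ == "__main__":
    print(run_demo())
```

Hashing the source as it is read and hashing the finished image separately gives two digests that must agree; a mismatch means the copy is not a faithful bit-stream and the acquisition is repeated rather than analysed. Every later verification is appended to the custody log with the examiner and time, which is what lets a court see that the image examined is the one acquired.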
This document discusses how forensic science uses math and science to solve crimes. It explains that forensic scientists gather and analyze evidence from crime scenes using scientific processes like DNA analysis and chemical breakdown. The evidence is then tested and conclusions are formed to determine facts that can be presented in court. Forensic science provides expert opinions that can help determine a person's innocence or guilt.
De-Anonymizing Live CDs through Physical Memory Analysis (Andrew Case)
- The document discusses analyzing physical memory to recover information from live CDs that normally evades digital forensics investigations.
- It presents research on developing algorithms to enumerate the in-memory file system structure of live CDs like TAILS to recover file metadata and contents directly from RAM.
- The goal is to apply traditional investigative techniques like timeline analysis that are usually impossible for live CDs by reconstructing the complete in-memory file system and contents through memory analysis.
This document summarizes Linux memory analysis capabilities in the Volatility framework. It discusses general plugins that recover process, network, and system information from Linux memory images. It also describes techniques for detecting rootkits by leveraging kmem_cache structures and recovering hidden processes. Additionally, it covers analyzing live CDs by recovering the in-memory filesystem and analyzing Android memory images at both the kernel and Dalvik virtual machine levels.
This document provides an overview of the Volatility memory forensics framework. It discusses the Volatility Foundation, which supports development of the open-source Volatility tool. It highlights new features in Volatility 2.4, including improved support for Windows, Linux, MacOS, and analyzing application artifacts from programs like Chrome, Firefox, and Notepad. It outlines the Volatility roadmap and concludes by discussing the 2014 Volatility Plugin Contest winners, whose new plugins will enhance Volatility's capabilities.
Designing and building a forensic laboratory is a complicated undertaking. Design issues include those considerations present when designing any building, with enhanced concern and special requirements involving environmental health and safety, hazardous materials, management, operational efficiency, adaptability, security of evidence, preservation of evidence in an uncontaminated state, as well as budgetary concerns.
Each month, join us as we highlight and discuss hot topics ranging from the future of higher education to wearable technology, best productivity hacks and secrets to hiring top talent. Upload your SlideShares, and share your expertise with the world!
Not sure what to share on SlideShare?
SlideShares that inform, inspire and educate attract the most views. Beyond that, ideas for what you can upload are limitless. We’ve selected a few popular examples to get your creative juices flowing.
SlideShare is a global platform for sharing presentations, infographics, videos and documents. It has over 18 million pieces of professional content uploaded by experts like Eric Schmidt and Guy Kawasaki. The document provides tips for setting up an account on SlideShare, uploading content, optimizing it for searchability, and sharing it on social media to build an audience and reputation as a subject matter expert.
Digital forensics involves analyzing digital artifacts like computers, storage devices, and network traffic as potential legal evidence. The process includes preparing investigators, collecting evidence while maintaining a chain of custody, examining and analyzing the data, and reporting the results. Key steps are imaging systems to obtain an exact duplicate without altering the original, recovering volatile data from memory, and using tools like EnCase and The Sleuth Kit to manually review and search the evidence for relevant information.
Digital forensics involves analyzing digital artifacts like computers, storage devices, and network traffic as potential legal evidence. The process includes preparing investigators, carefully collecting and preserving evidence while maintaining a clear chain of custody, examining and analyzing the data found, and reporting the results. Key steps are imaging systems to obtain an exact duplicate without altering the original, recovering both data at rest and volatile memory, and using specialized tools to find relevant information for investigations. Examples of cases that relied on digital evidence include those of Chandra Levy and the BTK killer.
This document discusses cyber forensics and investigating large scale data breaches. It begins by defining cyber forensics as an electronic discovery technique used to determine and reveal technical criminal evidence, often involving extracting electronic data for legal purposes. It then discusses challenges in investigating corporate networks due to different operating systems, file systems, and administrative access used. When investigating large data breaches, security exploits and employee devices are common entry points, while pace of growth and lack of evidence erasure complicate progress. The Yahoo breach example turned tides by providing data to investigators that aided geopolitical understanding. Immediate actions include response and isolation, while tools like COFEE, SIFT, and ProDiscover aid forensic analysis at different levels.
Digital forensics involves the process of preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable. This document defines digital forensics and outlines the key steps involved, including acquiring evidence, recovering data, analyzing findings, and presenting results. It also discusses who uses computer forensics, common file types and locations examined, and important tools and skills required by forensic examiners. Maintaining a legally-sound methodology is important to ensure evidence is handled properly and can be used in legal cases.
Digital forensics involves the process of preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable. This document defines digital forensics and outlines the key steps involved, including acquiring evidence, recovering data, analyzing findings, and presenting results. It also discusses who uses computer forensics, common file types and locations examined, and important tools and skills required like drive imaging software, network analyzers, and operating system expertise. Maintaining a proper forensic workstation, following evidence handling guidelines, and anticipating anti-forensics techniques are also covered.
Introduction to Cyber Forensics Module 1Anpumathews
This document provides an introduction to cyber forensics. It discusses computer forensics techniques used to determine and reveal technical criminal evidence, often involving extracting electronic data for legal purposes. The document outlines several modules that will be covered, including information security investigations, corporate cyber forensics, the scientific method in forensic analysis, and investigating large scale data breach cases. It also discusses advantages and disadvantages of cyber forensics and some common cyber forensic techniques.
Cyber forensics involves the scientific examination and analysis of digital evidence for use in a court of law. It includes network, device, and storage media forensics as well as code analysis. The basic methodology consists of acquiring evidence without altering it, authenticating any copies, and analyzing the data. Careers in cyber forensics involve roles such as technician, investigator, analyst, and scientist in fields like law enforcement, private sector, military, and academia.
Computer forensics involves the collection, analysis and presentation of digital evidence for use in legal cases. It combines elements of law, computer science and forensic science. The goal is to identify, collect and analyze digital data in a way that preserves its integrity so it can be used as admissible evidence. This involves understanding storage technologies, file systems, data recovery techniques and tools for acquisition, discovery and analysis of both volatile and persistent data. Computer forensics practitioners must be aware of ethical standards to maintain impartiality and integrity in their investigations.
This document discusses computer forensics and portable computer forensics. It defines computer forensics as the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary purposes. It outlines the steps of computer forensics including acquisition, identification, evaluation and presentation. It also discusses who uses computer forensics such as law enforcement, prosecutors, and private companies. The document introduces portable computer forensics and provides contact information for the Technology Open Source Laboratory.
Cyber forensics involves the secure collection and examination of digital evidence from a variety of sources without altering the original data. This includes networks, small devices, storage media, and code. The process consists of acquiring evidence, authenticating any copies made, and analyzing the data without modification. Key principles are documenting all actions, creating forensic copies to preserve the original, and hashing copies to verify their integrity. The goal is to identify relevant evidence through examination while maintaining evidentiary standards for court.
This document discusses Domain VII (Security Operations) of the CISSP exam, focusing on investigations, logging and monitoring, incident management, and backup/disaster recovery. It covers topics such as digital investigations processes and challenges, investigation stages, securing crime scenes, and common forensics tools and techniques. Key aspects of investigations covered are the chain of custody, five rules of evidence, and volatility of digital evidence. Incident management processes are also briefly introduced.
Boxing legend Joe Louis famously said, "Everyone has a plan... until they get hit." While grizzled incident response veterans can relate to this sentiment, they all know that thorough preparation is crucial to success. Response procedures that are so thoroughly ingrained that executing them is like muscle memory have a chance, even in the fog of battle.
Have you thoroughly prepared your organization to respond when the inevitable happens? How confident are you that it will work in a real-world situation? Proper incident response preparation is key to answering these questions and is frankly the foundation of any incident response capability.
This webinar will review critical components of IR preparation including:
- IR Underpinnings
- Flexible Frameworks
- Leadership Challenges
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Sean Mason, Global Incident Response Leader, CSC
For better or worse, electronic data is at the heart of many legal investigations. Therefore, it is becoming increasingly important for lawyers to have a basic understanding of computer forensics including:
- what computer forensics is and what types of things can a computer forensic expert do;
- types of mistakes lawyers or IT professionals make that can corrupt, alter, or destroy evidence that is key to investigations;
what types of electronic evidence exists;
- ways to work efficiently and effectively with a computer forensic expert; and
- when to consider hiring and how to choose a computer forensic expert as part of an investigation
Learn more from Winston & Strawn and listen to the presentation here: https://www.winston.com/en/thought-leadership/computer-forensics-what-every-lawyer-needs-to-know.html.
The document discusses the "Aurora Attack" on Google and other companies in 2009 by hackers in China. It then provides an overview of network security monitoring (NSM) including defining NSM, the role of computer incident response teams, capabilities of NSM, why intrusions can't always be prevented, and some drawbacks of NSM such as dealing with encrypted or high volume traffic.
This document provides an overview of computer forensics. It defines computer forensics as the process of preserving, identifying, extracting, documenting and interpreting computer media for legal evidence. It discusses what constitutes digital evidence and provides examples of computer forensic investigations. It also outlines the reasons for collecting digital evidence, who uses computer forensics, and the basic steps involved in a computer forensics investigation. Finally, it discusses methods of hiding and detecting hidden data.
The document discusses best practices for processing crime and incident scenes involving digital evidence. It outlines general tasks investigators perform, including identifying digital artifacts as evidence, collecting and preserving evidence, analyzing and organizing it, and reproducing results reliably. It emphasizes the importance of collecting evidence systematically and in compliance with relevant rules and standards to ensure the authenticity and credibility of the evidence.
Workshop incident response n handling-bssn 12 nop 2019-ignmantraIGN MANTRA
The document discusses incident response and handling. It outlines the incident response process including preparation, identification, containment, eradication, recovery, and lessons learned. It also discusses the attacker's methodology of reconnaissance, scanning, exploitation, keeping access, and covering tracks. An example scenario is provided where an attacker uses a 0-day exploit to infiltrate a target organization and steal intellectual property. The incident response team is then activated to contain the incident, eradicate the threat, and implement lessons learned.
Remote forensics involves acquiring digital evidence from remote devices or locations without physical access. It includes applications like electronic discovery, incident response, network forensics, and cloud forensics. While often understood as live forensics, remote forensics also includes techniques like booting devices into forensic modes remotely or using forensic tools on remote systems to access local evidence. Enterprise-level remote forensic tools allow preventative forensics and faster incident response but are not widely used due to budget, knowledge, and legal barriers. As technology spreads and more data is stored remotely, remote forensics will become more important and perhaps even fully automated for Internet of Things devices in the future.
2019-09-11 Workshop incident response n handling honeynet Universitas IndonesiaIGN MANTRA
The document discusses a workshop on incident response and handling and digital forensics presented by ACAD-CSIRT. It provides an overview of the incident response process, including preparation, identification, containment, eradication, recovery, and lessons learned. It also discusses the attacker's process and common techniques. The workshop covers the incident response lifecycle in detail and strategies for containment, including quarantining systems, documentation, backups, and digital forensics best practices.
Digital forensics is the practice of determining past actions on a computer system using forensic techniques to understand artifacts. It began in 1984 with 3 cases handled by the FBI's Media Magnet Program and has expanded to include 16 regional computer forensics laboratories. Digital forensics can recover deleted files, determine programs run, and discover web and document histories. Tools used include forensic workstations, write blockers, anti-static bags, and software like EnCase and FTK. Becoming an examiner requires formal training, certifications, experience, and skills in forensic tools, practices, and methodologies along with an analytical and detail-oriented personality.
Similar to Investigating Cooridinated Data Exfiltration (20)
Proactive Measures to Defeat Insider ThreatAndrew Case
This presentation was delivered at RSA 2016 and discussed measures to defeat insider threat. It focused on real investigations that I have performed and how the victim companies could have prevented the associated harm.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
This document discusses analyzing Linux rootkits using Volatility, an open source memory forensics framework. It analyzes several Linux rootkits including Average Coder, KBeast, and Jynx/Jynx 2. For each rootkit, it describes the rootkit's techniques for hiding processes, files, network connections and how Volatility plugins like linux_check_fop, linux_check_modules, linux_check_syscall, and linux_check_afinfo can detect the rootkit by validating file operations structures, the kernel module list, system call tables, and network operations structures. It also shows how Volatility can recover hidden files, processes, network connections, and shared libraries loaded by the root
My Keynote from BSidesTampa 2015 (video in description)Andrew Case
This is the slides from keynote presentation at BSidesTampa 2015. A recording of the talk can be found at: https://www.youtube.com/watch?v=751bkSD2Nn8&t=1m35s
Workshop - Linux Memory Analysis with VolatilityAndrew Case
Slides from my 3 hour workshop at Blackhat Vegas 2011. Covers using Volatility to perform Linux memory analysis investigations as well Linux kernel internals.
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
The document summarizes research on analyzing the memory of the Dalvik virtual machine used in Android. It describes acquiring memory from Android devices, locating key data structures in memory like loaded classes and their fields, and analyzing specific Android applications to recover data like call histories, text messages, and location information. The goal is to develop forensics capabilities for investigating Android devices through memory analysis.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
1. Investigating Coordinated Data Exfiltration
Golden G. Richard III, University of New Orleans and Digital Forensics Solutions, LLC
& Andrew Case, Digital Forensics Solutions, LLC
2. Speaker’s Introduction (1)
Golden G. Richard III
• Professor of Computer Science and University Research Professor @ University of New Orleans
• Director, Greater New Orleans Center for Information Assurance (GNOCIA)
• Co-founder, Digital Forensics Solutions, LLC
• GCFA cert
• United States Secret Service Cybercrime Taskforce
• Member of the American Academy of Forensic Sciences (AAFS)
3. Speaker’s Introduction (2)
Andrew Case
• Senior Security Analyst
• GCFA cert
• Blackhat, DFRWS, and SOURCE speaker
• Experienced digital forensics investigator, penetration tester, and reverse engineer
4. Digital Forensics Solutions / UNO
• Digital Forensics Solutions, LLC
– New Orleans company with offices in the Garden District
– Full service digital forensics, data recovery
– Relationships for seamless digital forensics / e-discovery
– Security assessment, secure erasure of media, security training
– Research: new tools and techniques
• GNOCIA / University of New Orleans
– Pioneering curriculum in digital forensics and reverse engineering
– Digital forensics research: new tools and techniques
– Education: Creating a strong local tech workforce
– Liaison with local, state, federal law enforcement to solve difficult cases
5. The Purpose of This Talk
• Provide some basic background on digital forensics techniques applicable to data exfiltration cases
• Illustrate the extent to which data exfiltration can be performed in a straightforward manner on a normal computer
• And how data exfiltration can be investigated
• A recent case we investigated required analyzing almost every common data exfiltration technique
• We believe this case serves as a great learning example for other investigators
6. Digital Forensics?
• (Benevolently) prey on mechanisms designed with performance (not privacy) in mind
• Creative uses of data intended mostly for other things
• Correlation of simplistic data sources to create richer context
• In some cases: logs, etc. actually meant to be used for forensic purposes
7. Agenda
• Introduction to Data Exfiltration Issues
• Overview of our Recent Case
• How to Investigate Exfiltration
• Writing a Proper Case Report
• Conclusion
[Some brief background on various digital forensics issues and techniques as we go—please feel free to ask questions to clarify anything that isn’t clear]
8. Data Exfiltration Introduction
• Data exfiltration is the removal of sensitive information from an owner’s control
• Common examples include:
– A rogue employee removing information from a company’s computer systems
– Attackers stealing data after they have gained access to an internal network
– Malware stealing and exporting sensitive data
9. How Exfiltration Occurs
1. A malicious user (or program) gets access to sensitive data
2. The data is then gathered and moved outside of the owner’s network
3. Commonly used methods
• Removable Media (USB, CD/DVD, Smartphones)
• Internet-Based (Email, File Uploads, Dropbox, FTP, SCP, etc.)
• Malware (transmission via email, TCP, UDP, etc.)
10. Consequences of Exfiltration
• Consequences can be severe
• Immediate effect:
– Loss of intellectual property and other sensitive information
– Expensive incident response process must begin
– Possible requirements for disclosure to be made and compensation of affected parties
• Long term effect:
– Loss of trust by clients
– Liability / Lawsuits / Other legal issues
12. Preliminary Information
• A former employee of a financial institution (our client) was suspected of stealing sensitive information and using it to bring business to his new employer
• We were to investigate:
1. Was data stolen?
2. If so, how?
3. What data was taken
4. If other people were involved in the incident
13. Data/Equipment to Investigate
• We were given the suspected user’s laptop
• The user’s Blackberry was remote wiped upon his leaving the company as per policy
– No backups made before wiping
– Never got access to this information
• We were supposed to receive a copy of the user’s archived Outlook email (PST file)
– This was never provided
15. Initial Analysis
• Imaged hard drive of laptop
• The suspect’s laptop was running XP SP2
• Internet Explorer only browser installed
• The user was not a local administrator
• The machine had over 20 System Restore Points
– We will be discussing the importance of this throughout
16. System Restore Points
• System Restore Points are created to backup critical files when de-stabilizing operations are performed on the OS
– System updates
– 3rd Party software installations
– Installation of unsigned drivers
– …
• Good source for historical copies of the Windows registry
• In our case, System Restore Points allowed orderly examination of data over five months old
17. Investigation Flow
• Investigate Removable Media
– Determine which removable media was used, which files were moved, when they moved, and to where
• Investigate Web Based Activity
– Determine if files were transferred over network
• Investigate Accessed Files
– Find any files that were inappropriately accessed
• Determine if other people were involved
– Look for emails and other communication
19. First Steps
• USB history analysis typically requires analyzing two sources:
– USBSTOR registry information
– The setupapi.log file
– Renamed and split under Win7:
• setupapi.app.log and setupapi.dev.log
• Details after a brief discussion of the Windows registry
21. Windows Registry
• Can be a forensics goldmine
• Lots of information, fairly difficult to “clean”
• Usernames
• Internet history
• Program installation information
• Recently accessed files
• Devices (USB, et al)
• Network configuration
22. Registry: Windows 9x
• On Windows 95/98:
• “system.dat” and “user.dat” files
• If multiple users, look in Windows\profiles\<acct> for individual user.dat files
• “system.dat”
– System-wide information
• “user.dat” (one “original” one, then others as users are created)
– User information
• Careful, because on Windows 9x, new user profiles are often based on previously created profiles!
23. Registry: NT/Win2K/XP
• “ntuser.dat”
– List of most recently used files
– Each user has a separate “ntuser.dat” file
– documents and settings\user
• “default” in <windowsdir>\system32\config
– Initial system settings
• “SAM”
– User account settings, security settings
• “security”
– Security-related settings
• “software”
– Installed programs, settings, usernames, passwords
• “system”
– Misc. system settings
25. SYSTEM file (screenshot): ** VERY IMPORTANT ** “Select” key chooses which control set is current, which is “last known good” configuration
Copyright 2004-2011 by Golden G. Richard III.
26. SAM file (screenshot): What user accounts are on the machine?
27. SYSTEM file (screenshot): Which timezone does the computer use?
28. NTUSER.dat file (screenshot): Which files were recently accessed by a particular user?
29. NTUSER.dat file (screenshot): Which URLs were typed recently by a particular user?
30. SOFTWARE file (screenshot): Which programs are installed on the machine? Which license keys are in use?
31. NTUSER.dat file (screenshot): Which programs run automatically when a particular user logs in?
32. SOFTWARE file (screenshot): Which programs run automatically when ANY user logs in?
33. SYSTEM file (screenshot): What has been plugged in? Two Jumpdrive Elite thumbdrives; 750GB USB hard drives (same type)
34. SYSTEM file (screenshot): Networking info
35. SYSTEM file (screenshot): Disk info
36. Summary: Registry Forensics
• Last write times for individual registry keys can be used to infer useful information
• Overall, lots of information, some of which can’t be obtained elsewhere
• Extreme care is needed during analysis
• Lots of mysterious data
• Much of the information is essentially undocumented and meaning is determined experimentally
37. USBSTOR
• The SYSTEM registry hive contains a history of connected USB devices
– Registry files backed up by System Restore Point facility
• All of this information is stored under the CurrentControlSet\Enum\USBSTOR key
• Contains an entry for each USB device that was connected to the machine
• Also contains the “Friendly Name” and serial number of each attached device
• The only timestamp information available is last written time for key corresponding to particular USB device!
38. Analyzing the Registry Files
• After gathering all of the SYSTEM files…
– Current
– Historical (via System Restore Points)
• …Used Regripper [6] USBSTOR plugin to enumerate previously attached USB devices
• Then wrote a wrapper script to dump this information into Excel
• Now we had information on connected USB devices going back many months
39. Results of USBSTOR Analysis
• Eight USB drives were used during the target time range
– Six were thumb drives with capacity ranging from 2 to 8GB
– One USB device was the previously mentioned user’s Blackberry smartphone
– Last was a digital camera
• Next step was to determine the extent of use for the six thumb drives
40. Analyzing setupapi.log
• Text file in c:\Windows (under XP)
• Tracks device installation, service-pack installation, hotfix installation, etc. for the setup application
• Reveals the first time each device was plugged in, as Windows selects appropriate device drivers
• USBSTOR registry key tells us the last time a device was connected
• We used SetupAPI Extractor [15] to analyze the file rather than simply viewing it as a text file
41. Using setupapi.log Information
• Using the first and last connect times gives us a time range for each device
• Use this information to assign drive letters to specific thumb drives
– Discussed next
• Also helped build a clearer timeline of the suspected user’s activity
42. Investigating Individual Drives
• Used procedure illustrated on next slide to determine:
– Drive letter mapped to a USB device
– The first and last time each device was connected
• Have to be careful when assigning drive letters
– Multiple drives can be mapped to same letter over time
– Need to correlate time information between drive and files accessed to substantiate
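The device time-range procedure of slides 40 to 42, as an added example that is not code from the talk or from Digital Forensics Solutions: it combines the first driver install recorded in setupapi.log with the USBSTOR key last-write time to get a connect window per device, then shows why a drive letter seen at a given time can be ambiguous. The serial numbers, device names, log lines and times are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample data: per-device results in the shape the RegRipper usbstor
# plugin reports, where the only timestamp is the last-write time of the
# device's USBSTOR subkey (its last connection). Serials and names are made up.
USBSTOR_LAST_WRITE = {
    "0A1B2C3D&0": ("Lexar JumpDrive Elite", datetime(2011, 3, 14, 16, 42, 10)),
    "5E6F7A8B&0": ("Kingston DataTraveler", datetime(2011, 2, 2, 9, 5, 33)),
}

# Constructed lines in the shape of an XP setupapi.log: a bracketed timestamp
# opens each section, and "#I121 Device install of ..." marks the first time
# Windows installed a driver for a device, i.e. its first connection.
SETUPAPI_LOG = r"""[2011/01/10 11:03:22 1234.56]
#-198 Command line processed: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I121 Device install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_ELITE&REV_1100\0A1B2C3D&0" finished successfully.
[2011/01/28 08:15:09 1234.56]
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_PMAP\5E6F7A8B&0" finished successfully.
[2011/02/02 09:05:33 1234.56]
#-166 Device install function: DIF_DESTROYPRIVATEDATA.
"""

SECTION_TS = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
INSTALL = re.compile(r'^#I121 Device install of "USBSTOR\\[^"\\]+\\([^"\\]+)" finished')


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (used for file-access times in a report)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def first_installs(log_text):
    """Map each USBSTOR serial to the timestamp of its first driver install."""
    first = {}
    current = None
    for line in log_text.splitlines():
        m = SECTION_TS.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL.match(line)
        if m and current is not None:
            first.setdefault(m.group(1), current)  # keep the earliest install
    return first


def connect_windows(last_write, log_text):
    """Combine first install (setupapi.log) with last connect (USBSTOR key
    last-write) into {serial: (name, first, last)}. 'first' is None when the
    log has no install record or disagrees with the registry time."""
    first = first_installs(log_text)
    windows = {}
    for serial, (name, last) in last_write.items():
        start = first.get(serial)
        if start is not None and start > last:
            start = None  # clock skew or a reused key: do not trust the range
        windows[serial] = (name, start, last)
    return windows


def candidates_at(windows, when):
    """Serials whose connect window could cover 'when'. More than one hit means
    a drive letter seen at that time is ambiguous and must be tied to a device
    through the file access times instead (the caveat on slide 42)."""
    hits = []
    for serial, (_name, start, last) in windows.items():
        if (start is None or start <= when) and when <= last:
            hits.append(serial)
    return sorted(hits)
```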
45. Email Examination: Overview
• Two email services were used to exfiltrate files:
– Gmail
– Company Email (Exchange)
• We were told during the pre-investigation phase that the IT team knew of a Gmail account for the user under investigation
• Needed to find all contact with suspect’s new employer while still employed by our client
• We didn’t have PST access, our only hope was web-based email
• Knew that only fragments would be recovered from Gmail
46. Investigating Gmail
• Two pieces of evidence were discovered from Gmail:
– A number of file exfiltration instances
– Evidence of contact between suspect and new employer well before our client suspected
• How did we find this information?
47. Gmail: Technical Details
• Gmail makes a number of efforts to avoid disk forensics of messages read and sent
– Puts messages in separate iframes
– Uses SSL and no-cache browser directives
• Uses similar techniques for other parts of the Gmail interface
– Contacts, labels, searches, etc.
• Essentially, simple examination of browser cache isn’t going to yield much
48. Scalpel Overview
• File carving is typically used to recover deleted files, based on the structure of file types
• Scalpel is a file carver [3], but can also be used as a very efficient indexer for specific search terms
– Latest version is multithreaded and can use GPUs (CUDA) for high performance operation
• The audit file created by Scalpel (audit.txt) contains locations of every discovered instance of every search term
49. Using Scalpel
• We ran Scalpel to find all instances of the new employer’s email domain
• We then used the Sleuthkit to quickly map these offsets to files within the filesystem
– See [2] for an updated method on how to do this
• Produced hits in both web cache files and pagefile.sys, the Windows swap file
50. pagefile.sys Analysis
• Hits in pagefile are on previously viewed Gmail Inbox indices (illustrated on the next slide)
• These indices contain a number of useful artifacts about email messages:
– Time received
– Message fragment
– Sender
– Attachment names (if any)
51. Gmail Inbox View
• The image above is a screenshot of the Inbox view
• The default view shows 50 messages
• We were able to recover a number of instances of these using Scalpel on the pagefile
52. Utilizing Message Fragments
• After gathering all message indices discovered in the pagefile…
• …We created a new Scalpel config file and carved again on the pagefile to try to recover message fragments
• This produced fragments of entire message bodies sent through Gmail by the rogue employee
– This is where it got interesting!
53. Message Fragments: Gold Mine
• The recovered message bodies revealed the employee under investigation had contacted his new employer a number of months before leaving the company
• Well before our client had suspected
• The uncovered messages were particularly damaging
• Revealed precise details of plan to steal and later utilize our client’s data
54. Gmail Attachments
• After discovering attachment names in the fragments, we used this data to discover which files were transferred
• Analysis revealed a number of files were emailed from the user’s local Outlook installation to his Gmail account
• Filenames were matched to those in LNK files and MRU lists (discussed later)
56. Three Components of Browser Activity
• History
– Gives a list of sites visited, including when and specific URLs
• Cache
– Copies of files downloaded from webservers (HTML, javascript, images, etc)
– MAC times can be used in timeline analysis
• Cookies
– Provide additional information about user’s interaction with a web site
60. Flash Cookies
• Flash applications are provided client storage through local shared objects (LSOs)
• Browsers are only recently giving users the ability to delete them
– Previously had to find LSOs within the filesystem and manually delete
• Stored outside of the normal cookie/cache storage subsystem
– “Private” browsing modes DO NOT affect flash cookies!
• Analysis leads to information about websites visited, when they were visited, etc.
61. Analyzing Flash Cookies
• The location of the files is operating system dependent:
– http://en.wikipedia.org/wiki/Local_Shared_Object#File_locations
• A few tools exist for analysis, but none seem completely stable:
– Minerva - http://blog.coursevector.com/minerva
– SOLReader - http://www.sephiroth.it/python/solreader.php
62. Using Browser Analysis
• Browser analysis revealed many accesses to Gmail as well as information related to the new employer
• “title” and other URL information recorded in the history file helped in analysis discussed later
64. Investigating Coordinated Data Exfiltration (2nd Hour)
Golden G. Richard III, University of New Orleans and Digital Forensics Solutions, LLC & Andrew Case, Digital Forensics Solutions, LLC
65. Investigating Files Transferred During the Exfiltration
66. Recap
• At this point in the investigation we have:
– Shown that a number of thumb drives were previously attached to the computer under investigation
– That files were sent to an external Gmail address from a company Email address
– That the target employee had contacted his new employer many months before leaving our client
67. Updated Workflow
• We now had two goals:
– Find out which files were accessed by the user
– Find out which were then transferred onto USB drives
– Determine the location of the files sent via Gmail
68. Finding Accessed Files
• Windows provides a number of forensics artifacts related to historical file access
• Three main ones were used in this investigation:
– LNK Files
– MRU Lists
– File Access History
70. LNK Files
• Link files (.lnk) are Windows shortcut files
• Similar to symbolic links under Unix
• The metadata contained in these files is very useful during forensics investigations
– MAC times of target file
– Full path to target file
– Whether target is/was local or on the network
– Network share information
– Volume serial number (used to match to specific drive)
71. lnk-parse [10] on a Local File (screenshot; callouts: MAC Times of Target File, Target Hard Drive, Target File)
72. parse-lnk Output for Network Share (screenshot; callouts: MAC Time of Target File, Size of File, The network share related to the file, including path)
73. Using LNK Files
• The target computer had a large number of relevant LNK files
• (Some) LNK files are backed up within System Restore Points!
• These files were helpful for two purposes:
1. Identifying which files were moved to which USB drives
2. Identifying which files were downloaded from which network shares
• More on this in a minute…
74. Automating LNK File Analysis
• Since there were so many LNK files, we needed to automate the process
• Wrote a script to parse lnk-parse output and write contents to an Excel sheet
• Could then quickly determine which files, network shares, and times were involved in the exfiltration
75. LNK File Research
• There are a few very good resources on LNK file analysis:
– “The Meaning of Life” [9]
• 21 page research paper on analysis with LNK files
– Forensics Wiki Page [7]
– Forensics Focus Article [8]
77. Most Recently Used (MRU) Lists
• MRU lists store information about the documents most recently accessed by a user for a particular application
• Stored in the Windows Registry
– Again, System Restore Points give us access to historical MRU lists as well as current ones
• Common examples are when you click ‘File’ in an application’s menu and see a list of previously opened documents
78. Popular MRU Lists
• Microsoft Office
– For all applications (Word, Excel, PPT, etc)
• Internet Explorer
– Recently typed URLs (The URL dropdown)
• Adobe
– Recently accessed PDF files
• An extensive list of over 30 MRU locations and associated applications can be found at [12]
79. Using MRU Lists
• Gathered the current and historical SOFTWARE registry files
• Used Regripper to acquire all of the relevant MRU lists
– Most important were Office and Adobe
• (Again) we wrote a script to parse output and write to an Excel sheet
80. Analyzing the MRU lists
• The combined MRU lists provided filenames and paths to numerous files of interest to the case
– Spread out across the local drive, thumb drives, and network shares
• A number of these files were also duplicates of those found in the LNK files
– Great for correlation and soundness of findings
82. More File Accesses
• Web browser history also revealed access to a number of internal web applications that create reports
• The filename of these reports contained the parameters (date, search, etc) used to create them
– This was visible in the URL (GET parameter)
83. Web Application Reports
• We then found copies of these reports on the local machine
• Contained information on other employees that the target user was not officially authorized to view
84. “File” Accesses
• The “browser” history files also keep records of access to specific files (file:///)
– Including full path name and MAC time type information
• Analysis of these files on the target machine revealed access to more unauthorized files
– Beyond what was found through LNK and MRU analysis
86. Recycle Bin Forensics
• Windows trash can facility for deleting files
• Files maintained in a hidden directory until the user empties the Recycle Bin, then insecurely deleted
• The Recycle Bin maintains a history of files deleted within INFO2 files
• INFO2 files contain:
– The full path of the deleted file
– The date the file was moved to the recycle bin
– The sequence in which files were moved to the recycle bin
• A great resource on INFO2 analysis can be found at [14]
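An INFO2 parser for the three fields the slide lists (path, deletion date, sequence), as an added example that is not code from the talk or from the Rifiuti-style resource cited as [14]. It assumes the Windows XP INFO2 layout (20-byte header, 800-byte records with ANSI path, index, drive number, FILETIME, size and UTF-16LE path); the two records it parses are constructed with made-up paths and times.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows XP INFO2 layout (an assumption of this example, not taken from
# the slides): a 20-byte header whose fourth dword is the record size (0x320),
# then fixed-size records:
#   260 bytes ANSI path, 4 bytes record index (deletion sequence), 4 bytes drive
#   number, 8 bytes FILETIME of the move to the Recycle Bin, 4 bytes physical
#   size, 520 bytes UTF-16LE path.
HEADER = struct.Struct("<IIIII")
RECORD = struct.Struct("<260sIIQI520s")
RECORD_SIZE = 0x320
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC time (for exfiltration times)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def build_record(path, index, drive, deleted, size):
    """Constructed helper used only to build the sample INFO2 below."""
    ansi = path.encode("ascii").ljust(260, b"\0")
    uni = path.encode("utf-16-le").ljust(520, b"\0")
    return RECORD.pack(ansi, index, drive, datetime_to_filetime(deleted), size, uni)


# Constructed sample: two deletions a few minutes apart, made-up paths.
SAMPLE_INFO2 = (
    HEADER.pack(5, 0, 0, RECORD_SIZE, 0)
    + build_record(r"C:\Documents and Settings\jdoe\My Documents\client_list.xls",
                   1, 2, parse_utc("2011-03-14 16:47:05"), 48640)
    + build_record(r"E:\reports\q4_report.pdf",
                   2, 4, parse_utc("2011-03-14 16:49:30"), 12288)
)


def parse_info2(data):
    """Return [(index, drive_letter, deleted_at, size, path)] in deletion order."""
    _version, _, _, rec_size, _ = HEADER.unpack_from(data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {rec_size:#x}")
    entries = []
    for off in range(HEADER.size, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        ansi, index, drive, ft, size, uni = RECORD.unpack_from(data, off)
        path = uni.decode("utf-16-le").split("\0", 1)[0]
        if not path:  # fall back to the ANSI copy if the Unicode path is blank
            path = ansi.split(b"\0", 1)[0].decode("latin-1")
        entries.append((index, chr(ord("A") + drive), filetime_to_datetime(ft), size, path))
    return sorted(entries)


def deletions_near(entries, when, window=timedelta(minutes=5)):
    """Paths moved to the Recycle Bin within 'window' of 'when', e.g. an
    exfiltration time taken from LNK or Gmail evidence (the check the next
    slide describes)."""
    return [path for _i, _d, deleted_at, _s, path in entries
            if abs(deleted_at - when) <= window]
```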
87. Analyzing the Recycle Bin
• Analysis of INFO2 files found on the target machine revealed that many of the files found through previous analysis had been deleted by the user
• The timestamps of the deletion were very close to the exfiltration times
• Very damaging evidence
89. Network Share Access
• In many corporate environments, including the one in this case, departments store all information on network shares
• Employees should technically only have access to specific files, but implementing this properly is painful
• This makes investigating network share access a must in data exfiltration cases
90. Analyzing Network Shares
• CurrentControlSet\Services\LanManager\Shares contains information about network shares on the computer
– Again, historical records were also available through restore points
– Allowed quick mapping of drive names to places on the network
91. Using Network Shares
• After determining which drive letters corresponded to which network shares, we gathered the filenames that were accessed
• We then sent this information to the IT security team
– They were able to find all these files and we subsequently used this information in our report
93. Results So Far
• At this point we had a wealth of information:
– We knew exfiltration occurred over USB devices and Gmail
– We knew which files were transferred and the time/date of transfer for some of them
– We knew that contact was made with the future employer and exact details
94. Data to Correlate
• We had drive letters, filenames, and access times from our evidence sources
• Needed to create a timeline of user activity for each file of interest
– File Access
– File Transfer (if any)
– File Deletion (if deleted)
95. Performing the Correlation
• Used access times from LNK files, browser history, etc. to determine when interaction with a file started
• Used LNK files related to USB drives to determine when copied
• Used browser history and Gmail view index to determine when a file was emailed
• Used INFO2/Recycle Bin to determine if/when a file was deleted
96. Correlation Results
• For many files of interest, we could show that, within a 5 minute time period, the file was accessed, exfiltrated, and then deleted
• We could also show which files were simply viewed and then discarded
• Made for compelling (and hard to refute) evidence
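The per-file correlation of slides 94 to 96, as an added example that is not code from the talk: access times (LNK, browser, MRU), transfer times (USB LNK, Gmail index) and deletion times (INFO2) are merged into one timeline per file, and each file is labelled by whether access, exfiltration and deletion fall inside a 5 minute window or it was merely viewed and discarded. The filenames, sources and times are constructed.

```python
from datetime import datetime, timedelta

# Constructed per-file events in the form the preceding steps yield:
# (filename, source artifact, event kind, time). Names and times are made up.
EVENTS = [
    ("client_list.xls", "LNK",     "access",   "2011-03-14 16:43:00"),
    ("client_list.xls", "LNK/USB", "usb_copy", "2011-03-14 16:45:12"),
    ("client_list.xls", "INFO2",   "delete",   "2011-03-14 16:47:05"),
    ("q4_report.pdf",   "browser", "access",   "2011-03-14 16:20:00"),
    ("q4_report.pdf",   "Gmail",   "email",    "2011-03-14 16:23:40"),
    ("q4_report.pdf",   "INFO2",   "delete",   "2011-03-14 16:49:30"),
    ("memo.doc",        "MRU",     "access",   "2011-03-15 09:00:00"),
    ("memo.doc",        "INFO2",   "delete",   "2011-03-15 09:01:10"),
    ("notes.txt",       "LNK",     "access",   "2011-03-15 10:12:00"),
]
EXFIL_KINDS = {"usb_copy", "email"}  # transfer evidence from slide 95

TIGHT = "accessed, exfiltrated and deleted within window"
EXFIL = "exfiltrated"
VIEWED = "viewed then discarded"
ACCESS_ONLY = "accessed only"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_timelines(events):
    """Group events per file and order each file's events by time."""
    timelines = {}
    for name, source, kind, when in events:
        timelines.setdefault(name, []).append((parse_ts(when), kind, source))
    for entries in timelines.values():
        entries.sort()
    return timelines


def first_of(timeline, kinds):
    """Earliest time in the timeline whose kind is in 'kinds', else None."""
    return next((t for t, k, _s in timeline if k in kinds), None)


def classify(timeline, window):
    """Label one file's ordered events: the access/transfer/deletion sequence
    of slide 94, with the time-window test of slide 96."""
    access = first_of(timeline, {"access"})
    exfil = first_of(timeline, EXFIL_KINDS)
    delete = first_of(timeline, {"delete"})
    if (access and exfil and delete
            and access <= exfil <= delete and delete - access <= window):
        return TIGHT
    if exfil:
        return EXFIL
    if access and delete:
        return VIEWED
    return ACCESS_ONLY


def correlate(events, window_minutes=5):
    """{filename: label} for every file in the evidence set."""
    window = timedelta(minutes=window_minutes)
    return {name: classify(tl, window)
            for name, tl in build_timelines(events).items()}
```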
98. Next Steps
• Our last step was to determine if other employees were involved
• We requested a list of first and last names, user logins, and email addresses from IT security for:
– Close co-workers of the target
– Other people who recently left the company
• We used this information as our starting point…
99. Investigation Process
• We took the information given from IT to build a Scalpel configuration file as previously described
• This would (hopefully) find all information related to these other employees…
100. First Clue
• Emails were found between the suspect and his secretary, related to the new company
• We then requested the computer of the secretary
• Analysis of her computer revealed sharing of USB thumb drives
– Based on USB serial numbers and investigation of USBSTOR in the registries
101. Further Analysis of the Second PC
• Similar evidence was found on the secretary’s PC as on the initial targets
– Use of removable media
– Downloading of unauthorized files from fileservers
– Emailing of files to outside accounts
• Also found emails to a third person within the organization
102. Analyzing Employee Three
• After finding emails from secretary to employee three, we requested his computer as well
• Analysis of this computer revealed sharing of USB drives by all three employees
• Also revealed contact by employee three to new company
104. Mortal Sins of Reporting
• Do NOT:
• Include opinions (especially legal ones)
– You weren’t asked to be a lawyer
– Will hurt your credibility
• Include information you could not verify
– Will come up in testimony and can hurt your credibility
105. Report Outline
• Every report should contain at least these sections:
– Executive Summary
– Evidence Catalogue
– Findings Sections
– Conclusion
– Attachments
106. Report - Executive Summary
• Should contain a high level overview of the case results and be less than one page
• Purpose is to allow executives to quickly understand the outcome of the investigation
• Should answer three questions:
– Was data exfiltrated?
– If so, were you able to conclude who was responsible for the exfiltration?
– If so, what data was taken and how much of it?
107. Report - Evidence Catalogue
• The rest of the report should be for managers and IT staff who need technical details
• The evidence catalogue should contain these:
– A description of all evidence analyzed
– A picture of each piece of evidence
– Any unique information (serial numbers)
– Hashes of the data, if applicable
– How copies of the evidence were acquired
108. Report - Findings Sections
• The bulk of the report should be your findings
• Should be broken into logical sections
– Similar to how this presentation flowed
• Needs to include:
– Your exact investigation methodology
– A listing of tool(s) used
– The relevance of each finding to the case
109. Report - Conclusion
• The conclusion should be a factual summary of the case
– Again - NO opinions
• Can include recommendations for further investigation
– For example, our initial report recommended acquiring the computer of the secretary
110. Report - Attachments
• All processed data from the case, such as the Excel sheets we mentioned, should be included as attachments to the report
– On digital media (CDs, DVDs, etc.)
– Or printed, as appropriate
• This makes handling the files (printing, searching, etc) much easier for everyone involved
111. Conclusions
• Data exfiltration investigation is a labor-intensive process
• Requires a wide range of skills on part of the investigator
– We only investigated Windows machines during this case, and still needed a number of tools and skillsets
• The resulting report must be carefully written