Online , profile picture
Uploaded byOnline
9,768 views

Preserving and recovering digital evidence

Intrusion detection systems collect information from systems and networks to analyze for signs of intrusion. Digital evidence encompasses any digital data that can establish a crime or link a crime to a victim or perpetrator. It is important to properly collect, preserve, and identify digital evidence using forensically-sound procedures to avoid altering or destroying the original evidence. This involves creating bit-stream copies of storage devices, documenting the collection and examination process, and verifying the integrity of evidence.

Embed presentation

Preserving And Recovering Digital Evidence
Introduction • Digital Evidence – encompasses any and all digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. • This presentation will explore collection, preservation and identification of digital evidence.
Overview • Introduction to Intrusion Detection Systems • The rules and guidelines surrounding the gathering and use of digital evidence. • Digital evidence on the target machine. • Digital evidence on the network.
Intrusion Detection • A brief overview Intrusion detection systems collect information from a variety of system and network sources, then analyze the information for signs of intrusion and misuse.
Intrusion Detection: • Intrusion Detection – 2 Types • Host-Based • Network-Based
Intrusion Detection – Host-Based • Host-based intrusion detection systems .The system is used to analyze data that originates on computers (hosts). • Examines events like what files are accessed and what applications were executed. - Logs are used to gather this data • Resides on every system and usually reports to a central command console. • Uses signatures or predefined patterns that have been defined as suspicious by the security officer.
Intrusion Detection – Host-Based - cont • Used primarily for detecting insider attacks. - For example an employee who abuses their privileges, or students changing their grades. • Audit policy - Defines which end-user actions will result in an event record being written to an event log. For example accesses of mission-critical files.
Intrusion Detection – Network-Based Network-Based • The system is used to analyze network packets. • Used to detect access attempts and denial of service attempts originating outside the network. • Consists of sensors deployed throughout a network. • Sensors then report to a central command console
Intrusion Detection – Network- Based • Uses packet content signatures - Based on the contents of packets. - Patterns are detected in the headers and flow of traffic. • Encryption prevents detection of any patterns.
Digital Evidence vs. Physical Evidence • It can be duplicated exactly and a copy can be examined as if it were the original. - Examining a copy will avoid the risk of damaging the original. • With the right tools it is very easy to determine if digital evidence has been modified or tampered with by comparing it with the original.
Digital Evidence vs. Physical Evidence • It is relatively difficult to destroy. • Even if it is “deleted,” digital evidence can be recovered. • When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
Collecting and Preserving Digital Evidence • The focus of digital evidence is on the contents of the computer as opposed to hardware. • Two kinds of copies: - Copy everything. - Just copy the information needed. • When there is plenty of time and uncertainty about what is being sought, but a computer is suspected to contain key evidence, it makes sense to copy the entire contents.
Collecting and Preserving Digital Evidence • When collecting the entire contents of a • computer, the general concept is the same • in most situations:
Collecting and Preserving Digital Evidence • All related evidence should be taken out of RAM. • The computer should be shut down. • Document the hardware configuration of the system. • Document the time and date of the CMOS. • The computer should be booted using another operating system that bypasses the existing one and does not change data on the hard drive(s). • A copy of the digital evidence from the hard • drive(s) should be made.
Collecting and Preserving Digital Evidence • When collecting the entire contents of a computer, a bit stream copy of the digital evidence is usually desirable. • In short, a bit stream copy copies what is in slack space and unallocated space, whereas a regular copy does not.
Agenda for Duplication and Preservation of Evidence • Make bit stream back-ups of hard disks and floppy disks cont. Tools to accomplish this: • Encase • DD • Byte back • Safeback Note the tool used • When making the bit stream image, note and • document how the image was created. Also note the date, time, and the examiner.
Empirical Law • Empirical Law of Digital Collection and Preservation: • If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
Computer Image Verification • At least two copies are taken of the evidential computer. • One of these is sealed in the presence of the computer owner and then placed in secure storage. • This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.
The important to locate and recover all graphics files on a drive and determine which ones are pertinent to your case.. • Because these files aren’t always stored in standard graphics file formats, we should examine all files our computer forensics tools find, even if they aren’t identified as graphics files. • A graphic file contains a header with instructions for displaying the image. • Each type of graphics file has its own header that helps to identify the file format. • Because the header is complex and difficult to remember, we can compare a known good file header with that of a suspect file.
Collecting and Preserving Digital Evidence • Collecting evidence out of RAM on a Unix machine is not a simple task. • The ‘ps’ command is used to list programs that a machine is running but one must specify that one wants to see all the processes. • “ps –aux”
Collecting and Preserving Digital Evidence • Some types of Unix allow one to save and view the contents of RAM that is associated with a particular program using the “gcore” program. • There are also programs that provide a list of files and sockets that a particular program is running – “lsof” • Investigators can use the “dd” command to make a bit stream backup
Collecting and Preserving Digital Evidence • Whenever digital evidence is copied onto a floppy disk, compact disk, tape or any other form of storage media, an indelible felt-tipped pen should be used to label it with the following information:
Collecting and Preserving Digital Evidence • Current date and time and the date/time on the computer (any discrepancy should be noted). • The initials of the person who made the copy. • The name of the operating system. • The program(s) and/or command(s) used to copy the files. - Retain copies of software used. • The information believed to be contained in the files.
Collecting and Preserving Digital Evidence • Since the evidence has been collected, it is important to ensure the integrity of the evidence.
How To Handle Digital Evidence Steps to guide the responder in handling the Digital evidence at an electronic crime scene. 3. Recognize, identify, seize, and secure all digital evidence at the scene. 4. Document the entire scene and the specific location of the evidence found. 5. Collect, label, and preserve the digital evidence. 6. Package and transport digital evidence in a secure manner.
The Primary Steps to Conduct a Forensic Investigation. Step 1: Isolate the System and Data • Collect information by interviewing all system administrators and anyone else who might have come into contact with the system.
The Primary Steps to Conduct a Forensic Investigation. Step 2: Collect Non-Technical Information • The purpose of this step is to ensure that the required minimum information is recorded in paper note form, such as developing a timeline of events. The premise here is to start a log book using a fresh pad of paper to gather information from the system administration staff and any other persons involved.
The Primary Steps to Conduct a Forensic Investigation. Step 3: Preserve Evidence and Create Copies for Analysis • Memory and /proc. • Create a duplicate of the system. • Validate copies.
The Primary Steps to Conduct a Forensic Investigation. Step 4: Prepare for an Analysis • At this point, the information collected in the preceding steps is ready for inspection. • The following steps can also be performed by a third party or at another physical location.
The Primary Steps to Conduct a Forensic Investigation. Step 5: Perform the Analysis • The purpose of the analysis step is to determine whether a compromise has occurred, what exactly was damaged, and to obtain any evidence indicating who the culprit(s) might be, as well as the methods they used to attack the system. • Tools are needed to complete the analysis phase.
The Primary Steps to Conduct a Forensic Investigation. Step 6: Perform Recovery • The recovery efforts that ensue after the forensic analysis is a standard process that should be defined in your organization
The Primary Steps to Conduct a Forensic Investigation. How to acquire data from removable media?
How to acquire data from removable media? 1.Document the scene Use static-proof container and label container with a.Type of media b.Where media was found c.Type of reader required for the media 2.Transport directly to lab 3.Do not leave any media in a hot vehicle or environment 4.Store media in a secure and organized area 5.Once at the lab, make a working copy of the drive a.Make sure the media is write-protected b.Make a hash of the original drive and the duplicate c.Make a copy of the duplicate to work from d.Store the original media in a secure location

More Related Content

PPT
Collecting and preserving digital evidence
byOnline
 
PPTX
Processing Crimes and Incident Scenes
byprimeteacher32
 
PPTX
Analysis of digital evidence
byrakesh mishra
 
PDF
Cyber Forensics Module 2
byManu Mathew Cherian
 
PDF
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
PDF
Search & Seizure of Electronic Evidence by Pelorus Technologies
byurjarathi
 
PDF
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
PDF
06 Computer Image Verification and Authentication - Notes
byKranthi
 
Collecting and preserving digital evidence
byOnline
 
Processing Crimes and Incident Scenes
byprimeteacher32
 
Analysis of digital evidence
byrakesh mishra
 
Cyber Forensics Module 2
byManu Mathew Cherian
 
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
byurjarathi
 
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
06 Computer Image Verification and Authentication - Notes
byKranthi
 

What's hot

PPTX
Memory forensics.pptx
by9905234521
 
PPTX
mobile forensic.pptx
byAmbuj Kumar
 
PPTX
Cyber Forensics Overview
byYansi Keim
 
PPTX
First Responder Officer in Cyber Crime
byApplied Forensic Research Sciences
 
PPTX
Computer forensics
bydeaneal
 
PPTX
Difference between Cyber and digital Forensic.pptx
byApplied Forensic Research Sciences
 
PPT
Digital Forensic
byCleverence Kombe
 
PPTX
Digital Evidence by Raghu Khimani
byDr Raghu Khimani
 
PPTX
Digital forensics
byvishnuv43
 
PDF
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
PPTX
Computer forensics toolkit
byMilap Oza
 
PPTX
Network Forensics
byprimeteacher32
 
PPTX
Network forensic
byManjushree Mashal
 
PPTX
Forensic imaging
byDINESH KAMBLE
 
PPTX
Legal aspects of digital forensics
byKakshaPatel3
 
PDF
Digital forensic principles and procedure
bynewbie2019
 
PPTX
Mobile Forensics
byprimeteacher32
 
PPTX
Memory forensics
bySunil Kumar
 
PPTX
Crime Scene Reconstruction.
byLauren Cook-Brown
 
PPT
Searching the crime scene
byBlancoScience
 
Memory forensics.pptx
by9905234521
 
mobile forensic.pptx
byAmbuj Kumar
 
Cyber Forensics Overview
byYansi Keim
 
First Responder Officer in Cyber Crime
byApplied Forensic Research Sciences
 
Computer forensics
bydeaneal
 
Difference between Cyber and digital Forensic.pptx
byApplied Forensic Research Sciences
 
Digital Forensic
byCleverence Kombe
 
Digital Evidence by Raghu Khimani
byDr Raghu Khimani
 
Digital forensics
byvishnuv43
 
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
Computer forensics toolkit
byMilap Oza
 
Network Forensics
byprimeteacher32
 
Network forensic
byManjushree Mashal
 
Forensic imaging
byDINESH KAMBLE
 
Legal aspects of digital forensics
byKakshaPatel3
 
Digital forensic principles and procedure
bynewbie2019
 
Mobile Forensics
byprimeteacher32
 
Memory forensics
bySunil Kumar
 
Crime Scene Reconstruction.
byLauren Cook-Brown
 
Searching the crime scene
byBlancoScience
 

Similar to Preserving and recovering digital evidence

PPT
Digital forensics
byNicholas Davis
 
PPTX
Digital Forensic ppt
bySuchita Rawat
 
PPT
Digital Forensics
byNicholas Davis
 
PPT
Introduction to computer forensic
byOnline
 
PPTX
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
PDF
Cyber forensics and auditing
bySweta Kumari Barnwal
 
PPT
CS426_forensics.ppt
byPrabithGupta1
 
PPTX
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 
PPTX
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
PPTX
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
byFORnSECSolutions
 
PDF
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
PPTX
Most promising cyber forensic solution providers from india forn sec solut...
byFORnSECSolutions
 
PPTX
ppt for Module 5 cybersecuirty_023501.pptx
byMayuraD1
 
PPTX
cyberforensicsv2-191113184409.pptx
byPrasannaKumarpanda2
 
PPT
CS426_forensics.ppt
byOkviNugroho1
 
PPTX
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
PDF
Post-Genesis Digital Forensics Investigation
byUniversitas Pembangunan Panca Budi
 
PPTX
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
PPT
CS426_forensics_tools to analyse and deve
byvikashagarwal874473
 
PDF
180 184
byEditor IJARCET
 
Digital forensics
byNicholas Davis
 
Digital Forensic ppt
bySuchita Rawat
 
Digital Forensics
byNicholas Davis
 
Introduction to computer forensic
byOnline
 
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
Cyber forensics and auditing
bySweta Kumari Barnwal
 
CS426_forensics.ppt
byPrabithGupta1
 
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
byFORnSECSolutions
 
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
Most promising cyber forensic solution providers from india forn sec solut...
byFORnSECSolutions
 
ppt for Module 5 cybersecuirty_023501.pptx
byMayuraD1
 
cyberforensicsv2-191113184409.pptx
byPrasannaKumarpanda2
 
CS426_forensics.ppt
byOkviNugroho1
 
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
Post-Genesis Digital Forensics Investigation
byUniversitas Pembangunan Panca Budi
 
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
CS426_forensics_tools to analyse and deve
byvikashagarwal874473
 
180 184
byEditor IJARCET
 

More from Online

PPT
Introduction to internet technology
byOnline
 
PPT
Transport protocols
byOnline
 
PPT
Lan technologies
byOnline
 
PPT
Philosophy of early childhood education 2
byOnline
 
PPT
Philosophy of early childhood education 1
byOnline
 
PPT
Control structures selection
byOnline
 
PPT
Formatted input and output
byOnline
 
PPT
Introduction to problem solving in c++
byOnline
 
PPT
Philosophy of early childhood education 4
byOnline
 
PPT
Internet standard routing protocols
byOnline
 
PPT
Philosophy of early childhood education 3
byOnline
 
PPT
Control structures repetition
byOnline
 
PPT
Application protocols
byOnline
 
PPT
Functions
byOnline
 
PPT
Operation and expression in c++
byOnline
 
PPT
Multi protocol label switching (mpls)
byOnline
 
PPT
Internet protocol
byOnline
 
PPT
Optical transmission technique
byOnline
 
PPT
Addressing
byOnline
 
PPT
Leadership
byOnline
 
Introduction to internet technology
byOnline
 
Transport protocols
byOnline
 
Lan technologies
byOnline
 
Philosophy of early childhood education 2
byOnline
 
Philosophy of early childhood education 1
byOnline
 
Control structures selection
byOnline
 
Formatted input and output
byOnline
 
Introduction to problem solving in c++
byOnline
 
Philosophy of early childhood education 4
byOnline
 
Internet standard routing protocols
byOnline
 
Philosophy of early childhood education 3
byOnline
 
Control structures repetition
byOnline
 
Application protocols
byOnline
 
Functions
byOnline
 
Operation and expression in c++
byOnline
 
Multi protocol label switching (mpls)
byOnline
 
Internet protocol
byOnline
 
Optical transmission technique
byOnline
 
Addressing
byOnline
 
Leadership
byOnline
 

Recently uploaded

PDF
Fever & Fragment Uncovering the Plague in The Waste Land
byNidhi Pandya
 
PPTX
OCCULTISM IN JEHOVAH'S WITNESSES' ARTWORK
byDaniel Barnea
 
PDF
GDGoC TAE Orientation presentation for WOW-Verse hackathon
bymayurpatiltae
 
PPTX
CHAPTER NO. 05 BIOLOGICAL SOURCE,CHEMICAL CONSTITUENTS AND THERAPEUTIC EFFICA...
byGanu Gavade
 
PDF
Gaming Quiz 2025- 27th October 2025, Quiz Club NITW
byQuiz Club NITW
 
PPTX
Salesforce Spring 26` Release Key Features.pptx
byMehediHasan939830
 
PPT
Clotting time - Practical - Hematology Physiology
bykishorkumar396
 
PPTX
Open to All Quiz Final Bagula Pathbhabana.pptx
bySourav Kr Podder
 
PPTX
Structure and function of Integumentary system (skin).pptx
byAshish Umale
 
PPTX
Cultivation practice of Cucumber, Pumpkin and summer squash in Nepal.pptx
byUmeshTimilsina1
 
PPTX
4. Nursery raising of vegetable crops.pptx
byUmeshTimilsina1
 
PDF
• Reinforcing the Human Firewall: Moving From Awareness to Applied Skill
byAdityarajsinh Gohil
 
PDF
The Industrialisation of Deception: An Analysis of the 2024 Cybercrime Landscape
bykrutivyas2005
 
PPT
Blood Grouping.ppt - Hematology -Physiology
bykishorkumar396
 
PPTX
1. Importance, scope and constraints of vegetable and spice crop production i...
byUmeshTimilsina1
 
PDF
Life-Processes-in-Animals PPT/7TH CLASS NEW NCERT /CURIOSITY SCIENCE /BY K SA...
bySandeep Swamy
 
PPTX
All Things 2025 - A Year in Review Quiz!
byShashank Jogani
 
PPTX
Introduction to Mendelian inheritance.pptx
bypramodphirke1
 
PPTX
Non aqueous titration First Year B. Pharm.pptx
byMs. Ashatai Patil
 
PDF
Teaching and Learning (BD1TL) - B.Ed TNTEU
byDr Raja Mohammed T
 
Fever & Fragment Uncovering the Plague in The Waste Land
byNidhi Pandya
 
OCCULTISM IN JEHOVAH'S WITNESSES' ARTWORK
byDaniel Barnea
 
GDGoC TAE Orientation presentation for WOW-Verse hackathon
bymayurpatiltae
 
CHAPTER NO. 05 BIOLOGICAL SOURCE,CHEMICAL CONSTITUENTS AND THERAPEUTIC EFFICA...
byGanu Gavade
 
Gaming Quiz 2025- 27th October 2025, Quiz Club NITW
byQuiz Club NITW
 
Salesforce Spring 26` Release Key Features.pptx
byMehediHasan939830
 
Clotting time - Practical - Hematology Physiology
bykishorkumar396
 
Open to All Quiz Final Bagula Pathbhabana.pptx
bySourav Kr Podder
 
Structure and function of Integumentary system (skin).pptx
byAshish Umale
 
Cultivation practice of Cucumber, Pumpkin and summer squash in Nepal.pptx
byUmeshTimilsina1
 
4. Nursery raising of vegetable crops.pptx
byUmeshTimilsina1
 
• Reinforcing the Human Firewall: Moving From Awareness to Applied Skill
byAdityarajsinh Gohil
 
The Industrialisation of Deception: An Analysis of the 2024 Cybercrime Landscape
bykrutivyas2005
 
Blood Grouping.ppt - Hematology -Physiology
bykishorkumar396
 
1. Importance, scope and constraints of vegetable and spice crop production i...
byUmeshTimilsina1
 
Life-Processes-in-Animals PPT/7TH CLASS NEW NCERT /CURIOSITY SCIENCE /BY K SA...
bySandeep Swamy
 
All Things 2025 - A Year in Review Quiz!
byShashank Jogani
 
Introduction to Mendelian inheritance.pptx
bypramodphirke1
 
Non aqueous titration First Year B. Pharm.pptx
byMs. Ashatai Patil
 
Teaching and Learning (BD1TL) - B.Ed TNTEU
byDr Raja Mohammed T
 

Preserving and recovering digital evidence

  • 1.
    Preserving And RecoveringDigital Evidence
  • 2.
    Introduction • Digital Evidence– encompasses any and all digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. • This presentation will explore collection, preservation and identification of digital evidence.
  • 3.
    Overview • Introduction toIntrusion Detection Systems • The rules and guidelines surrounding the gathering and use of digital evidence. • Digital evidence on the target machine. • Digital evidence on the network.
  • 4.
    Intrusion Detection • Abrief overview Intrusion detection systems collect information from a variety of system and network sources, then analyze the information for signs of intrusion and misuse.
  • 5.
    Intrusion Detection: • IntrusionDetection – 2 Types • Host-Based • Network-Based
  • 6.
    Intrusion Detection –Host-Based • Host-based intrusion detection systems .The system is used to analyze data that originates on computers (hosts). • Examines events like what files are accessed and what applications were executed. - Logs are used to gather this data • Resides on every system and usually reports to a central command console. • Uses signatures or predefined patterns that have been defined as suspicious by the security officer.
  • 7.
    Intrusion Detection –Host-Based - cont • Used primarily for detecting insider attacks. - For example an employee who abuses their privileges, or students changing their grades. • Audit policy - Defines which end-user actions will result in an event record being written to an event log. For example accesses of mission-critical files.
  • 8.
    Intrusion Detection –Network-Based Network-Based • The system is used to analyze network packets. • Used to detect access attempts and denial of service attempts originating outside the network. • Consists of sensors deployed throughout a network. • Sensors then report to a central command console
  • 9.
    Intrusion Detection –Network- Based • Uses packet content signatures - Based on the contents of packets. - Patterns are detected in the headers and flow of traffic. • Encryption prevents detection of any patterns.
  • 10.
    Digital Evidence vs.Physical Evidence • It can be duplicated exactly and a copy can be examined as if it were the original. - Examining a copy will avoid the risk of damaging the original. • With the right tools it is very easy to determine if digital evidence has been modified or tampered with by comparing it with the original.
  • 11.
    Digital Evidence vs.Physical Evidence • It is relatively difficult to destroy. • Even if it is “deleted,” digital evidence can be recovered. • When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
  • 12.
    Collecting and PreservingDigital Evidence • The focus of digital evidence is on the contents of the computer as opposed to hardware. • Two kinds of copies: - Copy everything. - Just copy the information needed. • When there is plenty of time and uncertainty about what is being sought, but a computer is suspected to contain key evidence, it makes sense to copy the entire contents.
  • 13.
    Collecting and PreservingDigital Evidence • When collecting the entire contents of a • computer, the general concept is the same • in most situations:
  • 14.
    Collecting and PreservingDigital Evidence • All related evidence should be taken out of RAM. • The computer should be shut down. • Document the hardware configuration of the system. • Document the time and date of the CMOS. • The computer should be booted using another operating system that bypasses the existing one and does not change data on the hard drive(s). • A copy of the digital evidence from the hard • drive(s) should be made.
  • 15.
    Collecting and PreservingDigital Evidence • When collecting the entire contents of a computer, a bit stream copy of the digital evidence is usually desirable. • In short, a bit stream copy copies what is in slack space and unallocated space, whereas a regular copy does not.
  • 16.
    Agenda for Duplicationand Preservation of Evidence • Make bit stream back-ups of hard disks and floppy disks cont. Tools to accomplish this: • Encase • DD • Byte back • Safeback Note the tool used • When making the bit stream image, note and • document how the image was created. Also note the date, time, and the examiner.
  • 17.
    Empirical Law • EmpiricalLaw of Digital Collection and Preservation: • If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
  • 18.
    Computer Image Verification •At least two copies are taken of the evidential computer. • One of these is sealed in the presence of the computer owner and then placed in secure storage. • This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.
  • 19.
    The important tolocate and recover all graphics files on a drive and determine which ones are pertinent to your case.. • Because these files aren’t always stored in standard graphics file formats, we should examine all files our computer forensics tools find, even if they aren’t identified as graphics files. • A graphic file contains a header with instructions for displaying the image. • Each type of graphics file has its own header that helps to identify the file format. • Because the header is complex and difficult to remember, we can compare a known good file header with that of a suspect file.
  • 20.
    Collecting and PreservingDigital Evidence • Collecting evidence out of RAM on a Unix machine is not a simple task. • The ‘ps’ command is used to list programs that a machine is running but one must specify that one wants to see all the processes. • “ps –aux”
  • 21.
    Collecting and PreservingDigital Evidence • Some types of Unix allow one to save and view the contents of RAM that is associated with a particular program using the “gcore” program. • There are also programs that provide a list of files and sockets that a particular program is running – “lsof” • Investigators can use the “dd” command to make a bit stream backup
  • 22.
    Collecting and PreservingDigital Evidence • Whenever digital evidence is copied onto a floppy disk, compact disk, tape or any other form of storage media, an indelible felt-tipped pen should be used to label it with the following information:
  • 23.
    Collecting and PreservingDigital Evidence • Current date and time and the date/time on the computer (any discrepancy should be noted). • The initials of the person who made the copy. • The name of the operating system. • The program(s) and/or command(s) used to copy the files. - Retain copies of software used. • The information believed to be contained in the files.
  • 24.
    Collecting and PreservingDigital Evidence • Since the evidence has been collected, it is important to ensure the integrity of the evidence.
  • 25.
    How To HandleDigital Evidence Steps to guide the responder in handling the Digital evidence at an electronic crime scene. 3. Recognize, identify, seize, and secure all digital evidence at the scene. 4. Document the entire scene and the specific location of the evidence found. 5. Collect, label, and preserve the digital evidence. 6. Package and transport digital evidence in a secure manner.
  • 26.
    The Primary Stepsto Conduct a Forensic Investigation. Step 1: Isolate the System and Data • Collect information by interviewing all system administrators and anyone else who might have come into contact with the system.
  • 27.
    The Primary Stepsto Conduct a Forensic Investigation. Step 2: Collect Non-Technical Information • The purpose of this step is to ensure that the required minimum information is recorded in paper note form, such as developing a timeline of events. The premise here is to start a log book using a fresh pad of paper to gather information from the system administration staff and any other persons involved.
  • 28.
    The Primary Stepsto Conduct a Forensic Investigation. Step 3: Preserve Evidence and Create Copies for Analysis • Memory and /proc. • Create a duplicate of the system. • Validate copies.
  • 29.
    The Primary Stepsto Conduct a Forensic Investigation. Step 4: Prepare for an Analysis • At this point, the information collected in the preceding steps is ready for inspection. • The following steps can also be performed by a third party or at another physical location.
  • 30.
    The Primary Stepsto Conduct a Forensic Investigation. Step 5: Perform the Analysis • The purpose of the analysis step is to determine whether a compromise has occurred, what exactly was damaged, and to obtain any evidence indicating who the culprit(s) might be, as well as the methods they used to attack the system. • Tools are needed to complete the analysis phase.
  • 31.
    The Primary Stepsto Conduct a Forensic Investigation. Step 6: Perform Recovery • The recovery efforts that ensue after the forensic analysis is a standard process that should be defined in your organization
  • 32.
    The Primary Stepsto Conduct a Forensic Investigation. How to acquire data from removable media?
  • 33.
    How to acquiredata from removable media? 1.Document the scene Use static-proof container and label container with a.Type of media b.Where media was found c.Type of reader required for the media 2.Transport directly to lab 3.Do not leave any media in a hot vehicle or environment 4.Store media in a secure and organized area 5.Once at the lab, make a working copy of the drive a.Make sure the media is write-protected b.Make a hash of the original drive and the duplicate c.Make a copy of the duplicate to work from d.Store the original media in a secure location