Computer Forensics. Securing and Analysing Digital Information


Computer Forensics Securing and Analysing Digital Information

Aims
- What is a computer?
- Where is the evidence?
- Why is digital forensics important?
- Seizing evidence
- Encryption
- Hidden files and folders
- Live acquisitions
- Dead box acquisitions
- Forensic image, processing, analysis and results
- Forensic tools: how they work
- File structure, metadata, Exif data
- Bookmarks and reports
- Lab costs

What is a computer?
- Laptops
- Desktops
- Tablets
- Phones
- Storage

Where is the evidence?
- Properties
- Internet
- Cloud
- People
- Corporate networks
- Companies
- International jurisdictions

Why is digital forensics important?
What can we recover?
- Word
- Pictures
- Excel
- PowerPoint
- Adobe PDF
- Location data
- Time and date
- Illegal content
- Associates
- Email
- Internet
- Contacts
- Calendar

Seizing evidence
- Switched on? Call an expert!
- Switched off? Bag it!

Encryption
- Encryption may prevent data recovery
- Specialist techniques and training are required
- Specialist software and hardware are required
- If the computer is switched on, call an expert
- Where is the password? This is why live acquisition is important!

Freedom of Information Act Protective Marking Title: Publication Scheme Y/N: Summary: Branch / OCU: Date created: Review date: Version: Author:

Keyspace Demonstration

Hidden files and folders
- Hidden files are difficult to find
- Specialist software is required
- If the computer is switched on, call an expert
- What software is being used? This is why live acquisition is important!

Hidden Picture Demonstration

Live acquisition
Why not turn it off and bag it?
- Allows us to recover volatile data: RAM (Random Access Memory) and running programs, which can contain hidden files, decryption passwords, evidence and recent activity
- Triage the evidence
How? Specialist forensic tools

Live acquisition: specialist forensic tools

EnCase Portable Demonstration

Deadbox acquisition
Switched off? Bag it!
What do we do with it? Create a forensic image.
How?
- Remove the hard drive
- Image using forensic imagers
- Image using forensic software
What if you can't remove the hard drive? The computer may have a special boot mode.

Deadbox acquisition: forensic imagers
- Provide a bridge between media
- Provide write protection for the evidence

Memory Card Acquisition Demonstration

Forensic image
What is a forensic image?
- Protected data container
- Given a unique identifier (hash)
- Consists of: file name, text file, case info, notes, data blocks, hash
- The hash is important for exhibit continuity
- Image file types: .E01, .L01, .Lx01, .Ex01, .AD1

Processing, analysis and results: forensic tools
- EnCase Examiner
- Forensic Tool Kit (FTK)
- Internet Evidence Finder (IEF)

Forensic tools, how they work: examining file structures
- All file types have a formal data structure
- Information inside the file: file identifiers, headers, footers
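As an added illustration of the two points above (file identification by header and footer bytes, and the hash that gives a forensic image its unique identifier and exhibit continuity), the following Python is example code written for this page, not part of the presentation or any tool it names. It assumes a small constructed signature table and constructed sample files, and it chooses SHA-256 where the slides say only "hash".

```python
import hashlib
import hmac

# Header (magic bytes) and footer signatures for a few common file types.
# Constructed table for this example; the byte values are the well-known
# signatures of each format.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF8", b";"),
}

def identify_by_structure(data: bytes):
    """Identify a file by header and footer bytes, ignoring its name.
    Returns (type, header_ok, footer_ok); a good header with a missing
    footer usually means the file is truncated or only partly recovered."""
    for name, (header, footer) in SIGNATURES.items():
        if data.startswith(header):
            # Trailing newlines after the footer are common (e.g. PDF).
            return name, True, data.rstrip(b"\r\n ").endswith(footer)
    return None, False, False

def exhibit_hash(data: bytes) -> str:
    """SHA-256 hex digest as the image's unique identifier. The slide says
    only 'hash'; choosing SHA-256 is this example's assumption."""
    return hashlib.sha256(data).hexdigest()

def verify_continuity(data: bytes, recorded_hash: str) -> bool:
    """Re-hash the evidence and compare with the hash recorded at acquisition."""
    return hmac.compare_digest(exhibit_hash(data), recorded_hash.lower())

# Constructed sample files: a JPEG renamed to look like a document, a PDF with
# a trailing newline, a truncated JPEG, and plain text with no known signature.
SAMPLES = {
    "holiday.docx": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",
    "report.pdf": b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF\n",
    "cut.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 8,
    "notes.txt": b"just some text",
}

def triage(samples: dict) -> dict:
    """Map each file name to its structural identification result."""
    return {name: identify_by_structure(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:14} -> {result}")
```

Running it shows the renamed picture identified as a JPEG regardless of its extension and the truncated file flagged by its missing footer.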

Forensic tools, how they work: examining the Master File Table
- Record of all the files stored on a drive: size, file name, file type, location, created, accessed, modified, deleted

FTK Memory Card Demonstration

Metadata and Exif data
What do we get? Information within a picture file:
- Camera make and model
- GPS location
- Dates and times
- Author

Exif Data Demonstration

Processing, analysis and results: bookmarks and reports
- Highlight files
- Add comments
- Attach files
- Export to reports

Lab costs
- Staff
- Equipment
- Training
- versus contractors

Summary
- What is a computer?
- Where is the evidence?
- Why is digital forensics important?
- Seizing evidence
- Encryption
- Hidden files and folders
- Live acquisitions
- Dead box acquisitions
- Forensic image, processing, analysis and results
- Forensic tools: how they work
- File structure, metadata, Exif data
- Bookmarks and reports
- Lab costs
