Modern Digital Forensics!!

Similar documents
EC-Council Ethical Hacking and Countermeasures

Hands-On How-To Computer Forensics Training

MSc Computer Security and Forensics. Examinations for / Semester 1

Overview of Computer Forensics

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

Computer Hacking Forensic Investigator v8

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner

Digital Forensic Techniques

Certified Digital Forensics Examiner

Digital Forensics. Larry Daniel

Scene of the Cybercrime Second Edition. Michael Cross

Digital Forensics: The aftermath of hacking attacks. AHK Committee Meeting April 19 th, 2015 Eng. Jamal Abdulhaq Logos Networking FZ LLC

Certified Cyber Security Analyst VS-1160

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

CERTIFIED DIGITAL FORENSICS EXAMINER

information security and its Describe what drives the need for information security.

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

Discovery of Electronically Stored Information ECBA conference Tallinn October 2012

Digital Forensics for Attorneys Overview of Digital Forensics

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

Where is computer forensics used?

About Your Presenter. Digital Forensics For Attorneys. Overview of Digital Forensics

Case Study: Hiring a licensed Security Provider

Computer Forensics as an Integral Component of the Information Security Enterprise

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

The Role of Digital Forensics within a Corporate Organization

CDFE Certified Digital Forensics Examiner (CFED Replacement)

Certified Cyber Security Analyst VS-1160

BDO CONSULTING FORENSIC TECHNOLOGY SERVICES

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Term Report. Forensics for IT

Case Study: Mobile Device Forensics in Texting and Driving Cases

C HFI C HFI. EC-Council. EC-Council. Computer Hacking Forensic Investigator. Computer. Computer. Hacking Forensic INVESTIGATOR

AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS

Incident Response. Six Best Practices for Managing Cyber Breaches.

e-discovery Forensics Incident Response

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Fostering Incident Response and Digital Forensics Research

Chapter 7 Securing Information Systems

Getting Physical with the Digital Investigation Process

C HFI C HFI. EC-Council. EC-Council. Computer Hacking Forensic Investigator. Computer. Computer. Hacking Forensic INVESTIGATOR

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices

Incident Response and Computer Forensics

Case Study: Smart Phone Deleted Data Recovery

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Digital Forensics & e-discovery Services

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

(b) slack file space.

EnCase Forensic Product Overview

Digital Forensics, ediscovery and Electronic Evidence

Incident Response and Forensics

Computer Forensics. Securing and Analysing Digital Information

Guidelines on Digital Forensic Procedures for OLAF Staff

Big Data, Big Risk, Big Rewards. Hussein Syed

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Open Source Digital Forensics Tools

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

Click to edit Master title style

Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics

Bellevue University Cybersecurity Programs & Courses

Journal of Digital Forensic Practice

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Computer Forensics US-CERT

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Ten Deadly Sins of Computer Forensics

Loophole+ with Ethical Hacking and Penetration Testing

Live View. A New View On Forensic Imaging. Matthiew Morin Champlain College

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

How To Get A Computer Hacking Program

FRONT RUNNER DIPLOMA PROGRAM INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Taxonomy of Anti-Computer Forensics Threats

Build Your Own Security Lab

Scientific Working Group on Digital Evidence

GUJARAT TECHNOLOGICAL UNIVERSITY MASTER OF COMPUTER APPLICATIONS (MCA) SEMESTER: V

Detection of Data Hiding in Computer Forensics. About Your Presenter

Master of Science in Information Systems & Security Management. Courses Descriptions

Impact of Digital Forensics Training on Computer Incident Response Techniques

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Design and Implementation of a Live-analysis Digital Forensic System

Regional Computer Forensic Laboratory & Digital Forensics. Presented By: D. Justin Price FBI - Philadelphia Computer Analysis Response Team

Guide to Computer Forensics and Investigations, Second Edition

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

Investigation Techniques

Digital Forensics for Attorneys - Part 2

Security Overview. BlackBerry Corporate Infrastructure

Cloud Computing Architecture and Forensic Investigation Challenges

Guide to Computer Forensics and Investigations, Second Edition

Transcription:

ISA 785 Research in Digital Forensics Modern Digital Forensics!! ISA 785! Angelos Stavrou, George Mason University!

Modern Digital Forensics What s New 2! New Intellectual property concerns! IP/Brand related abuse! File sharing and copyright violations"! Corporate reliance on Internet technology! Attacks over the Network! Technology-assisted Insider Threats! Internet fraud, phishing, infrastructure attacks!! Computer related employee misconduct"! Corporate accounting scandals! Enron, Andersen, WorldCom, and others! Sarbanes Oxley Act of 2002 (SOX) requiring digital evidence collection capability, investigation and incident response processes!

Modern Digital Forensics 3! A formal scientific discipline! Theory, Abstractions, Models, Frameworks! Corpus of literature and professional practice! Practical tools, methods, procedures! Confidence and trust in results"! Professional community! International peer reviewed journals and conferences! Practitioner best practice! Formal standards and procedures!

Modern Digital Forensics 4! Expanded scope of Digital Forensics: now includes! Software forensics (malware/code analysis)! Live system forensics (memory, running processes)! Network forensics (captured traffic, remote collection)! Host/Network Log & Data Correlation! Smart & Embedded devices! Smart & mobile phones,! Pads, PDAs,! New capabilities Camera, GPS, WiFi, Motion sensors! Arrival of anti-forensics or counter-forensics!

Digital Forensics Today 5! The current state of digital forensics! Thriving scientific research community! Experienced and professional community of practitioners! Rigorous and formalized processes and methodology! Well established fundamental tools and techniques! Significant growth in the corporate sector"! The coming decade: beyond 2010! What existing problems need solving?! What new expectations and requirements will be demanded?! Which challenges we must face and overcome?! How must digital forensics change and adapt?!

Real World Challenges 6! Forensic Readiness! Less reliance on accidentally found evidence, more preparedness and planning for evidence collection! Building forensic capability into IT infrastructure and applications as a standard component, from the initial design phase! Having processes, tools and trained staff available in advance, for performing forensic work! Information Security! Forensic tools can be powerful and invasive! Must be carefully controlled and responsibly used! Policies to ensure access is restricted to authorized investigators and forensic analysts! Adequate protection of copied data during storage and transfer, in the short term as well as the long term!

Real World Challenges 7! Legal and Regulatory Compliance! Jurisdiction differences and forensic requirements are different around the world, complex to implement globally! Some forensic activity may be restricted: privacy law, wiretapping law, etc.! Some forensic activity may be mandated: data retention, evidence collection process, etc.! Risk sensitive forensics! Balancing the cost and effort of forensic work with the likelihood of finding evidence! Technical depth: you can always dig deeper, but when do you stop?!

Real World Challenges 8! Adopting new cost effective and efficient solutions! Moving data to the tools vs. moving the tools to the data (for example: integrating e-discovery tools into backup systems! Replacing suspect hard disks, instead of forensic imaging in the field! Separating forensic acquisition role from forensic analysis role"! New Technologies! VoIP vs Mobile vs Land-lines! Devices become more personal, privacy a concern" Increase in electronic data devices and storage which cannot be easily analyzed: iphone, ipad, and other restricted access devices! Social networking sites, blogs, external public applications!

Real World Challenges 9! External ownership of corporate IT Infrastructure! Complex, multi-party infrastructure outsourcing! Externally hosted/shared applications! Cloud computing! Certain aspects of technical forensic computing may not be feasible or sensible in these environments"! Shift in evidence location! Less reliance on client PC disks as a regular evidence source, more! reliance on server logs and archived data! Evidence increasingly found on external infrastructure, requiring cooperation with external parties!

Real World Challenges 10! Ever Increasing data volume! Large amounts of data can be collected from large corporate IT! Infrastructures! Modern hard disk sizes: TBs are common, working with forensic images this size is cumbersome and time consuming! Large data sets require scalable and stable forensic tools! Improved reliance statistical analysis, anomaly detection, data mining, correlation! Data retention is a challenge: how long? how much detail?!

Real World Challenges 11! Complexity of finding evidence! Hard to maintain up-to-date forensic capability for rapidly changing technology! Many layers of data encapsulation and abstraction, increasing levels of technical detail! Difficulty analyzing proprietary, undocumented technologies! Encryption: secure email, protected files and file systems, key escrow/recovery processes!!!!!!!!anything more?!

Introduction to Forensic Evidence 12!!!! Overview of Forensics Process!

Managing the Life-Cycle of a Case 13! A defensible (objective, unbiased) approach is:! Performed in accordance with forensic science principles! Based on standard or current best practices! Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence! Conducted by individuals who are certified in the use of verified tools, if such certification exists! Documented thoroughly!

Managing the Life-Cycle of a Case (Cont.) 14! Preserving the chain of custody for e-evidence requires proving that:! No information has been added, deleted, or altered in the copying process or during analysis! A complete copy was made and verified! A reliable copying process was used! All media were secured! All data that should have been copied have been copied!

Managing the Life-Cycle of a Case(Cont.) 15! Many factors affect the choice of tools " selected for a case:"! Type of device (What Types?)! Operating system (Options?)! Software applications (Why?)! Hardware platforms (Why does it matter?)! State of the data (What state can it be?)! Domestic and international laws! Concerns about bad publicity or liability!

In Practice: Easy Access to Criminal Tools 16! Many tools are freely available that help criminals hide evidence of cybercrimes! Nuker! Anonymous remailers! Password cracker! Scanner! Spoofer! Steganography! Trojan horse! 16!

Investigation Objectives & Chain of Custody Practices 17! Investigation Objectives Document the scene, evidence, activities, and findings Acquire the evidence Authenticate the copy Chain of Custody Practices Document everything that is done; keep detailed records and photographs, etc. Collect and preserve the original data, and create an exact copy Verify that the copy is identical to the original (Continued)! 17!

Investigation Objectives & Chain of Custody Practices 18! Investigation Objectives Analyze and filter the evidence Be objective and unbiased Present the evidence/evaluation in a legally acceptable manner Chain of Custody Practices Perform the technical analysis while retaining its integrity Ensure that the evaluation is fair and impartial to the person or people being investigated Interpret and report the results correctly 18!

Document and Collect Data 19! Documentation needs to be precise and organized! Document each of the following:! Location, date, time, witnesses! System information, including manufacturer, serial number, model, and components! Status of the computer, such as whether it was running and what was connected to it! Physical evidence collected! 19!

Power Down or Unplug? 20! If a PC is running, the decision has to be made as to how to power it down! Using the operating system to power down is risky because temporary files might be deleted and date/ time stamps changed! Current best practice is to unplug the PC from its power source, preserving the data environment! Is this Correct Practice?! 20!

Exceptions to the Copy Rule 21! Best practice is to work with a copy of the original data! Exceptions to this rule may occur when it is more important to contain an attack or stop a crime! It may also be impossible to copy an entire system! 21!

In Practice: Write Blocking and Protection 22! Never turn on a PC without having writeblocking software or devices in place! Write-blocking devices prevent any writes to a drive such as may occur when simply turning on a system! What about Flash Drives?! What about Network Drives?! What about Memory?! 22!

Creating a Drive Image 23! Original data must be protected from any type of alteration! To protect original data, work from a forensic copy of the original drive or device! Ways to make forensic copies! Drive imaging or mirror imaging! Sector-by-sector or bit-stream imaging! Is This Enough?! 23!

Residual Data 24! Residual data is data that has been deleted but not erased! Residual data may be found in unallocated storage or file slack space! File slack consists of:! RAM slack area from the end of a file to the end of the sector! Drive slack additional sectors needed to fill a cluster! How can we Wipe a disk?! 24!

Acquiring a Forensic Copy 25! Use a forensically clean hard drive for copying! Simple format does not meet acceptable or best practices! Verify the accuracy of the copy! Cyclic redundancy check! Cryptographic hash verification! Message digest (MD5)! 25!

Identify Data Types 26! Active data! Deleted files! Hidden, encrypted, and passwordprotected files! Automatically stored data! E-mail and instant messages! Background information! 26!

Investigative Environments and Analysis Modes 27! Trusted environments! Dead analysis or postmortem analysis! Nonvolatile data or persistent data! Untrusted environments! Live analysis! Includes both Network and Host Analysis! 27!

Forensic Tools and Toolkits 28! Tools support the investigator by helping to:! Recreate a specific chain of events or sequence of user activities! Search for key words and dates and determine which of the data is relevant! Search for copies of previous document drafts! Search for potentially privileged information! Search for the existence of certain programs! Authenticate data files and their date and time stamps! 28!

Forensic Tools and Toolkits (Cont.) 29! EnCase Forensic (see DoJ Guide on course site)! A DOD-approved tool for gathering and evaluating electronic information! Supports the following e-mail investigation file types:! MSN Hotmail! Outlook and Outlook Express! Yahoo!! AOL 6, 7, 8, and 9! Netscape! mbox (Unix)! 29!

Forensic Tools and Toolkits (Cont.) 30! EnCase Cybercrime Arsenal is a customizable package of software, hardware, and training! Available in three packaged solutions! Offers four views of collected data:! Table view displays files in a spreadsheet-style format! Gallery view provides a view of all images! Timeline view provides a calendar-style picture of file activity! Report view helps create tailored reports! 30!

Forensic Tools and Toolkits (Cont.) 31! Other toolkits for Windows:! Forensic Toolkit (FTK ) used for finding and examining computer evidence! Ultimate Toolkit contains FTK plus other modules for recovering passwords, analyzing registry data, and wiping hard drives! WinHex used for forensics, data recovery and processing, and IT security! 31!

Forensic Tools and Toolkits (Cont.) 32! Toolkits for UNIX and Linux:! Autopsy and Sleuth Kit for investigating file systems and volumes of suspect computers! dtsearch for combing through large amounts of data for up to 250 different file types! 32!

Forensic Tools and Toolkits (Cont.) 33! Macintosh forensic software:! BlackBag a set of 19 tools for examining Macintosh computers, including! Directory Scan! FileSpy! HeaderBuilder! MacQuisition forensic acquisition tool used to safely image Macintosh systems! 33!

Forensic Tools and Toolkits (Cont.) 34! PDA Seizure! A comprehensive forensic tool from Paraben for investigating Palm, Pocket PCs, and BlackBerry devices! Can produce forensic images and perform data searches as well as crack passwords for Palm! Mobile & Smart-Phone tools! There are a few out there, most recent prototypes! We will discuss more during class.! 34!

Forensics Equipment (Cont.) 35! Type Tool or Toolkit Free Demo Web Site Password cracker Passware kit Yes www.lostpassword.com/kit.htm Password cracker John the Ripper Yes www.openwall.com/john Portable hard disk duplicator Disk Jockey www.diskology.com Portable hard drive and media duplicator Logicube www.logicube.com Forensic intrusion detection, and scanning tools Foundstone Yes www.foundstone.com/ resources/forensics.htm 35!

Certification and Training Programs 36! EnCE EnCase Certified Examiner! Global Information Assurance Certification (GIAC)! Computer Hacking Forensic Investigator (CHFI)! Computer Forensic External Certification (CCE)! 36!

37! Certification and Training Programs (Cont.) TruSecure ICSA Certified Security Associate! Computer Forensic Training Center Online! Certified International Information Systems Forensics Investigator (CIFI)! 37!

Summary 38! Quality of e-evidence depends on skilled investigators! Maintaining the integrity of e-evidence requires a defensible approach! There can be no weak links in the investigative process! It is vital for the investigator to be able to extract and analyze data quickly and present the evidence in an understandable format! 38!

Summary (Cont.) 39! Investigators frequently have to defend their findings, methods, tools, and techniques! Technologies and methodologies must be well documented and repeatable! Specialized software and hardware tools are needed for documentation, collection, authentication, analysis, preservation, and production and reporting of findings and e-evidence! 39!

Summary (Cont.) 40! There are several certification and training programs that computer forensics investigators can complete to help them become credible in the field! 40!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information