Where is computer forensics used?



Similar documents
Design and Implementation of a Live-analysis Digital Forensic System

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

Hands-On How-To Computer Forensics Training

FORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Open Source Data Recovery

Introduction to The Sleuth Kit (TSK) By Chris Marko. Rev1 September, Introduction to The Sleuth Kit (TSK) 1

Digital Forensic Techniques

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Forensic Acquisition and Analysis of VMware Virtual Hard Disks

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Linux in Law Enforcement

Incident Response and Computer Forensics

Lab III: Unix File Recovery Data Unit Level

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

MSc Computer Security and Forensics. Examinations for / Semester 1

Digital Forensics with Open Source Tools

Lukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

System i and System p. Customer service, support, and troubleshooting

Getting Physical with the Digital Investigation Process

COMPREHENSIVE STUDY OF DIGITAL FORENSICS

Security Incident Investigation

Computer Forensics using Open Source Tools

Unix/Linux Forensics 1

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Analysis of Evidence in Cloud Storage Client Applications on the Windows Platform

EC-Council Ethical Hacking and Countermeasures

Incident Response and Forensics

information security and its Describe what drives the need for information security.

Paraben s P2C 4.1. Release Notes

Live View. A New View On Forensic Imaging. Matthiew Morin Champlain College

Introduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014

Digital Forensics. Larry Daniel

Concepts of digital forensics

How To Be A Computer Forensics Examiner

Overview of Computer Forensics

Practice Exercise March 7, 2016

Digital Forensics For Unix. The SANS Institute

Computer Forensic Tools. Stefan Hager

Using Open Source Digital Forensics Software for Digital Archives Workshop

Lab V: File Recovery: Data Layer Revisited

Is the Open Way a Better Way? Digital Forensics using Open Source Tools

Open Source Digital Forensics Tools

Digital Forensic Tool for Decision Making in Computer Security Domain

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Impact of Digital Forensics Training on Computer Incident Response Techniques

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Freeware Live Forensics tools evaluation and operation tips

Disk and File System Analysis

IT Networking and Security

FALSE ALARM? Incident Management Case Study. Carlos Villalba

{ecasey,

Computer Forensics as an Integral Component of the Information Security Enterprise

Cloud Storage Client Application Evidence Analysis on UNIX/Linux

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

DoD Cyber Crime Center

State of the art of Digital Forensic Techniques

The Role of Digital Forensics within a Corporate Organization

Fuzzy Hashing for Digital Forensic Investigators Dustin Hurlbut - AccessData January 9, 2009

Comparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology

Digital Forensics for Attorneys Overview of Digital Forensics

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI

Course Title: Computer Forensic Specialist: Data and Image Files

Digital Forensics for Attorneys - Part 2

"This is a truly remarkable attack, but not. just in its scope hackers successfully. penetrated one of the most secure

Chapter 14 Analyzing Network Traffic. Ed Crowley

Digital forensic techniques for static analysis of NTFS images

A Day in the Life of a Cyber Tool Developer

CCE Certification Competencies

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Digital Forensics & e-discovery Services

Computer Forensic Capabilities

Live System Forensics

Discovery of Electronically Stored Information ECBA conference Tallinn October 2012

Computing forensics: a live analysis

Developing Computer Forensics Solutions for Terabyte Investigations

Introduction to File Carving

An overview of IT Security Forensics

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Microsoft Vista: Serious Challenges for Digital Investigations

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.

RECOVERING DELETED DATA FROM FAT PARTITIONS WITHIN MOBILE PHONE HANDSETS USING TRADITIONAL IMAGING TECHNIQUES

Transcription:

What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. Where is computer forensics used? Criminal and civil investigations Divorce cases Insurance investigation Corporate investigations Principles of computer forensic investigations 1. Your actions should not affect the integrity of the evidence a. You should minimize any changes to the evidence. If changes are made, make sure the reason and impacts are documented. 2. Take notes on everything 3. Analyze all evidence collected 4. Report your findings Tools A case for open source Verifiable Available Scriptable Large community support Cutting edge Opportunity to give back to the community Linux Linux makes an extremely powerful forensic workstation and acquisition environment. In addition to all the reasons listed above, Linux has the following advantages: Support many file systems natively Forensic community heavily uses Linux and much of what you can find or read will be based on Linux Linux is very powerful and utilizes all the assets of your computer system Helix Helix is maintained by e-fense and is a customized distribution of Ubuntu Linux that has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix has both a live side for Incident Response as well as a forensic environment. Copyright 2008 Chicago Electronic Discovery http://chicago-ediscovery.com 1

The Sleuth Kit and Autopsy Forensic Browser TSK and Autopsy are authored by Brian Carrier. He is also the author of File System Forensic Analysis, a very important book for any forensic analyst. TSK 3.0 and Autopsy 2.20 were released on October 2008. Open source/free tools The following is a list of some of the most used and important open source/free tool for computer forensic: dd/dcfld/dc3dd (http://dcfldd.sourceforge.net/ http://dc3dd.sourceforge.net/) o Disk Duplicator and/or Disk Destroyer and various updates versions Foremost (http://foremost.sourceforge.net/) o File/data carving o Built-in file types, can be expanded with configuration file (i.e. iphone forensics) Lazarus (http://www.porcupine.org/forensics/tct.html) o Part of TCT, attempts to reconstruct files or data from raw data o Very slow but very powerful Sorter (http://www.sleuthkit.org/) o Runs file command on all files, deleted and undeleted o Sorts based on file type, looks for mismatched extensions o Can utilize hash databases for known good or known bad files nc/cryptcat (http://netcat.sourceforge.net/ http://sourceforge.net/projects/cryptcat/) o networking utility which reads and writes data across network connections, using the TCP/IP protocol. Sysinternals (http://technet.microsoft.com/en-us/sysinternals/default.aspx) o suite of utilities to help you manage, troubleshoot and diagnose Windows systems and applications o Company was bought by Microsoft in 1996 and the tools remain free and ever expanding VMWare workstation Liveview (http://liveview.sourceforge.net/) o Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk Wireshark (http://www.wireshark.org/) o Formerly Ethereal, allow for network capture (via pcap) and analysis of network traffic Volatility Framework (https://www.volatilesystems.com/default/volatility) o Emerging project for the analysis of memory dumps Commercial Tools EnCase (http://www.guidancesoftware.com/) FTK (http://www.accessdata.com/) Concepts Cryptographic hashing Purpose Hashes o MD5 Copyright 2008 Chicago Electronic Discovery http://chicago-ediscovery.com 2

o SHA1 Collision concerns Hash databases NSRL/Hashkeeper Roll your own Child Pornography Live vs. dead analysis Incident response Encrypted file systems Technical introduction Physical media (hard drives, usb drives, etc.) Big-Endian vs. Little-Endian Sectors and clusters Blocks and inodes Layers of a file systems Physical Layer (fsstat) File System Layer (mmls,mmstat) Data Content Layer (dls) o Sectors -> Clusters/blocks o Allocated or unallocated, addressable Meta Data Layer (ils) o Add structure to the data, like a card catalog o Inodes/MFT Entry/FAT Directory Entry o Allocated or unallocated, addressable o Points to Data Content Layer File Name Layer (fls) HPA Host Protect Area explained disk_stat, disk_sreset, dmesg o # disk_stat /dev/hdb o Maximum Disk Sector: 120103199 o Maximum User Sector: 118006047 o ** HPA Detected (Sectors 118006048-120103199) ** Disk images vs. partitions Special considerations for raw/unstructured data Swap space Memory Copyright 2008 Chicago Electronic Discovery http://chicago-ediscovery.com 3

Volatility of data CPU registers Memory Network connections Processes Hard drive Removable media Basic methodology for a computer forensic investigation The US DOJ has many resources for digital forensics. Particularly useful is their document Forensic Examination of Digital Evidence: A Guide for Law Enforcement (http://www.ojp.usdoj.gov/nij/pubssum/199408.htm). This document contains their suggested methodology for digital forensics. 1. Verify the incident 2. Evidence Assessment 3. Evidence Acquisition 4. Evidence Examination o Physical Extraction Keyword searching File carving (foremost, lazarus) o Logical Extraction Extract slack space, unallocated space, allocated space and deleted files Identify known good or known bad via hash databases o Analysis of extracted data Timeline analysis Data hiding analysis Application and file analysis Ownership and possession 5. Documenting and Reporting o Document as you go! o Make notes with full context for further analysis later or reporting Live demonstration I will perform a step by step analysis of a USB drive. Suggestion for forensic education Image your own hard drive Purchase a hard drive from ebay and analyze Analyze your cell phone Areas of active development Memory analysis Copyright 2008 Chicago Electronic Discovery http://chicago-ediscovery.com 4

Mobile device forensics Encrypted file systems References/Resources Books o File System Forensic Analysis by Brian Carrier o Windows Forensics: The Field Guide for Corporate Computer Investigations by Chad Steel Websites o Forensics Wiki - http://www.forensicswiki.org/wiki/main_page o Forensic Incident Response - http://forensicir.blogspot.com/ o Windows Incident Response - http://windowsir.blogspot.com/ o The Electronic Evidence Information Center - http://e-evidence.info/ o Computer Forensics, Malware Analysis & Digital Investigations - http://www.forensickb.com/ o Forensic Focus - http://www.forensicfocus.com/ Copyright 2008 Chicago Electronic Discovery http://chicago-ediscovery.com 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information