© 2013 nCircle. All Rights Reserved.
Forensics Bootcamp
Introduction
What is Forensics?
• Scientific tests or techniques used in the investigation of crimes
• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
What is Computer Forensics?
Computer Forensics: A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.
Types of Cyber Crime
• Theft of intellectual property
• Financial Fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)
Legal Issues
Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody
4th Amendment
• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.
Chain-of-Custody
(aka Chain of Evidence)
• Chain of Custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
Question?
As related to computer forensics, why is the 4th amendment an important consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights
Digital Media
Two Types of Data
• Volatile - RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard Drives (to include Solid State Drives (SSD))
– USB Devices
– Flash cards
– Optical Media – CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …
Write Blockers
• Two types of write blockers: hardware and software
• Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form.
• Reads Allowed and Writes Prevented!
• Another name for a write blocker is a “Forensic Bridge”
Some Data Hiding Techniques
• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography
Question?
What function does a Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents Reads
d. Prevents writes
The Forensic Process
The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting
The Forensic Process
(Preparation)
• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, faraday bags, tags, stickers
– Chain-of-custody and other forms
The Forensic Process
(Containment)
• Establish immediate control of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and physical network cables
– Power off computers as necessary
The Forensic Process
(Collection)
• Photograph the scene to include monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.
The Forensic Process
(Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access
The Forensic Process
(Examination & Analysis)
• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit stream image using forensic analysis software, e.g.: EnCase, FTK, …
• Prepare a report of findings
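The hashing step above, as an added example that is not part of the nCircle deck: the image is hashed in one pass at acquisition, and the recorded digests are re-checked before analysis so that any later change to the image file is caught. The sample image bytes and the temporary file path are constructed here for illustration.

```python
import hashlib
import os
import tempfile


def hash_image(path, algorithms=("md5", "sha256"), chunk_size=1024 * 1024):
    """Hash an evidence image in fixed-size chunks.

    Bit-stream images are routinely many gigabytes, so the file is never
    loaded whole; every algorithm is fed the same chunk in a single pass.
    MD5 is kept only because older tool reports list it; SHA-256 is the
    value to rely on.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns (ok, mismatches). Any mismatch means the image can no longer be
    shown to be an exact copy of the original media, and the chain of
    custody for that image is in question.
    """
    current = hash_image(path, algorithms=tuple(recorded))
    mismatches = {
        name: {"recorded": recorded[name], "current": current[name]}
        for name in recorded
        if current[name].lower() != recorded[name].lower()
    }
    return not mismatches, mismatches


def write_sample_image(data):
    """Write constructed bytes to a temporary file standing in for an image.

    This stands in for the output of an imaging tool; it is not a real disk image.
    """
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed evidence: a few sectors of a fake disk image.
    original = write_sample_image(b"constructed sector data " * 64)
    acquisition_record = hash_image(original)  # the values written on the custody form
    ok, bad = verify_image(original, acquisition_record)
    print("untouched image verifies:", ok)
    # A copy with one altered byte fails verification.
    altered = write_sample_image(b"constructed sector dat_ " * 64)
    ok, bad = verify_image(altered, acquisition_record)
    print("altered image verifies:", ok, bad)
```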
Question?
During the forensic process exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image?
a. read blocking
b. checksums
c. hashing
d. transforms
Forensic Analysis Techniques
Forensic Analysis Techniques
• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)
Searching: Keywords
• To effectively search through a suspect’s media an investigator needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search
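The three keyword-search steps above, as an added example that is not part of the deck: keywords are loaded, the search criteria are set to cover allocated data, file slack and unallocated clusters in both ASCII and UTF-16LE (the encoding Windows uses for much of its text), and the raw image is scanned. The 512-byte cluster size, the two-cluster sample image and its allocation map are constructed for illustration.

```python
import re

CLUSTER = 512  # bytes per cluster in the constructed image (assumption)


def build_sample_image():
    """Constructed two-cluster image plus the allocation map for it.

    Cluster 0 holds a 180-byte allocated file; the rest of that cluster is
    file slack still carrying bytes of a file that used to occupy it.
    Cluster 1 is unallocated and holds a UTF-16LE remnant.
    Returns (image_bytes, allocated_extents), each extent being
    (start_offset, length).
    """
    file_a = b"Quarterly report: all invoices were paid on time.".ljust(180, b"\x00")
    slack = b"...wire transfer to OFFSHORE account confirmed..."
    cluster0 = (file_a + slack).ljust(CLUSTER, b"\x00")
    cluster1 = "Offshore ledger v2".encode("utf-16-le").ljust(CLUSTER, b"\x00")
    return cluster0 + cluster1, [(0, 180)]


def classify_offset(offset, extents):
    """Label an offset as allocated, slack (the unused tail of an allocated
    file's last cluster) or unallocated, using the allocation map."""
    for start, length in extents:
        end = start + length
        if start <= offset < end:
            return "allocated"
        last_cluster_end = -(-end // CLUSTER) * CLUSTER  # round end up to a cluster boundary
        if end <= offset < last_cluster_end:
            return "slack"
    return "unallocated"


def compile_patterns(keywords):
    """Steps 1 and 2: one case-insensitive pattern per keyword and encoding.

    re.IGNORECASE on a bytes pattern folds ASCII letters only, which is what
    is wanted here: in UTF-16LE every ASCII letter is followed by a NUL byte
    that must match literally.
    """
    patterns = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(encoding)), re.IGNORECASE)
            patterns.append((kw, encoding, pattern))
    return patterns


def keyword_search(image, keywords, extents, context=24):
    """Step 3: run every pattern over the whole image, slack and unallocated
    space included, and report each hit with its offset and region."""
    hits = []
    for kw, encoding, pattern in compile_patterns(keywords):
        for m in pattern.finditer(image):
            snippet = image[max(0, m.start() - context): m.end() + context]
            hits.append({
                "offset": m.start(),
                "keyword": kw,
                "encoding": encoding,
                "region": classify_offset(m.start(), extents),
                "context": snippet.replace(b"\x00", b".").decode("ascii", "replace"),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    image, extents = build_sample_image()
    for hit in keyword_search(image, ["offshore", "invoices"], extents):
        print(f"0x{hit['offset']:06x} {hit['region']:<11} {hit['encoding']:<9} "
              f"{hit['keyword']!r}: {hit['context']}")
```

A hit in slack or unallocated space is exactly what a keyword search limited to live files would miss, which is why the criteria in step 2 matter.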
Searching: email & social media
• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats: Yahoo, AOL, Google, Hotmail
Searching: web artifacts
• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies
File Signature Analysis
• This type of analysis allows investigators to verify file types
• A savvy suspect can change file extension in order to attempt to avoid detection. Example: Changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header in order to determine what type of file it actually is
Data Carving (1 of 2)
• Data Carving is a technique used in the field of Computer Forensics when data cannot be identified or extracted from media by “normal” means due to the fact that the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.
Data Carving (2 of 2)
• Currently the most popular method of Data Carving involves the search through raw data for the file signature(s) of the file types you wish to find and carve out.
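File signature analysis (the File Signature Analysis slide above) and signature-based data carving (this slide) both rest on one table of header and footer byte patterns, so both are shown in a single added example that is not part of the deck. The signature table covers a handful of common types, and the inputs are constructed here: a legacy .doc renamed to .dll, and a dump of unallocated space holding a JPEG-shaped and a PNG-shaped blob with no file-system metadata.

```python
import os
from collections import namedtuple

# name, header bytes, footer bytes (None when the format has no fixed trailer),
# and the extensions a file with that header is expected to carry.
Signature = namedtuple("Signature", "name header footer extensions")

SIGNATURES = [
    Signature("JPEG image", b"\xff\xd8\xff", b"\xff\xd9", {".jpg", ".jpeg"}),
    Signature("PNG image", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {".png"}),
    Signature("PDF document", b"%PDF-", b"%%EOF", {".pdf"}),
    Signature("Legacy Office document (OLE/CFB)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
              None, {".doc", ".xls", ".ppt"}),
    Signature("Windows PE executable", b"MZ", None, {".exe", ".dll", ".sys"}),
    Signature("ZIP archive (incl. Office OOXML)", b"PK\x03\x04", None,
              {".zip", ".docx", ".xlsx", ".pptx"}),
]


def identify(data):
    """File signature analysis: classify by the header bytes, not the name."""
    for sig in SIGNATURES:
        if data.startswith(sig.header):
            return sig
    return None


def check_extension(filename, data):
    """Flag a file whose extension disagrees with its signature.

    mismatch is None when the header is not in the table: an unknown type is
    a reason to look closer, not proof of renaming.
    """
    sig = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    if sig is None:
        return {"type": None, "mismatch": None}
    return {"type": sig.name, "mismatch": ext not in sig.extensions}


def carve(raw, max_size=10 * 1024 * 1024):
    """Signature-based carving over raw bytes with no allocation information.

    Only formats with a known footer are carved: each object is cut from its
    header to the first footer that follows. A header with no footer within
    max_size is treated as a false positive and skipped. Fragmented files are
    out of scope for this simple header/footer method.
    """
    found = []
    pos = 0
    while pos < len(raw):
        best = None  # earliest header of any carvable type at or after pos
        for sig in SIGNATURES:
            if sig.footer is None:
                continue
            idx = raw.find(sig.header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, sig)
        if best is None:
            break
        start, sig = best
        limit = min(len(raw), start + max_size)
        foot = raw.find(sig.footer, start + len(sig.header), limit)
        if foot == -1:
            pos = start + 1
            continue
        end = foot + len(sig.footer)
        found.append({"offset": start, "type": sig.name, "data": raw[start:end]})
        pos = end
    return found


def build_sample_raw():
    """Constructed unallocated-space dump: filler, a minimal JPEG-shaped blob,
    a remnant of some deleted file, a minimal PNG-shaped blob, more filler.
    Neither blob decodes as a real picture; only the signatures matter here."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF constructed body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR constructed chunks" + b"IEND\xaeB`\x82"
    raw = b"\x00" * 40 + jpeg + b"deleted-file-remnant" + png + b"\x00" * 64
    return raw, jpeg, png


if __name__ == "__main__":
    renamed = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # a .doc header
    print("report.dll ->", check_extension("report.dll", renamed))
    raw, _, _ = build_sample_raw()
    for obj in carve(raw):
        print(f"carved {obj['type']} at offset {obj['offset']} ({len(obj['data'])} bytes)")
```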
Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
• Viewing of slack space and unallocated space is done by a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
[Image: Saint Olga planting Christianity in Russia]
Steganography
• Detection techniques are crude
• Usually done by looking for evidence of steganography use, e.g. Steg programs on system
• Advanced analysis includes Steg detection programs (that typically use statistical analysis techniques)
Question?
A suspect changes a file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis
Question?
A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography
Incident Handling & Forensics
Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned
The Response Team
• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec, IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement
When to Involve Law Enforcement
• Use forensic processes whenever possible
• As a general rule: Involve law enforcement when corporate policy or the law says so
• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.
Make Sneaking Hard
• Detection systems -- appropriate to risk
• Logging, Logging, logging!!! (Firewall, router, system…)
• Monitoring
– Intrusion detection systems
– File Integrity monitoring systems
– Vulnerability and Configuration management systems
– Attack Path Analysis
• Warning Banners, Expectations of use, Expectations of privacy
• Physical Security systems
Questions?
Continue the conversation at http://connect.ncircle.com

Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

Computer Forensics Bootcamp

1. Forensics Bootcamp
© 2013 nCircle. All Rights Reserved.

2. Introduction

3. What is Forensics?
• Scientific tests or techniques used in the investigation of crimes
• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.

4. What is Computer Forensics?
Computer Forensics: a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.

5. Types of Cyber Crime
• Theft of intellectual property
• Financial fraud
• Damage to company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)

6. Legal Issues

7. Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self-Incrimination
• Chain-of-Custody

8. 4th Amendment
• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.

9. Chain-of-Custody (aka Chain of Evidence)
• Chain of Custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.

10. Question
As related to computer forensics, why is the 4th Amendment an important consideration?
a. Free speech
b. Defense against self-incrimination
c. Search & seizure
d. Social rights

11. Digital Media

12. Two Types of Data
• Volatile – RAM
• Non-volatile
  – ROM, PROM, EEPROM
  – Hard drives (including Solid State Drives (SSD))
  – USB devices
  – Flash cards
  – Optical media – CDs, DVDs, Blu-ray (BD), …
  – Floppy disks, ZIP disks
  – Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …

13. Write Blockers
• Two types of write blockers: hardware and software
• Prevention of data "spoliation" = the compromise of data integrity by intentionally or inadvertently altering the data from its "original" form
• Reads allowed and writes prevented!
• Another name for a write blocker is a "Forensic Bridge"

14. Some Data Hiding Techniques
• Slack space and unallocated space
• Rootkits
• Alternate Data Streams (ADS)
• File signatures
• Steganography

15. Question
What function does a Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents reads
d. Prevents writes

16. The Forensic Process

17. The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting

18. The Forensic Process (Preparation)
• Training
• Policies & procedures
• Equipment (forensic kit)
  – Laptop computer w/ forensic software
  – Boot disks and CDs of tools (forensically sound)
  – Digital cameras, pens, notepad
  – Sterile media, write blockers, cables
  – Anti-static bags, Faraday bags, tags, stickers
  – Chain-of-custody and other forms

19. The Forensic Process (Containment)
• Establish immediate control of the crime scene
  – Limit and track physical access
  – Limit network / remote access
• Detach computers of interest from wireless and physical network cables
  – Power off computers as necessary

20. The Forensic Process (Collection)
• Photograph the scene, including monitor screens. Get the system time.
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.

21. The Forensic Process (Collection – Mobile devices)
• Photograph the main screen
• Do not turn the device off
• Find a charger to keep the device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access

22. The Forensic Process (Examination & Analysis)
• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
• Prepare a report of findings

23. Question
During the forensic process exact "bit stream" images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.
a. read blocking
b. checksums
c. hashing
d. transforms

24. Forensic Analysis Techniques

25. Forensic Analysis Techniques
• Searching:
  – Keyword, email, web, viewers
• File signatures
• Slack space and unallocated space
• Data carving
• Steganography
• Passwords (dealing with encryption)

26. Searching: Keywords
• To effectively search through a suspect's media an investigator needs to add relevant keywords
  1) Add keywords
  2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
  3) Conduct the keyword search

27. Searching: email & social media
• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
  – Outlook (.pst)
  – Outlook Express (.dbx)
  – Linux/Unix mbox format
  – Macintosh: Safari
  – Webmail formats: Yahoo, AOL, Google, Hotmail

28. Searching: web artifacts
• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
  – History
  – Cached files and images (temporary files)
  – Cookies

29. File Signature Analysis
• This type of analysis allows investigators to verify file types
• A savvy suspect can change a file extension in order to attempt to avoid detection. Example: changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header in order to determine what type of file it actually is

30. Data Carving (1 of 2)
• Data carving is a technique used in the field of computer forensics when data cannot be identified or extracted from media by "normal" means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.

31. Data Carving (2 of 2)
• Currently the most popular method of data carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.

32. Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase) have the ability to view and keyword-search slack space and unallocated space
• Viewing of slack space and unallocated space is done with a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.

33. Concealment cipher = Steganography (example)
[Image: "Saint Olga planting Christianity in Russia". Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm]

34. Steganography
• Detection techniques are crude
• Usually done by looking for evidence of steganography use, e.g. steg programs on the system
• Advanced analysis includes steg detection programs (that typically use statistical analysis techniques)

35. Question
A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
a. Steganography
b. Data carving
c. File signature analysis
d. Slack space analysis

36. Question
A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
a. Data carving
b. Cryptography
c. Data blinking
d. Steganography

37. Incident Handling & Forensics

38. Incident Response Process
• Identification
  – Incident identification
  – Notifying appropriate personnel
• Action
  – Isolation and containment
  – Gathering evidence
  – Analysis and reporting
• Closure
  – Restoration
  – Lessons learned

39. The Response Team
• Cross-functional with a high level of authority
  – Dedicated – with clearly defined roles & responsibilities
  – Not just computer security: management, info sec, IT/network, legal, public relations
• Well trained
  – Rehearsals and training appropriate to risk
  – Trained in forensics
  – Forensics tools and equipment
• Policies and procedures
  – Appropriate to risk (risk management)
  – Lessons learned / constant refinement

40. When to Involve Law Enforcement
• Use forensic processes whenever possible
• As a general rule: involve law enforcement when corporate policy or the law says so
• You are compelled by law to report certain incidents, e.g. disclosure of credit card info
• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard

41. Make Sneaking Hard
• Detection systems – appropriate to risk
• Logging, logging, logging!!! (firewall, router, system, …)
• Monitoring
  – Intrusion detection systems
  – File integrity monitoring systems
  – Vulnerability and configuration management systems
  – Attack path analysis
• Warning banners, expectations of use, expectations of privacy
• Physical security systems

42. Questions?
Continue the conversation at http://connect.ncircle.com
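Slides 9 and 22 state that an image "must be hashed" and that custody transfers must be documented, but not how the two fit together. The following is an added example (not part of the nCircle deck) showing the usual practice: hash the bit-stream image at acquisition with more than one algorithm, store the digests in the chain-of-custody record, and re-hash at every hand-off so a tampered or corrupted working copy is caught and logged. The image bytes, evidence id and examiner names are constructed for the example.

```python
"""Hashing a forensic image and re-verifying it at every chain-of-custody hand-off.

Added example; the image bytes and names below are constructed, not real evidence.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-stream image: a few bytes shaped like a boot
# sector followed by filler. A real image would be read from the write-blocked
# device or from a dd/E01 file.
SAMPLE_IMAGE = (
    b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 40 + b"\x55\xAA"
    + b"evidence sector one\x00" * 8
)

DEFAULT_CHUNK = 1 << 20  # 1 MiB: hash in pieces so a multi-GB image need not fit in RAM


def hash_image(data: bytes, chunk_size: int = DEFAULT_CHUNK) -> dict:
    """Return MD5 and SHA-256 hex digests of data, computed chunk by chunk.

    Recording two algorithms lets the image still be verified if one of them
    is later called into question.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def new_custody_record(evidence_id: str, description: str, acquired_by: str, data: bytes) -> dict:
    """Open a chain-of-custody record: acquisition hashes plus the first custody event."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "size_bytes": len(data),
        "acquisition_hashes": hash_image(data),
        "events": [{"ts": _now(), "action": "acquired", "by": acquired_by}],
    }


def verify_image(record: dict, data: bytes) -> bool:
    """True only if every recorded digest matches the bytes presented now."""
    return hash_image(data) == record["acquisition_hashes"]


def transfer(record: dict, from_person: str, to_person: str, data: bytes) -> bool:
    """Log a hand-off. The image is re-hashed so each transfer doubles as an
    integrity check; a failed verification is recorded, never silently dropped."""
    ok = verify_image(record, data)
    record["events"].append({
        "ts": _now(), "action": "transfer", "from": from_person,
        "to": to_person, "hash_verified": ok,
    })
    return ok


if __name__ == "__main__":
    rec = new_custody_record("EV-0001", "constructed sample image", "Examiner A", SAMPLE_IMAGE)
    print(rec["acquisition_hashes"])
    print("clean copy verified:", transfer(rec, "Examiner A", "Examiner B", SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip one bit in a working copy
    print("tampered copy verified:", transfer(rec, "Examiner B", "Lab", bytes(tampered)))
```

The digests are independent of the chunk size, so a hash computed on a small workstation with a tiny buffer matches one computed by an imaging tool that reads the device in large blocks; that is what makes the recorded value comparable across tools and custodians.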
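Slides 29 to 31 describe file signature analysis (compare the header with the extension) and signature-based data carving (scan raw unallocated space for those same headers). Both rest on one table of magic numbers, so the following added example (not the deck's own code, and far smaller than the signature databases shipped with EnCase or FTK) implements both over one table. It goes slightly beyond the slide text: where a format has a known trailer the carver uses it to find the file's end, and for trailer-less formats it stops at the next recognised header or a size limit, as header/footer carvers do. The magic numbers are the real ones for JPEG, PNG, PDF, OLE2 (legacy .doc/.xls) and ZIP (which also covers .docx/.xlsx containers); the "unallocated space" bytes are constructed for the example.

```python
"""File signature (magic number) analysis and signature-based carving over raw bytes.

Added example with a deliberately small signature table; sample bytes are constructed.
"""
import os

# Header and, where the format defines one, trailer bytes.
SIGNATURES = {
    "jpg": {"header": b"\xFF\xD8\xFF", "trailer": b"\xFF\xD9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "trailer": b"IEND\xAE\x42\x60\x82"},
    "pdf": {"header": b"%PDF-", "trailer": b"%%EOF"},
    "doc": {"header": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "trailer": None},  # OLE2 compound file
    "zip": {"header": b"PK\x03\x04", "trailer": None},
}
# Extensions that legitimately share a container format with a table entry.
ALIASES = {"jpeg": "jpg", "xls": "doc", "docx": "zip", "xlsx": "zip"}


def identify(data: bytes):
    """Return the type whose magic number starts the data, or None if unknown."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["header"]):
            return name
    return None


def signature_mismatch(filename: str, data: bytes):
    """Signature analysis: what the extension claims vs. what the header says.

    Returns (claimed_type, actual_type, mismatch). Unknown headers are not
    flagged, so text and other untabled formats do not produce false alarms.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    return claimed, actual, (actual is not None and actual != claimed)


def carve(raw: bytes, max_len: int = 1 << 20):
    """Carve files from raw (e.g. unallocated) space by header and trailer.

    Each hit is bounded by its trailer when the format has one, otherwise by
    the next recognised header or max_len, whichever comes first.
    """
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (hdr := raw.find(sig["header"], start)) != -1:
            hits.append((hdr, name))
            start = hdr + 1
    hits.sort()

    results = []
    for i, (hdr, name) in enumerate(hits):
        sig = SIGNATURES[name]
        limit = min(len(raw), hdr + max_len)
        next_hdr = hits[i + 1][0] if i + 1 < len(hits) else len(raw)
        end = min(limit, next_hdr)
        if sig["trailer"]:
            t = raw.find(sig["trailer"], hdr + len(sig["header"]), limit)
            if t != -1:
                end = t + len(sig["trailer"])
        results.append({"type": name, "offset": hdr, "length": end - hdr, "data": raw[hdr:end]})
    return results


# Constructed sample files and a constructed block of "unallocated space"
# containing them with filler in between (no file system metadata at all).
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0" + b"JFIF-fake-body" + b"\xFF\xD9"
SAMPLE_PDF = b"%PDF-1.4\nfake pdf body\n%%EOF"
SAMPLE_DOC = SIGNATURES["doc"]["header"] + b"fake OLE body"
SAMPLE_UNALLOCATED = (
    b"\x00" * 16 + SAMPLE_JPEG + b"\x00" * 8 + SAMPLE_PDF + b"\xFF" * 4 + SAMPLE_DOC
)

if __name__ == "__main__":
    print(signature_mismatch("report.dll", SAMPLE_DOC))   # ('dll', 'doc', True)
    for hit in carve(SAMPLE_UNALLOCATED):
        print(hit["type"], "at", hit["offset"], "len", hit["length"])
```

Running it on the constructed block recovers the JPEG, PDF and OLE2 document at offsets 16, 44 and 76 with no file system help, which is slide 30's scenario, and flags the renamed .doc from slide 35 while leaving a .xls (also OLE2) alone. Real carvers add validation of the carved body (for instance checking JPEG segment structure) because a header match alone yields false positives in large images.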