6. What is forensics
Why to forensics
Anti-Forensics
How To Become Forensics Expert
Some terms
Computer Forensics
Memory analysis
Volatile/non-volatile
Encryption/stegnography
N/w Analysis
Hands on Challenges
8. Forensic is Related to Court and Trials or To Answer
Questions Related to Legal System
Computer Forensics Helps answering If a Digital
Device is part of cyber crime or victim of cybercrime
purpose Is to find evidence which can prove things
done on the system in court of case
Five Aspects:
IF WHO WHAT WHEN WHY
10. A set of techniques used as countermeasures to forensic analysis
Ex. Full-Disk Encryption
Truecrypt on Linux,Windows and OSX
Filevault 2 on OSX
BitLocker Windows
File Eraser
AbsoluteShield File Shredder
Heidi Eraser
Permanent Eraser
15. Collect
evidence
and present
in the court
Search and
seize the
equipment
Conduct
preliminary
assessment
to search for
evidence
Find and
interpret the
clues left
behind
Determine if
an incident
had
occurred
17. Branch of digital forensic
science pertaining to legal
evidence found in computers
and digital storage media.
The goal of computer
forensics is to examine digital
media in a forensically sound
manner with the aim of
identifying, preserving,
recovering, analysing and
presenting facts and opinions
about the digital information.
Computer
ForensicsMemory
Analysis
Network
Data
Analysis
Document
or file
analysis
OS
Analysis
Mobile
Analysis
Database
Analysis
18. Hardware
Removable HD enclosures or connectors with different plugs
Write blockers
A DVD burner
External disks
USB2, firewire, SATA and e-SATA controllers, if possible
Software
Multiple operating systems
Linux: extensive native file system
support
VMs running various Windows
versions (XP,Vista, 7, 8)
Forensics
toolkits
E.g., SleuthKit http://www.sleuthkit.org
Winhex
Internet Evidence Finder
19. Non-Volatile Memory
• Stored Data Does not gets erased
when powered off
• Ex. Hdd, SDD,CD,DVD, USB Sticks
Volatile Memory
• requires power to maintain the
stored
• Ex. Ram, pagefiles, Swap, caches,
processes
20. It’s extremely important to understand this
Trying to obtain the data may alter them
Simply doing nothing is also not good
A running system continuously evolves
The Heisenberg Uncertainty Principle of data gathering and system analysis
As you capture data in one part of the computer you are changing data in another
use write blockers
21. Data type Lifetime
Registers, peripheral memory,
caches, etc.
nanoseconds
Main Memory nanoseconds
Network state milliseconds
Running processes seconds
Disk minutes
Floppies, backup media, etc. years
CD-ROMs, printouts, etc. tens of years
22. RAM contains the most recent data such as processes, Open Files, Network
Information, recent chat conversations,social network communications, currently
open Web pages, and decrypted content of files that are stored encrypted on the
hard disk. Live RAM/volatile memory analysis reveals information used by various
applications during their operation, including Facebook,Twitter, Gmail and other
communications.
Tools to be used:-
Belkasoft Live RAM Capturer
Memory DD
MANDIANT Memoryze
23. Data is stored permanently on the disk.
Shift + Delete will NOT remove it
If data is deleted there ARE tools to recover it.
It all based on type of file format being used
NTFS, FAT, ext, HFS….
24. dd
dd if = /dev/sda1 of /dev/sdb1/root.raw
dcfldd
Dcfldd if = /dev/sda1 hash=md5 of /dev/sdb1/root.raw
ProDiscover
EnCase
FTk
Seluth kit(autopsy)
Winhex
25. After a clone or an image is made it is very important to make a hash of it.
After the complete analysis of the disk or an image we again calculate the hash.
This is important because we need to prove in the court that the evidence has not
been tampered.
Currently Indian courts accept SHA-256
Tools for calculating hashes:Winhex, Sleuthkit, ENCase.
26. The tools like Winhex, Sleuth Kit, ENcase etc allow you to rebuilt the file system so
that you could take a look at the files as they were on the machine.
This makes the entire task of analysis easier.
27. With tools like Live View it is even
possible to recreate the entire
scenario like the actual operating
system on a Virtual Machine.
Live view is only compatible until XP.
The tools to really looked upon for
this are:
Mount Image Pro and Virtual
Forensic Computing
30. While Imaging or cloning a disk
the exact copy is made and hence
the hidden data remains as it is.
There is no specific tool for the
extraction of the hidden data and
hence we need to perform manual
analysis on the image or the disk
using hex editors
Eg:Winhex
31. While performing analysis on disks and images there are very good chances that
we come across encrypted data.
This creates a problem for an forensic analyst.
Even though there are tools and techniques to break encryptions we sometimes fail
to do so.
32. A series of attacks are carried out to break encryptions:
Brute Force Attack
Dictionary Attack
Known Plain Text Attack
Rainbow Table Attack
Tools: A variety of stand-alone as well as online tools are
available which helps us cracking the encrypted files.
AZPR
AOPR
Decryptum(Online)
Passware kit
33. If we come across any type of encryption files or data
that have been encrypted with tools like PGP, True
Crypt etc., It becomes really difficult from the
forensics point of view to get through.
In such cases the farthest we can do is look for the
keys on the machine.
34. From a culprits point of view steganography is
something that would stand beyond cryptography.
This is because detecting steganography
manually is a big challenge to any individual.
And with not enough tools to detect
steganography in the market it makes the job
even more tiresome.
Different tools use different algorithms for hiding
data and one can easily develop a steganography
algorithm. Not a big task to achieve. That makes it
difficult in detection
Confidential
information
35. Speaking of the tools used for steganalysis, these tools may
sometimes give you false positives as well.
StegDetect
StegSecret
36. Network forensics is a sub-branch of digital forensics relating to the monitoring
and analysis of computer network traffic for the purposes of information gathering,
legal evidence, or intrusion detection.
Unlike other areas of digital forensics, network investigations deal with volatile and
dynamic information.
Why Network Forensics plays an important role?
Network Forensics can reveal if the network or a machine from which the crime has
occurred was compromised or not. Which can turn out to be really handy in some
cases.
