Electronic Evidence Collection
Mohammad Fakrul Alam
Manager, Computer Forensic
BDCERT
26th June, 2009
Content
• What is Computer/Electronic Forensics
• Why Computer/Electronic Forensics
• Collection Options
• The Five Rules of Evidence
• Steps of Computer Forensics
• Method of Collection
• Source of Evidence
• Digital Evidence Types
• Volatile Evidence Acquisition
• Non-Volatile Evidence Acquisition
• Toolkits & Tools
What is Computer Forensics
• Finding information that supports (or refutes) a hypothesis about what happened.
• Examination of the related sources of information
– Hard drives
– Firewall logs
– Network packets
– Portable storage
Why Computer Forensics
Collection Options
The Five Rules of Evidence
Do's & Don'ts
• Minimize Handling/Corruption of Original Data
• Account for Any Changes and Keep Detailed Logs of Your Actions
• Comply with the Five Rules of Evidence
• Do Not Exceed Your Knowledge
• Follow Your Local Security Policy and Obtain Written Permission
• Capture as Accurate an Image of the System as Possible
• Be Prepared to Testify
• Ensure Your Actions are Repeatable
• Work Fast (volatile evidence degrades with every second the system keeps running)
• Proceed From Volatile to Persistent Evidence (order of volatility: registers and cache, memory, network state and process table, swap and temporary files, disk, remote logs, archival media)
• Don't Shut Down Before Collecting Evidence (powering off destroys RAM, and an orderly shutdown writes to the disk)
• Don't Run Any Programs on the Affected System (other than trusted, statically linked acquisition tools from your own read-only media, each one logged; the system's own binaries may be trojaned)
Steps of Computer Forensics
Method of Collection
Source of Evidence
• Evidence can reside on workstations, servers and network equipment.
• Various tools are available to extract evidence from these sources.
Evidence on Workstations & Servers
• Locations (Disks)
– Disk partitions
– Master Boot Record (MBR)
– Boot sector
– File Allocation Tables (FAT)
– Volume slack (space between the end of the file system and the end of the partition)
– File slack (space allocated to a file but not used: the bytes between the end of the file's data and the end of its last allocated cluster)
– Unallocated space (clusters no file currently owns; deleted files remain here until overwritten)
Evidence on Workstations & Servers
• Locations (Memory or RAM)
– Registers & Cache
– RAM
– Swap space (on disk)
Evidence on Servers & Network Equipment
• Router system logs
• Firewall logs of successful and unsuccessful connection attempts
• Syslog files under /var/log on Unix systems
• wtmp logs (read with the last command) on Unix systems
Digital Evidence Types
Volatile Evidence Acquisition
• Process Listings
• Service Listings
• System Information
• Logged on & Registered Users
• Network Information
• ARP Cache
• Auto Start Information
• Registry Information
• A binary dump of memory
Steps of Volatile Evidence Acquisition
Techniques of Volatile Evidence Acquisition
• Memory Acquisition
Windows
• You can image memory from the HELIX GUI.
• dd can copy physical memory through \\.\PhysicalMemory on Windows 2000/XP/2003, but not on Vista or on 2003 SP1 and later, where user-mode access to that device object was removed:
• dd if=\\.\PhysicalMemory of=E:\mem.img conv=noerror,sync
• dd reads until the end of physical memory and then stops with the error "The parameter is incorrect."; that message is expected and does not mean the acquisition failed.
• Write the image to external media (E: above) or across the network, never to the suspect system's own disk: every byte written locally overwrites unallocated space that may still hold deleted evidence.
Linux
• Multiple tools can be used, such as
• dd (reading /dev/mem; on many kernels access to /dev/mem is restricted, so dd sees only part of physical memory)
• memdump
• e.g.: ./memdump > mem.img
• You can use netcat (nc) to send the image over the network; hash it on both ends and record the hashes.
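The volatile artefacts listed above (process listing, network state, ARP cache, logged-on users, auto-start locations) collected from a live Linux host in the order the Do's & Don'ts prescribe, as an added example written for this page; it is not code from the slides, Helix or WFT. It assumes the script and every tool it calls are run from the investigator's own read-only media placed first in PATH, that EVIDENCE_DIR (a name chosen here) points at external or network storage rather than the suspect disk, and that OPERATOR (also chosen here) names the examiner. The memory image itself is taken separately with memdump or dd as described above.

```shell
#!/bin/sh
# Live collection of volatile artefacts from a running Linux host, most
# volatile first, with a timestamped action log and a SHA-256 manifest.
# Added example for this page (not Helix/WFT code). Assumption: run from
# trusted media, e.g.  PATH=/media/cdrom/bin:$PATH sh collect_volatile.sh run
# EVIDENCE_DIR must never be on the suspect disk.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"

log() {
    # Every action gets a UTC timestamp ("account for any changes and keep
    # detailed logs of your actions").
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVIDENCE_DIR/collection.log"
}

collect() {
    # collect <artefact-name> <command> [args...]
    # Runs one command, stores its output as <artefact-name>.txt, records the
    # exact command line and appends the file's hash to the manifest.
    # A missing tool or a failing command is logged, never fatal: a live
    # response script must run to the end because the system keeps changing.
    name=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        log "SKIP $name: '$1' is not available on this host"
        return 0
    fi
    log "RUN  $name: $*"
    "$@" > "$EVIDENCE_DIR/$name.txt" 2>> "$EVIDENCE_DIR/collection.log" \
        || log "WARN $name: exit status $?"
    (cd "$EVIDENCE_DIR" && sha256sum "$name.txt" >> SHA256SUMS)
}

collect_volatile() {
    mkdir -p "$EVIDENCE_DIR"
    : > "$EVIDENCE_DIR/collection.log"
    : > "$EVIDENCE_DIR/SHA256SUMS"
    log "START live collection on $(uname -n) by ${OPERATOR:-unknown operator}"
    collect 01-date          date -u
    collect 02-uptime        uptime
    collect 03-processes     ps -eo pid,ppid,user,lstart,etime,args
    collect 04-sockets       ss -tunap          # netstat -tunap on older hosts
    collect 05-arp-cache     ip neigh show      # arp -an on older hosts
    collect 06-routes        ip route show
    collect 07-logged-on     who -a
    collect 08-last-logins   last -F
    collect 09-kernel-mods   lsmod
    collect 10-mounts        cat /proc/mounts
    collect 11-autostart     ls -la /etc/init.d /etc/cron.d /etc/cron.daily /etc/rc.local
    log "END  live collection: $(wc -l < "$EVIDENCE_DIR/SHA256SUMS") artefacts hashed"
}

verify_collection() {
    # Re-hash every artefact against the manifest; a non-zero exit means an
    # artefact changed after collection ("ensure your actions are repeatable").
    (cd "$EVIDENCE_DIR" && sha256sum -c SHA256SUMS > /dev/null)
}

case "${1:-}" in
    run)    collect_volatile ;;
    verify) verify_collection ;;
esac
```

The manifest and log are what make the collection defensible later: the log shows exactly which command produced each file and when, and `verify_collection` lets anyone re-check that the files handed over are the ones collected. Skipped and failed steps are deliberately recorded rather than hidden, because "this tool was not on the host" is itself a finding.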
Non-Volatile Evidence Acquisition
• Physical volumes vs. logical volumes: image the physical device where possible, because a logical (partition) image misses the MBR, unpartitioned space and the volume slack listed earlier.
Hard Drives Acquisition
Device names seen by the imaging tool:

              Windows               Linux
Physical      \\.\PhysicalDrive0    IDE: /dev/hda, /dev/hdb, ...
              \\.\PhysicalDrive1    SATA/SCSI: /dev/sda, /dev/sdb, ...
Logical       \\.\C:                /dev/sda1
              \\.\D:                /dev/sda2
Hard Drives Acquisition
• Hardware based Acquisition
– Remove the hard drive from the machine and use a standalone hardware imager to copy the entire disk
- Mostly suitable for dead-system acquisition
- Built-in write blocking, so no separate write blocker is needed
- Faster, but more expensive
Hard Drives Acquisition
• Software Based Acquisition
– Live System
• Using the Helix CD with external storage or over the network (the system keeps running while it is imaged, so the image is a snapshot of a changing disk: record the start and end times and hash the image immediately)
– Dead System
• Boot from the Helix CD and attach USB storage to acquire the hard drives (the suspect disk is never mounted read/write, so it is not altered)
• The drive can be removed from the case and copied on a forensic workstation behind a write blocker (software or hardware)
– Imaging software
• dd
• dcfldd
• HELIX GUI imaging
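A software-based acquisition with dd as described above, carried through to the check a practitioner wants at the end (source hash equals image hash, and the image still matches that hash after every copy), as an added example written for this page; it is not Helix's or dcfldd's own code. It assumes a Linux host booted from a forensic CD or a workstation with the suspect drive behind a write blocker, a source device name such as /dev/sdb, an image destination on external or network storage, and an OPERATOR variable (a name chosen here) for the examiner. The streaming variant at the end covers the "over the network" option of the live-system slide and is not exercised by the self-test.

```shell
#!/bin/sh
# dd-based disk acquisition with hashing and an acquisition log.
# Added example for this page (not Helix/dcfldd code). Assumptions: the
# source device is write-blocked or read from a forensic boot CD, and the
# image goes to external or network storage, never to the suspect disk.

acquire_image() {
    # acquire_image <source device> <image path>
    # bs=512 (one sector) so that conv=sync zero-pads only an unreadable
    # sector, never the tail of the device: with a larger bs the image is
    # padded past the end of any device whose size is not a multiple of bs,
    # and the source and image hashes then legitimately differ.
    src=$1; img=$2; log="$img.log"
    {
        echo "acquisition start : $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "operator          : ${OPERATOR:-unknown}"
        echo "source            : $src"
        echo "command           : dd if=$src of=$img bs=512 conv=noerror,sync"
    } > "$log"
    # conv=noerror keeps reading after a bad sector instead of stopping;
    # dd's own summary (records in/out, read errors) is kept in the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log"
    # Hash the source (read again, through the write blocker) and the image.
    # dcfldd does the same in one pass:
    #   dcfldd if=$src of=$img bs=512 conv=noerror,sync hash=sha256 hashlog=$img.sha256
    sha256sum "$src" | cut -d' ' -f1 > "$img.source.sha256"
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    echo "acquisition end   : $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    echo "source sha256     : $(cat "$img.source.sha256")" >> "$log"
    echo "image sha256      : $(cat "$img.sha256")" >> "$log"
}

verify_image() {
    # verify_image <image path>
    # Returns 0 only when the image hash equals the source hash recorded at
    # acquisition time, i.e. the copy is faithful; 2 when no hashes exist.
    img=$1
    [ -s "$img.sha256" ] && [ -s "$img.source.sha256" ] || return 2
    [ "$(cat "$img.sha256")" = "$(cat "$img.source.sha256")" ]
}

check_image() {
    # check_image <image path>
    # Re-hashes the image file now and compares it with the hash recorded at
    # acquisition; run it after every copy or transport of the image.
    img=$1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}

stream_to_workstation() {
    # stream_to_workstation <source device> <workstation address> <port>
    # Live-system variant over the network. Start the receiver on the
    # forensic workstation first, e.g.   nc -l -p 9000 > image.dd
    # (OpenBSD nc: nc -l 9000), hash the received file there and compare it
    # with the source hash printed here. Nothing is written on the live host.
    dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | nc "$2" "$3"
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: sh acquire.sh /dev/sdb /mnt/evidence/case-sdb.dd
if [ $# -eq 2 ]; then
    acquire_image "$1" "$2" && verify_image "$2" && echo "image verified"
fi
```

Hashing the source a second time costs one more pass over the disk but is what lets the examiner state that the device was unchanged by the acquisition; dcfldd's `hash=` option removes that second pass on the image side, and the `.log` file records the command actually run so the acquisition can be repeated.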
Tools & Toolkit
• dd : command-line tool that copies bit-by-bit
• dcfldd : enhanced version of dd (hashes on the fly, progress output, split output)
• memdump : Unix tool to image memory
Tools & Toolkit
• The Sleuth Kit (TSK)
– Command line tools for file system analysis
– It works on Unix and Windows
– 24 different tools that support all file system layers except the physical layer
– Free and open source
• Autopsy
– The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit
– Very useful and provides great functionality
– Free and open source
Tools & Toolkit
• HELIX
– A collection of forensics and incident response tools
– Bootable Linux CD: you can boot a dead system and preserve its hard drive
– You can use it on a live system for forensics and IR purposes
– It contains tools such as TSK
– GUI tools and command line tools
Tools & Toolkit
• WFT (Windows Forensic Toolchest)
– Memory information
– Logins
– MAC times
– Event logs
– System information
– File system
– Processes
– Auto start
– Services
– Registry
– Drivers
– Network information
– IE activity
Conclusion
• Open source and free tools are available and can help any investigator achieve their mission.
• Using open source tools gives the investigator a better understanding of what really happens during the investigation.
• Tools can lie, so it is better to use more than one tool and cross-check the results.
Thank You
Questions
