2. #whoami
O Security enthusiast.
O For food and shelter, I work with ZEE TV.
O For a living, I learn 4N6, Malware and Reverse Engineering.
O Recent developments:
O Chapter lead at Null, Mumbai chapter.
3. If you listen!!!!!
O Forensics Fundamentals
O Action Plan
O Order of Volatility
O Methodologies
O Dead Forensics
O Live Forensics
O Demo
5. Forensics Fundamentals
O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]"
- Dan Farmer / Wietse Venema
6. Action Plan- First Response
Arrive on crime scene:
• Machine state = OFF → DEAD FORENSICS
• Machine state = ON → LIVE FORENSICS
7. Order of Volatility
MOST volatile
• CPU, cache and register content
• Routing table, ARP cache, process table, kernel statistics
• Memory
• Temporary file system / swap space
• Data on hard disk
• Remotely logged data
• Raw disk blocks
LEAST volatile
9. DEAD FORENSICS
O Dead analysis is the more common way to acquire data.
O A dead acquisition copies the data without the assistance of the suspect's (operating) system.
O Analysing a "dead" system that has had its power cord pulled.
10. DEAD FORENSICS
O During data acquisition an exact (typically bitwise) copy of the storage media is created.
O Least chance of modifying data on disk, but "live" data is lost forever.
11. LIVE FORENSICS
O Focuses on extracting and examining the volatile forensic data that would be lost on power off.
O A live acquisition copies the data using the suspect's (operating) system.
O Live forensics is not a "pure" forensic response, as it will have minor impacts on the underlying machine's operating state.
– The key is that the impacts are known.
12. LIVE FORENSICS
O Often used in incident handling to determine if an event has occurred.
O May or may not precede a full traditional forensic analysis.
O If you work on a suspect's system you should boot/use trusted tools (e.g. CD, USB stick):
14. Forensic Response Principles
– Maintain forensic integrity
– Require minimal user interaction
– Gather all pertinent information to determine if an incident occurred, for later analysis
– Enforce sound data and evidence collection
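The Order of Volatility slide, the "impacts are known" point under Live Forensics and the response principles above come together in how a live collection is actually run. The following is an added example, not code from the talk: a collection plan ordered most-volatile-first, executed from a trusted-tools directory, with every command, timestamp and a SHA-256 of its output recorded in a manifest so the evidence can later be verified. The Linux commands and the `/mnt/ir` tool directory are illustrative assumptions.

```python
# Added example (not from the talk): a volatility-ordered live collection
# plan that records what was run, when, and a SHA-256 of every output.
import hashlib
import subprocess
from datetime import datetime, timezone

# Collection plan, most volatile first; ranks follow the Order of Volatility
# slide. The Linux commands are illustrative choices for this example.
PLAN = [
    (1, "process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    (1, "arp_cache",     ["ip", "neigh"]),
    (1, "routing_table", ["ip", "route"]),
    (1, "sockets",       ["ss", "-tupan"]),
    (3, "tmpfs_mounts",  ["mount", "-t", "tmpfs"]),
    (4, "disk_layout",   ["lsblk", "-o", "NAME,SIZE,TYPE,MOUNTPOINT"]),
]

def run_step(argv):
    """Default runner: execute one tool, return (exit code, stdout bytes)."""
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    return proc.returncode, proc.stdout

def collect(plan=PLAN, runner=run_step, tool_dir=None):
    """Run the plan most-volatile-first (stable sort keeps the listed order
    within a rank). tool_dir points at the trusted-tools medium (CD/USB) so
    the suspect system's own binaries are not used. Returns (manifest, outputs)."""
    manifest, outputs = [], {}
    for rank, name, argv in sorted(plan, key=lambda step: step[0]):
        cmd = argv if tool_dir is None else [f"{tool_dir}/{argv[0]}", *argv[1:]]
        started = datetime.now(timezone.utc).isoformat()
        rc, out = runner(cmd)
        outputs[name] = out
        manifest.append({
            "rank": rank, "artifact": name, "command": cmd,
            "started_utc": started,
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "exit_code": rc, "bytes": len(out),
            "sha256": hashlib.sha256(out).hexdigest(),
        })
    return manifest, outputs

def verify(manifest, outputs):
    """Re-hash every collected output against the manifest; any mismatch
    (or missing artifact) means the evidence set can no longer be trusted."""
    for entry in manifest:
        data = outputs.get(entry["artifact"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            return False
    return True
```

Write the manifest out as JSON alongside the outputs and hash that file too, so the record of what was done on the live machine is itself protected.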
16. In MEMORY data??
O Current running processes and terminated processes.
O Open TCP/UDP ports / raw sockets / active connections.
O Caches
  – Web addresses, typed commands, passwords, clipboards, SAM databases, edited files.
O Memory mapped files
  – Executables, shared objects (modules/drivers), text files.
17. DEMO
O Collecting Memory dumps:
DUMPIT by MOONSOLS
O Analysing Memory dumps:
WinHex and Volatility Framework 2.3