Digital Forensics
Practical Workshop
Who am I?
Tim Fletcher
@TimJDFletcher
http://blog.night-shade.org.uk
What are we going to cover?
Brief legal overview
Where can you find digital evidence
Collecting and preserving digital evidence
Examining digital evidence
Documenting the process
What am I not going to cover
Digital Forensics is a massive area and this
workshop only scratches the surface
Windows commercial tools
Network forensics
Report writing
So what, why do I care about this?
Understanding the landscape, what information
can be retrieved
Forensics Readiness, eg collecting FDE keys
Incident response
Ever been asked to “have a look at” what
someone has been doing?
Legal Overview
First I’m not a lawyer, but I have studied some
of the key acts involved.
Respect other people’s privacy
Have a plan if you find something unexpected
eg child pornography or terrorist material
ACPO Guidelines
Who are they - Association of Chief Police
Officers
Set guidelines on procedures for all police
forces in England and Wales
The guidelines are well thought out
Principle 1
No action taken by law enforcement agencies,
persons employed within those agencies or
their agents should change data which
may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it
necessary to access original data, that person
must be competent to do so and be able to give
evidence explaining the relevance and the
implications of their actions.
Principle 3
An audit trail or other record of all processes
applied to digital evidence should be created
and preserved. An independent third
party should be able to examine those
processes and achieve the same result.
Principle 4
The person in charge of the investigation has
overall responsibility for ensuring that the law
and these principles are adhered to.
Collecting Evidence
If you are examining digital evidence in a
workplace, consult HR and get permission in
writing.
If you are doing this professionally make sure
you have advice and support from a real
lawyer.
Chain of evidence
It is absolutely critical to be able to account for
what happened to an exhibit such as a
computer from the moment it was seized to the
moment it was examined by a forensic
examiner.
Fear the words “I’ve had a quick look…”
Training
For learning and training purposes the key
point is that you should only examine kit you
own, and if in doubt seek advice from a real
lawyer.
Today you will get an iPhone and a Windows
system image to examine
Attribution
Digital evidence proves “a computer” did
something
Proving who was using the computer at the
time can be challenging.
Digital evidence can be considered “hearsay”
Where do you find digital evidence?
Desktops / Laptops
Embedded devices, eg home routers
Servers / Home NAS units
Cell phones
The Cloud
Public Internet / Social Media
Tools for collecting
Disk imaging - depends on your budget
Write blockers - hardware is expensive
Software can work
Collect to a blank disk - SSDs help here,
otherwise a 4-pass badblocks test
Key point - practice and test
How do you gather evidence?
Pull the power, ship it to the lab…
When would this work?
When wouldn’t this work?
What about cloud storage?
What about Mobile devices?
What about full disk encryption?
Imaging normal computers
If the computer is active
Document the screen / gather artifacts
Assess if there is encryption
Do you need to image the RAM?
Secure the system and plan investigation
Imaging FDE computers
Who has the password?
Gather evidence without powering off?
Other evidence sources, logs or backups?
Exploit firewire or thunderbolt?
Cold boot attack - you only get one go
Mobile devices
Passcodes / PINs
Backups?
Cloud storage?
Hardware flaws?
Remember - Faraday bags to stop remote wipe
NAS units and servers
Vast amounts of data
How do you find what matters?
Are you invading others’ privacy?
What is the business impact of seizure?
Where are they and who owns them?
Mostly just normal computers
Examining Digital Evidence
Understand the context
Consider what you are looking for
Build and understand a timeline
Digital Triage - what is the context?
Understand your adversary
Examine what matters
Reduce the evidence you have
Eliminate noise - eg NIST hash DB
What are you looking for?
Image files
Geolocation
Emails / Messages
Metadata
Content
Browser history
Timelines
What happened when?
Who or what caused it to happen?
What order did things happen in?
Correlation with other sources
System logs, Social Media
Can often point to new sources of evidence
Tool selection
There are 100s of tools that let you examine
systems, pick those you are comfortable with.
Autopsy - web front end to “the sleuthkit”
Standard Unix tools: find, strings, etc.
Other tools - exiftool, sqlitebrowser
Windows tools - nirsoft and sysinternals
Volatility - Memory forensics
Mobile devices
Is the device jailbroken or joined to an MDM?
Can you get the PIN?
Specialist software tools
iOS - Elcomsoft
Older Apple hardware - Limera1n
Android - ADB
Training - II
Virtualisation is very powerful for learning and
training
Resettable state - test your tool or technique
and then reset the VM
Dump RAM contents without complex tools
Documentation
Remember ACPO principle 3
Contemporaneous notes, paper or electronic
Video and photographic evidence is powerful
Log system sessions eg ssh
Your evidence bags
32GB memory stick containing
iPhone4 image - raw nand, key bag and
encrypted disk image
Windows XP disk image
1GB memory stick image
Remember - chain of evidence
Windows XP
Simple unencrypted computer
iOS exploitation demo
Using iphone-dataprotection
https://code.google.com/p/iphone-dataprotection/
iPhone 4 - note this doesn’t work on newer
models
Exploits the bootloader, uploads a ramdisk
Lets you bruteforce the PIN and extract the
NAND
What do you know?
Fluffy the dog has been dognapped!
The owner has been told to meet at a pub
The dognapper might have scouted the area
An iPhone and laptop have been seized
Can you find evidence that the owner of them
was involved?
What you are looking for
Photos
Emails
SMS messages
Documents
Internet History
Tools to use
sha1sum - check your images
Autopsy - apt-get install autopsy
Exiftool - apt-get install perl-exiftool
SQLitebrowser - apt-get install…..
Kali Linux - Bootable from the Memory Stick
Autopsy
Perl based web front end to The SleuthKit
Allows file browsing of disk images
Search for text strings
Build file timelines
Extract raw disk sectors
Interesting files on the memory stick
Memory Stick: MemoryStick.raw.gz
Windows: WindowsXP.raw.gz
iPhone: d0c3eaaaa2/d0c3eaaaa2-data.dd.gz
Checksums: sha1sums
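The checksum step from “Tools to use” (sha1sum against the sha1sums file) as an added example, not code from the workshop deck: it streams each image through SHA-1, compares it with the manifest, and turns the verdicts into timestamped note lines for the chain-of-evidence record. The file names and contents it builds are constructed samples, not the workshop images.

```python
"""Verify evidence images against a coreutils-style sha1sums manifest and
record each result as a timestamped audit line (ACPO principle 3).
Added example for this page; the sample files it builds are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never sit in RAM


def sha1_file(path):
    """Return the hex SHA-1 of a file, streamed in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha1sum output, one '<hex>  <filename>' per line (a leading '*'
    on the filename marks binary mode and is dropped). Returns {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" ").lstrip("*")] = digest.lower()
    return expected


def verify_images(evidence_dir, manifest_name="sha1sums"):
    """Hash every file the manifest names and compare. Returns a sorted list of
    (filename, status, computed_hex) with status OK, FAILED or MISSING."""
    with open(os.path.join(evidence_dir, manifest_name), encoding="utf-8") as f:
        expected = parse_manifest(f.read())
    results = []
    for name, want in sorted(expected.items()):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            results.append((name, "MISSING", None))
            continue
        got = sha1_file(path)
        results.append((name, "OK" if got == want else "FAILED", got))
    return results


def audit_lines(results, examiner):
    """Render results as contemporaneous-note lines: UTC time, who, file, verdict, hash."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ["%s %s sha1 %s %s %s" % (stamp, examiner, name, status, got or "-")
            for name, status, got in results]


def build_demo_evidence(dirpath):
    """Constructed sample, not the workshop images: two tiny 'images', plus a
    manifest entry for a file that is not present in the evidence bag."""
    files = {"MemoryStick.raw.gz": b"constructed memory stick image",
             "WindowsXP.raw.gz": b"constructed windows image"}
    lines = []
    for name, data in files.items():
        with open(os.path.join(dirpath, name), "wb") as f:
            f.write(data)
        lines.append("%s  %s" % (hashlib.sha1(data).hexdigest(), name))
    lines.append("%s  missing.dd.gz" % ("0" * 40))
    with open(os.path.join(dirpath, "sha1sums"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")


def demo_verify():
    """Check the clean sample, then append one byte to an image and check again,
    so both the good and the tampered outcome are visible. Returns both status lists."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_evidence(d)
        first = [status for _, status, _ in verify_images(d)]
        with open(os.path.join(d, "WindowsXP.raw.gz"), "ab") as f:
            f.write(b"\x00")  # simulate a corrupted copy
        second = [status for _, status, _ in verify_images(d)]
    return first, second


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_evidence(d)
        for line in audit_lines(verify_images(d), examiner="examiner-initials"):
            print(line)
```

Hash the compressed .gz files exactly as listed in the manifest; a hash of the decompressed image is a different value and belongs on its own note line.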
Starting points
Most user files in iOS are under /var/mobile
iOS includes lots of SQLite databases
The memory stick might tell you where to look
Recycle Bin and Web history
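An added triage helper for the “Starting points” slide, not code from the workshop: it finds SQLite databases under an extracted iOS tree by file header rather than by name, opens them strictly read-only so the evidence file is never modified, lists tables with row counts, and converts Apple's 2001-based timestamps to UTC. The var/mobile/Library/SMS/sms.db path and its message table are constructed stand-ins for this demo, not the real schema.

```python
"""Inventory SQLite databases in an extracted iOS file tree without touching
them. Added example for this page; the sample tree it builds is constructed."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.request import pathname2url

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header; many iOS DBs have no .sqlite suffix
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple "absolute time" origin


def is_sqlite(path):
    """Detect by header, not extension (sms.db, call_history.db, no suffix at all)."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def open_readonly(path):
    """URI open with mode=ro and immutable=1: SQLite will not write anything,
    not even a WAL checkpoint or journal cleanup, so the evidence stays as found."""
    uri = "file:%s?mode=ro&immutable=1" % pathname2url(os.path.abspath(path))
    return sqlite3.connect(uri, uri=True)


def inventory(root):
    """Walk root and return [(relative_path, [(table, row_count), ...]), ...]."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not is_sqlite(path):
                continue
            con = open_readonly(path)
            try:
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                counts = [(t, con.execute('SELECT COUNT(*) FROM "%s"'
                                          % t.replace('"', '""')).fetchone()[0])
                          for t in tables]
            finally:
                con.close()
            found.append((os.path.relpath(path, root).replace(os.sep, "/"), counts))
    return found


def apple_time(value):
    """Convert an Apple timestamp to a UTC datetime. Values above 1e12 are taken
    as nanoseconds since 2001 (newer iOS), anything smaller as seconds since 2001."""
    secs = value / 1e9 if value > 1e12 else value
    return MAC_EPOCH + timedelta(seconds=secs)


def demo_inventory():
    """Build a constructed tree (one fake sms.db plus a non-database file), run the
    inventory, and read the message dates back through the read-only handle.
    Returns (inventory, [iso dates])."""
    with tempfile.TemporaryDirectory() as root:
        db_dir = os.path.join(root, "var", "mobile", "Library", "SMS")
        os.makedirs(db_dir)
        con = sqlite3.connect(os.path.join(db_dir, "sms.db"))
        con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER)")
        con.executemany("INSERT INTO message (text, date) VALUES (?, ?)",
                        [("meet at the pub at 8", 400000000),   # constructed rows
                         ("bring the lead", 400003600)])
        con.commit()
        con.close()
        with open(os.path.join(root, "var", "mobile", "notes.txt"), "w") as f:
            f.write("not a database\n")
        inv = inventory(root)
        con = open_readonly(os.path.join(db_dir, "sms.db"))
        dates = [apple_time(d).isoformat()
                 for (d,) in con.execute("SELECT date FROM message ORDER BY date")]
        con.close()
    return inv, dates


if __name__ == "__main__":
    for path, tables in demo_inventory()[0]:
        print(path, tables)
```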
How would I do this?
Copy disk images to high speed storage
Import into Autopsy
Timeline the disk images
Catch low hanging fruit first
Photos
Web history
Email