SlideShare une entreprise Scribd logo

Preserving and recovering digital evidence

Online
Online

Click Here http://www.eacademy4u.com/ Online Educational Website For You

FormationTechnologie
1  sur  33
Preserving And Recovering Digital Evidence
Introduction • Digital Evidence – encompasses any and all digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. • This presentation will explore collection, preservation and identification of digital evidence.
Overview • Introduction to Intrusion Detection Systems • The rules and guidelines surrounding the gathering and use of digital evidence. • Digital evidence on the target machine. • Digital evidence on the network.
Intrusion Detection • A brief overview Intrusion detection systems collect information from a variety of system and network sources, then analyze the information for signs of intrusion and misuse.
Intrusion Detection: • Intrusion Detection – 2 Types • Host-Based • Network-Based
Intrusion Detection – Host-Based • Host-based intrusion detection systems .The system is used to analyze data that originates on computers (hosts). • Examines events like what files are accessed and what applications were executed. - Logs are used to gather this data • Resides on every system and usually reports to a central command console. • Uses signatures or predefined patterns that have been defined as suspicious by the security officer.
Intrusion Detection – Host-Based - cont • Used primarily for detecting insider attacks. - For example an employee who abuses their privileges, or students changing their grades. • Audit policy - Defines which end-user actions will result in an event record being written to an event log. For example accesses of mission-critical files.
Intrusion Detection – Network-Based Network-Based • The system is used to analyze network packets. • Used to detect access attempts and denial of service attempts originating outside the network. • Consists of sensors deployed throughout a network. • Sensors then report to a central command console
Intrusion Detection – Network- Based • Uses packet content signatures - Based on the contents of packets. - Patterns are detected in the headers and flow of traffic. • Encryption prevents detection of any patterns.
Digital Evidence vs. Physical Evidence • It can be duplicated exactly and a copy can be examined as if it were the original. - Examining a copy will avoid the risk of damaging the original. • With the right tools it is very easy to determine if digital evidence has been modified or tampered with by comparing it with the original.
Digital Evidence vs. Physical Evidence • It is relatively difficult to destroy. • Even if it is “deleted,” digital evidence can be recovered. • When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
Collecting and Preserving Digital Evidence • The focus of digital evidence is on the contents of the computer as opposed to hardware. • Two kinds of copies: - Copy everything. - Just copy the information needed. • When there is plenty of time and uncertainty about what is being sought, but a computer is suspected to contain key evidence, it makes sense to copy the entire contents.
Collecting and Preserving Digital Evidence • When collecting the entire contents of a • computer, the general concept is the same • in most situations:
Collecting and Preserving Digital Evidence • All related evidence should be taken out of RAM. • The computer should be shut down. • Document the hardware configuration of the system. • Document the time and date of the CMOS. • The computer should be booted using another operating system that bypasses the existing one and does not change data on the hard drive(s). • A copy of the digital evidence from the hard • drive(s) should be made.
Collecting and Preserving Digital Evidence • When collecting the entire contents of a computer, a bit stream copy of the digital evidence is usually desirable. • In short, a bit stream copy copies what is in slack space and unallocated space, whereas a regular copy does not.
Agenda for Duplication and Preservation of Evidence • Make bit stream back-ups of hard disks and floppy disks cont. Tools to accomplish this: • Encase • DD • Byte back • Safeback Note the tool used • When making the bit stream image, note and • document how the image was created. Also note the date, time, and the examiner.
Empirical Law • Empirical Law of Digital Collection and Preservation: • If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
Computer Image Verification • At least two copies are taken of the evidential computer. • One of these is sealed in the presence of the computer owner and then placed in secure storage. • This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.
The important to locate and recover all graphics files on a drive and determine which ones are pertinent to your case.. • Because these files aren’t always stored in standard graphics file formats, we should examine all files our computer forensics tools find, even if they aren’t identified as graphics files. • A graphic file contains a header with instructions for displaying the image. • Each type of graphics file has its own header that helps to identify the file format. • Because the header is complex and difficult to remember, we can compare a known good file header with that of a suspect file.
Collecting and Preserving Digital Evidence • Collecting evidence out of RAM on a Unix machine is not a simple task. • The ‘ps’ command is used to list programs that a machine is running but one must specify that one wants to see all the processes. • “ps –aux”
Collecting and Preserving Digital Evidence • Some types of Unix allow one to save and view the contents of RAM that is associated with a particular program using the “gcore” program. • There are also programs that provide a list of files and sockets that a particular program is running – “lsof” • Investigators can use the “dd” command to make a bit stream backup
Collecting and Preserving Digital Evidence • Whenever digital evidence is copied onto a floppy disk, compact disk, tape or any other form of storage media, an indelible felt-tipped pen should be used to label it with the following information:
Collecting and Preserving Digital Evidence • Current date and time and the date/time on the computer (any discrepancy should be noted). • The initials of the person who made the copy. • The name of the operating system. • The program(s) and/or command(s) used to copy the files. - Retain copies of software used. • The information believed to be contained in the files.
Collecting and Preserving Digital Evidence • Since the evidence has been collected, it is important to ensure the integrity of the evidence.
How To Handle Digital Evidence Steps to guide the responder in handling the Digital evidence at an electronic crime scene. 3. Recognize, identify, seize, and secure all digital evidence at the scene. 4. Document the entire scene and the specific location of the evidence found. 5. Collect, label, and preserve the digital evidence. 6. Package and transport digital evidence in a secure manner.
The Primary Steps to Conduct a Forensic Investigation. Step 1: Isolate the System and Data • Collect information by interviewing all system administrators and anyone else who might have come into contact with the system.
The Primary Steps to Conduct a Forensic Investigation. Step 2: Collect Non-Technical Information • The purpose of this step is to ensure that the required minimum information is recorded in paper note form, such as developing a timeline of events. The premise here is to start a log book using a fresh pad of paper to gather information from the system administration staff and any other persons involved.
The Primary Steps to Conduct a Forensic Investigation. Step 3: Preserve Evidence and Create Copies for Analysis • Memory and /proc. • Create a duplicate of the system. • Validate copies.
The Primary Steps to Conduct a Forensic Investigation. Step 4: Prepare for an Analysis • At this point, the information collected in the preceding steps is ready for inspection. • The following steps can also be performed by a third party or at another physical location.
The Primary Steps to Conduct a Forensic Investigation. Step 5: Perform the Analysis • The purpose of the analysis step is to determine whether a compromise has occurred, what exactly was damaged, and to obtain any evidence indicating who the culprit(s) might be, as well as the methods they used to attack the system. • Tools are needed to complete the analysis phase.
The Primary Steps to Conduct a Forensic Investigation. Step 6: Perform Recovery • The recovery efforts that ensue after the forensic analysis is a standard process that should be defined in your organization
The Primary Steps to Conduct a Forensic Investigation. How to acquire data from removable media?
How to acquire data from removable media? 1.Document the scene Use static-proof container and label container with a.Type of media b.Where media was found c.Type of reader required for the media 2.Transport directly to lab 3.Do not leave any media in a hot vehicle or environment 4.Store media in a secure and organized area 5.Once at the lab, make a working copy of the drive a.Make sure the media is write-protected b.Make a hash of the original drive and the duplicate c.Make a copy of the duplicate to work from d.Store the original media in a secure location

Recommandé

Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video Forensics
Dipika Sengupta
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
Online
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 

Recommandé

Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video Forensics
Dipika Sengupta
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
Online
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
newbie2019
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
university of Gujrat, pakistan
 
Cybercrime And Cyber forensics
Cybercrime And Cyber forensics Cybercrime And Cyber forensics
Cybercrime And Cyber forensics
sunanditaAnand
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
primeteacher32
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
Online
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
primeteacher32
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
Cleverence Kombe
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
Kranthi
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensic
DINESH KAMBLE
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
Sonu Sunaliya
 
Cybercrime investigation
Cybercrime investigationCybercrime investigation
Cybercrime investigation
Prof. (Dr.) Tabrez Ahmad
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
Sreekanth Narendran
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
Priya Manik
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Shreya Singireddy
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Nicholas Davis
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Nicholas Davis
 

Contenu connexe

Tendances

Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
newbie2019
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
Kranthi
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
Sonu Sunaliya
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 

Tendances (20)

Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
 
Cybercrime And Cyber forensics
Cybercrime And Cyber forensics Cybercrime And Cyber forensics
Cybercrime And Cyber forensics
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensic
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Cybercrime investigation
Cybercrime investigationCybercrime investigation
Cybercrime investigation
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 

Similaire à Preserving and recovering digital evidence

Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
Sudeshna Basak
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collection
Fakrul Alam
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdf
Gnanavi2
 

Similaire à Preserving and recovering digital evidence (20)

Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Handling digital crime scene
Handling digital crime sceneHandling digital crime scene
Handling digital crime scene
 
cyber Forensics
cyber Forensicscyber Forensics
cyber Forensics
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
CF.ppt
CF.pptCF.ppt
CF.ppt
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Electornic evidence collection
Electornic evidence collectionElectornic evidence collection
Electornic evidence collection
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdf
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
 
Ch 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.pptCh 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.ppt
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
 

Plus de Online

Plus de Online (20)

Philosophy of early childhood education 3
Philosophy of early childhood education 3Philosophy of early childhood education 3
Philosophy of early childhood education 3
 
Philosophy of early childhood education 2
Philosophy of early childhood education 2Philosophy of early childhood education 2
Philosophy of early childhood education 2
 
Philosophy of early childhood education 1
Philosophy of early childhood education 1Philosophy of early childhood education 1
Philosophy of early childhood education 1
 
Philosophy of early childhood education 4
Philosophy of early childhood education 4Philosophy of early childhood education 4
Philosophy of early childhood education 4
 
Operation and expression in c++
Operation and expression in c++Operation and expression in c++
Operation and expression in c++
 
Functions
FunctionsFunctions
Functions
 
Formatted input and output
Formatted input and outputFormatted input and output
Formatted input and output
 
Control structures selection
Control structures selectionControl structures selection
Control structures selection
 
Control structures repetition
Control structures repetitionControl structures repetition
Control structures repetition
 
Introduction to problem solving in c++
Introduction to problem solving in c++Introduction to problem solving in c++
Introduction to problem solving in c++
 
Optical transmission technique
Optical transmission techniqueOptical transmission technique
Optical transmission technique
 
Multi protocol label switching (mpls)
Multi protocol label switching (mpls)Multi protocol label switching (mpls)
Multi protocol label switching (mpls)
 
Lan technologies
Lan technologiesLan technologies
Lan technologies
 
Introduction to internet technology
Introduction to internet technologyIntroduction to internet technology
Introduction to internet technology
 
Internet standard routing protocols
Internet standard routing protocolsInternet standard routing protocols
Internet standard routing protocols
 
Internet protocol
Internet protocolInternet protocol
Internet protocol
 
Application protocols
Application protocolsApplication protocols
Application protocols
 
Addressing
AddressingAddressing
Addressing
 
Transport protocols
Transport protocolsTransport protocols
Transport protocols
 
Leadership
LeadershipLeadership
Leadership
 

Dernier

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Dernier (20)

Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 

Preserving and recovering digital evidence

  • 1. Preserving And Recovering Digital Evidence
  • 2. Introduction • Digital Evidence – encompasses any and all digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. • This presentation will explore collection, preservation and identification of digital evidence.
  • 3. Overview • Introduction to Intrusion Detection Systems • The rules and guidelines surrounding the gathering and use of digital evidence. • Digital evidence on the target machine. • Digital evidence on the network.
  • 4. Intrusion Detection • A brief overview Intrusion detection systems collect information from a variety of system and network sources, then analyze the information for signs of intrusion and misuse.
  • 5. Intrusion Detection: • Intrusion Detection – 2 Types • Host-Based • Network-Based
  • 6. Intrusion Detection – Host-Based • Host-based intrusion detection systems .The system is used to analyze data that originates on computers (hosts). • Examines events like what files are accessed and what applications were executed. - Logs are used to gather this data • Resides on every system and usually reports to a central command console. • Uses signatures or predefined patterns that have been defined as suspicious by the security officer.
  • 7. Intrusion Detection – Host-Based - cont • Used primarily for detecting insider attacks. - For example an employee who abuses their privileges, or students changing their grades. • Audit policy - Defines which end-user actions will result in an event record being written to an event log. For example accesses of mission-critical files.
  • 8. Intrusion Detection – Network-Based Network-Based • The system is used to analyze network packets. • Used to detect access attempts and denial of service attempts originating outside the network. • Consists of sensors deployed throughout a network. • Sensors then report to a central command console
  • 9. Intrusion Detection – Network- Based • Uses packet content signatures - Based on the contents of packets. - Patterns are detected in the headers and flow of traffic. • Encryption prevents detection of any patterns.
  • 10. Digital Evidence vs. Physical Evidence • It can be duplicated exactly and a copy can be examined as if it were the original. - Examining a copy will avoid the risk of damaging the original. • With the right tools it is very easy to determine if digital evidence has been modified or tampered with by comparing it with the original.
  • 11. Digital Evidence vs. Physical Evidence • It is relatively difficult to destroy. • Even if it is “deleted,” digital evidence can be recovered. • When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
  • 12. Collecting and Preserving Digital Evidence • The focus of digital evidence is on the contents of the computer as opposed to hardware. • Two kinds of copies: - Copy everything. - Just copy the information needed. • When there is plenty of time and uncertainty about what is being sought, but a computer is suspected to contain key evidence, it makes sense to copy the entire contents.
  • 13. Collecting and Preserving Digital Evidence • When collecting the entire contents of a • computer, the general concept is the same • in most situations:
  • 14. Collecting and Preserving Digital Evidence • All related evidence should be taken out of RAM. • The computer should be shut down. • Document the hardware configuration of the system. • Document the time and date of the CMOS. • The computer should be booted using another operating system that bypasses the existing one and does not change data on the hard drive(s). • A copy of the digital evidence from the hard • drive(s) should be made.
  • 15. Collecting and Preserving Digital Evidence • When collecting the entire contents of a computer, a bit stream copy of the digital evidence is usually desirable. • In short, a bit stream copy copies what is in slack space and unallocated space, whereas a regular copy does not.
  • 16. Agenda for Duplication and Preservation of Evidence • Make bit stream back-ups of hard disks and floppy disks cont. Tools to accomplish this: • Encase • DD • Byte back • Safeback Note the tool used • When making the bit stream image, note and • document how the image was created. Also note the date, time, and the examiner.
  • 17. Empirical Law • Empirical Law of Digital Collection and Preservation: • If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
  • 18. Computer Image Verification • At least two copies are taken of the evidential computer. • One of these is sealed in the presence of the computer owner and then placed in secure storage. • This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.
  • 19. The important to locate and recover all graphics files on a drive and determine which ones are pertinent to your case.. • Because these files aren’t always stored in standard graphics file formats, we should examine all files our computer forensics tools find, even if they aren’t identified as graphics files. • A graphic file contains a header with instructions for displaying the image. • Each type of graphics file has its own header that helps to identify the file format. • Because the header is complex and difficult to remember, we can compare a known good file header with that of a suspect file.
  • 20. Collecting and Preserving Digital Evidence • Collecting evidence out of RAM on a Unix machine is not a simple task. • The ‘ps’ command is used to list programs that a machine is running but one must specify that one wants to see all the processes. • “ps –aux”
  • 21. Collecting and Preserving Digital Evidence • Some types of Unix allow one to save and view the contents of RAM that is associated with a particular program using the “gcore” program. • There are also programs that provide a list of files and sockets that a particular program is running – “lsof” • Investigators can use the “dd” command to make a bit stream backup
  • 22. Collecting and Preserving Digital Evidence • Whenever digital evidence is copied onto a floppy disk, compact disk, tape or any other form of storage media, an indelible felt-tipped pen should be used to label it with the following information:
  • 23. Collecting and Preserving Digital Evidence • Current date and time and the date/time on the computer (any discrepancy should be noted). • The initials of the person who made the copy. • The name of the operating system. • The program(s) and/or command(s) used to copy the files. - Retain copies of software used. • The information believed to be contained in the files.
  • 24. Collecting and Preserving Digital Evidence • Since the evidence has been collected, it is important to ensure the integrity of the evidence.
  • 25. How To Handle Digital Evidence Steps to guide the responder in handling the Digital evidence at an electronic crime scene. 3. Recognize, identify, seize, and secure all digital evidence at the scene. 4. Document the entire scene and the specific location of the evidence found. 5. Collect, label, and preserve the digital evidence. 6. Package and transport digital evidence in a secure manner.
  • 26. The Primary Steps to Conduct a Forensic Investigation. Step 1: Isolate the System and Data • Collect information by interviewing all system administrators and anyone else who might have come into contact with the system.
  • 27. The Primary Steps to Conduct a Forensic Investigation. Step 2: Collect Non-Technical Information • The purpose of this step is to ensure that the required minimum information is recorded in paper note form, such as developing a timeline of events. The premise here is to start a log book using a fresh pad of paper to gather information from the system administration staff and any other persons involved.
  • 28. The Primary Steps to Conduct a Forensic Investigation. Step 3: Preserve Evidence and Create Copies for Analysis • Memory and /proc. • Create a duplicate of the system. • Validate copies.
  • 29. The Primary Steps to Conduct a Forensic Investigation. Step 4: Prepare for an Analysis • At this point, the information collected in the preceding steps is ready for inspection. • The following steps can also be performed by a third party or at another physical location.
  • 30. The Primary Steps to Conduct a Forensic Investigation. Step 5: Perform the Analysis • The purpose of the analysis step is to determine whether a compromise has occurred, what exactly was damaged, and to obtain any evidence indicating who the culprit(s) might be, as well as the methods they used to attack the system. • Tools are needed to complete the analysis phase.
  • 31. The Primary Steps to Conduct a Forensic Investigation. Step 6: Perform Recovery • The recovery efforts that ensue after the forensic analysis is a standard process that should be defined in your organization
  • 32. The Primary Steps to Conduct a Forensic Investigation. How to acquire data from removable media?
  • 33. How to acquire data from removable media? 1.Document the scene Use static-proof container and label container with a.Type of media b.Where media was found c.Type of reader required for the media 2.Transport directly to lab 3.Do not leave any media in a hot vehicle or environment 4.Store media in a secure and organized area 5.Once at the lab, make a working copy of the drive a.Make sure the media is write-protected b.Make a hash of the original drive and the duplicate c.Make a copy of the duplicate to work from d.Store the original media in a secure location