A small introduction to computer forensics dedicated to engineering students, organized by 'Club de Sécurité Informatique - Ecole Nationale des Sciences Informatique'
Ministry of Higher Education and Scientific Research
Université de la Manouba
Ecole Nationale des Sciences de l'Informatique
Ghariani Tewfik
CSI
Academic year 2015/2016
Intro to Forensics
Plan
Introduction
I. Uses of computer forensics
II. Stages of Examination
III. Computer Forensics Method
Conclusion
Demo
Introduction
What is computer forensics?
To start, forensic science is the scientific method of gathering and examining information about the past which is then used in a court of law. The word forensic comes from the Latin forēnsis, meaning "of or before the forum." In Roman times, a criminal charge meant presenting the case before a group of public individuals in the forum.
Another definition:
Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.
I. Uses Of Computer Forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field.
More recently, commercial organizations have used computer forensics to their benefit in a variety of cases such as:
* Intellectual Property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Bankruptcy investigations
* Inappropriate email and Internet use in the workplace
II. Stages of Examination
The computer forensic examination process is divided into six stages, presented in their usual chronological order.
Readiness:
For the forensic examiner himself, readiness will include appropriate training, regular testing and verification of their software and equipment, familiarity with legislation, and dealing with unexpected issues.
Evaluation:
The evaluation stage includes the receiving of instructions, the clarification of those instructions if unclear or ambiguous, risk analysis and the allocation of roles and resources.
Collection:
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying and securing devices which may store evidence and documenting the scene.
Analysis:
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas.
Presentation:
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation.
Review:
As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need 'to get on with the next job'.
III. Computer Forensic Methods
- safe seizure of computer systems and files, to avoid contamination and/or interference
- safe collection of data and software
- safe and non-contaminating copying of disks and other data media
- reviewing and reporting on data media
- sourcing and reviewing of back-up and archived files
- recovery / reconstruction of deleted files - logical methods
- recovery of material from "swap" and "cache" files
- recovery of deleted / damaged files - physical methods
- core-dump: collecting an image of the contents of the active memory of a computer at a particular time
- estimating if files have been used to generate forged output
- reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc.
- proving / testing of reports produced by complex client / server applications
- reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc.
- review of system / program documentation for: design methods, testing, audit, revisions, operations management.
- reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc.
- identification and examination of audit trails
- identification and review of monitoring logs
- telecoms call path tracing (PTTs and telecoms utilities companies only)
- reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services)
- reviewing and assessment of access control services - quality of security management
- reviewing and assessment of encryption methods - resilience and implementation
Conclusion
Well my friends, whether you heard about it before or not, I can assure you that this field is so interesting and challenging. To keep it simple, once again, computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible.
It is basically like you saw in the movies: the main aspect is to gather evidence which will help you solve any digital crimes that might have occurred.
There are a lot of investigation techniques, which include analyzing memory dumps, logs or network cache...
I have chosen a few of the best potential tools that might help you through your investigation.
Volatility
A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems. Volatility's modular design allows it to easily support new operating systems and architectures as they are released. All your devices are targets... so don't limit your forensic capabilities to just Windows computers.
Note that it is an open source program written in Python; you can access its source code via GitHub, or, if you are still a Windows user, a stand-alone version can be executed directly:
_ sudo apt-get install volatility
_ https://volatility.googlecode.com/files/volatility-2.3.1.standalone.exe
It's a powerful tool that allows you to extract data, registry elements, the list of network connections, processes... from the memory dump. In fact, a memory dump is the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed. The memory dump file is often extracted with these possible extensions: .dmp, .raw, .dd
The first demonstration consists of analyzing a memory dump (the one from "hack me if you can").
The task was simply to determine the username of the PC from which this file was obtained!
1) sudo apt-get install volatility
2) volatility -f username.raw imageinfo // general information
3) volatility -f username.raw hivelist --profile=Win7SP0x64 // the registry hives
4) Perfect! Now we can use this information to go further, for example by obtaining the list of programs installed on the system, which can be extracted from the Software hive (System32\Config\SOFTWARE) using the "hivedump" option and specifying the virtual memory address of the specified hive.
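As an added example (not part of the slides), a POSIX shell helper that automates steps 2 to 4 of this demo: it parses the imageinfo and hivelist output to pick the profile, find the SOFTWARE hive offset and read the user names off the ntuser.dat hive paths, then assembles the hivedump command. The Volatility output embedded here is a constructed sample in the layout of Volatility 2, with invented offsets, user name and paths.

```shell
# Constructed sample of what `volatility -f username.raw imageinfo` prints,
# modelled on Volatility 2 output (not captured from the slide's image).
IMAGEINFO_SAMPLE='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/username.raw)'

# Constructed sample of `volatility -f username.raw hivelist --profile=Win7SP0x64`.
# Offsets, user name and paths are invented; the layout follows the plugin's table.
HIVELIST_SAMPLE='Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000003ce3d010 [no name]
0xfffff8a00000f010 0x000000003cf38010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000ea410 0x000000003d3d2410 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000ba6010 0x00000000290b4010 \??\C:\Users\john\ntuser.dat'

# Step 2: take the first profile imageinfo suggests (the demo used Win7SP0x64).
suggested_profile() {
    printf '%s\n' "$1" | awk -F': *' '/Suggested Profile/ { split($2, p, /, */); print p[1]; exit }'
}

# Step 3: virtual address of the hive whose path ends in the given name.
# hivedump needs this offset; only table rows (starting with 0x) are considered.
hive_offset() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 ~ /^0x/ && $3 ~ (want "$") { print $1; exit }'
}

# The demo's question: each loaded ntuser.dat sits under C:\Users\<name>\,
# so the user profile names can be read straight off the hivelist paths.
hive_users() {
    printf '%s\n' "$1" | awk '$1 ~ /^0x/ && tolower($3) ~ /\\ntuser\.dat$/ {
        n = split($3, part, /\\/); print part[n - 1] }'
}

# Step 4: assemble the hivedump command for the chosen hive.
hivedump_cmd() {
    printf 'volatility -f %s --profile=%s hivedump -o %s\n' "$1" "$2" "$3"
}

PROFILE=$(suggested_profile "$IMAGEINFO_SAMPLE")
SOFTWARE_OFFSET=$(hive_offset "$HIVELIST_SAMPLE" SOFTWARE)
printf 'profile: %s\nusers: %s\nSOFTWARE hive: %s\nnext: ' \
    "$PROFILE" "$(hive_users "$HIVELIST_SAMPLE")" "$SOFTWARE_OFFSET"
hivedump_cmd username.raw "$PROFILE" "$SOFTWARE_OFFSET"
```

On a real case, replace the two sample variables with the captured output of the commands in steps 2 and 3 (for example via `$(volatility -f username.raw imageinfo)`), and the helper prints the exact hivedump line to run next.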
TestDisk
TestDisk is powerful data recovery software! It was originally designed to help recover lost partitions and repair corrupted partition tables when these symptoms are caused by faulty software, certain types of viruses or human error such as accidental deletion of the partition table.
TestDisk is open source software and is licensed under the GNU General Public License (GPL v2+).
PhotoRec
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying