Digital forensics
Information Systems 365/765, Lecture 8
Digital Forensics
Digital Forensics
• Also known as Computer Forensics
• A system in your enterprise has been compromised
• You want to track down suspicious activity
• Where do you begin?
Digital Forensics
• Defined: Pertains to legal evidence found in computers and digital storage mediums.
• Goal: To explain the current state of a “digital artifact.”
• A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
Digital Forensics
• Can be as simple as retrieving a single piece of data
• Can be as complex as piecing together a trail of many digital artifacts
Why Use Digital Forensics?
• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
Why Use Digital Forensics?
• To recover data in the event of a hardware or software failure.
• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
Why Use Digital Forensics?
• To gather evidence against an employee that an organization wishes to terminate.
• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Chain of Custody
• “Chain of Custody” is a fancy way of saying “The ability to demonstrate who has had access to the digital information being used as evidence”
• Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law.
Chain of Custody
• One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court.
5 Steps in Performing Digital Forensics
• Preparation (of the investigator, not the data)
• Collection (the data)
• Examination
• Analysis
• Reporting
Preparation
• The investigator must be properly trained to perform the specific kind of investigation that is at hand.
• Tools that are used to generate reports for court should be validated. Many tools can be used in the process; the proper tool should be chosen based on the case.
Collecting Digital Evidence
• Digital evidence can be collected from many obvious sources, such as:
• Computers
• Cell phones
• Digital cameras
• Hard drives
• CD-ROM
• USB storage flash drives
Can You Think of Non-Obvious Sources?
• Non-obvious sources could include:
• Settings of digital thermometers
• Black boxes inside automobiles
• RFID tags
• Web pages (which must be preserved as they are subject to change).
!!BE CAREFUL!!
• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.
Create Proof of Non-Alteration
• For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
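The practice described on this slide, as an added example that is not part of the lecture: the evidence file's SHA-256 is computed, written to a notebook-style log together with who hashed it and when, and recomputed later to show the file is unchanged. The file contents, the examiner name and the notebook format (one JSON object per line) are all constructed for the example; a single-byte modification is then made to show that verification fails afterwards.

```python
"""Added example: record an evidence file's SHA-256 in a notebook and verify it later."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream large evidence files 1 MiB at a time


def sha256_of_file(path):
    """Hex SHA-256 of a file, computed without loading the whole file into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_hash(evidence_path, notebook_path, examiner):
    """Append a notebook entry recording who hashed which file, when, and the digest."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "file": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "sha256": sha256_of_file(evidence_path),
    }
    with open(notebook_path, "a", encoding="utf-8") as nb:
        nb.write(json.dumps(entry) + "\n")
    return entry["sha256"]


def verify_hash(evidence_path, notebook_path):
    """Recompute the digest and compare it with the notebook's latest entry for this file."""
    name = os.path.basename(evidence_path)
    recorded = None
    with open(notebook_path, encoding="utf-8") as nb:
        for line in nb:
            entry = json.loads(line)
            if entry["file"] == name:
                recorded = entry["sha256"]
    if recorded is None:
        raise LookupError(f"no recorded hash for {name}")
    return sha256_of_file(evidence_path) == recorded


def demo():
    """Constructed sample: hash a file, verify it, change one byte, verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")
    notebook = os.path.join(workdir, "notebook.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)

    record_hash(evidence, notebook, examiner="examiner name (constructed)")
    intact = verify_hash(evidence, notebook)

    # Simulate an accidental modification of a single byte of the evidence.
    with open(evidence, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    after_change = verify_hash(evidence, notebook)
    return intact, after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The notebook is kept as a separate file from the evidence on purpose: a digest stored next to the file it protects can be rewritten along with the file, whereas a digest recorded elsewhere (the slide suggests the investigator's notebook) is what lets a later comparison mean something.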
Important Data Handling Practices
• Handle the original evidence as little as possible to avoid changing the data.
• Establish and maintain the chain of custody.
• Document everything that has been done.
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
The Personal Interview
• Some of the most valuable information obtained in the course of a forensic examination will come from the computer user:
• System configuration
• Applications
• Encryption keys
Who Performs the Analysis
• Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.
• One should not examine digital information unless one has the legal authority to do so.
Live vs. Dead Analysis
• Traditionally computer forensic investigations were performed on data at rest---for example, the content of hard drives. This can be thought of as a dead analysis.
Live vs. Dead Analysis
• Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
Live vs. Dead Analysis
• In recent years there has increasingly been an emphasis on performing analysis on live systems
• Why? -- Some attacks leave no trace on the hard drive
• Why? -- Cryptographic storage, with keys only stored in memory!
Live Analysis -- Imaging Electronic Media
• The process of creating an exact duplicate of the original evidentiary media is often called Imaging
• Standalone hard-drive duplicator or software imaging tools ensure the entire hard drive is completely duplicated.
Live Analysis -- Imaging Electronic Media
• During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
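The imaging process from these two slides, as an added example that is not part of the lecture: a software imager copies a medium block by block, hashes the bytes as they are read, and then re-hashes the finished image to confirm the duplicate. The source is a constructed `SourceMedia` stand-in that only exposes a read operation (standing in for the write protection the slide mentions) and can be told to fail on chosen blocks; an unreadable block is written as zeros and logged, which is how dd's conv=noerror,sync behaves, so every later block keeps its original offset. All names and data are constructed for the example.

```python
"""Added example: image a source medium block by block and verify the copy."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized reads, so one unreadable sector costs one block


class SourceMedia:
    """Constructed stand-in for a raw device opened read-only: the only operation
    it offers is reading a block, which is the property a write blocker enforces."""

    def __init__(self, data, bad_blocks=()):
        self._data = data
        self._bad_blocks = set(bad_blocks)
        self.block_count = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE

    def read_block(self, n):
        if n in self._bad_blocks:
            raise OSError(f"read error at block {n}")
        return self._data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def image_media(source, image_path):
    """Copy every block of `source` to `image_path`, hashing the bytes as they are read.

    An unreadable block is written as zeros and its number recorded (the behaviour of
    dd's conv=noerror,sync) so later blocks keep their original offsets in the image.
    Returns (hex SHA-256 of the data as read, list of bad block numbers).
    """
    read_hash = hashlib.sha256()
    bad_blocks = []
    with open(image_path, "wb") as out:
        for n in range(source.block_count):
            try:
                block = source.read_block(n)
            except OSError:
                bad_blocks.append(n)
                block = b"\x00" * BLOCK_SIZE
            read_hash.update(block)
            out.write(block)
    return read_hash.hexdigest(), bad_blocks


def sha256_of_file(path):
    """Hex SHA-256 of a file on disk, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE * 128), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(read_hash, image_path):
    """The image is acceptable only if re-hashing it reproduces the hash taken during reading."""
    return sha256_of_file(image_path) == read_hash


def demo(bad_blocks=()):
    """Constructed 8-block medium. Returns (image verified, bad blocks, image equals source)."""
    data = bytes(range(256)) * 16  # 4096 bytes, exactly 8 blocks, so zero-fill keeps the size
    source = SourceMedia(data, bad_blocks)
    image_path = os.path.join(tempfile.mkdtemp(), "evidence.img")
    read_hash, bad = image_media(source, image_path)
    identical_to_source = read_hash == hashlib.sha256(data).hexdigest()
    return verify_image(read_hash, image_path), bad, identical_to_source


if __name__ == "__main__":
    print(demo())                 # (True, [], True)
    print(demo(bad_blocks=[3]))   # (True, [3], False)
```

With a bad block the image still verifies against what was read, but it is no longer byte-identical to the source; the recorded block numbers are what let the report state exactly which bytes of the duplicate are not original.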
Collecting Volatile Data
• If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded.
• If information stored solely in RAM is not recovered before powering down it may be lost.
A Great Tool Which YOU Can Impress People With
• Knoppix
• An OS which runs directly from a CD
• Will not alter data on hard disk
• Great for grabbing copies of files from a hard disk!
• Can be loaded from a USB flash drive
Knoppix
• Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. These tools can also yield the login/password for recently accessed local email applications, including MS Outlook.
Knoppix (screenshot slide)
Encase (screenshot slide)
Freezing Memory• RAM can be analyzed
for prior content after power loss
• Freezing the memory to -60 degrees Celsius helps maintain the memory’s charge (state)
• How practical is this?
Analysis
• All digital evidence must be analyzed to determine the type of information that is stored upon it
• FTK
• Encase
• Sleuth Kit
Analysis of Data
• Comprised of:
• Manual review of material on the media
• Reviewing the Windows registry for suspect information
• Discovering and cracking passwords
• Keyword searches for topics related to the crime
• Extracting e-mail and images for review.
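The keyword search bullet, as an added example that is not part of the lecture: a search over a raw image reports the byte offset of every occurrence of each keyword, which is what locates a hit in unallocated space or slack where no file name points at it. The same scan can carry byte patterns as well as words, so the example also looks for the JPEG file signature (FF D8 FF), the first step of the image-extraction bullet. The image is read in chunks, and the one edge case practitioners get wrong is a hit that straddles a chunk boundary; the code carries the tail of the previous chunk forward so such a hit is found exactly once. The image contents and keyword list are constructed for the example.

```python
"""Added example: keyword search over a raw disk image, reporting byte offsets."""
import os
import tempfile

CHUNK_SIZE = 4096


def search_image(image_path, keywords, chunk_size=CHUNK_SIZE):
    """Return {keyword: [byte offsets]} for every occurrence of each keyword in the image.

    The image is read in chunks, but the last len(longest keyword) - 1 bytes of the
    previous chunk are kept in front of the next one, so a hit that straddles a chunk
    boundary is found, and found exactly once.
    """
    pairs = [(k, k.encode("utf-8") if isinstance(k, str) else k) for k in keywords]
    overlap = max(len(b) for _, b in pairs) - 1
    hits = {k: [] for k, _ in pairs}
    tail = b""
    pos = 0  # absolute offset of the next byte to be read from the image
    with open(image_path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            window_start = pos - len(tail)
            for k, needle in pairs:
                i = window.find(needle)
                while i != -1:
                    # A hit lying entirely inside the carried-over tail was already
                    # reported from the previous window; report only hits that reach
                    # into the new chunk.
                    if i + len(needle) > len(tail):
                        hits[k].append(window_start + i)
                    i = window.find(needle, i + 1)
            pos += len(chunk)
            tail = window[len(window) - overlap:] if overlap else b""
    return hits


def demo():
    """Constructed image: filler bytes with two keyword hits (one straddling the
    4096-byte chunk boundary) and one JPEG file signature."""
    data = bytearray(b"." * 10000)
    data[100:107] = b"invoice"
    data[4093:4100] = b"invoice"          # bytes 4093..4099 cross the first chunk boundary
    data[8000:8003] = b"\xff\xd8\xff"     # JPEG file signature (SOI marker and next marker byte)
    image_path = os.path.join(tempfile.mkdtemp(), "sample.img")
    with open(image_path, "wb") as f:
        f.write(data)
    return search_image(image_path, ["invoice", b"\xff\xd8\xff"])


if __name__ == "__main__":
    print(demo())  # {'invoice': [100, 4093], b'\xff\xd8\xff': [8000]}
```

Offsets are reported relative to the start of the image, so a hit can be tied back to a sector and, through the file system metadata, to a file or to unallocated space; the search itself deliberately knows nothing about the file system.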
Reporting
• Written
• Oral Testimony
• Both
• Subject matter area specialists
Examples of Digital Forensics Cases
• Chandra Levy
• Washington D.C. Intern for Representative Gary Condit
• Vanished April 30, 2001
Examples of Digital Forensics Cases
• She had used the web and e-mail to make travel arrangements and communicate with her parents.
• Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.
Examples of Digital Forensics Cases
• BTK Killer
• Convicted of a string of serial killings that occurred over a period of sixteen years
• Towards the end of this period, the killer sent letters to the police on a floppy disk.
Examples of Digital Forensics Cases
• Metadata is defined as “data about data”
• Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"
• This evidence helped lead to Dennis Rader's arrest.