DIGITAL FORENSICS: CLUES IN THE HARD DRIVE
BY: PAMELA KING
COMPUTER SCIENCE & INFORMATION TECHNOLOGY DEPARTMENT
DIGITAL FORENSICS & CYBERSECURITY PROGRAM
CHESTNUT HILL COLLEGE
WHAT IS DIGITAL FORENSICS
• Intersection of Law and Digital Technology
  • Law and legal system (policy, regulatory)
  • Computer science & technology
DIGITAL FORENSICS JOB SECTORS
• Private Industry
  • Incident Response
  • Internal Investigations
• Law Firms
  • Litigation Support
  • E-Discovery
• Government
  • Law Enforcement
  • Regulatory
  • Infrastructure Protection
DIGITAL FORENSICS
• There are six steps:
  • Collect
  • Acquire
  • Verify
  • Analyze
  • Report
  • Testify
ANALYSIS – CLUES IN THE HARD DRIVE
• Useful Artifacts
• Some overlooked
• Case Scenarios
• Technical
TOPICS
• Disk Logical Serial Numbers
• Windows Registry
• Hardware Log Events
• Search literals and strings
HARD DISK – LOGICAL SERIAL NUMBERS
• Hard drives have a hardware serial number, reported by the drive firmware (it is not stored in the data area, so a plain disk image does not contain it).
• Separately, the partition table in the system area carries a logical serial number:
  • MBR – a 4-byte disk signature at offset 0x1B8 of sector 0
    • The signature is written by the Windows operating system when it initializes the disk
  • GPT – a 16-byte Disk GUID in the GPT header
  • Each partition also gets its own GUID when it is created.
LOGICAL SERIAL NUMBER
• MBR – sector 0 (disk signature at offset 0x1B8, boot marker 0x55AA at offset 0x1FE)
• GPT – sector 1 (header, beginning with "EFI PART"; Disk GUID at offset 0x38)
SCENARIO
• Employees quit.
• Start new company.
• Solicit clients.
• Marketing materials/engineering diagrams.
• Claimed they “invented” them.
• Files had been “wiped”
• Hashes of the two drives were different (the contents had changed).
• But the logical serial numbers in the partition table were the same (among other evidence).
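The check behind the two slides above, as an added example that is not part of the original presentation: read the first sectors of a raw image, pull the MBR disk signature from sector 0 and the Disk GUID and per-partition GUIDs from the GPT header in sector 1. The offsets are the standard MBR/GPT layout; the sample image, disk GUID and partition GUIDs are constructed for this example (the two partition-type GUIDs are the real Microsoft basic-data and EFI-system values). It assumes 512-byte sectors.

```python
import struct
import uuid

SECTOR = 512                  # assumes 512-byte sectors; scale for 4Kn media
MBR_DISK_SIG_OFF = 0x1B8      # 4-byte disk signature Windows writes into sector 0
MBR_BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA marks a valid boot sector
GPT_SIGNATURE = b"EFI PART"   # GPT header sits in sector 1 (LBA 1)
GPT_DISK_GUID_OFF = 0x38
GPT_ENTRY_LBA_OFF = 0x48      # LBA of the partition entry array (normally 2)
GPT_ENTRY_COUNT_OFF = 0x50
GPT_ENTRY_SIZE_OFF = 0x54     # size of one entry (normally 128)

# Real partition-type GUIDs (Microsoft basic data, EFI system). The disk and
# per-partition GUIDs below are constructed for this example.
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
EFI_SYSTEM = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
SAMPLE_DISK_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
SAMPLE_PARTS = [
    (EFI_SYSTEM, uuid.UUID("11111111-2222-3333-4444-555555555555")),
    (BASIC_DATA, uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")),
]


def mbr_disk_signature(image):
    """Disk signature from sector 0, as the 8-hex-digit value Windows tools
    display, or None when sector 0 carries no 0x55AA boot marker."""
    s0 = image[:SECTOR]
    if len(s0) < SECTOR or s0[MBR_BOOT_SIG_OFF:MBR_BOOT_SIG_OFF + 2] != b"\x55\xaa":
        return None
    (sig,) = struct.unpack_from("<I", s0, MBR_DISK_SIG_OFF)
    return f"{sig:08X}"


def gpt_guids(image):
    """Disk GUID from the primary GPT header plus (type, unique) GUIDs of each
    used partition entry, or None when sector 1 is not a GPT header."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        return None
    # GPT stores GUIDs in the Microsoft mixed-endian layout; bytes_le decodes it.
    disk_guid = uuid.UUID(bytes_le=bytes(hdr[GPT_DISK_GUID_OFF:GPT_DISK_GUID_OFF + 16]))
    (entry_lba,) = struct.unpack_from("<Q", hdr, GPT_ENTRY_LBA_OFF)
    count, size = struct.unpack_from("<II", hdr, GPT_ENTRY_COUNT_OFF)
    parts = []
    for i in range(count):
        off = entry_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 32:
            break                       # truncated image
        type_guid = uuid.UUID(bytes_le=bytes(entry[0:16]))
        if type_guid.int == 0:
            continue                    # all-zero type GUID = unused slot
        parts.append((str(type_guid), str(uuid.UUID(bytes_le=bytes(entry[16:32])))))
    return {"disk_guid": str(disk_guid), "partitions": parts}


def build_sample_image():
    """Constructed 4-sector image: MBR with a signature, GPT header in LBA 1,
    two entries in LBA 2. Stands in for the first sectors of a real image."""
    img = bytearray(4 * SECTOR)
    struct.pack_into("<I", img, MBR_DISK_SIG_OFF, 0xDEADBEEF)
    img[MBR_BOOT_SIG_OFF:MBR_BOOT_SIG_OFF + 2] = b"\x55\xaa"
    h = SECTOR
    img[h:h + 8] = GPT_SIGNATURE
    img[h + GPT_DISK_GUID_OFF:h + GPT_DISK_GUID_OFF + 16] = SAMPLE_DISK_GUID.bytes_le
    struct.pack_into("<Q", img, h + GPT_ENTRY_LBA_OFF, 2)
    struct.pack_into("<II", img, h + GPT_ENTRY_COUNT_OFF, len(SAMPLE_PARTS), 128)
    for i, (ptype, unique) in enumerate(SAMPLE_PARTS):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = ptype.bytes_le
        img[off + 16:off + 32] = unique.bytes_le
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("MBR disk signature:", mbr_disk_signature(img))
    print("GPT identifiers:", gpt_guids(img))
```

On a real case, replace `build_sample_image()` with the first few kilobytes of the acquired image. Two caveats a practitioner should keep in mind: deleting or overwriting files leaves sector 0 and sector 1 untouched, which is why the logical identifiers survive a "wipe" that changes the volume hash, whereas re-initializing or repartitioning the disk rewrites them; and a sector-by-sector clone carries the same logical identifiers as its source while having a different hardware serial, so corroborate a match with the other evidence rather than treating a 4-byte signature as unique on its own.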
WINDOWS REGISTRY
• Moved keys
  • Some keys moved from NTUSER.DAT to UsrClass.dat (for example the ShellBag keys that sbag parses)
• New keys
• More data in UsrClass.dat
• Backup copies
  • The RegBack folder (empty by default on Windows 10 1803 and later) and Volume Shadow Copies
• Tools
  • Paraben Registry Analyzer
  • AccessData Registry Viewer
  • Magnet AXIOM
  • TZWorks sbag.exe
VSS & WINDOWS REGISTRY
SCENARIO
• Employees left for a competitor
• Took proprietary data
• Company laptop analyzed
• Archived copies of the registry showed:
  • Connection to the competitor's wifi
  • A 250GB external hard drive attached
  • Both dated prior to exiting the company
GHOST IN THE MACHINE?
• Homicide case
• Victim found murdered
• Coroner established time of death between 6pm and 7pm on June 7th.
• Defense argues that there was computer activity after that, continuing until 11:30pm on June 8th, so the time of death must be wrong. Dead men don't type…
WINDOWS HAS LOGGING
• Logs
  • Software
  • Applications
  • System
  • Firewall
  • And more...
• Records
  • Information/Warning/Error
  • Power on/off
  • Change date/time
  • Update software
  • Backups
  • And more...
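An added example (not from the presentation, and not the data of the homicide case) of how two of the logged items above, clock changes and unattended activity such as software updates, bear on "activity after time of death". Windows records a clock change as Security event 4616 with PreviousTime and NewTime fields (the System log's Kernel-General event 1 carries the same information); anything written after a clock change is stamped with the shifted clock until it is changed again. The records below are constructed in a simplified tuple form rather than real exported XML, and the set of "unattended" event IDs is an assumption of this example that a case would extend.

```python
from datetime import datetime, timedelta

# Constructed sample records (not an export from any real system). Each is
# (recorded_time, channel, event_id, data), in EventRecordID order. IDs used
# are real Windows ones: Security 4616 = system time changed; Security 4624 =
# logon; System 12/13 = Kernel-General OS start/shutdown; System 19 =
# WindowsUpdateClient installation succeeded.
SAMPLE_EVENTS = [
    (datetime(2019, 6, 7, 17, 10), "System", 12, {}),
    (datetime(2019, 6, 7, 17, 40), "Security", 4624, {"user": "desktop-user"}),
    (datetime(2019, 6, 8, 17, 45), "Security", 4616,
     {"PreviousTime": datetime(2019, 6, 7, 17, 45),
      "NewTime": datetime(2019, 6, 8, 17, 45)}),          # clock moved +24h
    (datetime(2019, 6, 8, 21, 30), "System", 19, {}),     # update installed
    (datetime(2019, 6, 8, 23, 30), "System", 13, {}),     # shutdown
]

# Events that occur with nobody at the keyboard. Illustrative assumption of
# this example, not an exhaustive list; extend it per case.
UNATTENDED = {("System", 19)}


def normalize_timeline(events):
    """Re-base recorded timestamps onto one consistent clock.

    Walks records in the order they were written (record ID order, which a
    clock change does not rewrite; sorting by timestamp would scramble a
    backwards change). Each 4616 adds NewTime - PreviousTime to the running
    shift, and every record is corrected by the shift in force when it was
    written. The 4616 record itself therefore maps back to its PreviousTime.
    """
    shift = timedelta(0)
    timeline = []
    for recorded, channel, event_id, data in events:
        if channel == "Security" and event_id == 4616:
            shift += data["NewTime"] - data["PreviousTime"]
        timeline.append({
            "recorded": recorded,
            "corrected": recorded - shift,
            "channel": channel,
            "id": event_id,
            "clock_shift": shift,
            "unattended": (channel, event_id) in UNATTENDED,
        })
    return timeline


def last_attended_activity(timeline):
    """Corrected time of the last record that needed a person present, or None."""
    attended = [t for t in timeline if not t["unattended"]]
    return attended[-1]["corrected"] if attended else None


if __name__ == "__main__":
    for t in normalize_timeline(SAMPLE_EVENTS):
        print(f'{t["recorded"]}  ->  {t["corrected"]}  {t["channel"]}/{t["id"]}'
              f'{"  (unattended)" if t["unattended"] else ""}')
    print("last attended activity:", last_attended_activity(normalize_timeline(SAMPLE_EVENTS)))
```

The point of the correction step is that a timestamp is only as good as the clock that produced it: a single 4616 in the log moves every later record, and the Kernel-General boot and shutdown events, update installs and scheduled backups the slide lists are the first things to rule out before treating a late timestamp as someone typing.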
SO MUCH MORE
• RAM analysis
  • Private browsing mode
• Attached devices
  • setupapi.log & MTP entries
• Timeline analysis
  • Using $MFT/directory
• Malware analysis
  • Keyloggers
• Prefetch analysis
  • Software use
• LNK file analysis
  • File use
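For the "attached devices" item, an added example (not part of the presentation) of pulling first-connection times out of setupapi.dev.log, the plain-text driver-install log under C:\Windows\inf on Windows 7 and later. Each hardware-initiated install is a `>>>  [Device Install (Hardware initiated) - <device instance ID>]` line followed by `>>>  Section start <date time>`. The excerpt below is constructed in that layout; the vendor, product, serial and VID/PID values in it are made up.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of setupapi.dev.log. Device IDs, serials
# and timestamps are invented for this example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2019/03/12 14:22:31.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/12 14:22:33.901
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_18D1&PID_4EE1\\0123456789ABCDEF]
>>>  Section start 2019/03/14 09:05:10.004
<<<  Section end 2019/03/14 09:05:12.770
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WD&Prod_Elements_25A2&Rev_1021\\7&1a2b3c4d&0]
>>>  Section start 2019/03/20 18:41:55.210
<<<  Section end 2019/03/20 18:41:57.000
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<id>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<inst>.+)$")


def describe(device_id, first_install, kind):
    """Break a device instance ID into the fields an examiner reports."""
    info = {"device_id": device_id, "first_install": first_install,
            "install_kind": kind, "bus": device_id.split("\\", 1)[0]}
    m = USBSTOR_RE.match(device_id)
    if m:
        # Instance part is <serial>&<interface index>; drop the trailing "&0".
        serial = m.group("inst").rsplit("&", 1)[0]
        info.update(
            vendor=m.group("ven"), product=m.group("prod"), revision=m.group("rev"),
            serial=serial,
            # When the second character is "&", the device reported no serial
            # and Windows generated this ID; it is not unique across machines.
            serial_from_windows=len(serial) > 1 and serial[1] == "&",
        )
    return info


def parse_setupapi(text):
    """Return one dict per hardware-initiated install, with its start time."""
    devices = []
    pending = None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = (m.group("id"), m.group("kind"))
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            devices.append(describe(pending[0], when, pending[1]))
            pending = None
    return devices


if __name__ == "__main__":
    for d in parse_setupapi(SAMPLE_LOG):
        print(d["first_install"], d["bus"], d.get("serial", d["device_id"]))
```

Two caveats the parser cannot fix: setupapi.dev.log records the driver installation, which is normally the first time a device was connected, not every connection, so later plug-ins have to come from the registry (USBSTOR, MountedDevices, the user's MountPoints2) and the event logs; and the timestamps are the local time of the machine that wrote the log, so they need the same clock scrutiny as any other artifact.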
4TH ANNUAL CYBER SECURITY & FORENSICS CONFERENCE
• Sponsored by CHC and HTCIA.
• October is National Cybersecurity Awareness Month!
• October 26 at Chestnut Hill College
THANK YOU!
Pamela King
Chestnut Hill College
Computer Science & Information Technology
Digital Forensics & Cyber Security B.S. Degrees
215-248-7145
www.chc.edu