Cyber Forensics Overview

17,975 views 43 slides Nov 13, 2019

About This Presentation

This presentation gives an overview of the stages of digital forensics and of where you should look for evidence.


Slide Content

Overview of Cyber Forensics
Yansi Keim, Ph.D. Student, Purdue University, USA
For Infosec girls, Nov 16th, 2019

Contents
- Primer: Cyber Forensics
- Glossary
- States of Data
- Network Forensics
- Event Log Analysis and Sources
- Anti-Forensics Detection
- Timeline Analysis
© Yansi Keim

PRIMER

What is Cybersecurity?
What? Cybersecurity tends to focus on how malicious actors use electronic assets (Internet, WAN, LAN, routers, printers, network appliances) to attack information.
Why? To protect individuals, organizations, financial institutions and universities from cyber attacks, including kill chains, zero-day attacks, ransomware, malware, etc.
How? Running the assets safely with security implementations of databases, networks, hardware, firewalls and encryption.

What is Cyber Forensics?
What? The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
How? Through the digital forensics investigation process, including Identification, Preservation, Analysis, and Presentation (IPAP).
Why? Used in criminal investigations to identify what happened, how it happened, when it happened and the people involved.

Relationship between Cybersecurity and Cyber Forensics
Cybersecurity aims to protect electronic assets from breaches, whereas cyber forensics explains how a policy became violated and who was responsible for it.
Fig. 1: Feedback cycle of Cybersecurity and Cyber Forensics

Edmond Locard’s Principle
Locard’s Principle: the perpetrator of a crime will bring something into the crime scene and leave with something from it, and both can be used as forensic evidence; thus, every cyber fraud or cyber crime will have evidence.
Example: 10 people decide to go hunting and all shoot at the same deer at the same time. The group takes the deer’s life; however, there is only 1 entry wound. Which hunter killed the deer?

Digital Forensics Investigation Process Model
Fig.: process model, stages at the crime scene and in the lab

Stage 1: Identification
In this stage, potential sources of relevant evidence and/or information (devices) as well as key custodians and the location of data are identified.
- Determine the scope of the incident
- Assess the case and its nature: internal, civil or criminal
- Characteristics of the case

Stage 2: Collection
Collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then taking photos, imaging, copying or printing out its (their) content.
*Important Note*: As collection begins, those persons doing the collecting should keep the Chain of Custody in mind.

Stage 2: Collection: Chain of Custody (CoC)
The CoC is a printed or electronic document in which the acquisition, custody and transfers of any piece of evidence are recorded. It must include all basic information regarding:
- Acquisition: who, when, where and how. Who acquired the evidence, when and where the evidence was acquired, and what method was used.
- Custody: who, where, how and how long. Who had possession of the evidence, where it was kept, what method was used to store it, and how long it was kept.
- Processing: what was done to the evidence (cloning, analysis, etc.).
- Transfer: transfer of the evidence from one possessor to another, recorded along with the signature of the new keeper.
- Final fate: destruction, secure deletion of evidence, return of evidence to owner, etc.
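The five CoC record types above can be kept in a form that makes later alteration detectable. The following is an added example, not code from the slides: a small ledger in which every entry (acquisition, custody, processing, transfer, final fate) carries the who/when/where/how fields and a SHA-256 link to the previous entry. The exhibit id, people, places and timestamps are constructed, and the image hash is a placeholder.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example: a tamper-evident chain-of-custody (CoC) ledger. Each entry
# records one of the event types the slide lists and is linked to the previous
# entry by a SHA-256 hash, so editing or dropping an old entry is detectable.
# All names, places and timestamps are constructed for this example.

EVENT_TYPES = {"acquisition", "custody", "processing", "transfer", "final_fate"}


def _entry_hash(entry: Dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLedger:
    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries: List[Dict] = []

    def record(self, event: str, who: str, where: str, how: str,
               when: Optional[str] = None, **details) -> Dict:
        if event not in EVENT_TYPES:
            raise ValueError("unknown CoC event type: %s" % event)
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "event": event,
            "who": who,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "where": where,
            "how": how,
            "details": details,          # e.g. duration, from_custodian, image hash
            "prev_hash": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def build_sample_ledger() -> CustodyLedger:
    # Constructed life cycle of one exhibit, following the slide's five record types.
    led = CustodyLedger("EXHIBIT-001")
    led.record("acquisition", who="Examiner A", where="Office 4B, workstation HR-12",
               how="write-blocked bit-level image", when="2019-11-16T09:12:00+00:00",
               image_sha256="<sha256 of the image: placeholder>")
    led.record("custody", who="Examiner A", where="Evidence locker L3",
               how="sealed anti-static bag", when="2019-11-16T10:05:00+00:00",
               duration="until transfer")
    led.record("processing", who="Examiner A", where="Forensic lab",
               how="analysis of verified working copy", when="2019-11-17T14:00:00+00:00")
    led.record("transfer", who="Examiner B", where="Forensic lab",
               how="hand-over with both signatures", when="2019-11-18T08:30:00+00:00",
               from_custodian="Examiner A")
    led.record("final_fate", who="Examiner B", where="Forensic lab",
               how="returned to owner", when="2019-12-02T16:45:00+00:00")
    return led


def tamper_demo() -> Tuple[int, bool, int]:
    """Show that silently rewriting a past entry breaks the chain at that entry."""
    led = build_sample_ledger()
    ok_before, _ = led.verify()
    led.entries[2]["how"] = "analysis of original media"   # undocumented edit
    ok_after, bad = led.verify()
    return len(led.entries), ok_before and not ok_after, bad


if __name__ == "__main__":
    print(tamper_demo())   # (5, True, 2)
```

The hash link only proves that the ledger has not changed since each entry was written; it does not replace the signatures the slide mentions for transfers, which are what bind a named person to the record.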

Collecting Evidence: What is the most important thing?
Document, document, document.
- Lawfully capture evidence
- Make cryptographically verifiable copies
- Set up secure storage of collected evidence
- Establish chain of custody
- Analyze copies only
- Use legally obtained, reputable tools
- Document every step

Stage 3: Preservation
The process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired. It is an important step because information on volatile electronic devices may be lost if it is not handled with care.

Stage 4: Examination
The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media.
*Important Note*: Before dealing with the data, it is imperative to know the types of data, which are discussed in later slides.

Stage 5: Analysis
An in-depth, systematic search of evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; this may include system- and user-generated files.
Note: Timeline Analysis aims to draw conclusions based on the evidence found.

Stage 6: Presentation
Begins with reports based on proven techniques and methodologies. Also includes the requirement that other competent forensic examiners should be able to duplicate and reproduce the same results.

States of Data

Data at Rest, in Use, & in Transit

Forensically Analyzing Data at Rest: Disk Imaging
Disk imaging is defined as the processes and tools used in copying a physical storage device for conducting investigations and gathering evidence. This copy does not just include files which are visible to the operating system but every bit of data: every sector, partition, file, folder, master boot record, deleted file and unallocated space. The image is an identical copy of all the drive structures and contents.
Note: Imaging is not Copy and Paste | Tool: EnCase Forensics
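To make "imaging is not copy and paste" and "make cryptographically verifiable copies" (from the collection checklist) concrete, here is an added example that is not part of the slides. It builds a constructed four-sector "disk" in memory, takes a bit-level image of it, verifies the image against the source by SHA-256 the way an imaging tool reports acquisition and verification hashes, and shows that a file-level copy of the one visible file never contains the remnant of a deleted file that the image keeps. The file system layout is a toy assumption; no real device is read.

```python
import hashlib
from typing import Dict

# Added example (not from the slides): bit-level image vs. copy of visible
# files, and hash verification of the image. The "disk" is a constructed
# byte string; a real acquisition reads the device through a write blocker.

SECTOR = 512


def build_toy_disk() -> bytes:
    # Sector 0: fake boot sector; sector 1: the only file the file system still
    # lists; sector 2: unallocated space holding the remains of a deleted file;
    # sector 3: never written.
    header = b"TOYFS v1 boot sector".ljust(SECTOR, b"\x00")
    live = b"quarterly_report.txt: all figures reviewed".ljust(SECTOR, b"\x00")
    deleted = b"[deleted] wire transfer to account placeholder-123".ljust(SECTOR, b"\xff")
    empty = b"\x00" * SECTOR
    return header + live + deleted + empty


def sha256_stream(data: bytes, chunk: int = 4096) -> str:
    # Hash in chunks, as a tool would read a multi-gigabyte device.
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def file_level_copy(disk: bytes) -> Dict[str, bytes]:
    # What "copy and paste" preserves: only files the file system still lists.
    # In the toy layout the single live file occupies sector 1.
    content = disk[SECTOR:2 * SECTOR].rstrip(b"\x00")
    return {"quarterly_report.txt": content}


def bit_level_image(disk: bytes) -> bytes:
    # Sector-by-sector acquisition: every byte, allocated or not.
    return bytes(disk)


def acquire_and_verify() -> Dict[str, object]:
    disk = build_toy_disk()
    source_hash = sha256_stream(disk)      # acquisition hash of the source
    image = bit_level_image(disk)
    image_hash = sha256_stream(image)      # verification hash of the image
    copy = file_level_copy(disk)
    marker = b"[deleted] wire transfer"
    return {
        "image_verified": source_hash == image_hash,
        "image_sha256": image_hash,
        "deleted_in_image": marker in image,
        "deleted_in_copy": any(marker in v for v in copy.values()),
        "image_bytes": len(image),
        "copy_bytes": sum(len(v) for v in copy.values()),
    }


if __name__ == "__main__":
    for key, value in acquire_and_verify().items():
        print("%s: %s" % (key, value))
```

The recorded image hash is what later lets an examiner, or opposing counsel, confirm that the copy being analyzed is the one that was acquired; it belongs in the acquisition entry of the chain of custody.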

Disk Cloning: Analyzing Data at Rest
Disk cloning creates a copy of the original drive and includes all the information that will enable the duplicate (cloned) drive to boot the operating system, accessing all the files as if it were the original. The disk cloning process creates what is known as a 'one-to-one' copy. This duplicate is fully functional and, in the event that it is swapped in to replace the original drive, will work just like the original. The computer, when booted using the cloned drive, has operations and data identical to the original drive.

Forensically Analyzing Data in Use: Techniques
Cross-drive analysis: correlation of information found on multiple hard drives.
- Techniques: multi-drive correlation, creation of timelines
- Application: identifying social networks and performing anomaly detection
Live analysis: examination of computers’ operating systems using custom forensics to extract evidence in real time.
- Techniques: acquisition of RAM (RAM dump) and capture of the page file, crash dump, VM snapshot
- Application: identifying and quantifying the threat; collecting artifacts such as running processes, suspicious mutexes, prefetch files, registry keys, open network connections, system accounts

Network Forensics: Data in Transit

Network Forensics
What? The process of collecting and analyzing raw network data and tracking network traffic.
Why? Intruders leave a trail behind; this trail leaves a data record for the incident responder(s). It is also important for the daily security operations workflow.
How? Through alerts, network log analysis, threat hunting and intelligence, SIEM.

Network based Evidence: Methods of acquisition
1. Ethernet eavesdropping via sniffers. Popular packet analyzers: Wireshark (Win/Linux/MacOS), TCPdump (Unix), Tshark, NetFlow
2. Sysinternals
- RegMon shows registry data in real time
- Process Explorer shows what is loaded
- Handle shows open files and the processes using them
- Filemon shows file system activity

Network based Evidence: Methods of acquisition
3. PsTools (Sysinternals)
- PsExec: execute processes remotely
- PsFile: shows files opened remotely
- PsGetSid: display the SID of a computer or a user
- PsInfo: list information about a system
- PsPing: measure network performance
- PsKill: kill processes by name or process ID
- PsList: list detailed information about processes

Network based Evidence: Methods of acquisition
4. Intrusion Detection System
- Host based IDS
- Network based IDS
5. Intrusion Prevention System
- Host based IPS
- Network based IPS
6. Honey Pots
- Low interaction
- High interaction
7. Firewalls
Fig.: Types of Firewalls

Network based Evidence: Logs… where can you find them?
Most network traffic leaves an audit trail.
- Routers, firewalls and servers maintain logs
- DHCP log
- Firewalls offer logging
- IDS can capture part of an attack
- Host-based sensors detect alteration of libraries
- Login attempts are logged
Note: Chain of Custody: captured files need to be authenticated

Event Log Analysis and Sources

Event Log Analysis

Event Viewer in Windows

Event Log Sources
- Malware
- Web-based attacks
- Web application attacks
- Phishing
- Spam
- Denial of Service, DDoS (Distributed)
- Ransomware
- Botnet
- Insider threat

System Auditing
Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. Auditing helps track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination.
To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking, or use Advanced Audit Policy Configuration -> System Audit Policy -> Detailed Tracking.
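Once process tracking is enabled, the Security log receives event ID 4688 for each process creation, and the field linking a new process to its creator is what lets an examiner reconstruct which program ran what. The block below is an added example, not from the slides: it takes a handful of constructed 4688 records (the field names follow the 4688 message text, but the export format and column names are an assumption), rebuilds the parent/child tree, and applies one illustrative review rule, flagging a command shell whose ancestry includes an Office application.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the slides): reconstructing process lineage from
# Windows Security event 4688 (process creation). The records are constructed
# to resemble a parsed export; the column names are an assumption.

EVENTS_4688 = [
    {"TimeCreated": "2019-11-16T09:00:01", "SubjectUserName": "jdoe", "NewProcessId": "0x1a0",
     "ParentProcessId": "0x0f4", "NewProcessName": r"C:\Windows\explorer.exe"},
    {"TimeCreated": "2019-11-16T09:01:10", "SubjectUserName": "jdoe", "NewProcessId": "0x2b8",
     "ParentProcessId": "0x1a0", "NewProcessName": r"C:\Program Files\Office\WINWORD.EXE"},
    {"TimeCreated": "2019-11-16T09:01:45", "SubjectUserName": "jdoe", "NewProcessId": "0x3c4",
     "ParentProcessId": "0x2b8", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2019-11-16T09:01:46", "SubjectUserName": "jdoe", "NewProcessId": "0x3d0",
     "ParentProcessId": "0x3c4",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"TimeCreated": "2019-11-16T09:05:00", "SubjectUserName": "jdoe", "NewProcessId": "0x4e2",
     "ParentProcessId": "0x1a0", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

# Illustrative name sets for the review rule below (an assumption, not a standard).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Dict]) -> Tuple[Dict[str, Dict], Dict[str, List[str]]]:
    # Index by new PID and collect children per creator PID.
    by_pid: Dict[str, Dict] = {}
    children: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        by_pid[e["NewProcessId"]] = e
        children[e["ParentProcessId"]].append(e["NewProcessId"])
    return by_pid, children


def lineage(pid: str, by_pid: Dict[str, Dict]) -> List[str]:
    # Walk creator pointers upward until a PID the log does not cover.
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["NewProcessName"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def find_office_spawned_shells(events: List[Dict]) -> List[Dict[str, str]]:
    # Review rule: a shell whose ancestors include an Office application.
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        name = basename(e["NewProcessName"])
        if name in SHELLS:
            ancestors = lineage(e["NewProcessId"], by_pid)[:-1]
            if any(a in OFFICE_APPS for a in ancestors):
                hits.append({"time": e["TimeCreated"], "user": e["SubjectUserName"],
                             "chain": " -> ".join(ancestors + [name])})
    return hits


def print_tree(events: List[Dict]) -> None:
    by_pid, children = build_tree(events)
    roots = [p for p in by_pid if by_pid[p]["ParentProcessId"] not in by_pid]

    def walk(pid: str, depth: int) -> None:
        print("  " * depth + basename(by_pid[pid]["NewProcessName"]), pid)
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)


if __name__ == "__main__":
    print_tree(EVENTS_4688)
    for hit in find_office_spawned_shells(EVENTS_4688):
        print(hit)
```

Process IDs are reused after termination, so on a real log the pairing must also respect time order (and the matching 4689 termination events) before a creator PID is trusted; the constructed sample avoids that case.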

Threat Hunting
Threat Hunting: a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks. It is a method of searching through networks and datasets to find APTs that evade existing security defenses. (SANS)
Note: It is not a set of tools. It requires human intervention at every step.

Types of Threat Hunting
- Statistical anomaly: threats can be detected by taking note of abnormal behavior in a system or network. You may notice this intuitively, but it is better to have a performance “baseline” for comparison.
- Open Source Intelligence (OSINT): monitoring media sources: social media, e-mail, gossip around the “water cooler”.
- Situational awareness: you are monitoring specific assets, performing risk assessments, and finding threats.

Threat Hunting Cycle
Src: https://virtualizationandstorage.files.wordpress.com/2018/08/framework-for-threat-hunting-whitepaper.pdf

Anti-Forensic Detection: Recovering deleted files

Source: File Systems and Hard Drives
Traditional hard drives store data in 512-byte sectors, while modern hard drives use what is called Advanced Format, with 4096-byte sectors. However, file systems look at clusters, not sectors. A cluster can be from 1 to 128 sectors. To recover data, you must know which OS and file system are active on the suspect machine.

Anti-Forensics Detection: Disk Data and Recovery Tools
What can be recovered?
- Known files
- Deleted files
- Slack space
- Unallocated space
- Compressed files and sectors
Available tools: Hex Editor, EnCase Forensics, Volatility, Autopsy (open source)
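The two slides above (sectors vs. clusters, and what can be recovered) can be tied together on a toy volume. The following added example, not from the slides, uses 512-byte sectors and 4-sector clusters as the slide describes, computes file slack, and then reads the three regions separately: the known file as the file system sees it, the slack after it, and the unallocated clusters, carving printable strings from the last two the way a hex editor would display them. The allocation table and the data on the volume are constructed assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example (not from the slides): known file, slack space and unallocated
# space on a constructed toy volume. Sector size and cluster range follow the
# slide; the allocation table and contents are assumptions for illustration.

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 2048 bytes


def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    # Bytes between the end of the file and the end of its last cluster.
    if file_size == 0:
        return 0
    return (-file_size) % cluster


def build_toy_volume() -> Tuple[bytes, Dict[str, Tuple[int, int]], Set[int]]:
    # Cluster 0: metadata; cluster 1: live notes.txt (short, so most of the
    # cluster is slack still holding bytes of an earlier, larger file);
    # cluster 2: unallocated, holding a deleted file; cluster 3: never written.
    old_content = (b"OLDFILE: meeting minutes 2019-10-30; attendee list follows: " * 40)[:CLUSTER]
    notes = b"notes.txt: call vendor on Monday"
    cluster1 = notes + old_content[len(notes):]                       # file + slack
    cluster2 = (b"DELETED: payroll_export.csv; id,name,amount\n" * 60)[:CLUSTER]
    volume = b"TOYFS".ljust(CLUSTER, b"\x00") + cluster1 + cluster2 + b"\x00" * CLUSTER
    table = {"notes.txt": (1, len(notes))}   # name -> (first cluster, size in bytes)
    allocated = {1}                          # clusters the file system considers in use
    return volume, table, allocated


def read_file(volume: bytes, table: Dict[str, Tuple[int, int]], name: str) -> bytes:
    start, size = table[name]
    return volume[start * CLUSTER:start * CLUSTER + size]


def read_slack(volume: bytes, table: Dict[str, Tuple[int, int]], name: str) -> bytes:
    # Toy: files here never exceed one cluster, so slack ends at the cluster boundary.
    start, size = table[name]
    end = start * CLUSTER + size
    return volume[end:(start + 1) * CLUSTER]


def read_unallocated(volume: bytes, allocated: Set[int]) -> bytes:
    n = len(volume) // CLUSTER
    return b"".join(volume[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(1, n) if c not in allocated)


def carve_strings(blob: bytes, min_len: int = 8) -> List[str]:
    # Runs of printable ASCII, the simplest form of carving a hex editor shows.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def recovery_report() -> Dict[str, object]:
    volume, table, allocated = build_toy_volume()
    slack = read_slack(volume, table, "notes.txt")
    return {
        "known_file": read_file(volume, table, "notes.txt").decode("ascii"),
        "slack_bytes": len(slack),
        "slack_strings": carve_strings(slack),
        "unallocated_strings": carve_strings(read_unallocated(volume, allocated)),
    }


if __name__ == "__main__":
    report = recovery_report()
    print("known file:", report["known_file"])
    print("slack bytes:", report["slack_bytes"])
    print("first slack string:", report["slack_strings"][0][:60])
    print("unallocated strings:", len(report["unallocated_strings"]))
```

On a real volume the cluster size comes from the file system's boot sector, and the allocation table is the FAT, the MFT bitmap, or the equivalent; reading the wrong one is why the slide insists on identifying the OS and file system first.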

Timeline Analysis

Timeline Analysis
Used in cybercrime investigation to answer questions like: When was a computer used? What events occurred before or after an event?
Any potential tool extracts timestamps and clusters similar events from the seized device. The places to find these timestamps are:
- Files on the disk
- Web or Internet artefacts
- Tool-specific data
Tools used: Maltego and Autopsy
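What "extracts timestamps and clusters similar events" looks like in practice, as an added example that is not part of the slides: records from the three sources named above (file system timestamps, a browser history entry, Windows event log entries) are normalised to UTC, because each source stores time differently (local time with offset, Unix epoch, UTC), merged into one ordered timeline, and grouped into bursts of activity that fall within a two-minute window. Every record is constructed; the paths, URL and event ids are illustrative, and the window size is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Added example (not from the slides): a super-timeline from three constructed
# sources with different time formats, normalised to UTC, sorted and clustered.

FILE_EVENTS = [   # (path, timestamp as ISO-8601 with local offset, action)
    ("C:/Users/jdoe/Downloads/invoice.docm", "2019-11-16T09:00:58+01:00", "file created"),
    ("C:/Users/jdoe/AppData/Local/Temp/upd.exe", "2019-11-16T09:01:50+01:00", "file created"),
    ("C:/Users/jdoe/Documents/notes.txt", "2019-11-15T17:30:00+01:00", "file modified"),
]
WEB_EVENTS = [    # (url, Unix epoch seconds, UTC) -- browser databases often store epochs
    ("http://example.invalid/invoice", 1573891250),   # constructed: 2019-11-16T08:00:50Z
]
LOG_EVENTS = [    # (event id, time in UTC, description)
    (4688, "2019-11-16T08:01:45Z", "cmd.exe started"),
    (4624, "2019-11-16T07:58:00Z", "logon jdoe"),
]


def parse_iso(s: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def build_timeline() -> List[Dict]:
    events = []
    for path, ts, action in FILE_EVENTS:
        events.append({"time": parse_iso(ts), "source": "filesystem",
                       "what": "%s: %s" % (action, path)})
    for url, epoch in WEB_EVENTS:
        events.append({"time": datetime.fromtimestamp(epoch, tz=timezone.utc),
                       "source": "browser", "what": "visit: %s" % url})
    for eid, ts, desc in LOG_EVENTS:
        events.append({"time": parse_iso(ts), "source": "eventlog",
                       "what": "EID %d: %s" % (eid, desc)})
    return sorted(events, key=lambda e: e["time"])


def cluster(events: List[Dict], window_seconds: int = 120) -> List[List[Dict]]:
    # Group consecutive events whose gap to the previous event is within the window.
    clusters: List[List[Dict]] = []
    gap = timedelta(seconds=window_seconds)
    for e in events:
        if clusters and e["time"] - clusters[-1][-1]["time"] <= gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def summarize(clusters: List[List[Dict]]) -> List[Dict]:
    # One line per burst: when it started, how long it lasted, which sources contributed.
    out = []
    for c in clusters:
        out.append({"start": c[0]["time"].isoformat(),
                    "seconds": int((c[-1]["time"] - c[0]["time"]).total_seconds()),
                    "count": len(c),
                    "sources": sorted({e["source"] for e in c})})
    return out


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e["time"].isoformat(), e["source"].ljust(10), e["what"])
    for s in summarize(cluster(timeline)):
        print(s)
```

The burst that mixes all three sources (web visit, document download, shell start, new executable within one minute) is the kind of cluster an examiner then expands, while a lone file modification the day before stays in its own group; the window size should be chosen per case rather than fixed.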

Fig.: A timeline like this communicates the order of events to the judge and other parties.
Src: Digital Archaeology, The Art and Science of Digital Forensics, by Michael W. Graves

Identifying Perpetrators (Machines/Users)
Check for live systems in NMAP, Kali Linux:
- Connect scan
- Half-open scan
- XMAS scan
- FIN scan
- ACK scan
- Null scan
- Idle scan
Banner grabbing:
- OS version
- Check services running on the OS and their versions
- Check for open ports
Vulnerability scanning tools: Nessus, Acunetix

QUESTIONS?