The presentation gives an introduction to digital forensics.
Size: 13.36 MB
Language: en
Added: May 22, 2023
Slides: 70 pages
Slide Content
DIGITAL FORENSICS
Digital forensics definition
Different types of digital forensics
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
1) Computer Forensics: the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2) Network Forensics: the monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, e.g. worm, virus or malware attacks, abnormal network traffic and security breaches.
3) Mobile Device Forensics: the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4) Digital Image Forensics: the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5) Digital Video/Audio Forensics: the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6) Memory Forensics: the recovery of evidence from the RAM of a running computer, also called live acquisition.
7) Cloud Forensics: an application of digital forensics that deals with crimes committed over the cloud and investigates them.
TYPES OF INVESTIGATION
Characteristics of digital evidence:
TECHNIQUES OF DIGITAL FORENSICS
USES OF DIGITAL FORENSICS
• Intellectual property theft
• Employment disputes
ROLE OF FORENSICS INVESTIGATORS
• Confirm or dispel whether a resource/network is compromised.
• Determine the extent of damage due to the intrusion.
• Answer the questions: who, what, when, where, how and why.
• Gather data in a forensically sound manner.
• Handle and analyze evidence.
• Prepare the report.
• Present admissible evidence in court.
Forensic readiness is the ability of an organization to maximize its potential to use digital evidence whilst minimizing the costs of an investigation.
Steps for Forensic Readiness Planning
SEARCH AND SEIZURE OF DIGITAL EVIDENCE
Equipment preparation
The following is a list that the officer must take into account, consisting of the minimum forensic tools needed for a successful search and seizure activity:
• Laptop with the necessary standard forensic tools installed
• Hardware write blockers
• Forensic tool dongle licenses
• Enough storage media (external HDDs)
• HD with extra forensic software or bootable devices
Tools to dismantle
• Screwdrivers (flat, star, hexagonal and others specific to certain models)
• Pliers (standard and pointed)
• Clamps (for cutting cables)
• Small tweezers
Exhibit documentation
• Photo or video camera (to take pictures of the scene and the screen content)
• Permanent markers (to encode and identify the investigated material)
• Labels (to mark and identify parts of the equipment, power supplies)
• Evidence tags
Resources needed for packaging and transport/consumables
• Evidence bags and seals
• Evidence carton boxes for media storage devices such as USB devices, DVDs or CDs
• Anti-static zip-lock evidence bags
• Faraday bags to inhibit signals to mobile phones and other devices that may receive data from the mobile/Wi-Fi network
• Other items: small torch with stand, gloves, large rubber bands, magnifying glasses, network cables (crossed and braided), mask
SEARCH AND SEIZURE EXECUTION PHASE
Search and seizure of volatile data
Some of the tools for the collection of volatile data are:
• Srvcheck.exe: displays the shares locally or remotely.
• Kill.exe: a Windows Support Tool for terminating a selected task or process.
• Rasusers.exe: lists all user accounts on a domain or server that have been granted permission to dial in to the network.
• Dumpel.exe: dumps a copy of the Event Viewer logs.
• Filemon: displays all file system activity in real time.
• Regmon: displays all registry activity in real time.
• Tokenmon: displays logons, logoffs, privilege usage and impersonation.
• Handle: displays which files are open by which processes.
• ListDLLs: lists all dynamic-link libraries (DLLs) that are currently loaded, including the version and the full path names of the loaded modules, etc.
• Process Explorer: a tool that displays open files, object processes, registry keys, DLLs and owners of object processes.
• MD5sum: generates the checksum of a file and provides verification.
• Fport: maps application processes to the network ports they listen on.
• TCPView: shows the endpoints of all open TCP and UDP connections.
• Cmd.exe: the command prompt for Windows NT/2000.
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• A lost cluster
• A bad sector
• The boot sector
There are three types of partitions: primary partitions, extended partitions and logical drives.
First Incident Response
A. Shut-down machines
• Tag every connection and take a photo.
• Search for the physical evidence first.
• Open the machine and locate the storage device.
• Make enough documentation (serial no., size, manufacturer of the disk, etc.).
• Seal it properly and proceed with further operations.
B. Live machines with no harmful activity
• Take a photo of the current activity first.
• Ensure that shutting down the system will not harm the investigation.
• The hibernate option is beneficial: after imaging, the system can be resumed directly.
C. Live machine with harmful activity going on (destroying data, etc.)
• Capture a snapshot.
• As soon as possible, remove the power cord to avoid further damage.
• Then start imaging the disk.
In disk imaging, we make exact copies of storage devices or their partitions and then store them on larger storage or write them directly to another device.
Integrity of the evidence is established with standard hash algorithms such as MD5 (Message-Digest algorithm), SHA (Secure Hash Algorithm), etc.
The different tools available for imaging and cloning are: SOLO 4 Forensic Dossier, SuperSonix, WinHex, FTK Imager, EnCase Forensic Imager, Acronis True Image Home, CloneZilla, DriveImage XML V2.50.
Precautions for Disk Imaging
• Cloning hardware has a built-in write blocker, so there is no need to connect additional write-blocker hardware.
• The original device is never connected directly to the investigation machine; it may increase the possibility of damage.
• The source device should be used only once, and only for imaging. For further requirements, replicas are made from the first copy.
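The single-pass rule above (read the source once, hash what you copy, verify every later replica) in working form. This is an added example, not code from the presentation or from any of the tools it lists; the "device" is a constructed in-memory byte buffer standing in for a write-blocked drive.

```python
import hashlib
import io

CHUNK = 64 * 1024  # block size; real acquisitions read fixed-size blocks


def image_and_hash(source, dest, chunk=CHUNK):
    """Copy `source` to `dest` in one pass, hashing each block as it is read.

    The source is read exactly once (in practice behind a write blocker), and
    MD5 and SHA-256 are fed from the same buffer that is written out, so the
    digests describe exactly the bytes that landed in the image.
    Returns {"md5": ..., "sha256": ..., "bytes": n}.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    while True:
        block = source.read(chunk)
        if not block:
            break
        md5.update(block)
        sha.update(block)
        dest.write(block)
        total += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": total}


def verify_image(image, record, chunk=CHUNK):
    """Re-hash a stored image and compare it with the acquisition record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    while True:
        block = image.read(chunk)
        if not block:
            break
        md5.update(block)
        sha.update(block)
    return md5.hexdigest() == record["md5"] and sha.hexdigest() == record["sha256"]


# Constructed stand-in for a seized device: 1 MiB of a repeating byte pattern.
SAMPLE_DEVICE = bytes(range(256)) * 4096


def demo():
    """Image the sample device, verify a replica, then reject a tampered one.
    Returns (replica_ok, tampered_ok, bytes_imaged)."""
    image = io.BytesIO()
    record = image_and_hash(io.BytesIO(SAMPLE_DEVICE), image)
    replica_ok = verify_image(io.BytesIO(image.getvalue()), record)
    tampered = bytearray(image.getvalue())
    tampered[1000] ^= 0x01  # a single bit changed in the replica
    tampered_ok = verify_image(io.BytesIO(bytes(tampered)), record)
    return replica_ok, tampered_ok, record["bytes"]
```

Record both digests with the case notes at acquisition time; every working copy made later is checked against that record, never against the original device.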
Retrieving deleted files: when a file is deleted, the file system removes it logically (the metadata and timestamps). However, the file still resides on the disk as a physical entity until it is overwritten.
Retrieving cached files: the cache files of an application can be searched using typical keywords related to the case or probable websites. Software: Chrome cache viewer.
Retrieving files in unallocated space: a deleted file can be searched for sequentially or structurally by looking for file headers or extensions.
Metadata tools: Meta Viewer, Metadata Analysis, iscrub.
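A minimal header/footer carver of the kind the "unallocated space" point describes, added here as an example (not code from the presentation or from any listed tool). The signatures are the real JPEG, PNG and PDF magic bytes; the unallocated-space sample is constructed inline. A header that never meets its footer is carved as a truncated file rather than silently dropped.

```python
import re

# (type, header, footer) signatures; a carver keys on these because no
# file-system metadata remains for files in unallocated clusters.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(data, max_len=16 * 1024 * 1024):
    """Sequential header/footer carve. Returns [(type, offset, length)] sorted
    by offset. A header with no footer within max_len yields a truncated hit
    of min(max_len, remaining) bytes. Note that a JPEG embedded in a PDF is
    reported as its own hit as well, a known carving false positive."""
    found = []
    for name, header, footer in SIGNATURES:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            end = data.find(footer, start + len(header), start + max_len)
            if end == -1:
                length = min(max_len, len(data) - start)
            else:
                length = end + len(footer) - start
            found.append((name, start, length))
    return sorted(found, key=lambda hit: hit[1])


def extract(data, hit):
    """Return the carved bytes for one (type, offset, length) hit."""
    _, start, length = hit
    return data[start:start + length]


# Constructed unallocated-space sample: three minimal files separated by
# filler that imitates partially overwritten clusters.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 40 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 30
            + b"IEND\xae\x42\x60\x82")
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF"
FILLER = b"\x00" * 64 + b"overwritten-cluster-data" * 3
UNALLOCATED = FILLER + FAKE_JPEG + FILLER + FAKE_PNG + FILLER + FAKE_PDF + FILLER
```

On a real image, feed `carve` the unallocated clusters exported by the forensic tool rather than the whole disk, and hash every carved object before it goes into the report.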
Social media Forensics
Types of Social Networking Platforms
• Media Sharing Networks
• Social Networks
• Discussion Forums
• Bookmarking and Content Curation Networks (E/S/E/D trending content and media)
• Consumer Review Networks (S/R/S reviews/opinions)
• Blogging and Publishing Networks
• Sharing Economy Networks
• Anonymous Social Networks
The Three Basic Stages of Social Media Forensics
• Manual documentation: screen scrape/screenshot; open source tools (HTTrack); commercial tool (X1); web service (PageFreezer)
• Forensic recovery: social networking footprints (Facebook artifacts/Twitter artifacts with timestamp)
• Content subpoena
Email forensics investigation
Email forensics involves capturing, securing, analyzing and reporting email evidence. It studies the source and contents of e-mail messages for evidence: identification of the actual sender and recipient, the date and time when the message was sent, etc. It also involves the investigation of client or server computers suspected of being used or misused to carry out e-mail forgery.
Forensically important email parts: the email header
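What "studying the header to identify the actual sender and the time sent" looks like in practice: walking the Received chain from the oldest hop upward and cross-checking the visible From: against the envelope Return-Path. This is an added example, not material from the presentation; the message below is constructed (documentation IP ranges, example.* domains) and the regular expression handles only the common "from X ... by Y ...; date" Received form.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample; Received headers appear newest-first, as relays prepend them.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
 by inbox.example.com with ESMTPS; Mon, 22 May 2023 10:02:11 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
 by mx.example.org with ESMTP; Mon, 22 May 2023 10:02:05 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
 by relay.mailer.example.net with ESMTPA; Mon, 22 May 2023 10:01:58 +0000
From: "Accounts Team" <accounts@corp.example.com>
To: user@example.com
Date: Mon, 22 May 2023 10:01:50 +0000
Message-ID: <20230522100150.1234@relay.mailer.example.net>

Meeting notes attached.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_chain(raw):
    """Hops oldest-first as (from, by, datetime). The last Received header in
    the message is the first hop, i.e. the one closest to the origin."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold the header
        m = RECEIVED_RE.search(text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append((m.group("from"), m.group("by"), stamp))
    return hops


def _domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def sender_mismatch(raw):
    """True when the displayed From: domain differs from the Return-Path
    (envelope) domain, which warrants a closer look at who really sent it."""
    msg = message_from_string(raw, policy=policy.default)
    return _domain(msg["From"]) != _domain(msg["Return-Path"])


def chronology_ok(raw):
    """Timestamps should not decrease hop to hop; a step backwards suggests a
    forged or injected Received header (or clock skew worth recording)."""
    times = [t for _, _, t in received_chain(raw)]
    return all(a <= b for a, b in zip(times, times[1:]))
```

Only the Received header added by your own mail server is trustworthy on its face; earlier hops and the Date/From fields are under the sender's control, so corroborate them with server logs.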
Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages, video, email, web browsing information, location information, and social networking messages and contacts.
• Storage capacity has increased
• The mobile devices in use constantly evolve
• Hibernation behavior
MOBILE COMMUNICATION
a) 802.11 or Wi-Fi
b) Bluetooth
c) Infrared (IrDA)
EVIDENCES IN A MOBILE DEVICE
Mobile devices can be isolated in many ways; the following can be used to isolate a mobile device on seizure:
• Isolating its wireless features: by using a Faraday bag or a jamming device, mobile phones can be isolated from the network until the battery drains completely.
• Switching off the device: this method is fine; however, when the phone is switched on again the phone lock or SIM lock can be activated, which can render the phone unusable.
• Airplane mode: when "airplane mode" is activated, it disables all cellular services (GSM, UMTS, LTE) as well as other signal-transmitting technologies such as Wi-Fi and Bluetooth. Wi-Fi and Bluetooth can be enabled separately even while the device is in airplane mode.
MOBILE FORENSIC ACQUISITION TOOLS
There are two categories of forensic acquisition tools:
a) Hardware acquisition tools
b) Software acquisition tools
Acquisition involves:
• Identifying the type of cellular network
• Manufacturer information, seen on the logo, serial number and manufacturing code (IMEI: international mobile equipment identification)
• Phone characteristics such as operating system, wireless access mode, camera, manufacturer applications, internet access methods, messages, etc.
Hardware acquisition tools
• Faraday bag
• SIM card reader (reads SIM and USIM cards)
• USB cable with a mini-USB connection
Software acquisition tools
a. www.MobileForensicsCentral.com: this website provides access to a comprehensive database of phones supported by various software suppliers. A user of the website can enter a phone model and the site will return a detailed report of which software and cables support it, as well as what information can be retrieved from the device with the software.
CellDEK: the CellDEK has been developed in cooperation with the UK's Forensic Science Service. The portable CellDEK acquires data from over 200 of the most popular cell phones and PDAs. Built to perform in the field (not just in the lab), it lets investigators immediately gain access to vital information, saving days of waiting for a report from a crime lab.
Cell Seizure: Cell Seizure allows you to acquire, analyze and report cell phone data for certain models of GSM SIM cards and Nokia, Samsung, Motorola, Sony Ericsson, LG and Siemens cell phones. It can also acquire data from CDMA/TDMA phones. Designed for computer forensic examiners, Cell Seizure offers complete forensic examinations that can be presented in court, with MD5 and SHA-1 hash verification, write protection, HTML reporting and full data dumps on some models.
Mobilyze: Mobilyze is a mobile data triage tool, designed to give users immediate access to data from iOS and Android devices.
Oxygen Phone Manager II (Forensic Version): special software for police departments, law enforcement units and all government services that wish to use the power of Oxygen Phone Manager II for investigation purposes. The forensic edition ensures phone data remains unchanged during extraction and export. Data covered: phonebook, call register, calendar, to-do lists, SMS and MMS messages, logos, tones, profiles, phone dictionary, FM stations, Java games and applications.
Paraben's SIM Card Seizure: SIM Card Seizure includes the software as well as a forensic SIM card reader.
Paraben's PDA Seizure: PDA Seizure is a commercially available forensic software toolkit that allows forensic examiners to acquire and examine information on PDAs for both the Pocket PC (PPC) and Palm OS (HotSync) platforms.
The forensics toolkit: The forensics toolkit gives today's law enforcement agencies the capability to safely and confidently recover digital evidence from GSM SIM and 3G USIM devices.