digital forensics related to windows.pdf

muhammadosama0121 24 views 35 slides Jun 09, 2024


Slide Content

Digital Forensics
Introduction
Anum Hasan

Lec2

Lecture Outline
•Data Abstraction
•Forensic Process
•Use of Forensic Analysis

Data Abstraction Layers
When instructed to search for evidence related to a murder on a computer, an
inexperienced examiner might search at the file-system (logical) level for files
with a .GIF or .JPG extension.
This approach will fail to uncover all the available evidence. It is a simple
matter to change a file extension from .JPG to .DOC, or to conceal images in some
other manner, thus foiling a search based exclusively on this characteristic.
The extension is only a label at the logical layer; the file's header bytes (its
signature) sit a layer below and survive a rename, and image data in unallocated
space has no name or extension at all.
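The check an examiner makes one layer down is to compare the extension with the file's signature (its first bytes) rather than trusting the name. The following script is an added example, not code from the lecture; the signature table, the extension mapping and the sample "files" (header bytes only, held in memory) are all constructed for illustration and cover only a handful of common types.

```python
"""Signature (magic-byte) typing versus trusting the file extension."""
from pathlib import PurePosixPath

# Leading-byte signatures for a few common types (constructed, not exhaustive).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also .docx/.xlsx/.pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt
]

# What each extension claims the content to be.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole", ".xls": "ole",
}

def identify_by_signature(data):
    """Type the content from its leading bytes, or None if no known signature matches."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None

def expected_type(name):
    """Type the extension claims, or None if we have no rule for it."""
    return EXTENSION_TYPES.get(PurePosixPath(name).suffix.lower())

def classify(name, data):
    actual = identify_by_signature(data)
    claimed = expected_type(name)
    if actual is None:
        verdict = "unknown-signature"      # e.g. plain text; needs content inspection
    elif claimed is None:
        verdict = "no-extension-rule"
    elif actual == claimed:
        verdict = "consistent"
    else:
        verdict = "mismatch"               # renamed file: the case the slide warns about
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}

def find_mismatches(files):
    """Return only the entries whose content contradicts their extension."""
    return [r for r in (classify(n, d) for n, d in files.items()) if r["verdict"] == "mismatch"]

# Constructed sample "files": enough header bytes for signature matching, nothing more.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "notes.doc":   b"\xff\xd8\xff\xe1\x12\x00Exif\x00\x00" + b"\x00" * 16,  # JPEG renamed to .doc
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 16,
    "archive.zip": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",                          # PDF renamed to .zip
    "readme.txt":  b"plain text, no magic number",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(classify(name, data))
```

A rename hides a JPEG from an extension search but not from this check; a file with no recognised signature still has to be examined by other means, and data in unallocated space is reached by carving, which this script does not do.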

Evidence Dynamics
•Evidence dynamics is any influence that changes, relocates or obscures
the evidence, regardless of intent, between the time the evidence is
transferred and the time the case is decided/closed.
•For example:
•Forensic examiner (may accidentally tamper with evidence through lack of
knowledge)
•Offender covering behaviour (deleted files)
•Victim actions (deleting data to avoid embarrassment)
•Nature/weather
•Decomposition (degradation over time, e.g. the coating of magnetic tape)
•Witnesses: a system administrator deletes suspicious accounts, hoping to
lock the intruder out

Comparison & Identity of Source
•Compare items to determine whether they come from the same source,
e.g. the "footprints" a camera leaves in its images.
•E-mails from the same source:
•Were the ransom e-mails sent from the suspect's computer?
•Identifying the printer from the printouts:
•Which printer was used to leak the documents?
•Items are compared characteristic by characteristic to eventually
conclude that they are sufficiently similar or dissimilar.

Comparison & Identity of Source
•Evidence can be related to its source in the following ways (not
mutually exclusive):
•Production: physical properties of the PC/camera embedded in the
digital evidence; e-mail headers
•Segment: parts of the whole are scattered; the goal is to link a
fragment to its source.
•Alteration: a process or an agent alters the evidence, leaving a tool
mark, but the link to the tool still has to be proven.
•When an intruder exploits a vulnerability in an application or
operating system, the exploit program leaves impressions on the
altered system.
•Location: a point in space from where the evidence originated, e.g. IP
addresses, GPS information

Crime Reconstruction
•Crime reconstruction is the process that helps to gain a complete
understanding of a crime using the available evidence.
•Every crime is different, which makes it difficult to standardize
operating procedures.
•Forensic science/crime reconstruction gives us a methodical approach to
organizing and analyzing large amounts of data.
•Evidence is used to:
•Sequence events
•Determine location
•Establish directions
•Establish actions, etc.

Crime Reconstruction
•For crime reconstruction we use:
•Relational analysis
•Functional analysis
•Temporal analysis
•For example, in a murder investigation we try to determine how, when
and where the victim was killed, and who the victim contacted before
death.

Crime Reconstruction
•Relational Analysis
•Geographic information about people and computers, as well as the
communications/transactions that occurred between them, e.g. a diagram
of which computers connected to the victim's system.
•Functional Analysis
•How a system/application works and how it was configured at the time
of the crime, e.g. a compromised web server was configured to serve
only a few users/IP addresses.
•Temporal Analysis
•Helps to create a timeline and to uncover other sources of evidence,
e.g. how and when the victim was killed, where the victim was, and who
the victim had contact with prior to the time of death.
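Temporal analysis in practice means merging timestamps that were recorded in different formats, different time zones and by clocks that do not agree. The script below is an added example, not material from the lecture; the web, host and chat records are constructed, and the host's time zone (UTC-5) and its measured 90-second clock skew are assumptions that stand in for what an examiner would establish by comparing the host clock against a reference at acquisition.

```python
"""Temporal analysis: merge heterogeneous timestamps into one UTC-ordered timeline."""
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample records (not real case data) ------------------------------
WEB_LOG = [  # combined-log style; the record carries its own UTC offset
    '203.0.113.9 - - [12/Mar/2024:14:03:07 +0000] "GET /admin HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2024:14:03:21 +0000] "POST /admin/upload HTTP/1.1" 201 88',
]
HOST_LOG = [  # exported host events in local time with no offset in the record
    "2024-03-12 09:02:40,Security,4624,Interactive logon jsmith",
    "2024-03-12 09:04:05,Security,4688,New process cmd.exe",
]
HOST_TZ = timezone(timedelta(hours=-5))     # assumption: host kept UTC-5 local time
HOST_CLOCK_SKEW = timedelta(seconds=90)     # assumption: host clock measured 90 s fast vs. reference
CHAT_LOG = [  # ISO 8601 with a trailing Z
    "2024-03-12T14:02:55Z alice: are you in yet?",
    "2024-03-12T14:03:30Z bob: done, file is up",
]

CLF_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def parse_web(line):
    """Web log: offset is explicit, so convert straight to UTC."""
    ts = datetime.strptime(CLF_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), "web", line.split('"')[1]

def parse_host(line, tz=HOST_TZ, skew=HOST_CLOCK_SKEW):
    """Host log: attach the local zone, then remove the measured skew."""
    stamp, _, event_id, msg = line.split(",", 3)
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    # A fast clock records events later than they happened, so subtract the skew.
    return local.astimezone(timezone.utc) - skew, "host", f"{event_id} {msg}"

def parse_chat(line):
    stamp, msg = line.split(" ", 1)
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc), "chat", msg

def build_timeline():
    """Normalise every source to UTC and sort into one sequence of events."""
    events = [parse_web(l) for l in WEB_LOG]
    events += [parse_host(l) for l in HOST_LOG]
    events += [parse_chat(l) for l in CHAT_LOG]
    events.sort(key=lambda e: e[0])
    return [{"utc": t.isoformat(), "source": s, "event": e} for t, s, e in events]

if __name__ == "__main__":
    for row in build_timeline():
        print(row["utc"], row["source"].ljust(4), row["event"])
```

Without the zone and skew corrections the host's 09:04:05 process start would sort after the web upload it preceded; with them, the logon, the process start, the chat and the web requests fall into an order that can be compared against statements.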

Network and the Internet
•Challenges in preserving the integrity and authenticity of digital
evidence in network forensics:
•Obtaining all the evidence (practical and jurisdictional problems)
•Data on the network is changed or deleted quickly
•Heterogeneous networks
•Vast amounts of data
•Anonymity over the Internet
•Encryption
•Anti-forensic expertise
•Identifying activity on a computer or network
•Multiple crimes associated with the same network

NIST Performing Forensic Process
•The NIST process (SP 800-86) has four phases: collection, examination,
analysis and reporting.
•Collection: identify potential sources of data and acquire data from
them; label and record what was acquired, while preserving its integrity.
•Examination: forensic tools and techniques appropriate to the types of
data are used to identify and extract the relevant information from the
collected data while protecting its integrity. Examination may use a
combination of automated tools and manual processes.

NIST Performing Forensic Process
•Analysis: derive useful information that addresses the questions that
were the impetus for performing the collection and examination.
•Reporting: present the results of the analysis, which may include
describing the actions performed.

Forensic Process
•Extended Abstract Digital Forensics Model with Preservation and
Protection as Umbrella Principles (figure)

Introduction-Recap
•The forensic analysis process involves taking factual observations from
the available evidence
•Procedures and protocols are just guidelines
•Importance of forensic analysis to reconstruct the crime:
•Evaluating the source of digital objects
•Developing a timeline
•Performing functional analysis
•Performing relational analysis
•Identifying other potential sources of evidence (cyclic)
•Concluding
•Proper forensic analysis can help to:
•Apprehend offenders (arrest)
•Gain insight into intent
•Assess alibis and statements (an alibi being a claim to have been
elsewhere)
•Authenticate documents
•Corroborate/support evidence

Applying Scientific Method
1. Gather information and make observations
•Referred to as the forensic examination
•It involves:
•Verifying the integrity and authenticity of the digital evidence
•Surveying all the evidence to determine how to proceed most effectively
•Preprocessing to recover deleted data
•Handling special files
•Filtering out irrelevant data
•Extracting embedded metadata
•Performing keyword searches
•Reviewing system configuration and usage
•It can also be augmented with interviews, witness statements and other
intelligence.
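Both the NIST collection step above ("preserving its integrity") and the first item of this step ("verifying the integrity and authenticity of the digital evidence") rest on the same mechanism: hash the acquired data once, record the digest with who, when and what tool, and re-hash before every examination. The script below is an added example, not code from the lecture; the "disk image" is 3 MiB of constructed bytes, and the examiner and tool names are placeholders. MD5 is computed only because many tool reports still list it; SHA-256 is the value to rely on.

```python
"""Collection-step integrity: hash at acquisition, log who/when/how, re-verify before analysis."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB pieces so a multi-GB image is never loaded whole

def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Single pass over a file-like object, returning {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while chunk := fobj.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_acquisition(log, item_id, fobj, examiner, tool):
    """Append the acquisition entry to the chain-of-custody log and return it."""
    entry = {
        "item": item_id,
        "action": "acquired",
        "examiner": examiner,
        "tool": tool,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_stream(fobj),
    }
    log.append(entry)
    return entry

def verify_item(log, item_id, fobj):
    """Re-hash the evidence copy, compare with the acquisition hashes, log the outcome."""
    baseline = next(e for e in log if e["item"] == item_id and e["action"] == "acquired")
    current = hash_stream(fobj, tuple(baseline["hashes"]))
    match = current == baseline["hashes"]
    log.append({"item": item_id, "action": "verified", "match": match,
                "utc": datetime.now(timezone.utc).isoformat(timespec="seconds")})
    return match

# Constructed "disk image": 3 MiB of deterministic bytes (not a real acquisition).
IMAGE = bytes(range(256)) * (3 * 4096)

def demo():
    log = []
    record_acquisition(log, "ITEM-001", io.BytesIO(IMAGE), "A. Examiner", "imager v1 (hypothetical)")
    clean_ok = verify_item(log, "ITEM-001", io.BytesIO(IMAGE))
    altered = bytearray(IMAGE)
    altered[1_000_000] ^= 0x01                 # evidence dynamics: one bit changed after acquisition
    altered_ok = verify_item(log, "ITEM-001", io.BytesIO(bytes(altered)))
    return clean_ok, altered_ok, log

if __name__ == "__main__":
    clean_ok, altered_ok, log = demo()
    print(json.dumps(log, indent=2))
    print("untouched copy verifies:", clean_ok, "| altered copy verifies:", altered_ok)
```

The log itself is part of the evidence: the acquisition entry is what a court compares a later hash against, so it should be written to media the examiner cannot silently rewrite.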

Applying Scientific Method
2. Form hypotheses to explain the observations
•A hypothesis should not be influenced by the investigator's bias, but
should be based on the observed facts.
•We must develop possible explanations for what we are seeing in the
digital evidence.
•Keep the hypothesis grounded in the evidence rather than in the
analyst's assumptions carried over from prior cases.
•Sometimes it is impossible to establish everything, so the scope is
reduced to questions such as: was it possible to perform a given action
using the subject computer, and if so, what evidence of this action is
left behind on the system?
•For example:
–H1: The laptop was used to search for different types of explosive
material and map locations.
–H2: The laptop was used for attack-planning communication with other
group members.

Applying Scientific Method
3. Evaluate the hypothesis
•Because the hypothesis is based on observations, predictions flow
naturally from it:
•If the hypothesis is true, we can expect to find "X" in the evidence.
•If the hypothesis is false, we would expect to find "Y".
•The success of forensic analysis depends on how thoroughly the
hypothesis is attacked.
•Alternative explanations should also be considered in an attempt to
disprove the hypothesis (negative hypothesis testing).
•If experiments and observations do not support the initial hypothesis,
revise it and perform further tests.

Applying Scientific Method
4. Draw conclusions and communicate findings
•After forming likely explanations of the events, communicate the
conclusions to the decision makers.
•Repeat the forensic analysis until proper conclusions can be made.
•Document every action and result.
•Every opinion carries uncertainty because of the limited amount of
information, so convey the confidence you have in your conclusion on a
certainty scale:
(1) almost definitely, (2) most probably, (3) probably, (4) very possibly,
and (5) possibly.

Tool Validation
•The most critical element of analysis is the forensic analyst's
knowledge of the capabilities, limitations and restrictions of the tool.
•Each case is different, so there is no standard approach to tool
validation.
•Validate basic functionality on a known data set:
•The NIST Computer Forensics Tool Testing (CFTT) program tests the major
tools.
•Digital Forensic Tool Testing Images Project (http://dftt.sourceforge.net/)
•Computer Forensic Reference Data Sets (CFReDS)
•A "trust but verify" approach is better: work with multiple tools and
cross-validate their output.
•Just as no single book covers every concept of C programming, no single
tool covers everything in forensics.

Uses of Digital Forensics Analysis
•Forensic analysis of digital evidence can play a significant role in a
wide range of cases: it can lead to the culprit or help further the
investigation.
•Attribution
•Forensic analysis can help identify and apprehend offenders.
•It can establish links between people and their online activities.
•Attribution is not easy: logs can take us to the computer, but not to
the person at the keyboard.
•However, when combined with traditional investigative techniques,
digital evidence can provide the necessary clues to track down
criminals.

Use of Digital Forensics Analysis
•Attribution
•The following investigative steps can help attribution around a
specific time frame:
•Personal communication
•Access to an online banking site using soft/hard tokens
•Credit card purchases
•Key-card access logs
•CCTV footage
•Digital evidence combined with traditional investigative techniques
(surveillance)
•** Case example: a letter with a map pointing to the location of a dead
body

Use of Digital Forensics Analysis
•Assessing Alibis and Statements
•Offenders and victims can mislead, intentionally or unintentionally.
•Cross-referencing statements with the digital footprints of user
activity can help support or refute them.
•** A murder suspect claimed he was not in town, but e-mails sent and
received from his computer proved him wrong.
•** A phone registered to a specific tower on the route to Burwell.
•Investigators should not rely on one piece of digital evidence when
examining an alibi; they should look for an associated cybertrail:
•Clocks can be changed, e-mail headers can be falsified, IP addresses
can be concealed, and the GSM/CDMA location of a mobile phone is not
exact.
•A phone/computer can be used by multiple individuals.

Use of Digital Forensics Analysis
•Determining Intent
•Behaviour in public vs. behaviour in private
•Behavioural digital archives
•Digital evidence can reveal innermost thoughts at a particular time,
e.g. an offender's diary or planning.

Use of Digital Forensics Analysis
•Determining Intent
•Neil Entwistle googled "how to kill with a knife"
•William Guthrie googled "household accidents" and "bathtub accidents"
•Robert Durall googled "kill + spouse", "accidental + deaths",
"smothering" and "murder"
•A tampered clock indicates intent to mislead
•Disk wiping, encryption, data destruction or hiding

Use of Digital Forensics Analysis
•Evaluation of the Source
•The forensic analyst is required to answer where a specific piece of
digital evidence originated:
•Produced by source X
•A segment of source X
•Altered by source X
•A point X in space
•MS Office embedded data holds information about the printer, folder
location, names of authors and timestamps.
•The origin of an e-mail message is determined using the IP addresses
in its headers.
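Determining an e-mail's origin from IP addresses means walking the Received chain from the newest header (added by the recipient's own server) back to the oldest, and remembering that only headers written by servers you control are reliable; everything beneath the first foreign hop may have been forged by the sender, which is the "e-mail headers can be falsified" caveat from the alibi slide. The script below is an added example, not code from the lecture; the message, its hosts and its RFC 5737 documentation addresses are constructed, and the trusted-server set is an assumption about which mail server the investigator operates.

```python
"""Tracing an e-mail's origin through its Received chain, and marking which hops can be trusted."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed headers (RFC 5737 documentation addresses); not a real message.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
    by mail.victim.example (Postfix) with ESMTPS id 1A2B3C
    for <ceo@victim.example>; Tue, 12 Mar 2024 14:05:31 +0000
Received: from relay.example.org (relay.example.org [192.0.2.44])
    by mx2.example.net with ESMTP id X9Y8Z7; Tue, 12 Mar 2024 14:05:29 +0000
Received: from [10.0.0.23] (unknown [203.0.113.77])
    by relay.example.org (Postfix) with ESMTPSA id Q1W2E3;
    Tue, 12 Mar 2024 14:05:27 +0000
Message-ID: <q1w2e3@relay.example.org>
From: "A Friend" <anon@example.org>
To: ceo@victim.example
Subject: payment instructions
Date: Tue, 12 Mar 2024 14:05:20 +0000

Wire the money by Friday.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for private (NAT-side) addresses, which cannot be the public origin."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def parse_hops(raw):
    """Return the Received hops in sending order (oldest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())                  # unfold continuation lines
        m = HOP_RE.search(flat)
        ips = IP_RE.findall(m.group(1))
        hops.append({
            "claimed": m.group(1).split()[0].strip("[]"),  # name/IP the client announced (HELO)
            "observed_ip": ips[-1] if ips else None,       # address the receiving server saw
            "by": m.group(2),
            "time": parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()),
        })
    hops.reverse()                                    # servers prepend; top header is newest
    return hops

def annotate(hops, trusted_receivers):
    """Trust hops written by servers we control; below the first foreign hop, anything may be forged."""
    out = []
    trusted = True
    for hop in reversed(hops):                        # walk newest -> oldest
        hop = dict(hop)
        trusted = trusted and hop["by"] in trusted_receivers
        hop["trusted"] = trusted
        hop["claimed_is_private"] = is_rfc1918(hop["claimed"])
        out.append(hop)
    out.reverse()
    return out

def apparent_origin(raw, trusted_receivers):
    """Earliest observed address, with a flag saying whether that hop can be relied upon."""
    first = annotate(parse_hops(raw), trusted_receivers)[0]
    return {"ip": first["observed_ip"], "time": first["time"], "trusted": first["trusted"]}

if __name__ == "__main__":
    for hop in annotate(parse_hops(RAW_MESSAGE), {"mail.victim.example"}):
        print(f"{hop['time'].isoformat()} {str(hop['observed_ip']):>15} -> {hop['by']:<22} "
              f"claimed={hop['claimed']} trusted={hop['trusted']}")
    print("apparent origin:", apparent_origin(RAW_MESSAGE, {"mail.victim.example"}))
```

Here the apparent origin is 203.0.113.77 behind a NAT (the client announced the private 10.0.0.23), but that hop was written by relay.example.org, not by the investigator's server, so it is a lead to be corroborated with the relay operator's logs rather than a fact.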

Use of Digital Forensics Analysis
•Evaluation of the Source
•Can a photo be tied to its source, i.e. a particular camera, location
and person?
•Class characteristics, e.g. make and model of the camera
•Individual characteristics, e.g. a scratch on the lens
•A monument in the picture
•Geolocation data
•The face of the photographer

Use of Digital Forensics Analysis
•Digital Document Authentication
•Information about the author and the date of a document can be
significant.
•A simple change to the clock time can make it difficult to ascertain
who produced a document and when.
•Compare the timestamps in the document with those in log files.
•Use embedded metadata timestamps, e.g. last-printed time.
•A newer file overwritten by an older file indicates staging.
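The embedded-metadata and timestamp checks from the two preceding slides (author, last-printed time, a clock change, a file whose embedded times do not fit its file-system times) can be run directly against an Office document's core properties. The script below is an added example, not code from the lecture; it builds three minimal .docx containers in memory (only the docProps/core.xml part, which is all the check reads), and the file-system modification time it compares against is a constructed value standing in for the NTFS mtime an examiner would take from the image. The findings are indicators to pursue, not proof of tampering.

```python
"""Document authentication: read embedded Office metadata and cross-check its timestamps."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def read_core_properties(docx_bytes):
    """Pull author, last editor, revision and the three timestamps from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    def stamp(path):
        t = text(path)
        return datetime.fromisoformat(t.replace("Z", "+00:00")) if t else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": stamp("dcterms:created"),
        "modified": stamp("dcterms:modified"),
        "last_printed": stamp("cp:lastPrinted"),
    }

def timestamp_findings(meta, fs_mtime):
    """Indicators (not proof) that the clock was changed or the file was staged."""
    findings = []
    c, m, p = meta["created"], meta["modified"], meta["last_printed"]
    if c and m and m < c:
        findings.append("embedded modified precedes created: clock set back or metadata edited")
    if c and p and p < c:
        findings.append("lastPrinted precedes created: printed before the document existed")
    if m and fs_mtime < m:
        findings.append("file-system mtime precedes embedded modified: file staged or copied with altered timestamps")
    return findings

# Constructed minimal core-properties part; a real .docx has many more entries.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{editor}</cp:lastModifiedBy>'
    '<cp:revision>{revision}</cp:revision>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '<cp:lastPrinted>{printed}</cp:lastPrinted>'
    '</cp:coreProperties>'
)

def build_docx(creator, editor, revision, created, modified, printed):
    """Write a zip containing just docProps/core.xml with the given values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML.format(
            **NS, creator=creator, editor=editor, revision=revision,
            created=created, modified=modified, printed=printed))
    return buf.getvalue()

def demo():
    fs_mtime = datetime(2024, 3, 5, 17, 31, tzinfo=timezone.utc)   # constructed NTFS mtime
    honest = build_docx("j.doe", "j.doe", "3",
                        "2024-03-01T09:00:00Z", "2024-03-05T17:30:00Z", "2024-03-05T17:00:00Z")
    backdated = build_docx("j.doe", "admin", "12",
                           "2023-01-10T08:00:00Z", "2022-12-20T10:00:00Z", "2023-01-09T16:00:00Z")
    staged = build_docx("j.doe", "j.doe", "2",
                        "2024-02-01T09:00:00Z", "2024-04-01T10:00:00Z", "2024-02-01T10:00:00Z")
    return tuple(timestamp_findings(read_core_properties(d), fs_mtime)
                 for d in (honest, backdated, staged))

if __name__ == "__main__":
    for label, findings in zip(("honest", "backdated", "staged"), demo()):
        print(label, "->", findings or ["no timestamp anomalies"])
```

The same comparison extends to the log-file side mentioned on the slide: the embedded last-printed time should have a matching print-spooler event, and the creator and last-modified-by names should match the account that was logged on at those times.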