Forensic Investigation Techniques Michael Jones. Overview Purpose People Processes Michael Jones2Digital Forensic Investigations.

Presentation transcript:

Forensic Investigation Techniques Michael Jones

Overview
- Purpose
- People
- Processes

The (Digital) Forensic Process
- Scene: photographs, Faraday bags
- Store
- Laboratory: imaging (forensically sound copying); analyse file system and analyse files; produce report
- Chain of Custody

Review: Logical and Physical Views
- Logical view
  – As seen via the file manager
- Physical view
  – What is (physically) on the device
- Questions
  – Why might these be different?
  – What is ‘striping’?
  – Is ‘physical’ really physical?

Imaging
- Low (device) level
  – Duplicating the bit sequence
  – Output is a file
  – Multiple copies may be taken
- Verification
  – Applying (hashing) algorithms to device and copy: MD5, SHA1
  – If device and copy hashes match then the copy is forensically sound
- Devices and copies returned to (case) store
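The imaging and verification steps above, as an added example that is not part of the original slides: a plain file stands in for the device, dd makes the bit-level copy, md5sum and sha1sum hash both sides, and the hashes go into a verification record so the image can be re-checked before and after each session. Function names, the record layout and the device path are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example: forensically sound copy of a device (here a plain file
# standing in for /dev/sdX) and hash verification, as outlined on the slide.
# Function names and the record format are hypothetical.

# image_device SRC DEST
# Copy SRC to DEST bit for bit, hash source and copy with MD5 and SHA-1, and
# write a verification record beside the image. Returns 0 only if both hash
# pairs match (the copy is then forensically sound in the slide's sense).
image_device() {
    src=$1; dest=$2
    # No conv=sync/noerror here: padding unreadable blocks would change the
    # hash, and a read error must be visible, not hidden.
    dd if="$src" of="$dest" bs=4096 2>/dev/null || return 2
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    dst_md5=$(md5sum "$dest" | cut -d' ' -f1)
    src_sha1=$(sha1sum "$src" | cut -d' ' -f1)
    dst_sha1=$(sha1sum "$dest" | cut -d' ' -f1)
    {
        echo "date: $(date -u +%Y-%m-%d-%H-%M-%S)"
        echo "source: $src"
        echo "image: $dest"
        echo "md5 source=$src_md5 image=$dst_md5"
        echo "sha1 source=$src_sha1 image=$dst_sha1"
    } > "$dest.verification.txt"
    [ "$src_md5" = "$dst_md5" ] && [ "$src_sha1" = "$dst_sha1" ]
}

# verify_image IMAGE
# Re-hash an existing image and compare with the SHA-1 recorded at imaging
# time. Run this before and after each analysis session.
verify_image() {
    img=$1
    rec="$img.verification.txt"
    [ -f "$rec" ] || return 2
    want=$(sed -n 's/^sha1 .*image=\([0-9a-f]*\)$/\1/p' "$rec")
    have=$(sha1sum "$img" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Demo on constructed data: 256 KiB of random bytes play the part of a device.
work=$(mktemp -d)
head -c 262144 /dev/urandom > "$work/device.bin"
if image_device "$work/device.bin" "$work/device.dd"; then
    echo "image verified:"; cat "$work/device.dd.verification.txt"
fi
printf 'x' >> "$work/device.dd"              # simulate a tampered image
verify_image "$work/device.dd" || echo "image no longer matches its record"
rm -rf "$work"
```

Two hashes are recorded because the slide names both; in practice one collision-resistant hash per side is what the comparison rests on, and the record must itself live in the secure store rather than beside an image anyone can edit.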

Analysing the Image
- Before: apply hashing algorithms
- Processes:
  – Identify file system
  – Scan for known file types
  – Compare with logical view
  – Match logical and physical views and identify deleted files
  – Deeper analysis
- After: apply hashing algorithms

Digital Forensics Triage
- Triage
  – Quick analysis to identify priorities
  – Why?
- Focus on logical view
  – Plus deleted files
- Ideal outcomes of triage

Main Analysis
- That which is actually there
  – File dates and times
  – File and directory (folder) names
  – Metadata
- That which might require interpretation
  – Examples: encoding and encryption; file manipulation (e.g., changing the first byte of a JPEG)

Finding Hidden Files
- In *nix (including OS X) and Windows
  – Hidden files have names starting with ‘.’
- In *nix
  – Files with names ending in ‘~’ are also hidden
- Finding hidden files
  – Via the ‘View’ menu
  – Using the ‘ls -a’ command in the Terminal
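The naming conventions on this slide, enumerated over a whole tree rather than one directory; this is an added example, not part of the original slides. It checks names only (dot prefix, tilde suffix), exactly as the slide describes; function names are my own.

```bash
#!/usr/bin/env bash
# Added example: enumerate entries hidden by naming convention, i.e. names
# starting with '.' and editor backups ending in '~', across a whole tree.
# ls -a shows only one directory; find walks every subdirectory. Function
# names are hypothetical.

# list_hidden DIR
# Prints, one per line and sorted, every entry under DIR that either lies
# inside a dot-named directory (or is one) or has a name ending in '~'.
list_hidden() {
    find "$1" -mindepth 1 \( -path '*/.*' -o -name '*~' \) | LC_ALL=C sort
}

# count_hidden DIR -> number of such entries
count_hidden() {
    list_hidden "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory
work=$(mktemp -d)
mkdir -p "$work/docs/.cache"
: > "$work/docs/report.txt"; : > "$work/docs/report.txt~"
: > "$work/docs/.secret"; : > "$work/docs/.cache/index"
echo "hidden entries under $work/docs:"; list_hidden "$work/docs"
rm -rf "$work"
```

The `-path '*/.*'` test deliberately pulls in the contents of dot-named directories, which `ls -a` in the parent would never show.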

Deeper Analysis
- Can be time consuming
- Secondary data
  – Additional processes needed
- Examples
  – Encoding and encryption
  – Steganography (e.g., Snow)
  – Use of slack space, unused space

Summary
- Rigorous processes need to be followed
  – E.g., ACPO guidelines
- All investigations produce documentation
- All documents and artefacts must be labelled and stored appropriately
- Chain of custody must be unbroken

Conducting a Digital Forensic Investigation

Overview
- Creating the image
  – Copying the device to a file
  – Verifying the copy
- Creating a logical copy
  – Drag and drop
- Carving the image (creating the physical view)
  – E.g., using foremost
- Identifying the deleted files
- Analysing the (logical and physical) files

Assignment 1
- Supplied: a zip file
  – Only the logical view (once extracted)
  – Physical view not included
- File carving not relevant
- Will not be able to identify any deleted files
  – Why might this not be that important?

Organisation of the Secure Store
- Secure
  – Analysis
  – Physical
  – Logical
  – Image

Organising the Analysis
- Identifying the file types
  – Identifying incorrect extensions
- Processing order options:
  – By directory/folder
  – By file type
  – By file name
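Identifying incorrect extensions, and the "changed first byte of a JPEG" case from the Main Analysis slide, as an added example that is not part of the original slides: the first bytes of each file are read with od and compared against a short table of header signatures, then against the file's extension. The signature table, the verdict words and the function names are my own; the 'bin'/'dat' exclusion follows the assignment note.

```bash
#!/usr/bin/env bash
# Added example: compare each file's extension with its header signature to
# find incorrectly named files. od reads the leading bytes, so no external
# 'file' utility is needed. The signature table is deliberately short;
# function names are hypothetical.

# signature_type FILE -> jpg | png | gif | pdf | zip | unknown
# Decides from the first 8 bytes. Text formats have no fixed signature and
# therefore come back as unknown.
signature_type() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $hex in
        ffd8ff*)           echo jpg ;;
        89504e470d0a1a0a*) echo png ;;
        474946383[79]61*)  echo gif ;;
        25504446*)         echo pdf ;;
        504b0304*)         echo zip ;;
        *)                 echo unknown ;;
    esac
}

# extension_of FILE -> lowercase extension, or empty if there is none
extension_of() {
    name=${1##*/}
    case $name in
        *.*) printf '%s\n' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo "" ;;
    esac
}

# check_extension FILE
# Prints FILE, extension, signature and a verdict, tab separated. Verdicts:
# ok (they agree), mismatch (they disagree: a candidate for the
# 'extensions' sheet), unknown (signature not in the table), ignored
# ('bin' and 'dat', per the assignment note).
check_extension() {
    f=$1
    ext=$(extension_of "$f")
    sig=$(signature_type "$f")
    case $ext in jpeg) ext=jpg ;; esac        # common alias
    case $ext in
        bin|dat) verdict=ignored ;;
        *)  if [ "$sig" = unknown ]; then verdict=unknown
            elif [ "$sig" = "$ext" ]; then verdict=ok
            else verdict=mismatch
            fi ;;
    esac
    printf '%s\t%s\t%s\t%s\n' "$f" "$ext" "$sig" "$verdict"
}

# verdict_for FILE -> just the verdict word
verdict_for() { check_extension "$1" | cut -f4; }

# scan_mismatches DIR -> check_extension lines for mismatching files only
scan_mismatches() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        check_extension "$f"
    done | awk -F'\t' '$4 == "mismatch"'
}

# Demo on constructed files (octal escapes keep printf portable)
work=$(mktemp -d)
printf '\377\330\377\340\000\020JFIF' > "$work/photo.jpg"     # real JPEG header
printf '\211PNG\r\n\032\n' > "$work/holiday.jpg"              # PNG renamed .jpg
printf '\000\330\377\340\000\020JFIF' > "$work/broken.jpg"    # first byte altered
for f in "$work"/*; do check_extension "$f"; done
rm -rf "$work"
```

A file whose header has been altered comes back as unknown rather than mismatch, which is why the unknown verdicts deserve a second look rather than being dropped from the sheet.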

Conducting the Analysis
- At least 4 windows involved
  – View of logical files
  – View of physical files
  – Command (terminal) window
  – Web browser
- Command window located at secure store
  – All commands executed from there

Documenting the Analysis
- Need to document:
  – Process (e.g., finding comments in HTML)
  – Source (i.e., the file)
  – Result
  – Date and time
  – Investigator
- What if nothing was found?

Documenting a Process
- ‘Finding comments in HTML documents’
  – Can be ambiguous
- Need to specify exact actions:
  – E.g., ‘open with text editor and search for ‘<!--’ using the Edit/Find menu entry’
- These should be included in an appendix to the report

Example Command

    exiftool Logical/* > Analysis/exiftool_YYYY-MM-DD-HH-MM-SS.txt

- This will find the metadata of all files in the Logical directory and put them in a file in the Analysis directory
- Replace ‘YYYY-MM-DD-HH-MM-SS’ with the current date and time
- Repeat the command for all subdirectories

Repeating Commands
- Two main techniques:
  – Manual
    - Using the up arrow to access previous commands
    - Manually edit the commands to apply to another file
    - OK for small datasets
  – Programmatic
    - Create a program (or shell script) to iterate through a set of files
    - Needed for large datasets
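The programmatic technique from this slide combined with the documentation requirements of the two preceding ones (process, source, result, date and time, investigator), as an added example that is not part of the original slides: one function runs a chosen tool over every file under Logical, subdirectories included, writes the output to Analysis with the slide's timestamp format, and appends an audit record; a second function is the unambiguous form of "finding comments in HTML documents". The store layout (Logical/, Analysis/) follows the slides; the log format, function names and the investigator placeholder are my own. The demo uses wc instead of exiftool so it runs anywhere.

```bash
#!/usr/bin/env bash
# Added example: run one tool over every file in the Logical directory,
# subdirectories included, store the output under Analysis with the slide's
# timestamp format, and append an audit record (date/time, investigator,
# process, source, result) so every run is documented even when it finds
# nothing. Store layout follows the slides; function names and the
# investigator placeholder are hypothetical.

INVESTIGATOR=${INVESTIGATOR:-"A. N. Investigator (placeholder)"}

# log_record ANALYSIS_DIR PROCESS SOURCE [RESULT]
# Appends one tab-separated record to ANALYSIS_DIR/analysis_log.tsv, creating
# the header line on first use. A process that found nothing is still
# recorded, with result "none".
log_record() {
    log="$1/analysis_log.tsv"
    mkdir -p "$1"
    [ -f "$log" ] || printf 'datetime\tinvestigator\tprocess\tsource\tresult\n' > "$log"
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date +%Y-%m-%d-%H-%M-%S)" \
        "$INVESTIGATOR" "$2" "$3" "${4:-none}" >> "$log"
}

# run_over_logical LOGICAL_DIR ANALYSIS_DIR TOOL [ARGS...]
# Equivalent of the slide's "exiftool Logical/* > Analysis/exiftool_<stamp>.txt",
# but recursive, so "repeat for all subdirectories" is done in one pass. Each
# file's output is preceded by a header line naming the source file.
# Prints the path of the output file.
run_over_logical() {
    logical=$1; analysis=$2; shift 2
    tool_name=${1##*/}
    stamp=$(date +%Y-%m-%d-%H-%M-%S)
    out="$analysis/${tool_name}_$stamp.txt"
    mkdir -p "$analysis"
    find "$logical" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '======== %s\n' "$f"
        "$@" "$f" 2>&1
    done > "$out"
    nfiles=$(grep -c '^======== ' "$out" || true)
    log_record "$analysis" "$* over every file (recursive)" "$logical" "$out ($nfiles files)"
    printf '%s\n' "$out"
}

# find_html_comments LOGICAL_DIR ANALYSIS_DIR
# The unambiguous form of "finding comments in HTML documents": grep every
# .html/.htm file for '<!--' with file name and line number, and record the
# exact command as the process. Prints the number of matching lines.
find_html_comments() {
    logical=$1; analysis=$2
    stamp=$(date +%Y-%m-%d-%H-%M-%S)
    out="$analysis/html_comments_$stamp.txt"
    mkdir -p "$analysis"
    find "$logical" -type f \( -name '*.html' -o -name '*.htm' \) \
        -exec grep -Hn -- '<!--' {} + > "$out" 2>/dev/null || true
    hits=$(wc -l < "$out" | tr -d ' ')
    if [ "$hits" -eq 0 ]; then result=none; else result="$out ($hits lines)"; fi
    log_record "$analysis" "find -name '*.html' -exec grep -Hn '<!--'" "$logical" "$result"
    printf '%s\n' "$hits"
}

# Demo on a constructed store
work=$(mktemp -d)
mkdir -p "$work/Logical/site"
printf 'plain text\n' > "$work/Logical/notes.txt"
printf '<html><!-- draft: remove before publishing --><body/></html>\n' > "$work/Logical/site/index.html"
run_over_logical "$work/Logical" "$work/Analysis" wc -c
find_html_comments "$work/Logical" "$work/Analysis"
cat "$work/Analysis/analysis_log.tsv"
rm -rf "$work"
```

Run from the secure store (`run_over_logical Logical Analysis exiftool`), the log answers the slide's "what if nothing was found?" question: the run is still recorded, with the result field reading none.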

Recording Data
- Potentially interesting data is recorded
  – Via the ‘evidence summary’ spreadsheet
- Do NOT change the column headings
- In FC assignments:
  – Each piece of data has 2 elements:
    - Attribute (e.g., First Name 1 of 4)
    - Value (e.g., Fred)
- Care when inserting data
  – Make sure all cells are of type ‘text’

Assignment 1 Tasks
- Retrieve ‘interesting’ data
  – Record on ‘data’ sheet
- Identify pictures (people, buildings, cars, etc.)
  – Record on ‘images’ sheet
- Identify sounds
  – Record on ‘sounds’ sheet
- Identify files with incorrect extensions
  – Record on ‘extensions’ sheet
- Note: ignore ‘bin’ and ‘dat’ extensions

Assignment Submission
- 2 files
  – Evidence summary spreadsheet (XLSX: must be readable by Excel 2007 onwards)
  – Technical report (PDF)
- Report structure
  – Numbered headings and subheadings
  – Hyperlinked table of contents
  – Processes and findings

Verifying the Analysis
- Issue: how can we know if the analysis has been tampered with
  – Or the image, logical, or physical elements?
- Solution: hashing
  – But keeping the hashes elsewhere
- But: cannot hash a directory
  – So zip the directory then hash the zip file
  – Use an ‘archive’ directory
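Sealing a store directory and checking it at the start and end of a session (the "before/after hashing" of the Analysing the Image slide and the check-and-verify step of the closing summary), as an added example that is not part of the original slides. The slide's method is to zip the directory and hash the zip; this example swaps in a sorted manifest of per-file SHA-1 hashes and hashes that, which gives the same single fingerprint for the tree but can be rechecked without re-archiving and points at the file that changed. The manifest is kept in a separate archive directory as the slide advises. Function names are my own.

```bash
#!/usr/bin/env bash
# Added example: seal a directory of the secure store and verify it later.
# A directory cannot be hashed directly; the slide zips it and hashes the zip.
# Here a sorted manifest of per-file SHA-1 hashes is hashed instead: the result
# is equally a single fingerprint of the tree, but it can be rechecked without
# re-archiving and shows which file changed. Manifests live in a separate
# archive directory, as the slide advises. Function names are hypothetical.

# tree_manifest DIR -> "sha1  ./relative/path" per regular file, sorted
# Paths are relative so the manifest does not depend on the mount point.
tree_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha1sum "$f"
    done)
}

# seal_directory DIR ARCHIVE_DIR
# Writes ARCHIVE_DIR/<name>_<stamp>.manifest and its .sha1, prints the
# manifest hash (the fingerprint to record in the case notes).
seal_directory() {
    dir=$1; archive=$2
    mkdir -p "$archive"
    stamp=$(date +%Y-%m-%d-%H-%M-%S)
    manifest="$archive/$(basename "$dir")_$stamp.manifest"
    tree_manifest "$dir" > "$manifest"
    sha1sum "$manifest" | cut -d' ' -f1 | tee "$manifest.sha1"
}

# verify_directory DIR MANIFEST
# Returns 0 if DIR still matches MANIFEST. Otherwise prints the per-file
# lines that differ (old and new) and returns 1; returns 2 if the manifest
# itself no longer matches its recorded hash.
verify_directory() {
    dir=$1; manifest=$2
    [ "$(sha1sum "$manifest" | cut -d' ' -f1)" = "$(cat "$manifest.sha1")" ] || return 2
    current=$(tree_manifest "$dir")
    [ "$current" = "$(cat "$manifest")" ] && return 0
    echo "changed since sealing (lines present in only one version):"
    { cat "$manifest"; printf '%s\n' "$current"; } | LC_ALL=C sort | uniq -u
    return 1
}

# Demo: seal a constructed Analysis directory, then alter a file and re-verify
work=$(mktemp -d)
mkdir -p "$work/Secure/Analysis" "$work/archive"
printf 'finding 1\n' > "$work/Secure/Analysis/notes.txt"
echo "fingerprint: $(seal_directory "$work/Secure/Analysis" "$work/archive")"
m=$(ls "$work/archive"/*.manifest)
verify_directory "$work/Secure/Analysis" "$m" && echo "start of session: intact"
printf 'edited\n' >> "$work/Secure/Analysis/notes.txt"
verify_directory "$work/Secure/Analysis" "$m" || echo "end of session: changed"
rm -rf "$work"
```

The manifest hash is what goes into the case notes; if the archive directory lives on the same writable volume as the store, the record is only as trustworthy as that volume, which is the point of the slide's "keep the hashes elsewhere".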

Forensic Soundness
- Some tools may have to be shown to be forensically sound
  – E.g., websites used to decode base64
- All tests should be documented and kept in the secure store
  – Make sure the dates of the tests are included
  – Separate directory for each tool

Summary
- When conducting an investigation
  – Use a PLAN
    - Step-by-step guide
  – Follow the plan
    - And document each stage
  – Question the plan
    - Is it complete, appropriate?
  – Check and verify
    - At the start and end of each session (at least)