Tech Academy Highline College August 20, 2015 Cybersecurity Steve Simpson S2 Forensics.

Introduction: Steve Simpson CCE, CISSP, CSFA, PMP
– Information Security Professional, Computer Engineer, entrepreneur, educator; 35+ years high tech experience: Computer Engineer, Product Development, 3rd party Design and Manufacturing, Network Architecture, Software development, Cyber Forensics, Industry Compliance
– Education: BS Electronic Engineering, MS Systems Engineering, Digital Forensics Certificate
– Director of Technology / Senior Analyst, S2 Forensics
– Develop and teach courses, BAS Cyber Security and Forensics, Highline College: Network Forensics, Mobile Forensics, Mobile Security, Network Scripting
3/5/2015 S2 Forensics

Cybersecurity
Defense of data or information in transit, in use, or in storage
3 pillars of data, or “cyber”, security:
– Confidentiality
– Integrity
– Availability
Often referred to as the “CIA Triangle”

Confidentiality
– Keeping data secret
– Read protection
– Military very concerned with confidentiality
Integrity
– Keeping data from being changed
– Write protection
– Financial institutions very concerned with integrity
Availability
– Maintaining services and functionality of resources
– ISPs and service providers concerned with availability

Various jobs within the Cybersecurity industry
– Vulnerability assessment
– Penetration testing
– Network engineering/security
– System administration
– Software development
– Etc., etc., etc.

Various jobs within the Cybersecurity industry

Webster says of Forensics:
– Pronunciation: f&-'ren(t)-sik, -'ren-zik
1. belonging to, used in, or suitable to courts of judicature or to public discussion and debate
2. Argumentative, Rhetorical
3. relating to or dealing with the application of scientific knowledge to legal problems
US-CERT says:
– Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.
– The word forensics means “to bring to the court.”
Digital Forensics recognized as a forensic science discipline in 2003

Computer forensics: the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.
Computer forensics is considered both a science and an art

Scientific Method is a body of techniques for
– investigating phenomena
– acquiring new knowledge
– correcting and integrating previous knowledge [1]
Locard’s Exchange Principle
– Attributed to Dr. Edmond Locard
– "Every contact leaves a trace" [2]
– “no matter where a criminal goes or what a criminal does … a criminal [will] leave evidence …” [3]
[1] Goldhaber & Nieto 2010, p. 940
[2]
[3]

Four Principles of Digital Forensics
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

3 Types of Data
– Active: Data that can be seen or readily used. Data files, programs, utilities, apps, operating system files. Easily accessed, easy to use.
– Archival: Data that has been backed up and stored. Tapes, CDs, hard drives, cloud. Visible data. Easy to retrieve, but not as easy as Active data.
– Latent: Data that requires specialized tools & skills to view. Includes deleted and/or partially overwritten data. May also be referred to as Ambient data.
We will be concentrating on active and latent data

Digital Forensic Terms: Bits, Bytes, Sectors, Clusters
Data is stored as magnetic charges on the hard drive. These charges represent data as a “1” or a “0”.
– Bit = a single charge, as a 1 or a 0
– Byte = 8 bits in most cases
– Sector = 512 bytes
– Cluster = multiple sectors. Usually 2^n sectors: 2, 4, 8, 16, or 32. OS dependent; the Sys Admin usually has the option to set cluster size.
HDDs manage data in terms of Sectors; OSs manage data as Clusters.

Hard Drive Physical Components (diagram; labels: Read/Write head, Track 0, Track 1, Track 2, Track, Sector, Platter, Spindle, Cylinder, Cluster)

What does data look like?
– Humans cannot see magnetic fields.
– Represent magnetism as a 1 or a 0 (bit)
– Group bits into bytes, words, double words, quad words, etc.
– Bits and bytes are difficult to read and understand
– Hexadecimal representation of data: 0x0-9, A-F
– The value above is represented as 0xA1ACAD2A82F

What does data look like?
– ASCII representation
– American Standard Code for Information Interchange
– 8 bits per character
– How to read computer data

Slack Space demo 3/5/2015S2 Forensics -
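As an added example in Python (not code from the presentation or from S2 Forensics), the cluster arithmetic behind the Bits/Bytes/Sectors/Clusters slide and the slack-space demo: `allocation()` works out how many clusters a file of a given size occupies and how many bytes of slack that leaves, and `simulate_overwrite()` models one cluster that held an old file and then receives a shorter new one. The model is a simplification I am assuming here: the OS writes whole 512-byte sectors, zero-pads the tail of the last sector it writes, and leaves the remaining sectors of the cluster untouched. The function names and the sample contents are constructed for the example.

```python
# Added example, not from the presentation: cluster allocation and slack space.
SECTOR_SIZE = 512  # bytes per sector, as stated on the slide


def cluster_size(sectors_per_cluster: int) -> int:
    """Cluster size in bytes. Sectors per cluster must be a power of two (2^n)."""
    if sectors_per_cluster < 1 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be 2^n")
    return sectors_per_cluster * SECTOR_SIZE


def allocation(file_size: int, sectors_per_cluster: int) -> dict:
    """Clusters a file occupies, bytes allocated to it, and the slack left over.

    The OS hands out whole clusters, so a file is padded up to a cluster
    boundary; every byte between the logical end of file and that boundary
    is slack that the file's owner never wrote.
    """
    csize = cluster_size(sectors_per_cluster)
    clusters = (file_size + csize - 1) // csize  # round up; an empty file needs none
    allocated = clusters * csize
    return {"cluster_bytes": csize, "clusters": clusters,
            "allocated": allocated, "slack": allocated - file_size}


def simulate_overwrite(old_content: bytes, new_content: bytes,
                       sectors_per_cluster: int) -> dict:
    """Simplified model of a cluster reused for a new, shorter file.

    Assumed behaviour: the OS writes whole sectors, zero-pads the tail of
    the last sector it writes, and does not touch the sectors after that.
    Whatever the previous occupant left in those sectors survives as slack.
    """
    csize = cluster_size(sectors_per_cluster)
    if len(old_content) > csize or len(new_content) > csize:
        raise ValueError("content does not fit in one cluster")
    disk = bytearray(old_content.ljust(csize, b"\x00"))  # cluster as the old file left it
    written = -(-len(new_content) // SECTOR_SIZE) * SECTOR_SIZE  # sectors actually rewritten
    disk[:written] = new_content.ljust(written, b"\x00")
    logical = bytes(disk[:len(new_content)])         # what a normal file read returns
    slack = bytes(disk[len(new_content):])           # what a sector-level read of the cluster adds
    residue = bytes(disk[written:]).rstrip(b"\x00")  # old data still recoverable from the slack
    return {"logical": logical, "slack": slack, "residue": residue}


# Constructed sample: a 1500-byte old file, then a 5-byte file in the same 8-sector cluster
OLD_FILE = (b"-" * 1000 + b"OLD BUDGET TOTAL 4,500,000").ljust(1500, b"-")
NEW_FILE = b"hello"


if __name__ == "__main__":
    print(allocation(len(OLD_FILE), 8))
    result = simulate_overwrite(OLD_FILE, NEW_FILE, 8)
    print(result["logical"], len(result["slack"]), result["residue"][:40])
```

With 8 sectors per cluster the 5-byte file still owns 4096 bytes; the first 512 are rewritten (5 bytes of data plus zero padding) and the other seven sectors keep the old file's bytes, which is why a sector-level view in a hex editor shows text the current file never contained.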

Files are what data storage is all about
– How do we know a text file from an executable?
– Windows requires file extensions: .docx, .txt, .ppt, .dll, .exe, .jpg, .gif
– Linux: extensions are optional
– How does the PC know the difference between text files, executable files, audio files, photos, movies?
The answer is file headers, aka file signatures

File signatures
– Sort by hex value or text
– PDF (Portable Document Format): %PDF. Note trailers/footers on web page
– JPEG file, widely used photo format (Joint Photographic Experts Group): FF D8 FF E0 xx xx 4A 46 = ÿØÿà..JF. Note footer of FF D9
– GIF file (Graphics Interchange Format): GIF87a, GIF89a. Footer/trailer 00 3B = .;
– Microsoft document files (docx, xlsx, pptx): D0 CF 11 E0 A1 B1 1A E1 = ÐÏ.ࡱ.á. Object Linking and Embedding (OLE) compound file
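The header-and-trailer check described on the two slides above, as an added Python example (not code from the presentation): a small signature table with wildcard bytes for the JPEG "xx xx" positions, a trailer check where the format defines one, and a comparison of what the bytes say against what the filename claims. One caveat a practitioner wants here: the D0 CF 11 E0 signature is the OLE compound file used by the binary .doc/.xls/.ppt formats, while the Office 2007+ .docx/.xlsx/.pptx files are ZIP containers and begin 50 4B 03 04, so the table lists both. The sample "files" are constructed byte strings, and the function names are mine.

```python
# Added example, not from the presentation: identify files by their header
# bytes (signatures), check the trailer where the format defines one, and
# flag files whose extension does not match what the bytes say they are.
import os
from typing import Dict, List, Optional

# Header pattern (None = wildcard byte, the "xx" on the slide), trailer or None,
# description, extensions that normally carry this signature.
SIGNATURES = [
    ([0x25, 0x50, 0x44, 0x46], b"%%EOF", "PDF", {".pdf"}),
    ([0xFF, 0xD8, 0xFF, 0xE0, None, None, 0x4A, 0x46, 0x49, 0x46],
     b"\xff\xd9", "JPEG (JFIF)", {".jpg", ".jpeg"}),
    ([0x47, 0x49, 0x46, 0x38, 0x37, 0x61], b"\x00\x3b", "GIF87a", {".gif"}),
    ([0x47, 0x49, 0x46, 0x38, 0x39, 0x61], b"\x00\x3b", "GIF89a", {".gif"}),
    ([0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1], None,
     "OLE compound file (binary .doc/.xls/.ppt)", {".doc", ".xls", ".ppt"}),
    # Office 2007+ .docx/.xlsx/.pptx are ZIP containers, so they carry the ZIP signature
    ([0x50, 0x4B, 0x03, 0x04], None, "ZIP container (.zip, .docx/.xlsx/.pptx)",
     {".zip", ".docx", ".xlsx", ".pptx"}),
]


def header_matches(data: bytes, pattern: List[Optional[int]]) -> bool:
    """True when every non-wildcard byte of the pattern matches the data."""
    if len(data) < len(pattern):
        return False
    return all(p is None or data[i] == p for i, p in enumerate(pattern))


def identify(data: bytes) -> Optional[dict]:
    """Return the first matching signature; trailer_ok is None if no trailer is defined."""
    for pattern, trailer, name, exts in SIGNATURES:
        if header_matches(data, pattern):
            # A missing trailer usually means a truncated or partially overwritten file
            trailer_ok = None if trailer is None else data.rstrip(b"\r\n ").endswith(trailer)
            return {"type": name, "trailer_ok": trailer_ok, "extensions": exts}
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare what the bytes say with what the filename claims."""
    ext = os.path.splitext(name)[1].lower()
    ident = identify(data)
    if ident is None:
        return {"name": name, "type": "unknown", "trailer_ok": None, "extension_mismatch": None}
    return {"name": name, "type": ident["type"], "trailer_ok": ident["trailer_ok"],
            "extension_mismatch": ext not in ident["extensions"]}


# Constructed sample files (not real documents): minimal byte strings carrying
# the headers and trailers discussed on the slide.
SAMPLES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 20 + b"\xff\xd9",
    "anim.gif": b"GIF89a" + b"\x00" * 10 + b"\x00\x3b",
    "truncated.gif": b"GIF87a" + b"\x00" * 10,                      # trailer missing: cut off
    "notes.txt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE file renamed to .txt
    "memo.docx": b"PK\x03\x04" + b"\x00" * 12,
    "readme.txt": b"just text\n",
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> List[dict]:
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        print(f'{r["name"]:<14} {r["type"]:<42} trailer_ok={r["trailer_ok"]} '
              f'extension_mismatch={r["extension_mismatch"]}')
```

The extension is deliberately ignored when identifying the type and only consulted afterwards: on Windows the extension decides which program opens a file, but the header decides what the file actually is, and a disagreement between the two is the thing worth a closer look during an examination.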

How do we read these files in binary?
– Use a “hex editor”
  HxD: http://mh-nexus.de/en/hxd/
  WinHEX: http://
  Many other no-cost options available. Google search for “hex editor”
– Utilities that have hex reader capabilities
  FTK Imager: http://accessdata.com/product-download or http://accessdata.com/product-download download-page

Using HxD – demo 3/5/2015S2 Forensics -
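As an added Python example (not code from the presentation), the view a hex editor such as HxD gives you, built by hand so the three representations from the "What does data look like?" slides line up: `to_bits()` shows the raw 1s and 0s, and `hexdump()` renders offset, hex and ASCII columns, with any byte outside printable ASCII shown as "." in the text column. The sample bytes are constructed (a JFIF header followed by some text) and the function names are mine.

```python
# Added example, not from the presentation: reading bytes as bits, hex and ASCII.
from typing import List


def to_bits(data: bytes) -> str:
    """Each byte as 8 bits: the form the slides start from, hard for a human to read."""
    return " ".join(f"{b:08b}" for b in data)


def from_hex(text: str) -> bytes:
    """Turn a signature written the way the slide writes it ('FF D8 FF E0') into bytes."""
    return bytes.fromhex(text)


def hexdump(data: bytes, width: int = 16, base: int = 0) -> List[str]:
    """Hex-editor style lines: offset, hex bytes, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        # Only 0x20..0x7E are printable ASCII; everything else is shown as a dot,
        # which is why a header like FF D8 FF E0 appears as "...." but "JFIF" reads as text
        text_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08X}  {hex_col}  {text_col}")
    return lines


# Constructed sample: the start of a JPEG/JFIF file followed by a short text string
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00"
          b"Hello, forensics!\r\n")


if __name__ == "__main__":
    print(to_bits(SAMPLE[:4]))
    for line in hexdump(SAMPLE):
        print(line)
```

Reading the first line of the dump shows the point of the file-signature slides: the bytes FF D8 FF E0 that identify the JPEG are unprintable and appear only in the hex column, while the "JFIF" marker two bytes later is readable in either column.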