Digital Forensics Anthony Lawrence

Overview Digital forensics is a branch of forensics focusing on investigating electronic devices. Important for law enforcement and the military. Often used as supporting evidence in murder cases, business fraud cases, and in particular in child pornography cases. Computer hard disk drives, RAM, and cell phones are commonly analyzed.

Case Study In 1998 Julie Jensen died of a mysterious cause. Mark Jensen, Julie's husband, consented to a search of their house to find potential causes. Investigators acquired and imaged the Jensens' computer. After analyzing the data on the computer, they found search history that showed searches for various murder methods, including ethylene glycol poisoning, which was discovered to be the cause of her death. Someone had attempted to delete this search history, but investigators were able to uncover it anyway. This evidence was used in part to convict Mark Jensen of murdering his wife.

File System Basics Most modern file systems maintain a table to track which blocks are allocated to which files. The table entries contain metadata about the file, such as file type, size, access time, creation time, etc. Some of this information can be valuable in a forensic investigation. In most cases, when a file is deleted its entry is removed from the allocation table but the bits on the disk remain. This can allow an investigator to recover some deleted files.
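The deletion behaviour described on this slide, as an added example (not part of the original presentation): a toy FAT-style volume whose allocation table holds the metadata and starting block of each file. Deleting a file only flags its entry, so an investigator can follow the stale entry back to the data until those blocks are reused. The volume, its block size, and the file contents and timestamps are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

BLOCK_SIZE = 16  # tiny blocks so the example is easy to trace by hand


@dataclass
class Entry:
    """One allocation-table record: metadata plus where the data starts."""
    name: str
    size: int
    start_block: int
    created: str           # constructed ISO-8601 timestamps
    modified: str
    deleted: bool = False  # FAT overwrites the first name byte with 0xE5; a flag stands in here


def blocks_needed(size: int) -> int:
    return max(1, -(-size // BLOCK_SIZE))


class ToyVolume:
    def __init__(self, num_blocks: int) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(num_blocks)]
        self.table: list[Entry] = []

    def _used_blocks(self) -> set[int]:
        used: set[int] = set()
        for e in self.table:
            if not e.deleted:  # deleted entries no longer protect their blocks
                used.update(range(e.start_block, e.start_block + blocks_needed(e.size)))
        return used

    def _free_run(self, needed: int) -> int:
        """First run of `needed` contiguous blocks not held by a live entry."""
        used = self._used_blocks()
        run = 0
        for i in range(len(self.blocks)):
            run = 0 if i in used else run + 1
            if run == needed:
                return i - needed + 1
        raise OSError("volume full")

    def write(self, name: str, data: bytes, ts: str) -> Entry:
        n = blocks_needed(len(data))
        start = self._free_run(n)
        for i in range(n):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[start + i][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        entry = Entry(name, len(data), start, created=ts, modified=ts)
        self.table.append(entry)
        return entry

    def delete(self, name: str) -> None:
        """Unlink: only the table entry changes; the data blocks are untouched."""
        for e in self.table:
            if e.name == name and not e.deleted:
                e.deleted = True
                return
        raise FileNotFoundError(name)

    def read(self, e: Entry) -> bytes:
        raw = b"".join(self.blocks[e.start_block + i] for i in range(blocks_needed(e.size)))
        return raw[:e.size]

    def recover_deleted(self) -> dict[str, bytes]:
        """Investigator's view: follow deleted entries to whatever their blocks hold now."""
        return {e.name: self.read(e) for e in self.table if e.deleted}


def demo() -> tuple[bytes, bytes]:
    """Delete a file, recover it, then watch a new write overwrite its blocks."""
    vol = ToyVolume(num_blocks=8)
    original = b"history: search term A"                    # 22 bytes -> blocks 0-1
    vol.write("history.txt", original, "2008-01-01T10:00")
    vol.write("other.txt", b"hello", "2008-01-02T10:00")    # block 2
    vol.delete("history.txt")
    before_reuse = vol.recover_deleted()["history.txt"]     # intact: blocks untouched
    vol.write("new.bin", b"X" * 20, "2008-01-03T10:00")     # first free run is blocks 0-1
    after_reuse = vol.recover_deleted()["history.txt"]      # now overwritten
    return before_reuse, after_reuse


if __name__ == "__main__":
    before, after = demo()
    print("recovered before reuse:", before)
    print("recovered after reuse: ", after)
```

The second return value is the practical caveat: recovery only works until the file system hands those blocks to a new file, which is why an image should be taken before anything else is written to the disk.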

Acquiring a Disk Image In a criminal investigation it is important that no data on the disk be modified. To ensure this, investigators use write-protection tools (write blockers) so that no data is written back to the disk. The best kind of image to have is a bit-by-bit copy. In the case of most hard drives this is easy to obtain, but with other kinds of electronics (especially phones) it can be harder to get. There are many tools, both proprietary and open source, that allow you to image a disk drive.
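A bit-by-bit imaging routine with the verification step a practitioner adds to it, as an added example (not from the presentation or any particular imaging tool): the source is opened read-only and copied in fixed chunks, and both the source stream and the finished image are hashed so matching digests prove the copy is exact. The hash check is an addition beyond what the slide states. The "device" here is a constructed file in a temporary directory so the code runs anywhere; in practice `src_path` would be a block device sitting behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads; a real device would be read in the same loop


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file read in CHUNK-sized pieces."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path: str, dst_path: str, algo: str = "sha256") -> dict:
    """Copy src to dst bit for bit; hash the source as it is read, then hash the image."""
    src_hash = hashlib.new(algo)
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:  # "rb": never opened for writing
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {
        "bytes": total,
        "source": src_hash.hexdigest(),   # digest of what came off the device
        "image": hash_file(dst_path, algo),  # digest of what landed on disk
    }


def verify_image(result: dict) -> bool:
    """An image is only evidence if its digest equals the source digest."""
    return result["source"] == result["image"]


def demo() -> dict:
    """Image a constructed ~3 MiB 'device' (not a multiple of CHUNK) and verify it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "device.bin")
        dst = os.path.join(d, "device.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096 + 7))  # constructed sample contents
        result = image_device(src, dst)
        result["verified"] = verify_image(result)
        result["image_size_matches"] = os.path.getsize(dst) == os.path.getsize(src)
    return result


if __name__ == "__main__":
    r = demo()
    print(f"{r['bytes']} bytes imaged, verified={r['verified']}")
    print("sha256:", r["source"])
```

Record both digests in the case notes; re-hashing the image later shows whether it has been altered since acquisition. Opening the source with `"rb"` keeps this script from writing to it, but that is not a substitute for a hardware write blocker, since the operating system itself may touch a mounted disk.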

Analysis Once an image has been acquired, the data needs to be analyzed. It is easy to go through and search allocated files, since the allocation table gives all the important details of each file. A carving algorithm is used to recover unallocated files. Once all these files have been acquired, the investigator will search the drive for certain file types (for example, all .jpg files in a child pornography case) or for certain keywords that might be of interest.

Carving Oftentimes there is a lot of valuable evidence in the unallocated space on a drive. To find it, a carving algorithm must be used to analyze the data. Carving algorithms check for known file headers or patterns. Simple algorithms look for a file header, or for the start and size entries of an unallocated file in the allocation table, then assume that all following data is part of that file until they find another known header or reach the full size of the file. More complex algorithms search for fragmented files by adding pieces and testing whether the file still follows the correct patterns. The more complex the algorithm, the better the results, but the longer it takes to process the data.
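The simple carving algorithm these two slides describe (Analysis and Carving), as an added example that is not part of the presentation: scan raw unallocated space for known headers, then take bytes until the type's footer, the next known header, or a size cap, whichever comes first. The JPEG, PNG and GIF magic bytes are the real ones; the size caps are assumptions chosen for the example, and the "disk image" is constructed from three fake files embedded in filler bytes (the GIF deliberately has its footer missing).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Real file signatures. The "max" caps are assumptions for this example.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max": 4 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82", "max": 4 * 1024 * 1024},
    "gif": {"header": b"GIF89a", "footer": b"\x00;", "max": 2 * 1024 * 1024},
}


@dataclass
class Carved:
    kind: str
    offset: int   # where in the image the header was found
    data: bytes


def find_headers(image: bytes) -> list[tuple[int, str]]:
    """Every (offset, type) at which a known header occurs, in image order."""
    hits = []
    for kind, sig in SIGNATURES.items():
        for m in re.finditer(re.escape(sig["header"]), image):
            hits.append((m.start(), kind))
    return sorted(hits)


def carve(image: bytes) -> list[Carved]:
    hits = find_headers(image)
    out = []
    for i, (off, kind) in enumerate(hits):
        sig = SIGNATURES[kind]
        end = min(len(image), off + sig["max"])      # size cap
        if i + 1 < len(hits):
            end = min(end, hits[i + 1][0])           # stop at the next known header
        region = image[off:end]
        fi = region.find(sig["footer"], len(sig["header"]))
        if fi != -1:
            region = region[:fi + len(sig["footer"])]  # footer found: trim to it
        out.append(Carved(kind, off, region))
    return out


def build_sample_image() -> bytes:
    """Constructed unallocated space: filler + three fake files with real magic bytes."""
    filler = bytes([0x00, 0x11, 0x22, 0x33] * 64)    # 256 bytes of junk per gap
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 50                       # footer lost: carver falls back to next header
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 80 + b"IEND\xae\x42\x60\x82"
    return filler + jpg + filler + gif + filler + png + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset}: {len(f.data)} bytes")
```

The GIF result shows the algorithm's weakness: without a footer it swallows the trailing filler up to the next header, and a real header that appears inside another file (a JPEG's embedded thumbnail starts with the same bytes as the JPEG itself) would split a file in two. Those are exactly the cases the slide's "more complex algorithms" exist to handle.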

The Sleuth Kit Open source libraries, command line tools, and GUI. Reads raw and formatted disk images. Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems. Finds allocated and unallocated files. Shows all NTFS attributes. Can create timeline graphs using creation/modification/access times. Will show files hidden by rootkits.

Flash Memory In many cases data is stored in flash memory (solid state drives, phone memory cards, and built-in memory). Flash memory has a special set of concerns, chief of which is the practice of wear leveling. Flash memory cells can only handle a limited number of reads and writes before they fail. Wear leveling is the practice of writing new data to cells that have not been written to recently instead of simply writing over the old data location. This way some cells don't die while others are barely used. Wear leveling means that data will be more fragmented, but it also means that old information the user tried to overwrite could still be sitting in the memory.

Cell Phone Forensics Cell phones are becoming a more and more important part of people's lives, and these phones are becoming more and more sophisticated. Cell phone analysis has special concerns. Because most phones are proprietary hardware, and often proprietary software, it can be difficult or impossible to acquire a bit-by-bit copy of the memory. Even in cases when it is possible, it can require modifying the phone to get root access, which could invalidate the evidence in a court of law. It can also be difficult to analyze the data, as phone manufacturers might use non-standard file formats for which documentation may not be readily available. It is quite common for researchers to reverse engineer file formats so that investigators can use them.

Encryption The bane of forensic investigation. A well-encrypted drive can be difficult or impossible to decrypt and analyze. Encrypted drives cannot even be carved into files, since the encrypted data looks essentially random.
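The "looks random" observation on this slide is something an analyst can measure, and it is the usual way encrypted regions are located on an image before deciding whether carving is worth attempting. As an added example (not part of the presentation), the code below computes Shannon entropy per block: plaintext and structured files sit well below 8 bits per byte, while ciphertext sits close to it. The "encrypted" block is seeded random bytes standing in for a good cipher's output, an assumption that holds for this test because such output is indistinguishable from random; the plaintext block is constructed text. The 7.5 bits/byte threshold is a conventional working value, not a fixed standard.

```python
from __future__ import annotations
import math
import random
from collections import Counter

BLOCK = 4096  # analysis granularity, a common cluster size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one repeated value) to 8.0 (all 256 values equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_blocks(image: bytes, threshold: float = 7.5) -> list[tuple[int, float, str]]:
    """(offset, entropy, label) per block. High entropy means encrypted or compressed data."""
    out = []
    for off in range(0, len(image), BLOCK):
        e = shannon_entropy(image[off:off + BLOCK])
        out.append((off, round(e, 2), "high-entropy" if e >= threshold else "structured"))
    return out


def build_sample_image() -> bytes:
    """Constructed image: one block of plain text followed by one block of random bytes."""
    text = (b"Documents and settings: quarterly report draft.\n" * 100)[:BLOCK]
    rng = random.Random(2008)  # seeded so the example is reproducible
    cipher_like = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return text + cipher_like


if __name__ == "__main__":
    for off, e, label in classify_blocks(build_sample_image()):
        print(f"offset {off:6d}: {e:.2f} bits/byte -> {label}")
```

The caveat a practitioner needs: compressed formats (ZIP, JPEG, video) score almost as high as ciphertext, so a high-entropy block is a reason to check for a known header or a container signature, not proof of encryption on its own. An encrypted block will have neither, which is the slide's point that there is nothing for a carver to find.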

Questions?