CYBER FORENSICS | Kiran Bettadapur S. | 5/8/2018

DIGITAL ERA 5/8/2018

INTERNET TRAFFIC Over 100,000 Petabytes/Month in 2016 100,000,000,000 Gigabytes  STORE… ALL FILMS [HD]: 2000X ALL BOOKS [PDF]: 333X ALL YOUTUBE: 1,000X 5/8/2018

CYBERCRIME C Y B E R C R I M E T Y P E S COMPUTER AS OBJECT: ILLEGAL ACCESS UNLAWFUL DATA TRANSMISSION DATA DELETION WEBSITE DEFACING COMPUTER AS MEDIUM: ID THEFT FRAUD E-THEFT PHISHIING CONTENTS OF COMPUTER: CHILD PORNOGRAPHY STOLEN SENSITIVE INFO TERROR ATTACK DETAILS C Y B E R C R I M E T Y P E S AGAINST PERSONS: IDENTITY THEFT INFO THEFT DEFAMATION CYBER THREATS, BULLYING & STALKING FORGERY HARASSMENT E-MAIL SPOOFING & SPAM; PHISHING CHILD SOLICITING AGAINST GOVERNMENT: SALE OF ILLEGAL ITEMS: WEAPONS, WILDLIFE, DRUGS CYBER WAR & TERRORISM CHILD PORNOGRAPHY ONLINE GAMBLING SECURE SYSTEM HACKING ONLINE ESPIONAGE AGAINST PROPERTY DENIAL OF SERVICE MALWARE: Viruses, Trojans, Worms, Mail Bombs, Ransomware CYBER SQUATTING HACKING SALAMI SLICING (PENNY SHAVING) CREDIT CARD FRAUD IP CRIMES: Software Piracy; IP Violations (Copyright, TM, etc.) 5/8/2018

WHAT IS? CYBER FORENSICS Challenges of Cyber Crime: Emerging Field On the Increase Skillful Criminals No Barriers or Borders Evolving Laws Digital Evidence Sources Computers Storage Devices Mobile Devices: Phones, Tabs, etc. Electronic Gadgets: Cameras, etc. Emerging Field Digital Evidence Collection Analysis Results From: Incidents Result Of: Investigation Results In: Legal Evidence CYBER FORENSICS 5/8/2018

[part of digital forensics] BRANCHES B r a n c h e s o f C Y B E R F O R E N S I C S [part of digital forensics] CLOUD & NETWORK FORENSICS: SECURITY ATTACKS & PROBLEM INCIDENTS TWO SYSTEMS: ─ CATCH-IT-AS-YOU-CAN… Batch-mode Traffic Analysis …Needs Storage ─ STOP-LOOK-’N-LISTEN… Individual Packet Analysis …Needs processing power MOBILE DEVICE FORENSICS: CELL PHONES; DIGITAL CAMERAS; I-PODS; etc… ANY MEDIUM FOR STORAGE OF CONTENT DATA & DATABASE FORENSICS SERVER SIDE CLIENT SIDE MALWARE E-MAIL & SOCIAL MEDIA INCIDENT RESPONSE AUDITS 5/8/2018

WHAT IT ENTAILS CYBER FORENSICS Intrusion Detection & Access Control 2. Web History & Storage Analysis 1. Network Evidence 3. CYBER FORENSICS Image or Clone Creation 7. System Artifacts: Logs, users media, etc. 8. E-mail Tracing & Data Recovery 6. Traffic & Flow Analysis 4. Attack Pattern Analysis 5. 5/8/2018

DIGITAL EVIDENCE ASPECTS PRIMARY STORAGE OFFLINE STORAGE PHYSICAL : Chain of Custody Document Secure Storage Photos Original + Backup + Working LOGICAL : Work on Copy Minimal Access of Original Use Write-blocking Use Hash Functions SECONDARY STORAGE TERTIARY / NEARLINE / CLOUD STORAGE 5/8/2018

COLLECTION CHALLENGES DELETED / ERASED 2. PRESENT 1. HIDDEN 3. DIGITAL EVIDENCE CORRUPTED 6. ENCRYPTED 4. COMPRESSED 5. 5/8/2018

EVIDENCE TAMPERING LEVELS OF TAMPERING 2. 1. 3. 6. 4. 5. REMOVING [From Recycle Bin] 2. DELETING & TRAPPING 1. FORMATTING [Index, not actual data removed] 3. LEVELS OF TAMPERING DEVICE DESTRUCTION [Shredding & Melting] 6. WIPING [Changed to 0’s & 1’s] 4. PHYSICAL DAMAGING [Hammering] 5. 5/8/2018

ANALYSIS M E T H O D S & T E C H N I Q U E S CROSS-DRIVE ANALYSIS: CORRELATION…of info on multiple devices IDENTIFY SOCIAL NETWORKS ANOMALY DETECTION LIVE ANALYSIS: SYTEM EXAMINATION… from within the OS CUSTOM TOOLS SYSADMIN TOOLS DE-ENCRYPTION STOCHASTIC FORENSICS: PROBABILITY THEORY ACTIVITIES LACKING DIGITAL ARTIFACTS DATA THEFT M E T H O D S & T E C H N I Q U E S STEGANALYSIS: STEGANOGRAPHY Concealment of Data … in picture or digital image Encrypted Payload BARRAGE NOISE Random data; white noise, Misinformation, meaningless drivel DETECTING HASH VALUE CHANGES DELETED FILE RETRIEVAL: DISK RECONSTRUCTION Reconstruct from file sectors FILE CARVING Search for file-headers in disk image Reconstruct Deleted Material CRYPTANALYSIS: DECIPHERING ENCRPTED MESSAGES No access to key or encryption algorithm SYMMETRIC KEY Block Ciphers (Blocks of text) Stream Ciphers (Individual characters) HASH FUNCTIONS 5/8/2018

PROCESS TRIAL & TESTIMONY COLLECTION: PREPARATION EXAMINATION: Devices/Sources: RFID, Black-boxes (vehicle), etc. Due Care No Heat, X-Ray, etc. Imaging media Chain of custody Document PREPARATION Training of Investigators Tools & Planning Suspect Questioning Warrant EXAMINATION: Electronic Content Procedures & Techniques: Case by Case basis ANALYSIS; REPORTING Tools: Integrated / Special EnCase, FTK, Sleuth Kit, Scalpel, ProDiscover Logs, files, emails, registry, Browsing History, etc. Cracking PWD Extracting files Presenting Exhibits TRIAL & TESTIMONY 5/8/2018

5/8/2018

“Thank You!” 5/8/2018