Damien Leake

Definition
- To examine digital media to identify and analyze information so that it can be used as evidence in court cases
- Involves many data recovery techniques
  - Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media (hard drives, USB flash drives, DVDs)
  - Recovery may be required due to physical damage or logical damage to the file system
- Digital evidence has to be authentic, reliably obtained, and admissible

Common Scenarios for Data Recovery
- Operating system failure
  - Use a LiveCD to copy all files to another disk
  - Can be avoided by proper disk partitioning
- Disk-level failure
  - Compromised file system or disk partition
  - Repair the file system, partition table, or master boot record
  - Hard disk recovery: a one-time recovery
- Recovering deleted files
  - Often the data itself is not removed, only the references to it in the file table
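The last bullet is why file carving works: when only the directory entry is gone, the file's bytes are still on disk and can be found by their header and trailer signatures. The following is an added example (not part of the presentation) of a minimal signature-based carver run over a constructed disk image; the JPEG and PNG magic values are the real ones, everything else is made up for the demo.

```python
from dataclasses import dataclass

# Header/trailer signatures of the types we carve for (standard JPEG and PNG
# magic values). Carving ignores the file table entirely, which is what makes
# it work on files whose directory entries were removed.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes

def carve(image: bytes, max_size: int = 1 << 20) -> list[CarvedFile]:
    """Scan raw bytes (a disk image or unallocated space) for header/trailer
    pairs. max_size bounds how far past a header the trailer may be, so a
    stray header in random data cannot swallow the rest of the image."""
    found: list[CarvedFile] = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:           # header with no trailer in range: skip it
                pos = start + 1
                continue
            end += len(trailer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    # Caveat: real JPEGs may embed a thumbnail (a nested FFD8..FFD9), so a
    # production carver validates structure rather than trusting the first FFD9.
    return sorted(found, key=lambda f: f.offset)

def build_sample_image() -> bytes:
    """Constructed 'disk image': two files whose directory entries are gone,
    sitting in zero-filled unallocated space with some junk in between."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR...IDAT..." + b"IEND\xaeB`\x82"
    filler = b"\x00" * 64
    return filler + jpeg + filler + b"random junk" + png + filler

if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```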

Data Reduction During Acquisition
- Ever larger hard drives make collecting data very time-consuming
- Data analysis can also take much longer if there are large amounts of data
- Known files: operating system and application files can often be disregarded when looking for documents
- File types: many file types can usually be ignored
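Both reduction steps above can be automated, with one caveat a practitioner wants built in: "ignore by file type" must decide by content, not by extension, or a renamed executable slips through. The following is an added example (not from the presentation) that skips files matching a known-file hash set, skips executables identified by magic bytes, and flags files whose document extension contradicts their content; the temp-directory tree and the one-entry hash set are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Types a document search can usually skip. Decide by magic bytes, not by
# extension: renaming evidence.exe to budget.xls is the cheapest way to hide it.
IGNORABLE_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".txt", ".xls"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def detect_type(path: Path) -> str:
    with path.open("rb") as f:
        head = f.read(8)
    for magic, kind in IGNORABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "other"

def triage(root: Path, known: set[str]) -> dict[str, list[str]]:
    """known: in the hash set, skip. ignored: executable by content, skip.
    mismatch: document extension over executable content, flag. review: rest."""
    out: dict[str, list[str]] = {"known": [], "ignored": [], "mismatch": [], "review": []}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        if sha256_file(p) in known:
            out["known"].append(p.name)
        elif detect_type(p) == "other":
            out["review"].append(p.name)
        elif p.suffix.lower() in DOCUMENT_EXTS:
            out["mismatch"].append(p.name)
        else:
            out["ignored"].append(p.name)
    return out

def demo() -> dict[str, list[str]]:
    """Constructed evidence tree; the 'OS' file is the only entry of a stand-in
    known-file hash set (real sets such as NSRL hold millions of entries)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notepad.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 32)
        (root / "report.docx").write_bytes(b"PK\x03\x04" + b"content" * 4)
        (root / "budget.xls").write_bytes(b"MZ" + b"payload" * 8)  # renamed exe
        known = {sha256_file(root / "notepad.exe")}
        return triage(root, known)
```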

Live Acquisition
- Debate: pull the plug or not when finding a suspect's computers
- For: minimizes disturbance to stored data
- Against: critical data may be in RAM
  - With full disk encryption, files are decrypted on the fly, with the decryption key stored in RAM
  - Open ports, active processes
  - Fully volatile OS, e.g. Knoppix running from a live CD with nothing written to disk
  - Unsaved documents

Examining RAM
- Evidence cannot be recorded on a target machine without changing its state
  - Logs, temp files, network connections opened/closed
  - Critical data may be overwritten
- Analysis utilities may need to be loaded onto the target system
- Usually, RAM data is sent to another machine over a network connection
- These problems may be avoided if the target machine was running in a virtual machine

Virtual Introspection
- Process by which the state of a VM is observed from the Virtual Machine Manager or another VM on the system
- No current production tool, but research shows promise
- Can allow live system analysis of a VM
- May be possible for it to go undetected by the target system
  - Experienced cyber criminals may have safeguards that remove critical data from RAM upon breach detection

Virtual Introspection for Xen
- Xen is an open source Virtual Machine Manager
  - Not as robust as some competitors
  - Open source means that researchers can modify the VMM should that become necessary
- VIX is a suite of tools currently being developed for Xen
  - Provides an API for getting data from different VMs
  - Pauses the target machine, acquires data, un-pauses the machine
  - Ensures the machine state is not modified

Future Work
- Support for multiple OSes
  - Currently, the Linux 2.6 kernel is supported by VIX
  - Windows and Mac OS support is needed for widespread significance
- Analysis of the extent to which VI can be detected by the target VM
  - Timing analysis, page fault monitoring
- Application of these techniques to VMware and other popular VM platforms

Database Forensics
- Standard forensics tools tend to be too time consuming to run on large databases
- Database tools to search logs are quicker
  - Can return a lot of useful information
  - But they may alter the database in ways that complicate the admissibility of the content in court
- New field of study with little literature

Mobile Device Forensics
- State of device at time of acquisition
  - Password locks
  - Remote data deletion
- Variety of operating systems
  - Hard to build tools considered industry standard

FTK Mobile Phone Examiner
- Most commonly used tool in the US
- Simple data acquisition
  - Cable, infrared, Bluetooth
  - Does not alter any data on the device
- Integration with Forensic Toolkit
  - Perform analysis on multiple phones at once
  - Reports are automatically court-usable

Oxygen Forensic Suite
- Popular tool with European law enforcement agencies
- Extracts all possible information
  - Phone/SIM card data
  - Contact list, caller groups, speed dials
  - All calls sent/received/missed
  - SMS, calendar events, text notes
- Can tap into LifeBlog and geotagging in Nokia Symbian OS phones

EnCase Neutrino
- Extension of the company's PC forensic software
- Claims to have the only extensively tested signal blocking technology
- Data acquisition starts with the SIM card first, then searches the phone itself
- Easily returns device serial number, cell tower location, and manufacturer information

Anti-Forensics
- Avoid detection of events
- Disrupt collection of information
- Increase time spent on case

Attacking Data
- Data wiping
  - Overwrite erased disk space with random data
  - Many commercial tools do not do this properly and leave some of the original data
- Data hiding
  - Encryption
  - Using anonymous web storage
  - Steganography: embedding data into another digital form (images, videos)
- Data corruption
  - Aims to stop the acquisition of evidentiary data

Attacking Forensics Tools
- Aims to make examination results unreliable in court
- Manipulate essential information
  - Hashes
  - Timestamps
  - File signatures
- Compression bomb
  - Compress data hundreds of times
  - Causes the analyzing computer to crash trying to decompress it
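The compression-bomb defence is to never inflate an untrusted stream without a bound. The following is an added example (not from the presentation) of incremental zlib decompression that aborts once the output exceeds an absolute cap or an expansion ratio, so the analysis workstation quarantines the stream instead of crashing; the bomb and benign samples are constructed, and the 100:1 ratio default is an assumed tuning value.

```python
import zlib


class CompressionBombError(Exception):
    """Raised when a stream expands beyond the limits set by the examiner."""


def safe_inflate(blob: bytes, max_out: int, max_ratio: int = 100) -> bytes:
    """Inflate a zlib stream incrementally and stop as soon as the output
    exceeds an absolute cap or an expansion ratio, so a small 'bomb' cannot
    exhaust the analysis workstation's memory before anyone notices."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while not d.eof:
        # max_length bounds how much is produced per call; input that zlib did
        # not consume comes back in unconsumed_tail for the next round
        chunk = d.decompress(pending, 1 << 16)
        pending = d.unconsumed_tail
        if not chunk and not pending:
            raise ValueError("truncated or corrupt zlib stream")
        out += chunk
        if len(out) > max_out:
            raise CompressionBombError(f"output exceeds {max_out} bytes")
        if len(out) > max_ratio * len(blob):
            raise CompressionBombError(f"expansion ratio exceeds {max_ratio}:1")
    return bytes(out)


def is_bomb(blob: bytes, max_out: int) -> bool:
    """True if the stream trips either limit (the tool should quarantine it)."""
    try:
        safe_inflate(blob, max_out)
    except CompressionBombError:
        return True
    return False


def make_bomb() -> bytes:
    # Constructed sample: 8 MiB of zeros shrinks to a few KiB of zlib data
    return zlib.compress(b"\x00" * (8 << 20), 9)


# Constructed benign sample for comparison
BENIGN_PLAIN = b"meeting notes, 2 pages of ordinary text\n" * 20
BENIGN_BLOB = zlib.compress(BENIGN_PLAIN)

if __name__ == "__main__":
    print("bomb detected:", is_bomb(make_bomb(), 1 << 20))
    print("benign ok:", safe_inflate(BENIGN_BLOB, 1 << 20) == BENIGN_PLAIN)
```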

Attack the Investigator
- Exhaust the investigator's time and resources
- Leave large amounts of useless data on hard drives
- Cases that take too long are more likely to be dropped

Summary
- Data forensics attempts to capture and analyze data for use in court proceedings
- Techniques involve traditional data recovery along with live acquisition of volatile data
- Relatively new field, with more research needed for databases, mobile devices, and virtual machines
- Analysis techniques will need to evolve as cyber criminals develop more sophisticated ways to hide their actions