
Chapter 11 Analysis Methodology Spring 2016 - Incident Response & Computer Forensics.


1 Chapter 11 Analysis Methodology Spring 2016 - Incident Response & Computer Forensics

2 Define Objectives
 Well-defined objectives help achieve better results
 Decide up front who will define the objectives (typically the investigative lead together with management or legal counsel); the analyst should not be guessing at them
 Objectives are usually phrased as a series of questions (e.g. "Was data taken from this host, and when?")
 Some objectives are hard or impossible to achieve
   Example: proving that a system has not been compromised (absence of evidence is not evidence of absence)
 Stay focused; do not chase tempting artifacts that do not answer the questions

3 Know Your Data
 Data is available in many formats and locations
 Explore the possible data sources and understand how each can be used
 Knowing this helps you decide what to collect

4 Where is Data Stored?
 Desktops and laptops
   Hard drives and external storage
   OS, applications, and associated data
   If virtualized (VDI), the data lives in the central infrastructure rather than on the endpoint
 Servers
   Hard drives: OS
   External storage solutions: (likely) application and other data
 Mobile devices
   Small amount of storage, normally nonvolatile (flash) memory
 Cloud services (see next slide)

5 Where is Data Stored?
 Storage solutions and media
   USB flash drives, USB hard drives, CDs, DVDs, Network Attached Storage (NAS), Storage Area Networks (SAN)
 Network devices
   Firewalls, switches, routers
 Cloud services
   Data belonging to organizations and to individual users
 Backups
   On-site and off-site storage

6 What is Available
 Operating system
   File systems, state information (running processes, open ports, etc.), OS logs, etc.
 Application
   Application-specific artifacts (logs, e-mails, browser cache, etc.)
   Some artifacts are left behind even after the application is removed
 User data
   Documents, e-mails, source code, etc.
 Network services and instrumentation
   DHCP and DNS logs, proxy server logs, firewall logs, etc.

7 Access Your Data
 Issues: data formats vary, storage media differ, data may be encrypted, compressed, etc.
 Disk images
   Which system did it come from? How was it acquired (tool, write blocker, verification hash)? etc.
 What does it look like?
   How was the data encoded? Things that look different may carry the same information
 What to search for, and how to search?
   Example: a string may not appear as one contiguous run of bytes (stored as UTF-16 with interleaved null bytes, or spread across non-adjacent clusters), so a naive search for its ASCII form misses it

8 Analyze Your Data
 Outline an approach
   Where to start, what to look for
 Network and hosts
   Abnormal user activities
   Abnormal connection durations
   Abnormally high CPU activity
   Recently installed or modified services
   Programs that automatically start
   Integrity of system binaries
   …
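The last two host indicators on this slide (newly dropped programs and the integrity of system binaries) are usually checked the same way: hash the live tree and diff it against a known-good baseline. The following is an added example, not code from the lecture or its textbook. The directory layout, file contents and the baseline are constructed for the demo; a real baseline comes from the vendor's package manifests or a trusted gold image.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root, keyed by path relative to root
    (always '/'-separated so baselines compare across platforms)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_binaries(root, baseline):
    """Compare a live tree against a baseline. Returns sorted lists of
    modified (hash differs), added (not in baseline) and missing paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a fake /usr/bin, then simulate a trojaned
    ls, a hidden dropped binary, and a removed tool. Contents are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "usr" / "bin"
        bin_dir.mkdir(parents=True)
        for name, content in {"ls": b"ELF ls v1", "ps": b"ELF ps v1", "ss": b"ELF ss v1"}.items():
            (bin_dir / name).write_bytes(content)
        baseline = build_baseline(d)          # taken while the tree is still clean

        (bin_dir / "ls").write_bytes(b"ELF ls v1 + hidden-file filter")  # trojaned binary
        (bin_dir / ".x").write_bytes(b"ELF backdoor")                     # dropped program
        (bin_dir / "ss").unlink()                                          # removed tool
        return verify_binaries(d, baseline)


if __name__ == "__main__":
    print(demo())
```

Run the hashing from a trusted toolset against an offline image, not with the suspect host's own binaries: a rootkit that hides files or patches `read()` can make a live check report a clean tree.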

9 Select Methods
 Use of external resources
   Methods and tools developed by others
 Manual inspection of data
   Particularly when the amount of data collected is small
 Use of specialized tools
   Help with data visualization, malware identification, browser artifact analysis, etc.
 Data minimization through sorting and filtering
   Helps in focusing on a subset of the data

10 Select Methods
 Statistical analysis
   Helps in discovering patterns or anomalies
 Keyword searching
   Be careful with encoding and formatting (ASCII vs. UTF-16, letter case, compression): a search for one form misses the others
   Search unallocated space and slack space as well, not only live files
 File and record carving
   Searches for files by content (header and footer signatures), not by file system metadata
   Works even if a file has been deleted or renamed, as long as its blocks have not been overwritten
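The search pitfalls raised on slide 7 (a string that does not appear as one contiguous byte run) and on this slide (encoding, case, unallocated space) can be handled in one pass by compiling the keyword once per encoding and scanning the whole raw image, then labelling each hit by whether it falls inside an allocated file. This is an added example, not code from the lecture; the four-sector "image", its contents and the allocated-range list are constructed for the demo.

```python
import re

SECTOR = 512


def keyword_patterns(keyword, encodings=("ascii", "utf-16-le")):
    """Build one case-insensitive bytes regex per encoding. Each character is
    an alternation of its lower/upper forms, which also works for UTF-16 where
    re.IGNORECASE on bytes cannot see past the interleaved null bytes."""
    patterns = {}
    for enc in encodings:
        parts = []
        for ch in keyword:
            forms = {ch.lower().encode(enc), ch.upper().encode(enc)}
            parts.append(b"(?:" + b"|".join(re.escape(f) for f in sorted(forms)) + b")")
        patterns[enc] = re.compile(b"".join(parts))
    return patterns


def search_image(image, keyword, allocated_ranges=(), encodings=("ascii", "utf-16-le")):
    """Scan a raw image for keyword in every requested encoding. Returns a list of
    (offset, encoding, matched_bytes, region) sorted by offset; region is
    'allocated' when the offset lies in one of the [lo, hi) allocated_ranges
    (as a file system parser would report), otherwise 'unallocated'."""
    hits = []
    for enc, pat in keyword_patterns(keyword, encodings).items():
        for m in pat.finditer(image):
            in_alloc = any(lo <= m.start() < hi for lo, hi in allocated_ranges)
            hits.append((m.start(), enc, m.group(0), "allocated" if in_alloc else "unallocated"))
    return sorted(hits, key=lambda h: h[0])


def build_search_image():
    """Constructed image: sector 0 = a live text file (ASCII, upper case),
    sector 1 = a Windows-style path artifact (UTF-16LE), sector 2 = zeros,
    sector 3 = remnants of a deleted file whose directory entry is gone."""
    s0 = b"meeting notes: contact ACME-Payroll vendor tomorrow".ljust(SECTOR, b"\x00")
    s1 = "C:\\Users\\bob\\acme-payroll.xlsx".encode("utf-16-le").ljust(SECTOR, b"\x00")
    s2 = b"\x00" * SECTOR
    s3 = b"...exfil plan: zip Acme-Payroll dump, upload...".ljust(SECTOR, b"\x00")
    allocated = [(0, 2 * SECTOR)]   # only the first two sectors belong to live files
    return s0 + s1 + s2 + s3, allocated


if __name__ == "__main__":
    img, alloc = build_search_image()
    for offset, enc, raw, region in search_image(img, "acme-payroll", alloc):
        print(f"{offset:6d}  {enc:10s}  {region:11s}  {raw!r}")
```

A plain `grep acme-payroll` over the same image finds only the last hit: it misses the upper-case copy and the UTF-16 copy entirely. Passing `encodings=("utf-16-be",)` or a code page lets the same function cover other sources, and compressed or encrypted containers still have to be expanded before the scan, since no byte pattern will match inside them.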
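File carving as described on this slide works by scanning for the header and footer signatures that identify a file type, ignoring the file system entirely. The following is an added example (not the lecture's code) of a simple header/footer carver; the signature table holds the standard JPEG and PNG markers, and the image it runs on is constructed, with one complete JPEG, one complete PNG and one JPEG whose tail was overwritten so that no footer follows its header.

```python
SIGNATURES = {
    # type: (header, footer, max_size); sizes cap the carve when a footer is never found
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return (offset, type, data, complete) for every header found in image.
    Headers are located by content alone, so a file whose directory entry was
    deleted still carves. If no footer appears within max_size the carve is
    cut at max_size (or end of image) and flagged incomplete, which is what a
    fragmented or partially overwritten file looks like."""
    results = []
    for ftype, (head, foot, max_size) in signatures.items():
        start = image.find(head)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(foot, start + len(head), window_end)
            if end == -1:
                results.append((start, ftype, image[start:window_end], False))
                nxt = start + len(head)          # keep scanning past this header
            else:
                end += len(foot)
                results.append((start, ftype, image[start:end], True))
                nxt = end                        # resume after the carved file
            start = image.find(head, nxt)
    return sorted(results, key=lambda r: r[0])


def build_carve_image():
    """Constructed raw image: filler, a minimal JPEG-shaped blob, filler, a
    PNG-shaped blob, filler, and a JPEG header whose body was overwritten."""
    filler = b"\x00" * 100
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 20
    return filler + jpeg + filler + png + filler + truncated


if __name__ == "__main__":
    for offset, ftype, data, complete in carve(build_carve_image()):
        state = "complete" if complete else "INCOMPLETE"
        print(f"{offset:6d}  {ftype:5s}  {len(data):5d} bytes  {state}")
```

Header/footer matching only recovers files stored contiguously; a fragmented file carves as a header plus whatever followed it on disk, so every incomplete result needs a second look (or a format-aware carver that validates internal structure) before it is treated as evidence.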

11 Evaluate Results
 Evaluate results periodically
   Lets you correct or change the method early if the results are not satisfactory
 After finishing the data analysis, evaluate how well the result answers the investigative questions
 If the result does not help, try a different method or a different source of evidence
