Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Analysis By Mrs. T. Hemalatha, Associate Professor Department of Computer Science & Engineering 7/2/20151.

Published byNickolas Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Forensic Analysis By Mrs. T. Hemalatha, Associate Professor Department of Computer Science & Engineering 7/2/20151."— Presentation transcript:

1 Forensic Analysis By Mrs. T. Hemalatha, Associate Professor Department of Computer Science & Engineering 7/2/20151

2 Cyber Crime Computer crime, or Cyber crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet. 7/2/20152

3 Overview of Presentation Why is Evidence identification and Preservation required? Who benefits from Computer Forensics? General Types of Forensic Examinations requested. Process of Forensics. Tools of the trade. What is the Examiner looking for? 7/2/20153

4 Why is Evidence important? In the legal world, Evidence is EVERYTHING. Evidence is used to establish facts. The Forensic Examiner is not biased. 7/2/20154

5 Who needs Computer Forensics? The Vicitm! Law Enforcement Insurance Carriers Ultimately the Legal System 7/2/20155

6 Who are the Victims? Private Business Government Private Individuals 7/2/20156

7 Cybercrime Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)". Such crimes may threaten a nation’s security and financial health Ex. Cracking, Copyright Infringement, Loss or interception of Confidential Information etc. 7/2/20157

8 Computer Forensics Is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. 7/2/20158

9 Digital Forensics Goal – Computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. – Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of cyber law. 7/2/20159

10 Digital Forensics Used for various purposes – Investigating Cyber Crimes – Internal Policy Violations – Reconstructing Computer Security Incidents – Troubleshooting Operational problems – Recovering from accidental system damage 7/2/201510

11 Some litigations Civil Matters Breach of Contract Asset recovery Breach of Confidence Breach of securities industry legislation and regulation and /or Companies Acts Employee disputes Copyright and other intellectual property disputes Consumer Protection law obligations (and other examples of no-fault liability) Data Protection law legislation 7/2/201511

12 Criminal Matters Theft Acts, including deception Criminal Damage Demanding money with menaces Companies Law, Securities Industry and banking offences Criminal offences concerned with copyright and intellectual property Drug offences Trading standards offences Official Secrets Computer Misuse Act offences 7/2/201512

13 Phases involved in examination Collection Identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data. Examination using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data Analysis Analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information Reporting Reporting the results of the analysis 7/2/201513

14 Investigators use a variety of techniques and proprietary software forensic applications to examine the copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation 7/2/201514

15 Computer Forensic Analysis and Incident Response will help to determine – How did the breach occur? – What systems were compromised? – What did they take? What did they change? – How do we remediate the incident? Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise scanning methodologies in order to identify, track and contain advanced adversaries, and remediate incidents. 7/2/201515

16 Computer Forensics Methods (1) safe seizure of computer systems and files, to avoid contamination and/or interference safe collection of data and software safe and non-contaminating copying of disks and other data media reviewing and reporting on data media sourcing and reviewing of back-up and archived files recovery / reconstruction of deleted files - logical methods recovery of material from "swap" and "cache" files recovery of deleted / damaged files - physical methods 7/2/201516

17 Computer Forensics Methods (2) core-dump: collecting an image of the contents of the active memory of a computer at a particular time estimating if files have been used to generate forged output reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc. proving / testing of reports produced by complex client / server applications reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc. review of system / program documentation for: design methods, testing, audit, revisions, operations management. 7/2/201517

18 Computer Forensics Methods(3) reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc. identification and examination of audit trails identification and review of monitoring logs telecoms call path tracing (PTTs and telecoms utilities companies only) reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services) reviewing and assessment of access control services - quality of security management reviewing and assessment of encryption methods - resilience and implementation 7/2/201518

19 Computer Forensics Methods (4) setting up of pro-active monitoring in order to detect unauthorised or suspect activity monitoring of e-mail use of special "alarm" or "trace" programs use of "honey pots" inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc. use of routine search programs to examine the contents of a file use of purpose-written search programs to examine the contents of a file 7/2/201519

20 Computer Forensics Methods (5) reconciliation of multi-source files examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties event reconstruction complex computer intrusion complex fraud system failure disaster affecting computer driven machinery or process review of "expert" or rule-based systems reverse compilation of suspect code use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality 7/2/201520

21 Examination The Operating System Services Applications/processes Hardware LOGFILES! System, Security, and Application File System 7/2/201521

22 Examination Continued Deleted/Hidden Files/NTFS Streams Software Encryption Software Published Shares/Permissions Password Files SIDS Network Architecture/Trusted Relationships 7/2/201522

23 Off-Site Storage “X-Drives” FTP Links FTP Logs Shares on internal networks 7/2/201523

24 Toolkit requirements File Viewers Uncompressing Files Graphically Displaying Directory Structures Identifying Known Files Accessing File Metadata 7/2/201524

25 Protection Protect the integrity of the evidence. Maintain control until final disposition. Prior to Booting target computer, DISCONNECT HDD and verify CMOS. When Booting a machine for Analysis, utilize HD Lock software. 7/2/201525

26 Operating system Volatile Data vs. Non Volatile data Focus on Volatile Data – Contents of Memory - 3 rd party utilities – Network Configuration – ifconfig, ipconfig – Network Connections - netstat – Running Processes - ps – Open Files - lsof – Login Sessions – Operating System Time – date,time,nlsinfo 7/2/201526

27 File System File systems are designed to store files on media Deleted Files Slack Space Free Space - is the area on media that is not allocated to any partition; it includes unallocated clusters or blocks Data might be hidden is through Alternate Data Streams (ADS) within NTFS volumes - used to store unnamed stream Renaming the files with inappropriate extensions – File headers need to be analyzed to detect such attacks 7/2/201527

28 Network system Data Packet sniffers Wire shark Traffic analyzer NAT 7/2/201528

29 Application Data Configuration Files Log files – Event log – Audit Log – Error log – Installation log – Debugging log Types of application – Local or client server or peer to peer – Web application Trusted or Malware analysis 7/2/201529

30 Log File Analysis Events. What Events are monitored? What do the event records reveal? Firewall/Router/Server log files? Modem/FTP/Telnet 7/2/201530

31 Memory Forensics effective at finding evidence of worms, rootkits, and advanced malware Identify Rogue Processes Analyze process DLLs and Handles Review Network Artifacts Look for Evidence of Code Injection Check for Signs of a Rootkit Acquire Suspicious Processes and Drivers – STUXNET – TDL3/ TDSS – Zeus/Zbot 7/2/201531

32 Dead-box and Live-box analysis Dead Box Analysis – Accessing and analyzing all the Non volatile Information Live Box Analysis - – Accessing and analyzing all the volatile Information fdpro.exe was used to create a physical memory from a Windows XP SP3 OS. 7/2/201532

33 Evidence Search Image Files Software applications Deleted Files Hidden Files Encrypted Files Hidden partitions Keyword Search Known Remote Access Tools 7/2/201533

34 Malicious code Investigators need to know if malicious code is running on a suspect’s machine. Physical memory analysis provides a new approach to detecting rootkits and malicious code. This capture shows HBGary Responder identifying a hidden kernel driver called msdirectx.sys. The process notepad.exe is hidden from the system 7/2/201534

35 Evidence Processing Guidelines New Technologies Inc. recommends following 16 steps in processing evidence They offer training on properly handling each step – Step 1: Shut down the computer Considerations must be given to volatile information Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) – Step 2: Document the Hardware Configuration of The System Note everything about the computer configuration prior to re-locating 7/2/201535

36 Evidence Processing Guidelines (cont) – Step 3: Transport the Computer System to A Secure Location Do not leave the computer unattended unless it is locked in a secure location – Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks – Step 5: Mathematically Authenticate Data on All Storage Devices Must be able to prove that you did not alter any of the evidence after the computer came into your possession – Step 6: Document the System Date and Time – Step 7: Make a List of Key Search Words – Step 8: Evaluate the Windows Swap File 7/2/201536

37 Evidence Processing Guidelines (cont) – Step 9: Evaluate File Slack File slack is a data storage area of which most computer users are unaware; a source of significant security leakage. – Step 10: Evaluate Unallocated Space (Erased Files) – Step 11: Search Files, File Slack and Unallocated Space for Key Words – Step 12: Document File Names, Dates and Times – Step 13: Identify File, Program and Storage Anomalies – Step 14: Evaluate Program Functionality – Step 15: Document Your Findings – Step 16: Retain Copies of Software Used 7/2/201537

38 7/2/201538

39 7/2/201539

40 7/2/201540

41 7/2/201541

42 7/2/201542

43 7/2/201543

44 7/2/201544

45 7/2/201545

46 NTFS Streams The Forensic ToolKit 1.4 from NT OBJECTives, Inc. Copyright(c)1998 NT OBJECTives, Inc. All Rights Reserved AFind - File access time finder SFind - Hidden data streams finder HFind - Hidden file finder 7/2/201546

47 Typical CBD Files 7/2/201547

48 Imaging Software 7/2/201548

49 7/2/201549

50 Security Identifers SIDS can be used to ID the perpetrator. Security is used within Win2K to ID a user. Security is applied to the SID. 7/2/201550

51 Where to find the SID 7/2/201551

52 7/2/201552

53 SID Structure Domain Identifier: All values in the series, excluding the last value ID the Domain. Relative Identifier (RID) is the last value. This ID’S the Account or Group S-1-5-21-838281932-1837309565- 1144153901-1000 7/2/201553

54 Users 7/2/201554

55 7/2/201555

56 7/2/201556

57 7/2/201557

58 7/2/201558

59 7/2/201559

60 7/2/201560

61 7/2/201561

62 7/2/201562

63 Documentation Document EVERYTHING Reason for Examination “The Scene” Utilize Screen Capture/Copy Suspected files All apps for Analysis/apps on Examined system. 7/2/201563

64 Thank You 7/2/201564

Download ppt "Forensic Analysis By Mrs. T. Hemalatha, Associate Professor Department of Computer Science & Engineering 7/2/20151."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
OC RIMS Cyber Safety & Security Incident Response.

OC RIMS Cyber Safety & Security Incident Response.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
2 Language of Computer Crime Investigation

2 Language of Computer Crime Investigation
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
Computer Forensics, The Investigators Persepective Paul T. Mobley Sr. Computer Forensics Consultant Jawz Inc.

Computer Forensics, The Investigators Persepective Paul T. Mobley Sr. Computer Forensics Consultant Jawz Inc.
Information Society Security Risks.  Attacks  Origin  Consequences RISKS...

Information Society Security Risks.  Attacks  Origin  Consequences RISKS...
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is.

What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is.
Network security policy: best practices

Network security policy: best practices
Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO.515020181-9.

Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:

Similar presentations

Ads by Google