2 Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University, University Park, PA 16802
chu@ist.psu.edu

Search and Analysis (8/24/06)
Learning by Doing: Theory and Practice

3 Computer Forensics Procedure: The Defensible Approach

Five phases, each of which is documented as it is performed:

- Documentation: verify legal authority (search warrants); photograph the scene; record location, date, time and witnesses; record system information and status; log the physical evidence collected.
- Acquisition: forensically wipe the destination storage drive; take a bit-stream image of the source media; document the process.
- Authentication: maintain the chain of custody; verify the image by hash (the slide lists CRC / MD5 / SHA-1); document the process.
- Analysis: retain the integrity of the evidence; filter out irrelevant data; establish what could or could not have happened; be objective and unbiased; document the process.
- Presentation: interpret and report; present and defend the findings.

A practical note on the hash step: a CRC is an error-detection checksum, not a cryptographic hash, and collisions have since been demonstrated for both MD5 and SHA-1. Current practice is to record SHA-256 of the source and of the image (often alongside MD5 for tool compatibility) and to verify that the two agree before analysis begins.

4 Steps in Forensic Examination

1. Verify legal authority: search warrant; scope of the search.
2. Collect preliminary data.
3. Determine the environment for the investigation: on or off site?
4. Secure and transport evidence: document the evidence, tag it, bag it, transport it.
5. Acquire the evidence.
6. Examine and analyze the evidence.
7. Report on the investigation.
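The acquisition and authentication steps of slides 3 and 4 (bit-stream imaging, hash verification, chain of custody) carried out in code. This is an added example for this transcript, not a tool from the lecture: it copies a source device block by block the way dd does, hashes the stream while copying, re-reads the finished image independently to verify the hashes, and writes a chain-of-custody record. The "device" is a constructed temporary file of random bytes standing in for a real block device; the examiner and case identifiers are placeholders.

```python
"""Bit-stream imaging with hash verification and a chain-of-custody record.

Added example, not the lecture's own code. The source "device" below is a
constructed temporary file standing in for something like /dev/sdX.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB reads, as with dd bs=1M


def hash_stream(path, block_size=BLOCK_SIZE):
    """Return {'md5': ..., 'sha256': ...} over the whole file or device."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def image_device(source, image_path, examiner, case_id, block_size=BLOCK_SIZE):
    """Copy `source` to `image_path` bit for bit, hashing while copying.

    The written image is then re-read and hashed independently; if the two
    digests differ the acquisition is not authenticated and an error is
    raised. Returns the chain-of-custody record, also saved as <image>.json.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    total = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    acquired = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    verified = hash_stream(image_path, block_size)  # independent re-read
    if verified != acquired:
        raise RuntimeError("image hash mismatch: acquisition is not authenticated")
    record = {
        "case_id": case_id,            # placeholder identifiers
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "bytes": total,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_hash": acquired,
        "verification_hash": verified,
    }
    with open(image_path + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def make_fake_device(size=3 * BLOCK_SIZE + 12345):
    """Constructed stand-in for a physical drive: random bytes, odd size."""
    fd, path = tempfile.mkstemp(suffix=".dev")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    return path


if __name__ == "__main__":
    dev = make_fake_device()
    rec = image_device(dev, dev + ".dd", examiner="examiner-placeholder", case_id="CASE-0000")
    print(json.dumps(rec, indent=2))
```

On a real acquisition the source sits behind a hardware write blocker, and read errors on damaged media are handled explicitly (dd's conv=noerror,sync pads unreadable blocks with zeros; ddrescue retries them); this example assumes a clean read. The point of the independent re-read is that the hash computed during copying only proves what was read, while the re-read proves what was written.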

5 Effective Data Searches

- Interview members of the IT staff to learn how and where data has been stored, if applicable.
- Confirm or define the objective of the investigation.
- Identify the relevant time periods and the scope of the data to be searched.
- Identify the relevant types of data.
- Identify search terms for data filtering, particularly words, names, or unique phrases that help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process.
- Find out usernames and passwords for network and e-mail accounts, to the extent possible.
- Check for other computers or devices that might contain relevant evidence.

6 Data Types to be Searched

- Active data: the information readily available and accessible to users via the file manager.
- Deleted files.
- Hidden, encrypted, and password-protected files.
- Automatically stored data.
- E-mail and instant messages.
- Background information: computer and network logs, caches, cookies.
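Search terms from slide 5 applied across the data types of slide 6, as an added example that is not part of the lecture. A raw search over the whole image reaches active data, deleted files and unallocated space alike; the two details a practitioner wants are that Windows applications commonly store text as UTF-16LE (an ASCII-only grep misses those hits) and that every hit should be attributed to the file owning that region or to unallocated space. The image and its allocation map are constructed here; a real examination would take the map from the file system metadata (for example via The Sleuth Kit).

```python
"""Keyword search over a raw image in ASCII and UTF-16LE, attributing hits.

Added example, not the lecture's own code. The image and the allocation
map below are constructed; the map plays the role file system metadata
would play on a real image.
"""
import re


def ascii_pattern(term):
    """Case-insensitive byte pattern for the term as 8-bit text."""
    return re.compile(re.escape(term.encode("ascii")), re.IGNORECASE)


def utf16le_pattern(term):
    """Case-insensitive byte pattern for the term as UTF-16LE (ASCII letters)."""
    parts = []
    for ch in term:
        if ch.isascii() and ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode("utf-16-le")))
    return re.compile(b"".join(parts))


def area_of(offset, allocated):
    """Name of the allocated file covering `offset`, else 'unallocated'."""
    for start, end, name in allocated:
        if start <= offset < end:
            return name
    return "unallocated"


def printable(raw):
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def search_image(data, terms, allocated, context=16):
    """Return hits sorted by offset: term, encoding, offset, area, context."""
    hits = []
    for term in terms:
        for encoding, pattern in (("ascii", ascii_pattern(term)),
                                  ("utf-16le", utf16le_pattern(term))):
            for m in pattern.finditer(data):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append({
                    "term": term,
                    "encoding": encoding,
                    "offset": m.start(),
                    "area": area_of(m.start(), allocated),
                    "context": printable(data[lo:hi]),
                })
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed 20 KiB 'image' with a crude allocation map (not a real FS).

    4 KiB blocks: [0] metadata, [1] memo.txt, [2] notes.docx (UTF-16LE text),
    [3] unallocated with a deleted-draft remnant, [4] unallocated zeros.
    """
    img = bytearray(5 * 4096)
    memo = b"Quarterly memo.\nPlease approve the WIRE TRANSFER to the new vendor.\n"
    img[4096:4096 + len(memo)] = memo
    notes = "Meeting with Acme Corp on Friday".encode("utf-16-le")
    img[8192:8192 + len(notes)] = notes
    remnant = b"deleted draft: acme corp account 4471"
    img[12388:12388 + len(remnant)] = remnant
    allocated = [(4096, 8192, "memo.txt"), (8192, 12288, "notes.docx")]
    return bytes(img), allocated


if __name__ == "__main__":
    image, alloc = build_sample_image()
    for hit in search_image(image, ["wire transfer", "Acme Corp"], alloc):
        print(f"{hit['offset']:8d} {hit['encoding']:9} {hit['area']:12} {hit['context']}")
```

The UTF-16LE hit in notes.docx and the remnant in unallocated space are exactly what the "deleted files" and "hidden" entries of slide 6 are about; a search that only looked at active files with an ASCII grep would report one of the three hits.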

7 Acquiring Volatile Data

Data held in temporary storage in the system's memory is called volatile data. That memory depends on electrical power: when the power is removed its contents are lost, so volatile data must be collected from the live system, most volatile first.

Order of volatility (the ordering given in RFC 3227, which continues past disk to remote logging data, physical configuration and archival media):
- Registers and cache
- Routing tables, ARP cache, process tables, kernel statistics
- Contents of system memory
- Temporary file systems
- Data on disk

8 Acquiring Volatile Data: Commands

- netstat -an: active connections and listening ports; netstat -rn: routing table
- lsof: open files and sockets (Unix/Linux)
- ifconfig (Unix/Linux) and ipconfig (Windows): network interface configuration
- pslist (Windows, Sysinternals): running processes
- nbtstat (Windows): NetBIOS name cache and sessions
- top (Unix/Linux) and prstat (Solaris): process activity
- arp -a: ARP cache

Run these from known-good binaries (a response CD or USB drive) rather than the copies on the suspect host, since a compromised system may carry trojaned tools, and record each command's output with a timestamp and a hash. Every command run on the live system changes its state, so note what was run and in what order.
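A collection runner that executes the slide 8 commands in the slide 7 order of volatility, added here as an example and not a tool from the lecture. Each command runs with a timeout, its output is written with a header (host, command line, UTC start time, exit status), and every output file is hashed into a manifest as it is produced; commands absent from the host are recorded as skipped rather than silently dropped. The step list is an assumption for a Unix-like host, with Windows equivalents noted in comments; capturing the contents of system memory needs a dedicated tool and is deliberately not attempted here.

```python
"""Volatile data collection in order of volatility, with a hashed manifest.

Added example, not the lecture's own tool. UNIX_STEPS is an assumed list for a
Unix-like host; memory capture is left to a dedicated tool.
"""
import hashlib
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first; Windows equivalents in comments.
UNIX_STEPS = [
    ("01-clock", ["date", "-u"]),                # baseline for every timestamp below
    ("02-arp-cache", ["arp", "-a"]),
    ("03-routing-table", ["netstat", "-rn"]),    # Windows: route print
    ("04-connections", ["netstat", "-an"]),
    ("05-open-files", ["lsof", "-n", "-P"]),     # Windows: handle.exe (Sysinternals)
    ("06-processes", ["ps", "-ef"]),             # Windows: pslist
    ("07-interfaces", ["ifconfig", "-a"]),       # Windows: ipconfig /all
    ("08-mounts", ["mount"]),                    # temporary file systems, before disk
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def new_evidence_dir(prefix="volatile-"):
    """Fresh, empty evidence directory under the system temp dir."""
    return tempfile.mkdtemp(prefix=prefix)


def run_step(evidence_dir, name, argv, timeout=60):
    """Run one command; store header + output; return a manifest entry."""
    out = Path(evidence_dir) / f"{name}.txt"
    header = [f"# host: {platform.node()}",
              f"# command: {' '.join(argv)}",
              f"# started_utc: {datetime.now(timezone.utc).isoformat()}"]
    exe = shutil.which(argv[0])
    if exe is None:
        body, status = "", "skipped: command not present on this host"
    else:
        try:
            proc = subprocess.run([exe] + argv[1:], capture_output=True, text=True,
                                  errors="replace", timeout=timeout)
            body, status = proc.stdout + proc.stderr, f"exit {proc.returncode}"
        except subprocess.TimeoutExpired:
            body, status = "", f"timeout after {timeout}s"
    out.write_text("\n".join(header + [f"# status: {status}", ""]) + body)
    return {"file": out.name, "status": status, "sha256": sha256_file(out)}


def collect_volatile(evidence_dir, steps=UNIX_STEPS):
    """Run all steps in order, write MANIFEST.sha256, return the entries."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = [run_step(evidence_dir, name, argv) for name, argv in steps]
    manifest = evidence_dir / "MANIFEST.sha256"
    manifest.write_text("".join(f"{e['sha256']}  {e['file']}\n" for e in entries))
    return entries


def verify_manifest(evidence_dir):
    """Re-hash every file named in the manifest; True if nothing changed."""
    manifest = Path(evidence_dir) / "MANIFEST.sha256"
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        if sha256_file(Path(evidence_dir) / name) != digest:
            return False
    return True


if __name__ == "__main__":
    target = new_evidence_dir()
    for entry in collect_volatile(target):
        print(f"{entry['file']:22} {entry['status']}")
    print("evidence in", target, "manifest verifies:", verify_manifest(target))
```

The manifest is what makes the collection defensible later: a reviewer can re-hash the files and confirm nothing in the evidence directory changed after collection. Output goes to a directory on removable media in practice, never to the suspect disk, since writing there overwrites unallocated space that slide 10 will want to examine.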

9 Structure of EnCase

10 Logical Examination Pyramid

From the foundation upward, in increasing degree of complexity and difficulty:

1. Investigation foundation: file system details, directory structure, operating system norms, partition information, and other operating systems present.
2. Hash analysis, file header/extension analysis, and obvious files of interest.
3. Password-protected, encrypted, compressed, and link files.
4. Unallocated space and file slack.

(The original figure's axes are "Data for analysis" and "Degree of complexity and difficulty".)

11 The Art of File Analysis

- File contents
- Metadata
- Application files
- Operating system file types
- Directory / folder structure
- Patterns
- User configurations
- Time frame analysis:
  - Creation date/time
  - Modified date/time
  - Accessed date/time
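The second pyramid layer of slide 10 (hash analysis, file header/extension analysis, obvious files of interest) combined with the time frame analysis of slide 11, as an added example that is not part of the lecture. It walks a directory, drops files whose SHA-256 is in a known-good hash set (the role the NSRL reference set plays in practice), compares each file's leading bytes with what its extension claims, and flags files modified inside the investigation's time window. The sample tree, the known-good set and the time window are all constructed inline.

```python
"""File triage: hash filtering, header/extension mismatch, time frame.

Added example, not the lecture's own code. The sample tree, the known-good
hash set and the time window are constructed here.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Leading bytes -> extensions that legitimately carry them.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "sys"}),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def header_type(path):
    """Extensions implied by the file header, or None if the header is unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, exts in MAGIC:
        if head.startswith(magic):
            return exts
    return None


def mac_times(path):
    """Modified / accessed / changed times as aware UTC datetimes.

    st_ctime is the inode change time on Unix but the creation time on
    Windows; treat the 'created' column of any tool with that in mind.
    """
    st = os.stat(path)

    def utc(t):
        return datetime.fromtimestamp(t, timezone.utc)

    return {"modified": utc(st.st_mtime), "accessed": utc(st.st_atime), "changed": utc(st.st_ctime)}


def triage(root, known_hashes, window_start, window_end):
    """Return findings for every file not in the known-good set, with flags."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in known_hashes:
            continue  # known-good file: filtered out of the review set
        flags = []
        ext = path.suffix.lower().lstrip(".")
        exts = header_type(path)
        if exts is not None and ext not in exts:
            flags.append(f"header says {'/'.join(sorted(exts))}, extension is .{ext or '(none)'}")
        times = mac_times(path)
        if window_start <= times["modified"] <= window_end:
            flags.append("modified inside time window")
        findings.append({"path": str(path.relative_to(root)), "sha256": digest,
                         "modified": times["modified"], "flags": flags})
    return findings


def build_sample_tree():
    """Constructed tree: a known-good file, a real JPEG, an EXE named .pdf, an old log."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "readme.txt").write_bytes(b"system readme\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # executable posing as PDF
    (root / "old.log").write_bytes(b"nothing to see\n")
    old = datetime(2006, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(root / "old.log", (old, old))                              # outside the window
    known = {sha256_file(root / "readme.txt")}
    now = datetime.now(timezone.utc)
    window = (now - timedelta(days=1), now + timedelta(days=1))
    return root, known, window


if __name__ == "__main__":
    root, known, window = build_sample_tree()
    for f in triage(root, known, *window):
        print(f"{f['path']:14} {f['modified']:%Y-%m-%d}  {'; '.join(f['flags']) or '-'}")
```

Timestamps are only as trustworthy as the clock that set them; slide 8's first step of recording the system clock is what lets a drifted or deliberately altered clock be corrected for during time frame analysis.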

12 The Art of Data Hiding Analysis

- Password-protected files
- Compressed files
- Compressed files with password protection
- Encrypted files
- Steganography
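Two checks for the first four items of slide 12, added here as an example that is not from the lecture. Shannon entropy separates plain text from compressed or encrypted content, with the caveat that both of the latter sit near 8 bits per byte, so high entropy says "not plaintext" rather than which of the two it is. For ZIP archives, which also back .docx, .xlsx and .jar files, the local file header carries a general-purpose flag whose bit 0 means the member is encrypted; parsing that bit identifies password-protected members without trying to open them. The samples are constructed inline, including an archive whose encryption bit is set by hand, since the standard library cannot write encrypted ZIPs; the random-byte sample stands in for ciphertext.

```python
"""Data hiding triage: entropy scoring and password-protected ZIP detection.

Added example, not the lecture's own code. All samples are constructed here;
os.urandom output stands in for an encrypted file.
"""
import io
import math
import os
import struct
import zipfile
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(data):
    """Coarse label from entropy; thresholds are assumptions, not standards."""
    h = shannon_entropy(data)
    if h < 5.0:
        return "plaintext-like"
    if h < 7.5:
        return "structured/mixed"
    return "compressed-or-encrypted"


def zip_entries(data):
    """Walk ZIP local file headers; return [(name, encrypted, method)].

    Header layout after the PK\\x03\\x04 signature: version(2) flags(2)
    method(2) time(2) date(2) crc(4) csize(4) usize(4) namelen(2) extralen(2).
    Flag bit 0 = encrypted; method 8 = deflate, 0 = stored.
    """
    entries = []
    pos = data.find(b"PK\x03\x04")
    while pos >= 0:
        (_ver, flags, method, _t, _d, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001), method))
        pos = data.find(b"PK\x03\x04", pos + 30 + nlen + xlen + csize)
    return entries


def build_samples():
    """Constructed inputs: text, its deflate stream, random bytes, two ZIPs."""
    text = "".join(f"record {i}: user{i % 7} logged in from host{i % 13}\n"
                   for i in range(400)).encode()
    random_like = os.urandom(4096)  # stand-in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", text)
        zf.writestr("secret.txt", text)
    plain_zip = buf.getvalue()
    # Mark the second member as encrypted by setting flag bit 0 in its local
    # header (the stdlib cannot write encrypted archives, so this is done by hand).
    with zipfile.ZipFile(io.BytesIO(plain_zip)) as zf:
        second = zf.getinfo("secret.txt").header_offset
    locked = bytearray(plain_zip)
    flags = struct.unpack_from("<H", locked, second + 6)[0]
    struct.pack_into("<H", locked, second + 6, flags | 0x0001)
    return {"text": text, "compressed": zlib.compress(text, 9), "random": random_like,
            "plain_zip": plain_zip, "locked_zip": bytes(locked)}


if __name__ == "__main__":
    s = build_samples()
    for label in ("text", "compressed", "random"):
        print(f"{label:11} {shannon_entropy(s[label]):.2f} bits/byte -> {classify(s[label])}")
    for label in ("plain_zip", "locked_zip"):
        print(label, zip_entries(s[label]))
```

Steganography, the last item on the slide, gets no such cheap check: a carrier file with an embedded payload is still a valid image or audio file with ordinary entropy, which is exactly why it is listed separately from the other four.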

13 Common Cyber Criminal Tools

- Nuker: software used by intruders to destroy system log trails.
- Anonymous remailers: tools used by intruders to mask their identities. These services receive mail and re-send it with the original (actual) source address of the sender replaced by the address of the remailer machine.
- Password cracker: software used to recover passwords from password files (which store password hashes, not the passwords themselves) that are often stolen from a victim's network server.
- Scanner: software used to identify services that are running on a network so that those services can be exploited to gain unauthorized access to the network.
- Spoofer: software used to forge the sender of an e-mail, impersonating someone else to hide the identity of the actual sender.
- Steganography: the science of hiding messages in messages. The point is to hide the data, or the very existence of the message; that is, to hide the fact that the parties are communicating anything other than innocuous graphics or audio files. Steganography has been used by terrorists and intruders to spy, steal, or communicate information via electronic "dead drops," typically Web pages.
- Trojan horse: malicious software disguised as a legitimate computer file or program. Trojan horses are used to create backdoors into networks to gain unauthorized access.
