D marques digital forensics 101

DataRecoveryCenterCompany|AllRightsReserved.CorporatePresentation2012
David Marques 2012 | Todos os direitos reservados.
D a v i d M a r q u e s
E - m a i l : D M a r q u e s @ D R C . p t
Morada: Rua Alexandre Herculano, Edifício Central Park, 1 - Piso 7, 2795-242 Linda-a-Velha | Coordenadas GPS: 38o 43' 02.17'' N, 09o 14' 16.50'' O
Telefone: 707 200 017 | Telefone: (+351) 214 146 810 | Serviço de urgência: (+351) 964 944 112 | Fax: (+351) 214 146 819 |
Digital Forensics 101

26-Apr-13
Agenda | Digital Forensics 101
Tools & Training
Definitions
History
Portuguese Law
Branches & Methodologies
Future?
2

“Digital Forensics” (Computer Forensics)
Definition(Wikipédia): Digital forensics (sometimes
known as digital forensic science) is a branch of
forensic science encompassing the recovery and
investigation of material found in digital devices, often
in relation to computer crime. The term digital forensics
was originally used as a synonym for computer
forensics but has expanded to cover investigation of all
devices capable of storing digital data.
Definition
26-Apr-13 3
.: 3 :.

“Digital Forensics” (Computer
Forensics)
Applications:
• Support or refute a hypothesis before
criminal or civil court.
• Internal corporate investigations or intrusion
investigation
Definition
26-Apr-13 4
.: 4 :.

History
“Forensics”
Derived from the Latin forum and the
requirement to present both sides of a case
before the judges (or jury) appointed by the
praetor.
26-Apr-13 5

History
• 1248 – A Chinese treatise describes features
allowing to destinguish between drowning
and strangulation drawing on medical
knowledge
• 1609 – F. Demelle (France) publishes a treatise
on systematic document examination
• 1686 – M. Malpighi (Italy) noted fingerprint
characteristics
26-Apr-13 6

History
• 1810 – First documented case of document analysis
based on ink dyes.
• 1813 – M. Orfile (Spain) publishes a toxicology guide
• 1823 – J. Purkinje (Poland) publishes first systematic
classification of fingerprints
• 1835 – H. Goddard (UK) uses bullet comparison to
identify a murder weapon based on irregularities in a
bullet mould
26-Apr-13 7

History
26-Apr-13 8
• 1870 – Albert Bertillon
– First technician at La Surete Nacionale (Paris)
– Recorded criminals by photographs and body
measurements
– Took photographs of victims, measured
footprints, stains and tool marks
– Said that “no two human bodies were exactly
alike”

History
• 1910 – Edmond Locard
–Founded first Forensic Crime
Laboratory in Lyon
–Locard’s Exchange Principle: “Every
contact between individuals & objects
results in a transfer of material
between them”
9
26-Apr-13 926-Apr-13 9

History
• 1970s – First cases of crimes envolving computer
systems.
• On the first documented cases using magnetic
media and computers as evidence, they
attempted to transfer the “document” analogy to
the digital representations.
• The US FBI Laboratory started a formal
programme to examine computer based evidence
(CART – Computer Analysis and Response Team)
1026-Apr-13 1026-Apr-13 10

History
• 1989 – “Aids Diskette Case”
– 20.000 diskettes (supposed to contain medical
research) contained a trojan used for
blackmail, where shipped to medical clinics in 30
countries
– Evidence was collected, and shipped to New
Scotland Yard (using Interpol HQ (Lyon))
– Jim Bates, a programmer was asked to write a
imaging tool (DIBS – Data Image Backup System)
26-Apr-13 11

Portuguese Law
• n Types of Law
– Civil Law
– Criminal Law
– Commercial Law
– Copyright
– Intellectual Property Right
26-Apr-13 12

Portuguese Law
• n Types of Law
– Civil Law: Each one of the parties can present
evidence
– Criminal Law: State has to investigate and present
the evidence (Ministério Público)
26-Apr-13 13

Portuguese Law
26-Apr-13 1426-Apr-13 1426-Apr-13 14

Portuguese Law
• Jurisprudence: Previous decisions of courts on
certain interpretations of laws.
1526-Apr-13 1526-Apr-13 15

Legal
Mindset
Legal vs Technical
1626-Apr-13 1626-Apr-13 16

Legal
Judge
• It will not decide if IP is good or not to prove an
identity
• It will not decide if a port scan can leak
information
• He will decide if any law has been violated
• He will decide if someone is responsible for the
action he’s accused
1726-Apr-13 1726-Apr-13 17

Branches (Areas)
- Computer
- Mobile
- Network
- Software
- Video
- Audio
- Etc.
1826-Apr-13 1826-Apr-13 18

Digital Forensics
1926-Apr-13 1926-Apr-13 19

Digital Forensics
26-Apr-13 2026-Apr-13 2026-Apr-13 20

Why?
26-Apr-13 2126-Apr-13 21
.: 21 :.

Why?
26-Apr-13 2226-Apr-13 22
.: 22 :.

26-Apr-13
Why?
23
Exponential growth in security
incidents and cybercrime.
26-Apr-13 23

David Marques 2012 | Todos os direitos reservados.©David Marques 2012. Todos os direitos reservados.
• Digital evidence can be unique
and determinant for the resolution
of a dispute.
• Unique use of digital evidence
without compromising the integrity
of it.
26-Apr-13 24
Why?

26-Apr-13 25
Digital Evidence
26-Apr-13 25

26-Apr-13 26
Digital Evidence

26-Apr-13 27
Digital Evidence
1 2
4 3
Physical Logical
Logs Backups

26-Apr-13 28
Digital Evidence
Hashing

26-Apr-13 29
Methodology
26-Apr-13 29

Open Source
• Helix
• DEFT
• Sleuth Kit
• Autopsy
• Tons of others…
26-Apr-13 30
Tools

Closed Source
• Encase
• FTK
• X-Ways
• Paraben’s
• Some others…
26-Apr-13 31
Tools

Closed Source (Mobile)
• XRY
• Cellebrite UFED
• Oxygen Forensics
• Some others…
26-Apr-13 32
Tools

Open Source vs Closed Source
• Cost
• Command Line vs GUI
• Support quality and model
• Training plans
• Documentation (Manuals, etc…)
• Source code is available
• Acceptance in courts
26-Apr-13 33
Tools

Product Specific vs General
26-Apr-13 34
Training

Product Specific
• Encase
• FTK
• Paraben
• Cellebrite
• Other…
26-Apr-13 35
Training

General
• SANS (FOR408; FOR508; FOR526;
FOR610)
• EC Council (CHFI; CIH)
26-Apr-13 36
Training

• Cloud Storage
• Legal
• SSD
• Encryption
• Anti-Forensics
• Standards and Procedures
• Accreditation
26-Apr-13 37
Future

Q & A
Thanks!
David Marques
dmarques@drc.pt
www.drc.pt
26-Apr-13 38

D marques digital forensics 101

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (13)

Similar a D marques digital forensics 101

Similar a D marques digital forensics 101 (20)

Último

Último (20)

D marques digital forensics 101