Preserving And Recovering Digital Evidence
Introduction
• Digital Evidence – encompasses any and all digital data that
  can establish that a crime has been committed or can provide
  a link between a crime and its victim or a crime and its
  perpetrator.
• This presentation will explore collection, preservation
  and identification of digital evidence.
Overview
• Introduction to Intrusion Detection Systems
• The rules and guidelines surrounding the
  gathering and use of digital evidence.
• Digital evidence on the target machine.
• Digital evidence on the network.
Intrusion Detection
• A brief overview: intrusion detection systems collect information from
  a variety of system and network sources, then analyze the information
  for signs of intrusion and misuse.
Intrusion Detection
• Intrusion Detection – two types:
  - Host-Based
  - Network-Based
Intrusion Detection – Host-Based
• Host-based intrusion detection systems analyze data that originates on
  computers (hosts).
• Examines events such as which files are accessed and which applications
  were executed.
  - Logs are used to gather this data.
• Resides on every system and usually reports to a central command console.
• Uses signatures or predefined patterns that have been defined as
  suspicious by the security officer.
Intrusion Detection – Host-Based (cont.)
• Used primarily for detecting insider attacks.
  - For example, an employee who abuses their privileges, or students
    changing their grades.
• Audit policy
  - Defines which end-user actions will result in an event record being
    written to an event log, for example accesses of mission-critical files.
Intrusion Detection – Network-Based
• The system is used to analyze network packets.
• Used to detect access attempts and denial of service attempts
  originating outside the network.
• Consists of sensors deployed throughout a network.
• Sensors then report to a central command console.
Intrusion Detection – Network-Based (cont.)
• Uses packet content signatures.
  - Based on the contents of packets.
  - Patterns are detected in the headers and flow of traffic.
• Encryption of the traffic prevents detection of these patterns.
Digital Evidence vs. Physical Evidence
• It can be duplicated exactly, and a copy can be examined as if it were
  the original.
  - Examining a copy avoids the risk of damaging the original.
• With the right tools it is very easy to determine whether digital
  evidence has been modified or tampered with by comparing it with the
  original.
Digital Evidence vs. Physical Evidence
• It is relatively difficult to destroy.
• Even if it is “deleted,” digital evidence can be recovered.
• When criminals attempt to destroy digital evidence, copies can remain
  in places they were not aware of.
Collecting and Preserving Digital Evidence
• The focus of digital evidence is on the contents
  of the computer as opposed to hardware.
• Two kinds of copies:
  - Copy everything.
  - Just copy the information needed.
• When there is plenty of time and uncertainty
  about what is being sought, but a computer is
  suspected to contain key evidence, it makes
  sense to copy the entire contents.
Collecting and Preserving Digital Evidence
• When collecting the entire contents of a computer, the general concept
  is the same in most situations:
  - All related evidence should be taken out of RAM.
  - The computer should be shut down.
  - Document the hardware configuration of the system.
  - Document the time and date of the CMOS.
  - The computer should be booted using another operating system that
    bypasses the existing one and does not change data on the hard drive(s).
  - A copy of the digital evidence from the hard drive(s) should be made.
Collecting and Preserving Digital Evidence
• When collecting the entire contents of a computer, a bit
  stream copy of the digital evidence is usually desirable.
• In short, a bit stream copy copies what is in slack space and
  unallocated space, whereas a regular copy does not.
Agenda for Duplication and Preservation of Evidence
• Make bit stream back-ups of hard disks and floppy disks.
  Tools to accomplish this:
  - EnCase
  - dd
  - ByteBack
  - SafeBack
• Note the tool used: when making the bit stream image, note and document
  how the image was created. Also note the date, time, and the examiner.
Empirical Law
• Empirical Law of Digital Collection and
  Preservation:
• If you only make one copy of digital evidence,
  that evidence will be damaged or completely lost.
Computer Image Verification
• At least two copies are taken of the evidential
  computer.
• One of these is sealed in the presence of the
   computer owner and then placed in secure storage.
• This is the master copy and it will only be
   opened for examination under instruction from
   the Court in the event of a challenge to the
   evidence presented after forensic analysis on
   the second copy.
It is important to locate and recover all graphics files on a drive and
determine which ones are pertinent to your case.
  • Because these files aren’t always stored in standard
    graphics file formats, we should examine all files our
    computer forensics tools find, even if they aren’t
    identified as graphics files.
  • A graphic file contains a header with instructions for
    displaying the image.
  • Each type of graphics file has its own header that helps to
    identify the file format.
  • Because the header is complex and difficult to remember,
    we can compare a known good file header with that of a
    suspect file.
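The header comparison described above, worked through as an added example that is not from the original slides: a small table of known-good headers is checked against every recovered file regardless of its extension, so a graphic renamed to .txt or a file whose header no longer matches its claimed format is flagged. The sample files and the (non-exhaustive) signature table are constructed for the demo.

```python
from typing import Dict, List, Optional, Tuple

# Known-good headers (magic bytes) for common graphics formats, the way a
# forensic tool keeps them: (format, offset within the file, expected bytes).
KNOWN_HEADERS: List[Tuple[str, int, bytes]] = [
    ("JPEG", 0, b"\xff\xd8\xff"),
    ("PNG",  0, b"\x89PNG\r\n\x1a\n"),
    ("GIF",  0, b"GIF87a"),
    ("GIF",  0, b"GIF89a"),
    ("BMP",  0, b"BM"),
    ("TIFF", 0, b"II*\x00"),   # little-endian TIFF
    ("TIFF", 0, b"MM\x00*"),   # big-endian TIFF
]

# What a file name claims to be, by extension.
EXTENSION_TO_FORMAT = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".gif": "GIF",
    ".bmp": "BMP", ".tif": "TIFF", ".tiff": "TIFF",
}


def identify_by_header(data: bytes) -> Optional[str]:
    """Compare the first bytes of data with each known-good header and
    return the matching format, or None when no graphics header matches."""
    for fmt, offset, magic in KNOWN_HEADERS:
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def format_from_name(filename: str) -> Optional[str]:
    """The format the file name claims, based on its extension (or None)."""
    dot = filename.rfind(".")
    if dot == -1:
        return None
    return EXTENSION_TO_FORMAT.get(filename[dot:].lower())


def classify(filename: str, data: bytes) -> str:
    """Combine the name-based claim with the header-based identification."""
    claimed = format_from_name(filename)
    actual = identify_by_header(data)
    if actual is None and claimed is None:
        return "no graphics header"
    if actual is None:
        return "claims %s but header not recognised (damaged or altered?)" % claimed
    if claimed is None:
        return "%s header behind a non-graphics name" % actual
    if claimed != actual:
        return "named %s but header is %s" % (claimed, actual)
    return "ok (%s)" % actual


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Run the header check over every recovered file, not only those the
    extension marks as graphics."""
    return {name: classify(name, data) for name, data in files.items()}


def hex_header(data: bytes, n: int = 8) -> str:
    """Hex view of the first n bytes, as an examiner eyeballs a header."""
    return " ".join("%02x" % b for b in data[:n])


# Constructed sample files (headers plus padding); not real evidence.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "notes.txt":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG hidden as text
    "invoice.dat":  b"GIF89a" + b"\x00" * 10,             # GIF with odd extension
    "photo.png":    b"\xff\xd8\xff\xe1" + b"\x00" * 12,   # JPEG renamed to .png
    "readme.md":    b"# readme\n",
    "banner.gif":   b"\x00\x00\x00\x00GIF89a",            # header pushed off offset 0
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print("%-14s %-26s %s" % (name, hex_header(SAMPLE_FILES[name]), verdict))
```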
Collecting and Preserving Digital Evidence
• Collecting evidence out of RAM on a Unix machine is not a simple task.
• The ‘ps’ command is used to list the programs a machine is running, but
  one must specify that one wants to see all the processes:
• “ps -aux”
Collecting and Preserving Digital Evidence
• Some types of Unix allow one to save and view the contents of RAM that
  is associated with a particular program using the “gcore” program.
• There are also programs that list the files and sockets a particular
  program has open – “lsof”.
• Investigators can use the “dd” command to make a bit stream backup.
Collecting and Preserving Digital Evidence
• Whenever digital evidence is copied onto a floppy disk, compact disk,
  tape or any other form of storage media, an indelible felt-tipped pen
  should be used to label it with the following information:
  - Current date and time and the date/time on the computer (any
    discrepancy should be noted).
  - The initials of the person who made the copy.
  - The name of the operating system.
  - The program(s) and/or command(s) used to copy the files.
    - Retain copies of software used.
  - The information believed to be contained in the files.
Collecting and Preserving Digital Evidence
• Once the evidence has been collected, it is important to ensure its
  integrity.
How To Handle Digital Evidence
Steps to guide the responder in handling the digital evidence at an
electronic crime scene:
3. Recognize, identify, seize, and secure all digital evidence at the scene.
4. Document the entire scene and the specific location of the evidence found.
5. Collect, label, and preserve the digital evidence.
6. Package and transport digital evidence in a secure manner.
The Primary Steps to Conduct a Forensic Investigation
Step 1: Isolate the System and Data
• Collect information by interviewing all system administrators and
  anyone else who might have come into contact with the system.
The Primary Steps to Conduct a Forensic Investigation
Step 2: Collect Non-Technical Information
• The purpose of this step is to ensure that the required minimum
  information is recorded in paper note form, such as developing a
  timeline of events. The premise here is to start a log book using a
  fresh pad of paper to gather information from the system administration
  staff and any other persons involved.
The Primary Steps to Conduct a Forensic Investigation
Step 3: Preserve Evidence and Create Copies for Analysis
• Memory and /proc.
• Create a duplicate of the system.
• Validate copies.
The Primary Steps to Conduct a Forensic Investigation
Step 4: Prepare for an Analysis
• At this point, the information collected in the preceding steps is
  ready for inspection.
• The following steps can also be performed by a third party or at
  another physical location.
The Primary Steps to Conduct a Forensic Investigation
Step 5: Perform the Analysis
• The purpose of the analysis step is to determine whether a compromise
  has occurred, what exactly was damaged, and to obtain any evidence
  indicating who the culprit(s) might be, as well as the methods they
  used to attack the system.
• Tools are needed to complete the analysis phase.
The Primary Steps to Conduct a Forensic Investigation
Step 6: Perform Recovery
• The recovery effort that follows the forensic analysis is a standard
  process that should be defined by your organization.
The Primary Steps to Conduct a Forensic Investigation
How to acquire data from removable media?
1. Document the scene. Use a static-proof container and label the
   container with:
   a. Type of media
   b. Where the media was found
   c. Type of reader required for the media
2. Transport directly to the lab.
3. Do not leave any media in a hot vehicle or environment.
4. Store media in a secure and organized area.
5. Once at the lab, make a working copy of the drive:
   a. Make sure the media is write-protected.
   b. Make a hash of the original drive and the duplicate.
   c. Make a copy of the duplicate to work from.
   d. Store the original media in a secure location.
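The bit stream copy versus regular copy distinction, the two-copy image verification, and step 5b above (hash the original and the duplicate), worked through as an added example that is not from the original slides. The toy disk layout (a one-line directory sector, a live file, slack and an unallocated remnant) is invented for the demo and does not follow any real filesystem.

```python
import hashlib
from typing import Dict

SECTOR = 64        # constructed: bytes per sector on the toy disk
SECTORS = 8        # constructed: the toy disk has 8 sectors

LIVE_FILE = b"quarterly report: revenue up 4%"        # allocated, listed in the directory
SLACK_REMNANT = b"old vpn password: hunter2"          # slack: in the file's cluster, past its length
DELETED_REMNANT = b"deleted memo: merger terms, draft 3"  # unallocated: a deleted file's bytes


def build_disk() -> bytes:
    """Lay out the toy disk. Sector 0 is the directory; the live file owns a
    two-sector cluster (sectors 1-2) but uses only part of sector 1; the
    remains of a deleted file sit in unallocated sector 3. Invented layout."""
    disk = bytearray(SECTOR * SECTORS)
    entry = b"report.txt,1,%d" % len(LIVE_FILE)        # name,start sector,length
    disk[0:len(entry)] = entry
    disk[SECTOR:SECTOR + len(LIVE_FILE)] = LIVE_FILE
    disk[2 * SECTOR:2 * SECTOR + len(SLACK_REMNANT)] = SLACK_REMNANT
    disk[3 * SECTOR:3 * SECTOR + len(DELETED_REMNANT)] = DELETED_REMNANT
    return bytes(disk)


def logical_copy(disk: bytes) -> Dict[str, bytes]:
    """'Regular' copy: follow the directory and copy exactly the bytes each
    allocated file claims. Slack and unallocated sectors are never read."""
    name, start, length = disk[:SECTOR].rstrip(b"\0").split(b",")
    offset = int(start) * SECTOR
    return {name.decode(): disk[offset:offset + int(length)]}


def bitstream_copy(disk: bytes, block: int = SECTOR) -> bytes:
    """Bit stream copy: read every block in order, as dd does, so slack
    space and unallocated space are carried into the image unchanged."""
    image = bytearray()
    for offset in range(0, len(disk), block):
        image += disk[offset:offset + block]
    return bytes(image)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_images(original: bytes, *images: bytes) -> bool:
    """Hash the original and every duplicate (two copies, per the slides);
    all digests must agree before a copy is used as the working copy."""
    reference = sha256(original)
    return all(sha256(img) == reference for img in images)


if __name__ == "__main__":
    disk = build_disk()
    regular = b"".join(logical_copy(disk).values())
    image_a, image_b = bitstream_copy(disk), bitstream_copy(disk)
    print("regular copy holds deleted data:    ", DELETED_REMNANT in regular)
    print("bit stream image holds deleted data:", DELETED_REMNANT in image_a)
    print("bit stream image holds slack data:  ", SLACK_REMNANT in image_a)
    print("master and working copies verify:   ", verify_images(disk, image_a, image_b))
    tampered = image_b[:-1] + b"\x01"   # one altered byte is enough to fail the hash check
    print("tampered copy verifies:             ", verify_images(disk, tampered))
```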
