Recomendados
Recomendados
Más contenido relacionado
Similar a PRESENTATIONWBJA-1.ppt
Similar a PRESENTATIONWBJA-1.ppt (20)
Último
Último (20)
PRESENTATIONWBJA-1.ppt
- 1. CYBER FORENSIC K. B. JENA ASSTT. DIRECTOR & SCIENTIST ‘C’ CFSL, KOLKATA
- 2. DOCUMENT FORENSIC TO DIGITAL DOCUMENT FORENSIC • PRESENCE OF SCANNED AND PRINTED DOCUMENTS DURING EXAMINATION OF FORENSIC DOCUMENTS. • EXAMINATION OF COMPUTERS CONTAINING DIGITAL COPY THOUGHT TO BE A WAY TO FIX RESPONSIBILITY. *first case of computer forensic was taken up in the year 2004
- 3. TYPE OF CASES EXAMINED AROUND 2008-10 • THEFT OF DESIGNS AND CUSTORMES LIST BY PARTNERS/ EMPOYESS WHILE LEAVING COMPANY AND OFFERING LOW PRICE TO EXISTING CUSTOMERS FROM OLD COMPANY EMAIL. • THREATNING EMAIL. • CUSTOMERS DUPED BY TRAVELLING AGENCY FOR FOREIGN TOUR. • FLIGHT/ RAIL TICKETS PURCHASED ONLINE BY CREDIT CARD DETAILS OF OTHERS • *20-25 cases in year
- 4. CHANGE IN NATURE OF CASES IN 2011-2013 • Cases related to fake account in social site(orkut, facebook, skype, twitter) • Terrorist communications by internet • Computers used for transaction of fictitious companies online/ offline. • Data of national interest leaked vide internet. • Online circulation Of defamatory material. • Mobile communication by sms/ mms/voice recording/ still and video recording * 150 cases per year
- 5. Elaborate planning, more details and diverse tools requirement for examination. *210 cases received
- 6. 2014-15 • mobile used as communication for all social network and email activities. • Laptop replaced desktops. • Laptop size grew smaller • Request for CCTV footages increased. • New applications/ apps on mobile for social networking (whatsapp, viber, line) • Apps for financial transaction/ banking /billing. • Server examination requirements
- 7. Seizure of digital evidence • Why they are called best practices. • Practices differ(depends on working environment). • Need to adopt a Guideline. • Stringent or Diverse. • Need to Document.
- 8. CHAIN OF CUSTODY of computer evidence • Physical(sl. No, IMEI) • Digital(Hash value)
- 9. SCENE OF CRIME • WHEN DESKTOP COMPUTER IS OFF • WHEN DESKTOP COMPUTER IS ON • ANY HARD DISK INSIDE? • WHEN LAPTOP COMPUTER IS ON? • WHEN LAPTOP COMPUTER IS OFF? • WHTHER ACCUSED SHOULD BE ALLOWED TO BACKUP DATA?
- 10. HOW DAMAGING FOR INVESTIGATION READ LABELS(os, hard disk capacity, repairs in between)
- 11. SEIZURE OF MOBILE/ SIM / MEMORY CARD • ONE SIM vs DUAL SIM • REMOVE BATTERY • FLIGHT MODE/ BLOCK SIM • SIM LOST • MEMORY CARD. • PATTERN LOCK/ PASSWORD ON SCREEN • MEMORY CARD LOCKED. • SEIZE POWER CABLE/ CONNECTORS
- 12. CCTV SEIZURE • TIME / DATE CHECK BEFORE SWITCHING OFF. • CHECK CAPACITY OF THE HARD DISK INSIDE. • DVR BOX IS REQUIRED ALONGWITH POWERCORD . • BACKED UP FOOTAGE ACUIRED AT THE CRIME SCENE.
- 13. NETWORKED COMPUTER • DELEGATE EXPERTS TO ACUIRE DATA • ADVICE OF THE NETWORK ADMINISTRATOR / SERVICE PROVIDER NEEDED. • POWERING ON AT ORIGINAL SITE IS REQUIRED.
- 14. ONLY HARD DISK/ WHOLE COMPUTER • ONLY HARD DISK IF DATA IS QUESTINED • DESKTOP/LAPTOP CONCERNED IF FUNCTIONS OF COMPUTER IS QUESTIONED/ SPECIAL.
- 15. TOOLS REQUIRED FOR PREVIEW/DUPLICATION • WRITE BLOCKERS • IDENTIFICATION OF DIFFERENT OS • NEW HARD DISK/ PROPERLY WIPED HARD DISK • VALIDATION OF HARDWARES/ SOFTWARES • HASH VALUE
- 16. CLONING VS BIT STREAM IMAGE • CLONING FOR REBOOT • BIT STREAM IMAGE FOR RESTORE. • HASH VALUE
- 17. WHAT MAY ESCAPE DURING PURVIEW • SLACK SPACE • WEB MAIL • INTERNET ACTIVITY • HIDDEN FILES • FILES NOT SUPPORTED BY SOFTWARE. • HOST PROTECTED AREA • DEVICE CONFIGURATION OVERLAY • BACK UP OF DEVICES (COMPRESSED FILES, IMAGE OF CD/DVD, BACK OF MOBILE, BACK UP OF CHAT HISTORY
- 18. DIFFERENT APPROACH • REGISTRY FORENSIC • BROWSER FORENSIC • SYSTEM RESTORE POINT FORENSIC • VIRTUAL MACHINE FORENSIC • CLOUD FORENSIC • NETWORK FORENSIC
- 19. MATERIAL FOR SEARCH • TEXT SEARCH • IMAGE SEARCH • VIDEO SEARCH • EMAIL SEARCH
- 20. EXAMINATION • INTERNET ARTIFACTS • ARCHIVED/ WEBMAIL • UNALLOCATED CLUSTER • FILE SLACK
- 21. SYNCHRONISE/ BACK UP/ CREATE SYSTEM RESTORE REMOVABLE DRIVE
- 23. EXHIBITS CPU HARD DISK CD/DVD/FLOPPY PENDRIVE/ EXTERNAL HARD DISK MOBILE PHONE/SIM CARD/MEMORY CARD DIGITAL VIDEO RECOREDER STILL/VIDEO CAMERA/MEMORY CARD SPY CAM
- 24. INTERNET HISTORY FILES DOWNLODED/UPLOADED FROM INTERNET COOKIES WEBMAIL SOCIAL NETWORK ARTIFACTS CHAT HISTORY FILES FROM PRIVATE NETWORK(BLUETOOTH, WIFI)
- 25. INTERNET HISTORY FILES DOWNLODED/UPLOADED FROM INTERNET COOKIES WEBMAIL SOCIAL NETWORK ARTIFACTS CHAT HISTORY FILES FROM PRIVATE NETWORK(BLUETOOTH, WIFI)
- 26. DIFFRENCE BETWEEN DATA EXTRACTION AND COMPUTER FORENSIC IT MUST BE PROVED THAT CHAIN OF CUSTODY IS PROPERLY FOLLOWED NOTHING HAS BEEN DELETED, ADDED OR CHANGED DURING EXAMINATION. THE PROCESS OF SUCH ASSURANCE STARTS FROM CRIME SCENE. BEST PRACTICES FOR SEIZURE OF DIGITAL EVIDENCE HASH VALUE
- 27. UNCOMMON CASES PICTURES IN EXCEL SHEET IMAGE OF HANDWRITTEN NOTES AS EMAIL MESSAGES FORMATTED HARD DISK VOICE RECORDING AS SUICIDE NOTE
- 28. MOBILE PHONE EXAMINATION SIM INTERNAL MEMORY MEMORY CARD
- 29. DATA IN SIM LOCATION ICCID(INTEGRATED CIRCUIT CARD IDENTIFIER) IMSI(INTERNATIONAL MOBILE SUBSCRIBER IDENTITY) SERVICE PROVIDER CONTACT SMS LAST CALL DETAILS
- 30. INTERNAL MOBILE MEMORY IMEI CONTACTS SMS MOBILE SETTINGS TO DO LIST NOTES EMAIL/CHAT/SOCIAL NETWORK SITE DETAILS INTERNET HISTORY
- 31. MEMORY CARD IMAGE/ VIDEO/ AUDIO ARCHIVED DATA/ SMS BACK UP/ WHATSAPP INTERNET DATA HISTORY OF USE IN OTHER DEVICES DELETED DATA
- 32. CHALLENGES PASSWORD PROTECTION LOST SIM NOT SUPPORTED BY TOOLS PROBLEM IN SWITCHING ON THE MOBILE.(broken/ blast cases)
- 33. CCTV CASES PROPRIETORY OPREATING SYSTEM REQUIRES OWN HARDWARE FOR EXAMINATION. INHERENT CLOCK SETTINGS CAN NOT BE CROSS CHECKED DELETED FILES CAN NOT BE RECOVERED
- 34. REQUIREMENTS WHILE SUBMITTING CASE 1. PROPER FORMAT 2. PROPER SEALING AND LABELLING OF EXHIBITS 3. SIGNATURE AND SEAL OF AUTHORITY 4. ATTESTED COPY OF FIR 5. REQUIREMENT OF HARD DISK
- 35. PROPER DESCRIPTION OF EXHIBITS IN FORWARDING LETTER • CPU / LAPTOP • HARD DISK • MOBILE PHONE • CCTV
- 36. QUERY FORMAT OF QUERY SUPPORTING MATERIAL
- 37. WHEN QUERY IS SOCIAL NETWORK SITE RELATED RELATED EMAIL ADDRESS PROFILE NAME SCREENSHOT OF ALLEGED PAGE ALLEGED IMAGE VIDEO CHAT ROOM CHAT HISTORY
- 38. QUERY REGARDING ACTIVITY OF A COMPANY DOCUMENT RELATED TO ALLEGED ACTIVITIES.
- 39. WHEN QUERY IS IMAGE/ VIDEO RELATED COPY OF ALLEGED IMAGE /VIDEO
- 40. WHEN QUERIES DO NOT SERVE PURPOSE. 1. MISSING NAME OF THE COMPANY. 2. ASKING RANDOM SYSTEM RELATED QUERIES. 3. ALL EMAILS/ CREDIT CARDS/ IP ADDREESS 4. ALL USERS 5. MISSING INTERNET HISTORY AND KEYWORDS
- 41. JUDICIOUS DISTRIBUTION/ SEIZURE OF EXHIBIT CAMERA WITH DVR MONITOR WITH CPU MODEM WITH LAPTOP DETACHED HARD DISKS OF SERVER BUNDLING 10 BRANCHES OF A COMPANY IN 01 BIG CASE
- 42. REQUIREMENT OF HARD DISK COPY CLONE/ MIRROR IMAGE WHAT ARE CHANCES OF MISSING EVIDENCE WHEN INVESTIGATING AGENCY DECIDES TO SEE EVIDENCE THEMSELVE.
- 43. Multiple queries What is ip address used in this computer What is mac address used in this computer What are programs installed in this computer Who are users of this computer Whether this computer was used for email. Which modem was used for connecting to internet
- 44. Traslate to single query WHETHER THE MAILS AT ANNEXURE- A WAS SENT RECEIVED FROM THIS COMPUTER.
- 45. Multiple queries What are the accounting packages installed How many xls files are there How many word files are there What is opreating system of the computer Are there any password or encrypted files What are different types of data avillable in the system any deleted files are there.
- 46. Translate to single query Please provide all the data related to company and any simmilar document related to documents at annexure a b c
- 47. What areas change when a FILE is written? MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Writing a file
- 48. What areas change when a FILE is written? MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Filename Start Cluster Size FILE 2 1024 Unused Directory Entry Unused Directory Entry Directory entry is created Writing a file
- 49. What areas change when a FILE is written? MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Filename Start Cluster Size FILE 2 1024 Unused Directory Entry Unused Directory Entry Directory entry is created 2 E 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 FATs are updated Writing a file
- 50. What areas change when a FILE is written? MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Filename Start Cluster Size FILE 2 1024 Unused Directory Entry Unused Directory Entry Directory entry is created 2 E 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 FATs are updated FILE contents written to data area Writing a file
- 51. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area What areas change when a FILE is deleted? Deleting a file
- 52. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C RootC FILE FILE FILE FILE Reserved Area Filename Start Cluster Size ILE 2 1024 Unused Directory Entry Unused Directory Entry First character of the Directory entry is changed to Deleting a file
- 53. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area FAT entries are ed Filename Start Cluster Size ILE 2 1024 Unused Directory Entry Unused Directory Entry First character of the Directory entry is changed to 0 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 2 Deleting a file
- 54. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root D FAT2 Root D Root D Root D FILE FILE FILE FILE Reserved Area FAT entries are ed Filename Start Cluster Size ILE 2 1024 Unused Directory Entry Unused Directory Entry First character of the Directory entry is changed to Data area is not changed ! 0 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 2 Deleting a file
- 55. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area What areas change when a partition is reformatted? Reformatting
- 56. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Three areas change when a partition is reformatted Filename Start Cluster Size Unused Directory Entry Unused Directory Entry Unused Directory Entry Root Directory entries are ed Reformatting
- 57. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Three areas change when a partition is reformatted Filename Start Cluster Size Unused Directory Entry Unused Directory Entry Unused Directory Entry Root Directory entries are ed 2 0 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 FAT entries are ed Reformatting
- 58. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Three areas change when a partition is reformatted Filename Start Cluster Size Unused Directory Entry Unused Directory Entry Unused Directory Entry Root Directory entries are ed Boot Record is written 2 0 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 FAT entries are ed
- 59. MBR FAT1 BR FAT1 FAT1 FAT2 FAT2 Root C FAT2 Root C Root C Root C FILE FILE FILE FILE Reserved Area Three areas change when a partition is reformatted Filename Start Cluster Size Unused Directory Entry Unused Directory Entry Unused Directory Entry Root Directory entries are ed Boot Record is written 2 0 6 0 10 0 3 0 7 0 11 0 4 0 8 0 12 0 5 0 9 0 13 0 FAT entries are ed
- 60. Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 What are the two types of slack? RAM Slack RAM Slack is the area from the end of the file to the end of that sector. - Comes from RAM File File File File Slack Space
- 61. Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 Cluster 2 RAM Slack Residual Slack Residual Slack Residual Slack Residual data slack is the area from the end of RAM slack to the end of the cluster – whatever was on the media before. File File File File Slack Space
- 62. THANK YOU.
Notas del editor
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68