EXAMINING COMPUTER AND EVIDENCE COLLECTION
DEFINITION
• "Computer forensics is the process of identifying, holding, analyzing and presenting digital evidence in a manner that is legally acceptable." (Rodney McKemmish, 1999)
AIM OF COMPUTER FORENSICS
• The main aim of computer forensics experts is not only to find the criminal, but also to uncover the evidence and present it in a way that leads to legal action against the criminal.
PROPERTIES OF COMPUTER FORENSICS
• IDENTIFY
• RECEIVE
• ANALYZE
• PRESENT
THE NEED FOR COMPUTER FORENSICS
• To present evidence in court that could lead to punishment.
• To ensure the integrity of the computer system.
HISTORY OF COMPUTER FORENSICS
• In the US, developments began over 30 years ago, when law enforcement and military investigators started to see criminals becoming technical.
• In the decades that followed, and up to today, the field has exploded. Law enforcement and the military maintain strong information security and computer forensics capabilities at the local, state, and federal levels.
• Today software companies continue to produce newer and more robust forensic software, and law enforcement and the military are increasingly identifying and training personnel to respond to technology-related crimes.
CYBER CRIME AND EVIDENCE
• CYBER CRIME
– Cyber crime occurs when information technology is used to commit or hide a crime.
• TYPES OF CYBER CRIME
– Child Pornography
– Breach of Computer Security
– Fraud / Theft
– Copyright Infringement
– Identity Theft
– Drug Investigation
– Threat
– Burglary
– Suicide
– Obscenity
– Homicide
– Administrative Investigation
– Sexual Assault
– Stalking
• DIGITAL EVIDENCE
– “Any data recorded or stored on a medium in or by a computer system or similar device that can be read or understood by a person, computer system or other similar device. It contains a display, print or other output of this data.”
• Latent, like a fingerprint or DNA
• Fragile: can easily be changed, damaged or destroyed
• Can be time sensitive
TYPES OF DIGITAL EVIDENCE
• PERSISTENT DATA, i.e. data that remains intact when the computer is turned off, e.g. hard drives and removable media (such as USB drives or flash drives).
• VOLATILE DATA, i.e. data that would be lost if the computer were switched off, e.g. deleted files, computer history, computer registry, temporary files and web browsing history.
RULES OF EVIDENCE
• Admissible
– Must be usable in court or elsewhere
• Authentic
– The evidence relates to the incident in a relevant manner
• Complete (no tunnel vision)
– Includes exculpatory evidence for other suspects
• Reliable
– No question about its authenticity and truthfulness
• Credible
– Clear, easy to understand and believable to a jury
TOP 10 EVIDENCE LOCATIONS
• Internet history files
• Temporary Internet files
• Free / unallocated space
• Friends lists, personal chat room records, P2P, other
saved areas
• Newsgroups / club lists / postings
• Settings, folder structure, file names
• File storage data
• Software / Hardware added
• File sharing function
• Emails
COMPUTER FORENSIC METHODOLOGY
• Shut down the computer
• Document the system hardware configuration
• Move the computer system to a secure location
• Make bitstream backups of hard drives and floppy disks
• Mathematically authenticate the data on all storage devices
• Document the system date and time
• List the search keywords
• Evaluate the Windows swap file
• Evaluate file slack
• Evaluate unallocated storage space (deleted files)
• Search files, file slack and unallocated storage space for the keywords
• Document file names, dates and times
• Identify file, program and storage anomalies
• Evaluate program functionality
• Document your findings
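The methodology above as a worked drill, added here and not part of the slides: a Python script that makes a bit-stream copy of a constructed "drive" file, mathematically authenticates the copy with SHA-256, records the acquisition time, and searches the raw image for case keywords. Searching the image rather than mounted files is what reaches file slack and unallocated space, so the constructed device deliberately contains a "deleted" record that no file entry points to. The device contents, file names and keywords are all constructed for the demo; the chunked search goes a step beyond the slide by handling a keyword that straddles a read boundary.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a real image never has to fit in RAM


def sha256_file(path: str, chunk_size: int = CHUNK) -> str:
    """Hash a file chunk by chunk (step: mathematically authenticate the data)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def make_image(source: str, image: str) -> dict:
    """Bit-stream copy of `source` to `image` plus the acquisition record."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    rec = {
        "source": source,
        "image": image,
        "source_sha256": sha256_file(source),
        "image_sha256": sha256_file(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),  # document date and time
    }
    rec["verified"] = rec["source_sha256"] == rec["image_sha256"]
    return rec


def keyword_search(image: str, keywords: list, chunk_size: int = CHUNK) -> dict:
    """Every byte offset at which each keyword occurs anywhere in the raw image.
    A tail of (longest keyword - 1) bytes is carried into the next read so a match
    that straddles a chunk boundary is still found; a set de-duplicates hits that
    appear in both the carried tail and the new chunk."""
    maxlen = max(len(k) for k in keywords)
    hits = {k: set() for k in keywords}
    carry = b""
    base = 0  # absolute offset of the first byte of `carry + chunk`
    with open(image, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            buf = carry + chunk
            for kw in keywords:
                pos = buf.find(kw)
                while pos != -1:
                    hits[kw].add(base + pos)
                    pos = buf.find(kw, pos + 1)
            keep = min(len(buf), maxlen - 1)
            carry = buf[len(buf) - keep:] if keep else b""
            base += len(buf) - keep
    return {k: sorted(v) for k, v in hits.items()}


def demo() -> dict:
    """Run the drill against a constructed device file and return the findings."""
    work = tempfile.mkdtemp()
    try:
        device = os.path.join(work, "suspect_drive.bin")
        image = os.path.join(work, "suspect_drive.dd")
        # Constructed contents: a live 'file', a run of unused sectors, then a record
        # the file system would no longer list but which still sits in unallocated space.
        payload = (b"report.txt: quarterly numbers\x00"
                   + b"\x00" * 4096
                   + b"DELETED: transfer to account 42 approved by mallory\x00"
                   + b"\xff" * 2048)
        with open(device, "wb") as fh:
            fh.write(payload)
        record = make_image(device, image)
        keywords = [b"mallory", b"account 42", b"zzz-not-present"]
        record["hits"] = keyword_search(image, keywords)
        # Re-run with a tiny chunk size: results must match if the carry logic is right.
        record["boundary_check"] = keyword_search(image, keywords, chunk_size=5) == record["hits"]
        return record
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash of the source and of the image are both kept in the acquisition record, so the same record documents that the copy is bit-for-bit identical and can be re-verified later against the image alone.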
COMPUTER FORENSIC APPLICATIONS
• APPLICATIONS
– FINANCIAL FRAUD DETECTION
– CRIMINAL PROCEEDINGS
– CIVIL DISPUTES
– CORPORATE SECURITY POLICY AND ACCEPTABLE USE VIOLATIONS
• Skills Required for Computer Forensic Applications
– Programming or computer experience
– Comprehensive understanding of operating systems and applications
– Strong analytical skills
– Strong basic computer skills
– Strong systems administration skills
– Knowledge of the latest intrusion tools
– Knowledge of cryptography and evidence handling
– Ability to testify in court as an expert witness
Evidence collection
• Data collection plays an important role in identifying and accessing data from various sources in the cloud environment for forensic investigations. Evidence is no longer stored on a single physical host; its data is distributed across different geographic areas, so when a crime occurs it is very difficult to identify the evidence. Evidence is gathered from various sources such as routers, switches, servers, hosts, virtual machines and browser artifacts, and from internal storage media such as hard drives, RAM images, physical storage, etc. Evidence is also collected through log file analysis, cloud storage data collection, web browser artifacts, and physical storage analysis.
• Cloud log analysis
– Logging is considered a security control that can be used to identify operational issues, security incidents, and fraudulent activity. Logging is mainly used to monitor the system and investigate various types of malicious attacks. Using cloud log analysis, you can identify the source of evidence generated at different times by different devices such as routers, switches, servers and VM instances, as well as other internal components, namely hard drives, RAM images, physical storage, log files, etc. Information about different types of attacks is stored in different log files such as application logs, system logs, security logs, configuration logs, network logs, web server logs, audit logs, VM logs, etc., which are described as follows:
– The application log is created by the developers by inserting event logging into the program. System administrators can use the application logs to determine the status of an application running on the server.
– The system log contains the date and time the entry was created, the type of message (such as debug, error, etc.), the system-generated message describing the occurrence, and the processes affected when an event occurs.
– The firewall log contains information about source packets routed, rejected IP addresses, outgoing internal server activity, and connection failures.
– The network log contains detailed information about various events on the network. Events include malicious traffic logging, packet loss, bandwidth delays, etc. The network administrator monitors and resolves daily activity by analyzing network logs for various intrusion attempts.
– The web server log records entries for web pages served by the web server. Entries include the history of a page request, the client's IP address, date and time, HTTP status code, and bytes returned for the request.
– The audit log records unauthorized access to the system or network in sequential order. It helps security administrators analyze malicious activity at the time of the attack. Information in audit log files includes source and destination addresses, user credentials, and timestamps.
– The VM log records information specific to instances running on the VM, such as startup configuration, operations, and the date the VM instance finished running. It also logs the number of instances running on the virtual machine, the execution time of each application, and application migration, to help the CSP locate malicious activity that occurs during the attack.
– Due to the increasing use of the network and of new software versions in the cloud, the number of vulnerabilities and attacks in the cloud is increasing, and these attacks are reflected in various log files. Application-level attacks are reflected in different logs, i.e. the access log, network log, authentication log, etc., and are also reflected in the log file traces stored on the Apache server. These logs are used in forensic investigations to detect application-level attacks.
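The web server log fields named above (client IP, date and time, HTTP status code, bytes returned), parsed and then used for a simple detection, as an added example that is not part of the slides. The script reads Apache common-log-format lines, builds the timeline the investigator works from, keeps a count of unparseable lines (truncation or tampering is itself worth recording), and flags a client that collected a burst of 401/403 responses inside a short window, noting whether a 200 from the same client followed. The log lines, addresses and user name are constructed; the threshold and window are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident authuser [date] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: one client hammers /login and then gets in, another browses
# normally, and one corrupt line is present so the parser has to cope with it.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /admin HTTP/1.1" 403 210
203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2024:10:01:07 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2024:10:01:08 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - bob [12/Mar/2024:10:01:11 +0000] "POST /login HTTP/1.1" 200 812
198.51.100.4 - - [12/Mar/2024:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 2048
this line is corrupt and must be skipped rather than crash the parser
198.51.100.4 - - [12/Mar/2024:10:05:03 +0000] "GET /missing HTTP/1.1" 404 -
"""


def parse_log(text: str):
    """Parse lines into events sorted by time; return (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # record, do not silently drop: the gap is itself a finding
            continue
        d = m.groupdict()
        events.append({
            "ip": d["ip"],
            "user": None if d["user"] == "-" else d["user"],
            "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": d["method"],
            "path": d["path"],
            "status": int(d["status"]),
            "bytes": 0 if d["bytes"] == "-" else int(d["bytes"]),
        })
    events.sort(key=lambda e: e["ts"])  # the timeline the investigator works from
    return events, skipped


def find_auth_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold 401/403 responses inside `window`, and note whether
    a 200 from the same IP followed within the window (the account to review first)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        denied = [e for e in evs if e["status"] in (401, 403)]
        for i in range(len(denied)):
            j = i
            while j < len(denied) and denied[j]["ts"] - denied[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                last = denied[j - 1]["ts"]
                later_ok = [e for e in evs
                            if e["status"] == 200 and last < e["ts"] <= last + window]
                alerts.append({"ip": ip, "start": denied[i]["ts"], "denied": j - i,
                               "success_after": later_ok[0]["user"] if later_ok else None})
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} line(s) skipped")
    for a in find_auth_bursts(evs):
        print(a)
```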
Capture evidence from cloud storage
• Evidence from cloud storage such as Dropbox, Microsoft SkyDrive, Google Drive, etc. is collected using the web browser, and files are downloaded using existing software tools. This helps to identify illegal modification of, or access to, cloud storage while uploading or downloading file contents to storage media, and to verify whether an attacker has modified timestamp information in user accounts. The Virtual Forensic Computing (VFC) tool is used by forensic investigators to identify evidence from the virtual machine image file. The evidence is accessible for each account through the web browser running in the cloud environment by recording the encoded value of the VM image.
• Packets are captured using network packet tools such as Wireshark, Snappy, etc. from each VM instance running on the hosts. Account information is synchronized and downloaded using the client access software on each device, which is used to identify the source of evidence. Evidence is isolated from files found in the virtual machine under "C:\Users\[username]\Dropbox" for Dropbox. The zip file contains the name of the folder accessible through the browser, used to determine the effect of a timestamp on a drive. If an attacker modifies the contents of a file, the evidence is determined by scanning the VM disk, the history of files stored in the cloud, and also the cache. It can also be analyzed by calculating the hash value of the VM image.
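The two checks the slide describes for a synced folder, modified contents and modified timestamps, carried out in Python as an added example that is not from the slides or from any vendor tool. A baseline manifest (SHA-256 and modification time per file) is taken of a constructed folder standing in for the synced Dropbox directory; after constructed edits, the manifest is taken again and compared. Hashing catches a content edit even when the modification time was reset to its old value, and a changed modification time over unchanged content is reported separately, since that pattern is what timestamp manipulation looks like. The directory layout, file contents and timestamps are all constructed.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> {sha256, mtime} for every file below root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digest = sha256_bytes(fh.read())
            manifest[rel] = {"sha256": digest, "mtime": int(os.stat(path).st_mtime)}
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path in either manifest."""
    findings = {"added": [], "removed": [], "content_changed": [], "timestamp_only": []}
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None:
            findings["added"].append(rel)
        elif c is None:
            findings["removed"].append(rel)
        elif b["sha256"] != c["sha256"]:
            findings["content_changed"].append(rel)   # hash disagrees, whatever mtime says
        elif b["mtime"] != c["mtime"]:
            findings["timestamp_only"].append(rel)    # same bytes, different clock: look closer
    return findings


def demo() -> dict:
    root = tempfile.mkdtemp()
    try:
        def write(rel, data, mtime):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (mtime, mtime))

        t0 = 1_700_000_000  # constructed baseline time (Unix seconds)
        write("invoices/2024-01.txt", b"total 100", t0)
        write("notes.txt", b"meeting notes", t0)
        write("old.txt", b"stale", t0)
        baseline = build_manifest(root)

        # Constructed changes: an edit with the mtime put back, a backdated but
        # unchanged file, a new file, and a deleted one.
        write("invoices/2024-01.txt", b"total 900", t0)
        write("notes.txt", b"meeting notes", t0 - 86400)
        write("new.txt", b"dropped in", t0 + 60)
        os.remove(os.path.join(root, "old.txt"))
        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same manifest function can be pointed at a mounted VM image, and hashing the whole image file with the same digest gives the single value the slide refers to for detecting any change at all.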
• Collecting evidence via a web browser
– Clients communicate with the server in the cloud environment using a web browser to perform various tasks, e.g. checking emails and messages, shopping online, getting information, etc. An important source of evidence is web browser history. Evidence is found by analyzing URLs in the web browser history, timeline analysis, user browsing behavior, and URL encoding, and is retrieved from deleted information. Here is a sample web browser URL:
– Likewise, evidence stored in the web browser cache in the root directory of a web application is used to identify the source of an attack.
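URL, timeline and URL-encoding analysis of browser history, as an added example that is not part of the slides. The script builds an in-memory SQLite database with the shape of the Chromium `urls` table (that table and its WebKit timestamp format, microseconds since 1601-01-01 UTC, are real; the rows are constructed), converts each visit time to UTC, decodes the percent-encoded query parameters, and orders everything into a timeline. A second converter for Firefox's `places.sqlite` format (microseconds since the Unix epoch) is included because the two browsers differ exactly here, and mixing them up silently shifts every timestamp by 369 years.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_webkit(dt: datetime) -> int:
    """UTC datetime -> Chromium last_visit_time (microseconds since 1601-01-01)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def from_firefox(ts: int) -> datetime:
    """Firefox moz_places.last_visit_date: microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory database with the Chromium `urls` columns."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
    )
    utc = timezone.utc
    rows = [  # constructed visits; hosts are reserved example names
        ("https://mail.example.com/inbox", "Inbox", 5, 2,
         datetime(2024, 3, 12, 9, 58, 0, tzinfo=utc)),
        ("https://search.example.com/?q=quarterly%20ledger%20export&src=typed",
         "quarterly ledger export", 1, 1, datetime(2024, 3, 12, 10, 3, 30, tzinfo=utc)),
        ("https://files.example.net/share?id=ab12&name=ledger%2Exlsx", "Shared file", 2, 0,
         datetime(2024, 3, 12, 10, 1, 2, tzinfo=utc)),
    ]
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, 0)",
        [(u, t, v, ty, to_webkit(dt)) for u, t, v, ty, dt in rows],
    )
    return con


def extract_timeline(con: sqlite3.Connection) -> list:
    """Decode every row into host/path/query with UTC time, ordered oldest first."""
    out = []
    query = "SELECT url, title, visit_count, typed_count, last_visit_time FROM urls"
    for url, title, visits, typed, ts in con.execute(query):
        parts = urlsplit(url)
        out.append({
            "when": from_webkit(ts),
            "host": parts.hostname,
            "path": unquote(parts.path),
            # parse_qs already percent-decodes once; decoding twice would corrupt literal '%25'
            "query": parse_qs(parts.query),
            "title": title,
            "visits": visits,
            "typed": typed,  # typed_count > 0 means the user entered the URL by hand
        })
    out.sort(key=lambda e: e["when"])
    return out


if __name__ == "__main__":
    for entry in extract_timeline(build_sample_history()):
        print(entry["when"].isoformat(), entry["host"], entry["path"], entry["query"])
```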
• Physical memory analysis
– This makes available caches used in cloud computing that would otherwise be lost without passive monitoring, e.g. network sockets, encryption keys and database information in memory. They are scanned from the physical memory dump using the pslist function, which retrieves the process name, process ID, parent process ID, and process start time. The processes are distinguished by their process names ("exe" on Windows and "sync" on Ubuntu and Mac OS).
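Working with the four fields the slide says pslist returns (name, PID, parent PID, start time), as an added example that is not from the slides and not Volatility's own code. The listing is constructed in a pslist-like layout; the script parses it, rebuilds the parent/child tree, pulls out the processes of one name (the sync client, as the slide does), and applies two triage checks an examiner runs on a memory dump: processes whose parent is missing from the listing, and well-known system processes started by an unexpected parent. The expected-parent table is a small assumption for the demo, not an exhaustive reference.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: datetime


# Constructed listing in the shape a pslist-style report gives: name, PID, PPID, start (UTC).
# The PIDs and parent/child relationships are constructed for the demo.
SAMPLE_PSLIST = """\
System              4     0   2024-03-12 08:00:00
smss.exe          320     4   2024-03-12 08:00:01
wininit.exe       480   320   2024-03-12 08:00:02
services.exe      580   480   2024-03-12 08:00:03
svchost.exe       812   580   2024-03-12 08:00:05
explorer.exe     1504  1440   2024-03-12 08:01:10
Dropbox.exe      2240  1504   2024-03-12 08:01:30
Dropbox.exe      2260  2240   2024-03-12 08:01:31
svchost.exe      3390  1504   2024-03-12 10:02:15
"""

# Usual parent of a few Windows system processes (triage assumption, not an exhaustive table).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "smss.exe": {"System"},
}


def parse_pslist(text: str) -> list:
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # names containing spaces would need a column-based parser instead of split()
        name, pid, ppid, date, time = line.split()
        procs.append(Proc(name, int(pid), int(ppid), datetime.fromisoformat(f"{date} {time}")))
    return procs


def by_pid(procs: list) -> dict:
    return {p.pid: p for p in procs}


def children_of(procs: list) -> dict:
    """Parent PID -> child processes, in listing order."""
    tree = defaultdict(list)
    for p in procs:
        tree[p.ppid].append(p)
    return tree


def find_orphans(procs: list) -> list:
    """Processes whose parent is absent from the listing (parent exited, or hidden)."""
    known = by_pid(procs)
    return [p for p in procs if p.ppid != 0 and p.ppid not in known]


def find_unexpected_parents(procs: list, expected: dict = EXPECTED_PARENT) -> list:
    """(process, parent) pairs where a system process has an unusual parent."""
    known = by_pid(procs)
    out = []
    for p in procs:
        parent = known.get(p.ppid)
        if p.name in expected and parent is not None and parent.name not in expected[p.name]:
            out.append((p, parent))
    return out


def by_name(procs: list, name: str) -> list:
    """All processes with this name, oldest first (the slide's name-based selection)."""
    return sorted((p for p in procs if p.name == name), key=lambda p: p.start)


def timeline(procs: list) -> list:
    return sorted(procs, key=lambda p: p.start)


if __name__ == "__main__":
    ps = parse_pslist(SAMPLE_PSLIST)
    print("sync client:", [(p.pid, p.start.isoformat()) for p in by_name(ps, "Dropbox.exe")])
    print("orphans:", [(p.name, p.pid, p.ppid) for p in find_orphans(ps)])
    print("unexpected parents:", [(p.name, p.pid, q.name) for p, q in find_unexpected_parents(ps)])
```

An orphaned explorer.exe is normal (its launcher exits once the desktop is up); a svchost.exe whose parent is explorer.exe rather than services.exe is the kind of finding that warrants pulling that process's memory next.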
