Forensics Bootcamp
© 2013 nCircle. All Rights Reserved.
Introduction
What is Forensics?
• Scientific tests or techniques used in the investigation of crimes
• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
What is Computer Forensics?
Computer Forensics: A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.
Types of Cyber Crime
• Theft of intellectual property
• Financial fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)
Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody
4th Amendment
• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.
Chain-of-Custody (aka Chain of Evidence)
• Chain of Custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.
Question?
As related to computer forensics, why is the 4th Amendment an important consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights
Digital Media
Two Types of Data
• Volatile – RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard drives (to include Solid State Drives (SSD))
– USB devices
– Flash cards
– Optical media – CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …
Write Blockers
• Two types of write blockers: hardware and software
• Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form
• Reads allowed and writes prevented!
• Another name for a write blocker is a “Forensic Bridge”
Some Data Hiding Techniques
• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography
Question?
What function does a Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents reads
d. Prevents writes
The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting
The Forensic Process (Preparation)
• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, Faraday bags, tags, stickers
– Chain-of-custody and other forms
The Forensic Process (Containment)
• Establish immediate control of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and physical network cables
– Power off computers as necessary
The Forensic Process (Collection)
• Photograph the scene to include monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.
The Forensic Process (Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access
The Forensic Process (Examination & Analysis)
• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
• Prepare a report of findings
Question?
During the forensic process exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image?
a. read blocking
b. checksums
c. hashing
d. transforms
Forensic Analysis Techniques
• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)
Searching: Keywords
• To effectively search through a suspect’s media an investigator needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search
Searching: email & social media
• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats: Yahoo, AOL, Google, Hotmail
Searching: web artifacts
• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies
File Signature Analysis
• This type of analysis allows investigators to verify file types
• A savvy suspect can change a file extension in order to attempt to avoid detection. Example: changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header in order to determine what type of file it actually is
Data Carving (1 of 2)
• Data Carving is a technique used in the field of Computer Forensics when data cannot be identified or extracted from media by “normal” means because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.
Data Carving (2 of 2)
• Currently the most popular method of Data Carving involves the search through raw data for the file signature(s) of the file types you wish to find and carve out.
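An added example (not from the nCircle deck, nor from EnCase or FTK) that ties the File Signature Analysis slide and the two Data Carving slides together: a small signature table, header identification with an extension-mismatch check for the .doc-renamed-to-.dll case, and header-to-footer carving over a constructed unallocated-space buffer, with each carved object hashed as the Examination slide requires. The signature table, footer table and sample media buffer are all constructed for this illustration.

```python
"""Added example (not from the nCircle slides): file signature analysis and
signature-based data carving over a constructed raw-media buffer."""
import hashlib
import os

# Header signatures ("magic numbers") and the extensions each header may carry.
# A 2-byte header such as "MZ" is deliberately left out: it is too short to scan
# for in raw data without a flood of false positives.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", {".jpg", ".jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "pdf": (b"%PDF-", {".pdf"}),
    "ole2": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {".doc", ".xls", ".ppt"}),
    "zip": (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
}

# Footer markers where the format has one, plus the bytes that follow the marker
# (PNG's IEND chunk ends in a 4-byte CRC). Formats without a footer (OLE2, ZIP)
# are carved up to max_len or the next header, whichever comes first.
FOOTERS = {"jpeg": (b"\xFF\xD9", 0), "png": (b"IEND", 4), "pdf": (b"%%EOF", 0)}


def sha256_hex(data):
    """Hash a carved object so the report can later prove it was not altered."""
    return hashlib.sha256(data).hexdigest()


def identify(data):
    """File signature analysis: name the type whose header starts data, else None."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename, data):
    """True when the extension claims a type the header does not support, e.g. a
    .doc (OLE2 header) renamed to .dll. Files with unknown headers are not judged."""
    kind = identify(data)
    if kind is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext not in SIGNATURES[kind][1]


def carve(raw, max_len=4096):
    """Data carving: locate every known header in raw bytes and cut each object
    out with no help from file-system metadata. Returns (offset, type, sha256,
    bytes) tuples in offset order."""
    hits = []
    for name, (magic, _) in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = raw.find(magic, pos + 1)
    hits.sort()

    results = []
    for i, (start, name) in enumerate(hits):
        # Never run past the next header: those bytes belong to another object.
        limit = min(start + max_len, len(raw))
        if i + 1 < len(hits):
            limit = min(limit, hits[i + 1][0])
        end = limit
        if name in FOOTERS:
            marker, trailer = FOOTERS[name]
            found = raw.find(marker, start + len(SIGNATURES[name][0]), limit)
            if found != -1:
                end = min(found + len(marker) + trailer, len(raw))
        chunk = raw[start:end]
        results.append((start, name, sha256_hex(chunk), chunk))
    return results


def build_sample_media():
    """Constructed stand-in for unallocated space: three files whose allocation
    records are gone, separated by zero-filled sectors. Not real file content."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"
    doc = SIGNATURES["ole2"][0] + b"\x00" * 24 + b"Quarterly numbers (constructed)"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
           + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00IEND\xAEB`\x82")
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + doc + b"\x00" * 64 + png + b"\x00" * 256


if __name__ == "__main__":
    media = build_sample_media()
    for offset, kind, digest, data in carve(media):
        print(f"offset {offset:5d}  {kind:5s}  {len(data):4d} bytes  sha256 {digest[:16]}...")
    # The "savvy suspect" case from the slides: OLE2 header behind a .dll name.
    doc_bytes = carve(media)[1][3]
    print("report.dll header/extension mismatch:", extension_mismatch("report.dll", doc_bytes))
```

The OLE2 object has no footer, so its carved chunk runs on into the zero-filled gap up to the next header; that over-carve is exactly why real tools parse the format's own size fields rather than stopping at signatures alone.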
Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
• Viewing of slack space and unallocated space is done by a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
Saint Olga planting Christianity in Russia
Steganography
• Detection techniques are crude
• Usually done by looking for evidence of steganography use, e.g. steg programs on the system
• Advanced analysis includes steg detection programs (that typically use statistical analysis techniques)
Question?
A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis
Question?
A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography
Incident Handling & Forensics
Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned
The Response Team
• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec, IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement
When to Involve Law Enforcement
• Use forensic processes whenever possible
• As a general rule: involve law enforcement when corporate policy or the law says so
• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.
Make Sneaking Hard
• Detection systems – appropriate to risk
• Logging, Logging, logging!!! (Firewall, router, system…)
• Monitoring
– Intrusion detection systems
– File Integrity monitoring systems
– Vulnerability and Configuration management systems
– Attack Path Analysis
• Warning Banners, Expectations of use, Expectations of privacy
• Physical Security systems
Questions?
Continue the conversation at http://connect.ncircle.com

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Computer Forensics Bootcamp

1. Forensics Bootcamp (© 2013 nCircle. All Rights Reserved.)

2. Introduction

3. What is Forensics?
• Scientific tests or techniques used in the investigation of crimes
• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.

4. What is Computer Forensics?
Computer Forensics: a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.

5. Types of Cyber Crime
• Theft of intellectual property
• Financial fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)

6. Legal Issues

7. Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody

8. 4th Amendment
• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".
• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.

9. Chain-of-Custody (aka Chain of Evidence)
• Chain of Custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.

10. Question?
As related to computer forensics, why is the 4th Amendment an important consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights

11. Digital Media

12. Two Types of Data
• Volatile – RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard drives (including Solid State Drives (SSD))
– USB devices
– Flash cards
– Optical media: CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …

13. Write Blockers
• Two types of write blockers: hardware and software
• Prevention of data "spoliation" = the compromise of data integrity by intentionally or inadvertently altering the data from its "original" form
• Reads allowed and writes prevented!
• Another name for a write blocker is a "forensic bridge"

14. Some Data Hiding Techniques
• Slack space and unallocated space
• Rootkits
• Alternate Data Streams (ADS)
• File signatures
• Steganography

15. Question?
What function does a Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents reads
d. Prevents writes

16. The Forensic Process

17. The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting

18. The Forensic Process (Preparation)
• Training
• Policies & procedures
• Equipment (forensic kit)
– Laptop computer with forensic software
– Boot disks and CDs of tools (forensically sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, Faraday bags, tags, stickers
– Chain-of-custody and other forms

19. The Forensic Process (Containment)
• Establish immediate control of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and physical network cables
– Power off computers as necessary

20. The Forensic Process (Collection)
• Photograph the scene, including monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.

21. The Forensic Process (Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access

22. The Forensic Process (Examination & Analysis)
• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
• Prepare a report of findings

23. Question?
During the forensic process exact "bit stream" images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.
a. read blocking
b. checksums
c. hashing
d. transforms
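Slides 9 and 22 state the two requirements together: images must be hashed, and every handoff of the evidence must be documented. The script below is an added example (not code from the nCircle deck or from any forensic product) showing how the two fit: the image is hashed once at acquisition, re-hashed at each custody event, and the log is only considered unbroken if every entry still carries the acquisition digests. The "image" bytes, the item id and the examiner names are constructed placeholders.

```python
"""Hash a bit-stream image and keep a chain-of-custody record for it.

Added example, not from the nCircle deck. The "image" below is a constructed
stand-in for a real disk image; in practice the bytes come from the source
device (read through a write blocker) and from the image file written to
sterile media, and the two sets of digests are compared.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never has to fit in RAM
# MD5 is still what many older tools and report templates record; SHA-256 is the
# digest you actually rely on for integrity. Both are computed in one pass.
ALGORITHMS = ("md5", "sha256")


def hash_stream(chunks, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} over an iterable of byte chunks, in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory image; a file would be fed to hash_stream via f.read(CHUNK)."""
    return hash_stream((data[i:i + CHUNK] for i in range(0, len(data), CHUNK)), algorithms)


def verify_image(data, expected):
    """True only if every digest recorded at acquisition still matches the data."""
    actual = hash_bytes(data, tuple(expected))
    return all(actual[name] == digest for name, digest in expected.items())


@dataclass
class CustodyEntry:
    when: str       # UTC timestamp of the handling event
    actor: str      # who handled the evidence
    action: str     # seizure, transfer, analysis, return, ...
    digests: dict   # hashes re-computed at that point


@dataclass
class CustodyLog:
    item_id: str
    entries: list = field(default_factory=list)

    def record(self, actor, action, digests):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(stamp, actor, action, dict(digests)))

    def unbroken(self):
        """Every handoff re-hashed the item and matched the acquisition digests."""
        if not self.entries:
            return False
        baseline = self.entries[0].digests
        return all(e.digests == baseline for e in self.entries)


def make_sample_image():
    """Constructed stand-in for a raw image: a fake boot sector plus filler sectors."""
    return b"\xebR\x90NTFS    " + bytes(range(256)) * 4 + b"\x00" * 4096


def build_custody_log(image, item_id="EVIDENCE-PLACEHOLDER-001"):
    """Acquire, transfer and check out the image, re-hashing at each step (placeholder names)."""
    log = CustodyLog(item_id)
    log.record("examiner A", "acquired via write blocker", hash_bytes(image))
    log.record("examiner A", "transferred to evidence locker", hash_bytes(image))
    log.record("examiner B", "checked out for analysis", hash_bytes(image))
    return log


if __name__ == "__main__":
    img = make_sample_image()
    acquisition = hash_bytes(img)
    log = build_custody_log(img)
    print("acquisition digests:", acquisition)
    print("custody intact:", log.unbroken())
    tampered = img[:-1] + b"\x01"  # one flipped byte is enough to break verification
    print("tampered copy verifies:", verify_image(tampered, acquisition))
```

The point of re-hashing at every `record` call rather than copying the first digest forward is that a mismatch then pins down which handoff the alteration happened at, which is exactly what a later allegation of tampering turns on.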
24. Forensic Analysis Techniques

25. Forensic Analysis Techniques
• Searching:
– Keyword, email, web, viewers
• File signatures
• Slack space and unallocated space
• Data carving
• Steganography
• Passwords (dealing with encryption)

26. Searching: Keywords
• To effectively search through a suspect's media an investigator needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search

27. Searching: email & social media
• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats: Yahoo, AOL, Google, Hotmail

28. Searching: web artifacts
• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies

29. File Signature Analysis
• This type of analysis allows investigators to verify file types
• A savvy suspect can change a file extension in order to attempt to avoid detection. Example: changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header in order to determine what type of file it actually is

30. Data Carving (1 of 2)
• Data carving is a technique used in the field of computer forensics when data cannot be identified or extracted from media by "normal" means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.

31. Data Carving (2 of 2)
• Currently the most popular method of data carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
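Slides 29 to 31 rest on the same idea: the first bytes of a file (its signature or "magic") tell you what it is regardless of the extension, and the same signatures let you find files in raw sectors that no longer have allocation data. The following is an added example, not code from the deck or from EnCase/FTK. It uses the well-known header and trailer bytes for a handful of formats, flags the deck's own .doc-renamed-to-.dll case, and carves JPEG and PNG files out of a constructed raw image by header/footer matching; types without a fixed trailer (ZIP, OLE, PE) are identified but not carved by this simple method. The sample files and the image are constructed inline.

```python
"""File signature analysis and header/footer data carving.

Added example, not from the nCircle deck. The signatures are the well-known
magic bytes for each format; the "raw image" is constructed below, with a
few minimal sample files embedded in filler, so the script runs offline.
"""
import os

# (header, footer) per type; footer None means the format has no fixed trailer
# and cannot be carved by the simple header/footer method shown here.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),                          # also .docx/.xlsx/.jar
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),    # legacy .doc/.xls/.ppt
    "pe": (b"MZ", None),                                    # Windows .exe/.dll
}

EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole", ".xls": "ole", ".exe": "pe", ".dll": "pe",
}


def identify(data):
    """Return the type whose header starts the data, or None if unknown."""
    for ftype, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return ftype
    return None


def extension_mismatch(filename, data):
    """True when the extension promises a known type and the header disagrees."""
    expected = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    return expected is not None and identify(data) != expected


def carve(image, max_size=16 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs; return (type, offset, data) sorted by offset."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        if footer is None:
            continue
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = image.find(header, pos + 1)  # no trailer within limit: keep scanning
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


# Constructed minimal files: just enough structure to carry the real signatures.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
# Constructed raw image: files separated by zero/slack filler, no allocation data.
SAMPLE_IMAGE = (b"\x00" * 64 + SAMPLE_JPEG + b"\xa5" * 32 + SAMPLE_PNG
                + b"\x00" * 16 + SAMPLE_OLE + b"\x00" * 64)

if __name__ == "__main__":
    # The deck's example: a Word document renamed to .dll
    print("budget.dll really is:", identify(SAMPLE_OLE),
          "mismatch:", extension_mismatch("budget.dll", SAMPLE_OLE))
    for ftype, offset, data in carve(SAMPLE_IMAGE):
        print(f"carved {ftype} at offset {offset}, {len(data)} bytes")
```

Header/footer carving is the "most popular method" the slide names; it is also the one that breaks on fragmented files and on formats with no trailer, which is why real carvers add per-format size fields and validation on top of what is shown here.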
32. Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space
• Viewing of slack space and unallocated space is done with a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.
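Slides 26 and 32 say a keyword search should cover slack and unallocated space, not just live files. The script below is an added example (not the deck's material and not how EnCase or FTK work internally) of what that means at the byte level: it searches a raw image for a keyword in both ASCII and UTF-16LE, then uses the volume's allocation layout to label each hit as allocated, file slack or unallocated. The volume is a constructed toy (8 clusters of 512 bytes, one live file, a remnant in its slack and a deleted fragment in a free cluster); a real tool would read the allocation state from the file system's own structures.

```python
"""Keyword search over a raw image, labelling each hit as allocated, slack or unallocated.

Added example, not from the nCircle deck. The volume layout is constructed:
8 clusters of 512 bytes, cluster 0 is a fake boot sector, clusters 1-2 hold
the live file notes.txt (700 bytes), the rest is free. A real tool takes the
allocation map from the file system (e.g. the NTFS $Bitmap or the FAT).
"""
CLUSTER = 512
ENCODINGS = ("ascii", "utf-16-le")  # Windows stores many strings as UTF-16LE


def classify(offset, layout, cluster_size=CLUSTER):
    """Map a byte offset in the image to (region, owning file name or None)."""
    cluster, within = divmod(offset, cluster_size)
    for f in layout:
        if cluster in f["clusters"]:
            logical = f["clusters"].index(cluster) * cluster_size + within
            region = "allocated" if logical < f["size"] else "slack"
            return region, f["name"]
    return "unallocated", None


def keyword_search(image, keyword, layout, cluster_size=CLUSTER):
    """Case-insensitive search for keyword in each encoding; hits sorted by offset."""
    # bytes.lower() only changes ASCII letters, so offsets stay aligned with the image
    haystack = bytes(image).lower()
    hits = []
    for enc in ENCODINGS:
        needle = keyword.lower().encode(enc)
        pos = haystack.find(needle)
        while pos != -1:
            region, owner = classify(pos, layout, cluster_size)
            hits.append((pos, enc, region, owner))
            pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def build_sample_volume():
    """Constructed 4 KiB volume with one live file, slack residue and a free-cluster fragment."""
    image = bytearray(8 * CLUSTER)
    image[0:8] = b"\xebR\x90NTFS "                           # fake boot sector marker
    notes = b"Meeting notes: the invoice from Acme was approved.".ljust(700, b".")
    image[CLUSTER:CLUSTER + 700] = notes                      # live file in clusters 1 and 2
    remnant = b"INVOICE #0042 (deleted draft)"                # old data left in cluster 2's slack
    image[2 * CLUSTER + 400:2 * CLUSTER + 400 + len(remnant)] = remnant
    fragment = "Invoice".encode("utf-16-le")                  # deleted fragment in free cluster 5
    image[5 * CLUSTER + 20:5 * CLUSTER + 20 + len(fragment)] = fragment
    layout = [{"name": "notes.txt", "clusters": [1, 2], "size": 700}]
    return bytes(image), layout


if __name__ == "__main__":
    image, layout = build_sample_volume()
    for offset, enc, region, owner in keyword_search(image, "invoice", layout):
        print(f"offset {offset:5d}  {enc:9s}  {region:11s}  {owner}")
```

A search restricted to live files would return only the first hit; the other two are exactly the slack and unallocated results the slide says the tools must reach, and a hex/ASCII viewer is how an examiner then inspects the bytes around each offset.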
33. Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
(Image: Saint Olga planting Christianity in Russia)

34. Steganography
• Detection techniques are crude
• Usually done by looking for evidence of steganography use, e.g. steg programs on the system
• Advanced analysis includes steg detection programs (that typically use statistical analysis techniques)

35. Question?
A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?
a. Steganography
b. Data carving
c. File signature analysis
d. Slack space analysis

36. Question?
A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?
a. Data carving
b. Cryptography
c. Data blinking
d. Steganography

37. Incident Handling & Forensics

38. Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and containment
– Gathering evidence
– Analysis and reporting
• Closure
– Restoration
– Lessons learned

39. The Response Team
• Cross-functional with a high level of authority
– Dedicated, with clearly defined roles & responsibilities
– Not just computer security: management, info sec, IT/network, legal, public relations
• Well trained
– Rehearsals and training appropriate to risk
– Trained in forensics
– Forensics tools and equipment
• Policies and procedures
– Appropriate to risk (risk management)
– Lessons learned / constant refinement

40. When to Involve Law Enforcement
• Use forensic processes whenever possible
• As a general rule: involve law enforcement when corporate policy or the law says so
• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.
• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.

41. Make Sneaking Hard
• Detection systems appropriate to risk
• Logging, logging, logging!!! (firewall, router, system, …)
• Monitoring
– Intrusion detection systems
– File integrity monitoring systems
– Vulnerability and configuration management systems
– Attack path analysis
• Warning banners, expectations of use, expectations of privacy
• Physical security systems

42. Questions?
Continue the conversation at http://connect.ncircle.com