Computer Forensics: You can run but you can't hide
0 likes1,771 views
This document discusses digital forensics and incident response (DFIR). It covers the key phases of digital forensics like identification, acquisition, preservation, analysis and dissemination. Acquisition involves collecting evidence from various sources like mobile devices, cloud storage and game consoles. Preservation of the evidence is critical following techniques like write blocking. Analysis techniques are discussed like recovering deleted data and analyzing file system metadata. The challenges of DFIR are also covered like virtual machines, network forensics and issues with the cloud. The document ends emphasizing the importance of ethics, certification and keeping up with new tools and techniques in this field.
Computer Forensics: You can run but you can't hide
- 1. Digital Forensics & IR You can run, but you can’t hide
- 2. Antonio Sanz IT Systems & Security Manager Expert witness @antoniosanzalc http://www.equipoazul.es
- 3. #SanPepeEINA
- 4. WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?
- 5. There is a war out there
- 6. Cybercrime
- 10. IR : Respond to an incident
- 11. Digital forensics : Post-mortem
- 13. This is not a pipe
- 14. This is not a pipe
- 15. It’s all about evidence, stupid !
- 16. No fancy 3D tools like CSI
- 17. Techniques, tools and procedures
- 18. People could go to prison
- 19. Identification Adquisition Preservation Analysis Dissemination Digital forensics phases Legal stuff here and here Tech yeah!
- 20. WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?
- 21. Acquisition
- 22. Mobile devices
- 23. RAID, SAN, NAS, VM
- 24. Cloud storage
- 26. Gotta catch ‘em all
- 27. Should I pull the plug ?
- 28. Use a cond … A write blocker
- 29. Whole enchilada Get the whole enchilada
- 32. OBEY THE CHAIN
- 33. WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?
- 34. Bad guys want to hide … but they need to run
- 36. Live forensics
- 42. Recover deleted data Recover deleted data
- 44. Good times, MAC times
- 45. Making history
- 46. Space / Time Analysis
- 47. 47 Don’t delete your history. Or do it, it doesn’t matter
- 51. Recycle bin are gold mines
- 52. 52 Registry knows where your porn is
- 53. Every USB you plugged could be used against you
- 55. Where did you say you hide your crap?.
- 56. Event logs Finding things in logs is like…
- 57. Too much … metadata
- 59. You’ve got an email
- 60. Share your downloads with us !
- 64. Yummy extra info … Yummy data breakfast
- 65. Virtual Machines
- 66. Take snapshots like there’s no tomorrow
- 69. How I Xplico to you dude ?
- 71. Cloud computing
- 72. There’s still traces There are always traces left
- 73. WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?
- 74. Cut to the chase
- 75. Know your trade
- 76. Know your enemy Know your enemy
- 77. Use more than one tool
- 78. Missing things tell us a lot
- 79. Put two and two together
- 80. Always learn new tricks
- 81. 50% Knowledge 30% Technique 15% Instincts 5% Luck
- 82. Writing the report > Introducción > Resumen Ejecutivo > Entorno del Informe (personas, lugares, fechas) > Hechos probados iniciales (lo que sabemos) > Hechos técnicos demostrables (lo que encontramos) > Conclusiones > Anexo: Evidencias Write your report
- 83. Defending the report > Contrainforme pericial > Exposición del informe en el juicio > Validez del técnico > Validez de las herramientas > Preguntas de la otra parte > Mantener la calma, responder lo justo y bien pensado Defend your report
- 84. Ethics Ethics
- 85. WTF DFIR bro? Boring legal stuff Forensic magic Stand-up guy Wanna more ?
- 86. Books
- 87. Blogs
- 88. Tools / LiveCDs
- 90. Certifications
- 91. Conclussions
- 92. We need DFIR Lots of it
- 93. Legal issues are critical
- 94. Many places to look Have to know where, how & why
- 95. You can run You can’t hide
- 96. If you’re guilty … we’ll catch you @antoniosanzalc http://www.equipoazul.es http://bit.ly/1h47zfF