SlideShare a Scribd company logo

DigitalForensics.ppt

Download as PPT, PDF
T
TamannaTabassum21

Digital forensics involves investigating computer security incidents by acquiring digital evidence without alteration and then analyzing the evidence to answer key questions like who was involved, what happened, when and how. The typical investigation process involves acquiring evidence by imaging systems or storage media, recovering files and metadata, analyzing the evidence through techniques like event reconstruction or locating contraband material, and presenting findings. Challenges include the massive amounts of potential data, limited system logging, and needing to explain technical details simply. Standards, better system auditing, and databases of known file systems and malware could help advance the field.

Education
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Introduction to Digital Forensics Florian Buchholz
What is Digital Forensics? • Emerging discipline in computer security – “voodoo science” – No standards, few research • Investigation that takes place after an incident has happened • Try to answer questions: Who, what, when, where, why, and how
Types of investigations • Determine what the incident was and get back to a working state • Internal investigation – Should be based on IR policy – May lead to criminal investigation • Criminal investigation • Support for “real world” investigations
Typical investigation phases 1. Acquisition 2. Recovery 3. Analysis 4. Presentation
Phase 1: Acquisition • Analogous to crime scene in the “real world” • Goal is to recover as much evidence without altering the crime scene • Investigator should document as much as possible • Maintain Chain of Custody
Acquisition (2) • Determine if incident actually happened • What kind of system is to be investigated? – Can it be shut down? – Does it have to keep operating? • Are there policies governing the handling of the incident? • Is a warrant needed?
Acquisition (3) • Get most fleeting information first – Running processes – Open sockets – Memory – Storage media • Create 1:1 copies of evidence (imaging) • If possible, lock up original system in the evidence locker
Phase 2: Recovery • Goal is to extract data from the acquired evidence • Always work on copies, never the original – Must be able to repeat entire process from scratch • Data, deleted data, “hidden” data
File systems • Get files and directories • Metadata – User IDs – Timestamps (MAC times) – Permissions, … • Some deleted files may be recovered • Slack space
File deletion • Most file systems only delete directory entries but not the data blocks associated with a file. • Unless blocks get reallocated the file may be reconstructed – The earlier the better the chances – Depending on fragmentation, only partial reconstruction may be possible
Slack space • Unallocated blocks – Mark blocks as allocated to fool the file system • Unused space at end of files if it doesn’t end on block boundaries • Unused space in file system data structures
Steganography • Data hidden in other data • Unused or irrelevant locations are used to store information • Most common in images, but may also be used on executable files, meta data, file system slack space
Encrypted data • Depending on encryption method, it might be infeasible to get to the information. • Locating the keys is often a better approach. • A suspect may be compelled to reveal the keys by law.
Recovery (cont.) • Locating hidden or encrypted data is difficult and might even be impossible. • Investigator has to look at other clues: – Steganography software – Crypto software – Command histories
File residue • Even if a file is completely deleted from the disk, it might still have left a trace: – Web cache – Temporary directories – Data blocks resulting from a move – Memory
Phase 3: Analysis • Methodology differs depending on the objectives of the investigation: – Locate contraband material – Reconstruct events that took place – Determine if a system was compromised – Authorship analysis
Contraband material • Locate specific files – Databases of illegal pictures – Stolen property • Determine if existing files are illegal – Picture collections – Music or movie downloads
Locating material • Requires specific knowledge of file system and OS. • Data may be encrypted, hidden, obfuscated • Obfuscation: – Misleading file suffix – Misleading file name – Unusual location
Event reconstruction • Utilize system and external information – Log files – File timestamps – Firewall/IDS information • Establish time line of events
Time issues • Granularity of time keeping – Can’t order events that occur in the same time interval • Multiple systems: – Different clocks – Clock drift • E-mail headers and time zones
The needle in the haystack • Locating files: – Storage capacity approaches the terrabyte magnitude – Potentially millions of files to investigate • Event reconstruction: – Dozens, hundreds of events a second – Only last MAC times are available – Insufficient logging
Compromised system • If possible, compare against known good state – Tripwire – Databases of “good” files • Look for unusual file MACs • Look for open or listening network connections (trojans) • Look for files in unusual locations
Unknown executables • Run them in a constrained environment – Dedicated system – Sandbox – Virtual machine • Might be necessary to disassemble and decompile – May take weeks or months
Authorship analysis • Determine who or what kind of person created file. – Programs (Viruses, Tojans, Sniffers/Loggers) – E-mails (Blackmail, Harassment, Information leaks) • If actual person cannot be determined, just determining the skill level of the author may be important.
Phase 4: Presentation • An investigator that performed the analysis may have to appear in court as an expert witness. • For internal investigations, a report or presentation may be required. • Challenge: present the material in simple terms so that a jury or CEO can understand it.
Forensics Tools • Acquisition – dd, pdd – SafeBack, … • Recovery – Encase – TCT and SleuthKit • Analysis – ? • Presentation – ?
DF Investigator Profile • Understanding of relevant laws • Knowledge of file systems, OS, and applications – Where are the logs, what is logged? – What are possible obfuscation techniques? – What programs and libraries are present on the system and how are they used? • Know what tools exist and how to use them • Be able to explain things in simple terms
Future in DF • The need for standards – Acquisition procedure: develop step- by-step instructions to be followed – Certification • Investigators • Tools • Operating Systems
Future in DF (2) • Research – Create more meaningful audit data – Ensure integrity and availability of audit data – Privacy and Digital Forensics – Develop detection techniques – Develop automation processes
Future in DF (3) • Documentation – File systems • Over 50 different FS currently in use • Most are poorly documented – Malware • “fingerprint” of bad programs – Good system state • Accessible databases • Every OS, version, patchlevel

More Related Content

PPT
Basics of Digital Forensics, techniques and tools
madhulikarsit
 
PPT
DigitalForensicDigitalForensicDigitalForensic
RPimpalgaonkar
 
PPT
DigitalForensicsDigitalForensics.pptDigitalForensics.ppt
MoshoodKareemOlawale
 
PDF
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
PPT
Computer Forensic
Tawhidur Rahman
 
PPTX
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
PPTX
Latest presentation
Adetunji Adeoje
 
PPT
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 
Basics of Digital Forensics, techniques and tools
madhulikarsit
 
DigitalForensicDigitalForensicDigitalForensic
RPimpalgaonkar
 
DigitalForensicsDigitalForensics.pptDigitalForensics.ppt
MoshoodKareemOlawale
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
Computer Forensic
Tawhidur Rahman
 
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
Latest presentation
Adetunji Adeoje
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Alchemist095
 

Similar to DigitalForensics.ppt (20)

PDF
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
PPTX
cyber forensics
Ambuj Kumar
 
PPTX
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
MoshoodKareemOlawale
 
PPT
Collecting and preserving digital evidence
Online
 
PPTX
Computer Forensics
Daksh Verma
 
PDF
Cyber Forensics training by Forensic Academy
Forensic Academy
 
PPTX
Cyber forensics 02 mit-2014
Muzzammil Wani
 
PDF
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
Vest Forensics presentation owasp benelux days 2012 leuven
Marc Hullegie
 
PDF
Daniel_CISSP_Dom7__1_.pdf
Alejandro Daricz
 
PPTX
Network and computer forensics
Johnson Ubah
 
PPTX
Sujit
Sujit George
 
PPTX
Computer Forensics
Bense Tony
 
PPTX
cyberforensicsv2-191113184409.pptx
PrasannaKumarpanda2
 
PPTX
cyberforensicsv2-191113184409.pptx
PrabithGupta1
 
PDF
CNIT 152 11 Analysis Methodology
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PPTX
Digital Forensic ppt
Suchita Rawat
 
PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PPTX
Computer forensics
deaneal
 
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
cyber forensics
Ambuj Kumar
 
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
MoshoodKareemOlawale
 
Collecting and preserving digital evidence
Online
 
Computer Forensics
Daksh Verma
 
Cyber Forensics training by Forensic Academy
Forensic Academy
 
Cyber forensics 02 mit-2014
Muzzammil Wani
 
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 
Vest Forensics presentation owasp benelux days 2012 leuven
Marc Hullegie
 
Daniel_CISSP_Dom7__1_.pdf
Alejandro Daricz
 
Network and computer forensics
Johnson Ubah
 
Sujit
Sujit George
 
Computer Forensics
Bense Tony
 
cyberforensicsv2-191113184409.pptx
PrasannaKumarpanda2
 
cyberforensicsv2-191113184409.pptx
PrabithGupta1
 
CNIT 152 11 Analysis Methodology
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
Digital Forensic ppt
Suchita Rawat
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Computer forensics
deaneal
 
Ad

Recently uploaded (20)

PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Institutional Correction lecture only . . .
limvtheghins
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
master seminar digital applications in india
ananyaray35
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Pre independence Education in Inndia.pdf
goofy5603
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Ad

DigitalForensics.ppt

  • 2. What is Digital Forensics? • Emerging discipline in computer security – “voodoo science” – No standards, few research • Investigation that takes place after an incident has happened • Try to answer questions: Who, what, when, where, why, and how
  • 3. Types of investigations • Determine what the incident was and get back to a working state • Internal investigation – Should be based on IR policy – May lead to criminal investigation • Criminal investigation • Support for “real world” investigations
  • 4. Typical investigation phases 1. Acquisition 2. Recovery 3. Analysis 4. Presentation
  • 5. Phase 1: Acquisition • Analogous to crime scene in the “real world” • Goal is to recover as much evidence without altering the crime scene • Investigator should document as much as possible • Maintain Chain of Custody
  • 6. Acquisition (2) • Determine if incident actually happened • What kind of system is to be investigated? – Can it be shut down? – Does it have to keep operating? • Are there policies governing the handling of the incident? • Is a warrant needed?
  • 7. Acquisition (3) • Get most fleeting information first – Running processes – Open sockets – Memory – Storage media • Create 1:1 copies of evidence (imaging) • If possible, lock up original system in the evidence locker
  • 8. Phase 2: Recovery • Goal is to extract data from the acquired evidence • Always work on copies, never the original – Must be able to repeat entire process from scratch • Data, deleted data, “hidden” data
  • 9. File systems • Get files and directories • Metadata – User IDs – Timestamps (MAC times) – Permissions, … • Some deleted files may be recovered • Slack space
  • 10. File deletion • Most file systems only delete directory entries but not the data blocks associated with a file. • Unless blocks get reallocated the file may be reconstructed – The earlier the better the chances – Depending on fragmentation, only partial reconstruction may be possible
  • 11. Slack space • Unallocated blocks – Mark blocks as allocated to fool the file system • Unused space at end of files if it doesn’t end on block boundaries • Unused space in file system data structures
  • 12. Steganography • Data hidden in other data • Unused or irrelevant locations are used to store information • Most common in images, but may also be used on executable files, meta data, file system slack space
  • 13. Encrypted data • Depending on encryption method, it might be infeasible to get to the information. • Locating the keys is often a better approach. • A suspect may be compelled to reveal the keys by law.
  • 14. Recovery (cont.) • Locating hidden or encrypted data is difficult and might even be impossible. • Investigator has to look at other clues: – Steganography software – Crypto software – Command histories
  • 15. File residue • Even if a file is completely deleted from the disk, it might still have left a trace: – Web cache – Temporary directories – Data blocks resulting from a move – Memory
  • 16. Phase 3: Analysis • Methodology differs depending on the objectives of the investigation: – Locate contraband material – Reconstruct events that took place – Determine if a system was compromised – Authorship analysis
  • 17. Contraband material • Locate specific files – Databases of illegal pictures – Stolen property • Determine if existing files are illegal – Picture collections – Music or movie downloads
  • 18. Locating material • Requires specific knowledge of file system and OS. • Data may be encrypted, hidden, obfuscated • Obfuscation: – Misleading file suffix – Misleading file name – Unusual location
  • 19. Event reconstruction • Utilize system and external information – Log files – File timestamps – Firewall/IDS information • Establish time line of events
  • 20. Time issues • Granularity of time keeping – Can’t order events that occur in the same time interval • Multiple systems: – Different clocks – Clock drift • E-mail headers and time zones
  • 21. The needle in the haystack • Locating files: – Storage capacity approaches the terrabyte magnitude – Potentially millions of files to investigate • Event reconstruction: – Dozens, hundreds of events a second – Only last MAC times are available – Insufficient logging
  • 22. Compromised system • If possible, compare against known good state – Tripwire – Databases of “good” files • Look for unusual file MACs • Look for open or listening network connections (trojans) • Look for files in unusual locations
  • 23. Unknown executables • Run them in a constrained environment – Dedicated system – Sandbox – Virtual machine • Might be necessary to disassemble and decompile – May take weeks or months
  • 24. Authorship analysis • Determine who or what kind of person created file. – Programs (Viruses, Tojans, Sniffers/Loggers) – E-mails (Blackmail, Harassment, Information leaks) • If actual person cannot be determined, just determining the skill level of the author may be important.
  • 25. Phase 4: Presentation • An investigator that performed the analysis may have to appear in court as an expert witness. • For internal investigations, a report or presentation may be required. • Challenge: present the material in simple terms so that a jury or CEO can understand it.
  • 26. Forensics Tools • Acquisition – dd, pdd – SafeBack, … • Recovery – Encase – TCT and SleuthKit • Analysis – ? • Presentation – ?
  • 27. DF Investigator Profile • Understanding of relevant laws • Knowledge of file systems, OS, and applications – Where are the logs, what is logged? – What are possible obfuscation techniques? – What programs and libraries are present on the system and how are they used? • Know what tools exist and how to use them • Be able to explain things in simple terms
  • 28. Future in DF • The need for standards – Acquisition procedure: develop step- by-step instructions to be followed – Certification • Investigators • Tools • Operating Systems
  • 29. Future in DF (2) • Research – Create more meaningful audit data – Ensure integrity and availability of audit data – Privacy and Digital Forensics – Develop detection techniques – Develop automation processes
  • 30. Future in DF (3) • Documentation – File systems • Over 50 different FS currently in use • Most are poorly documented – Malware • “fingerprint” of bad programs – Good system state • Accessible databases • Every OS, version, patchlevel