EXAMINING COMPUTER AND
EVIDENCE COLLECTION
DEFINITION
• "Computer forensics is the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable." (Rodney McKemmish, 1999).
AIM OF COMPUTER FORENSICS
• The main aim of computer forensics is not only to find the offender, but also to uncover the evidence and present it in a way that supports legal action against the offender.
PROPERTIES OF COMPUTER FORENSICS
• IDENTIFY
• PRESERVE
• ANALYZE
• PRESENT
NEED FOR COMPUTER FORENSICS
• To present evidence in court that could lead to the punishment of the perpetrator.
• To ensure the integrity of the computer system.
HISTORY OF COMPUTER FORENSICS
• In the US, developments began over 30 years ago when law enforcement and military investigators saw that criminals were becoming technically capable.
• In the decades that followed and up to today the field has exploded. Law enforcement and the military maintain strong information security and computer forensics capabilities at the local, state and federal levels.
• Today software companies continue to produce newer and more robust forensic software. Law enforcement and the military are increasingly identifying and training personnel to respond to technology-related crimes.
CYBER CRIME AND EVIDENCE
• CYBER CRIME
– Cyber crime occurs when information technology is used to commit or conceal a crime.
• TYPES OF CYBER CRIME
– Child Pornography
– Breach of Computer Security
– Fraud / Theft
– Copyright Infringement
– Identity Theft
– Drug Investigation
– Threat
– Burglary
– Suicide
– Obscenity
– Homicide
– Administrative Investigation
– Sexual Assault
– Stalking
• DIGITAL EVIDENCE
– "Any data recorded or stored on a medium in or by a computer system or similar device that can be read or understood by a person, a computer system or another similar device. It includes a display, printout or other output of this data."
• Latent, like a fingerprint or DNA
• Fragile: can easily be altered, damaged or destroyed
• Can be time-sensitive
TYPES OF DIGITAL EVIDENCE
• PERSISTENT DATA, i.e. data that remains intact when the computer is turned off. For example: data on hard drives and removable media (such as USB drives or flash memory cards), including deleted files, the registry, temporary files and web browsing history.
• VOLATILE DATA, i.e. data that is lost when the computer is switched off. For example: the contents of RAM, running processes, open network connections, logged-on users and clipboard contents. Volatile data must be captured before the system is powered down.
RULES OF EVIDENCE
• Admissible,
– Must be usable in court or elsewhere
• Authentic,
– The evidence must be tied to the incident in a relevant manner
• Complete (no tunnel vision),
– Must include exculpatory evidence and evidence pointing to other suspects
• Reliable,
– No question about its authenticity and veracity
• Credible,
– Clear, easy to understand and believable to a jury
TOP 10 EVIDENCE LOCATIONS
• Internet history files
• Temporary Internet files
• Slack / unallocated space
• Buddy lists, personal chat room records, P2P, other saved areas
• Newsgroups / club lists / postings
• Settings, folder structure, file names
• File storage dates
• Software / hardware added
• File-sharing ability
• Emails
COMPUTER FORENSIC METHODOLOGY
• Shut down the computer (only after capturing volatile data such as RAM and network state, which a shutdown destroys)
• Document the system hardware configuration
• Move the computer system to a secure location
• Make bit-stream images of hard disks and floppy disks
• Mathematically authenticate the data on all storage devices (hash the source and the image and compare)
• Document the system date and time
• Make a list of key search words
• Evaluate the Windows swap file
• Evaluate file slack
• Evaluate unallocated space (erased files)
• Search files, file slack and unallocated space for key words
• Document file names, dates and times
• Identify file, program and storage anomalies
• Evaluate program functionality
• Document your findings
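The imaging and authentication steps above, as an added example (not code from the original slides). It images a constructed temporary file standing in for a drive, hashes the source and the image, and writes an acquisition record; the case identifier, examiner name and file names are assumptions.

```python
"""Bit-stream imaging with hash authentication and an acquisition record.

Added example for the methodology above; the "device" is a constructed
temporary file standing in for a drive, not real evidence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096          # sector-sized chunks: a faithful, memory-cheap stream copy
SAMPLE_SIZE = 256 * 1024


def hash_file(path, algo="sha256"):
    """Hash a file block by block so large images do not exhaust memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst):
    """Copy src to dst byte for byte, hashing the stream as it is read.

    The source is opened read-only; that is only the software half of write
    blocking, a hardware write blocker is still needed on a real drive.
    Returns (bytes_copied, sha256_of_stream).
    """
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
    return copied, h.hexdigest()


def acquire(src, dst, examiner, case_id):
    """Image src to dst and return an acquisition record with the verification result."""
    started = datetime.now(timezone.utc).isoformat()
    size, stream_hash = image_device(src, dst)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": src,
        "image": dst,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "sha256_stream": stream_hash,     # what was read from the source
        "sha256_source": hash_file(src),  # the source re-read after imaging
        "sha256_image": hash_file(dst),   # the image file as written
    }
    # Mathematical authentication: all three hashes must agree, proving the
    # image equals the source and the source was not altered by acquisition.
    record["verified"] = (
        record["sha256_stream"] == record["sha256_source"] == record["sha256_image"]
        and os.path.getsize(dst) == size
    )
    return record


def verify_image(record):
    """Re-verification at analysis time: the image must still match its recorded hash."""
    return hash_file(record["image"]) == record["sha256_image"]


def demo():
    """Image a constructed 256 KiB 'drive' and write the record next to the image."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sdb.raw")   # stands in for /dev/sdb (assumed name)
    dst = os.path.join(workdir, "sdb.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(SAMPLE_SIZE))      # constructed sample content
    record = acquire(src, dst, examiner="J. Doe", case_id="CASE-0001")
    with open(os.path.join(workdir, "acquisition.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def tamper_demo():
    """Flip one bit in the image after acquisition; re-verification must fail."""
    record = demo()
    ok_before = verify_image(record)
    with open(record["image"], "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    return ok_before, verify_image(record)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tamper detected:", tamper_demo() == (True, False))
```

The record is what goes into the chain-of-custody file: the hashes are computed at acquisition time and recomputed whenever the image is handed over or examined, so any change, down to a single bit, is detectable.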
COMPUTER FORENSICS APPLICATIONS
• APPLICATIONS
– FINANCIAL FRAUD DETECTION
– CRIMINAL PROCEEDINGS
– CIVIL DISPUTES
– CORPORATE SECURITY POLICY AND ACCEPTABLE-USE VIOLATIONS
• Skills required for computer forensics work
– Programming or computer-related experience
– Broad understanding of operating systems and applications
– Strong analytical skills
– Strong computer science fundamentals
– Strong systems administration skills
– Knowledge of the latest intrusion tools
– Knowledge of cryptography and evidence handling
– Ability to testify in court as an expert witness
Evidence collection
• Data collection plays an important role in identifying and accessing data from the many sources in a cloud environment during a forensic investigation. Evidence is no longer stored on a single physical host; it is distributed across hosts in different geographic regions, so when a crime occurs it is difficult to identify where the evidence is. Evidence is gathered from sources such as routers, switches, servers, hosts, virtual machines and browser artifacts, and from storage media such as hard drives, RAM images and physical storage. It is also collected through log file analysis, cloud storage data collection, web browser artifacts and physical memory analysis.
• Cloud log analysis
– Logging is a security control that can be used to identify operational problems, security incidents and fraudulent activity. Logs are used mainly to monitor systems and to investigate malicious attacks. Cloud log analysis identifies the sources of evidence generated at different times by different devices such as routers, switches, servers and VM instances, as well as by internal components such as hard drives, RAM images and physical storage. Information about different types of attack is recorded in different log files, such as application logs, system logs, security logs, configuration logs, network logs, web server logs, audit logs and VM logs, described as follows:
– The application log is produced by the developers by inserting logging calls into the program. System administrators use application logs to determine the status of an application running on the server.
– The system log records the date and time each entry was created, the message type (debug, error, etc.), the message generated by the system about the event, and the processes affected when the event occurred.
– The firewall log records the source of routed packets, rejected IP addresses, outgoing activity of internal servers and connection failures.
– The network log contains detailed information about events on the network, such as malicious traffic, packet loss and bandwidth delays. The network administrator reviews daily activity and looks for intrusion attempts by analysing network logs.
– The web server log records an entry for each request served by the web server. Entries include the requested page, the client's IP address, the date and time, the HTTP status code and the number of bytes returned for the request.
– The audit log records access to the system or network, including unauthorized access, in sequential order. It helps security administrators analyse malicious activity at the time of the attack. Audit log entries include source and destination addresses, the user identity and timestamps.
– The VM log records information specific to instances running on the hypervisor, e.g. the startup configuration, operations performed and when the VM instance stopped running. It also records the number of instances running, the execution time of each application and application migrations, helping the CSP locate malicious activity that occurred during the attack.
– As cloud usage grows and new software versions are deployed, the number of vulnerabilities and attacks in the cloud increases, and these attacks leave traces in the various log files. Application-level attacks are reflected in the access log, network log, authentication log and so on, and also in the log files kept by the Apache web server. These logs are used in forensic investigations to detect application-level attacks.
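Detecting application-level attacks in a web server access log, as an added example (not from the original slides). It parses constructed lines in the Apache/NGINX "combined" format, percent-decodes request targets (including double encoding), and flags SQL injection and path traversal patterns plus repeated authentication failures from one client; the IP addresses, log lines, signature patterns and the failure threshold are all assumptions for the example.

```python
"""Application-level attack detection over web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in Apache "combined" format; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /static/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:13 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:14 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:00:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures; real deployments use tuned rule sets.
SQLI = re.compile(r"(' *or *'|union +select|--|/\*|;\s*drop\b)", re.I)
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd|\\\.\.\\)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def fully_decode(target, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def detect(lines, auth_fail_threshold=5):
    """Return findings (sqli, traversal, brute_force) found in the given log lines."""
    findings = []
    failures = defaultdict(list)   # (ip, target) -> times of 401 responses
    success_after = set()          # (ip, target) that later got a non-401 POST response
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = fully_decode(rec["target"])
        if SQLI.search(decoded):
            findings.append({"kind": "sqli", "ip": rec["ip"], "time": rec["time"], "target": decoded})
        if TRAVERSAL.search(decoded):
            findings.append({"kind": "traversal", "ip": rec["ip"], "time": rec["time"], "target": decoded})
        key = (rec["ip"], rec["target"])
        if rec["status"] == 401:
            failures[key].append(rec["time"])
        elif key in failures and rec["method"] == "POST":
            success_after.add(key)
    for (ip, target), times in failures.items():
        if len(times) >= auth_fail_threshold:
            findings.append({"kind": "brute_force", "ip": ip, "time": times[0], "target": target,
                             "attempts": len(times), "followed_by_success": (ip, target) in success_after})
    return sorted(findings, key=lambda f: f["time"])


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f["time"].isoformat(), f["ip"], f["kind"], f["target"])
    print(summarize(run_sample()))
```

Decoding before matching matters: the second traversal line only reveals `../` after two rounds of percent-decoding, which is exactly the trick attackers use to slip past filters that decode once. The brute-force rule also records whether a success followed the failures, which is the difference between an attempt and a compromised account.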
Capture evidence from cloud storage
• Evidence from cloud storage services such as Dropbox, Microsoft SkyDrive (now OneDrive) and Google Drive is collected through the web browser, and files are downloaded with existing software tools. This helps identify unauthorized modification of, or access to, the cloud storage while file contents are being uploaded to or downloaded from it, and verify whether an attacker has modified timestamp information in user accounts. The Virtual Forensic Computing (VFC) tool is used by forensic investigators to extract evidence from a virtual machine image file. The evidence is accessible for each account through the web browser running in the cloud environment, with the hash value of the VM image recorded.
• Packets are captured with network packet tools such as Wireshark, Snappy, etc. from each VM instance running on the hosts. Account information is synchronized and downloaded using the client software on each device in order to identify the source of the evidence. For Dropbox, evidence is isolated from files found in the virtual machine under "C:\Users\[username]\Dropbox". The zip file contains the name of the folder accessible through the browser, which is used to determine the effect of a timestamp on a drive. If an attacker modifies the contents of a file, the change is identified by scanning the VM disk, the version history of the files stored in the cloud and the local cache. It can also be detected by computing the hash value of the VM image and comparing it with the recorded value.
• Collecting evidence via a web browser
– Clients communicate with servers in the cloud environment through a web browser to perform various tasks, e.g. checking email and messages, shopping online and looking up information. An important source of evidence is therefore the web browser history. Evidence is found by analysing the URLs in the browser history, by timeline analysis, by examining the user's browsing behaviour and URL encoding, and by recovering deleted history entries.
Here is a sample web browser URL: [figure not reproduced]
– Likewise, evidence stored in the web browser cache and in the root directory of a web application is used to identify the source of an attack.
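Timeline and URL analysis of browser history, as an added example (not from the original slides). It builds an in-memory SQLite table shaped like the `urls` table of a Chromium-based browser's History database, converts the WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times, decodes the URLs and pulls out search terms; the visited sites, times and the set of search-parameter names are constructed assumptions.

```python
"""Browser history timeline with timestamp conversion and URL decoding (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SEARCH_PARAMS = {"q", "p", "query"}   # assumed common search-term parameter names


def from_webkit(microseconds):
    """WebKit timestamp -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def to_webkit(dt):
    """UTC datetime -> WebKit timestamp (integer microseconds)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed History-style database in memory; not a real browser profile."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    base = datetime(2023, 10, 10, 13, 50, tzinfo=timezone.utc)
    rows = [   # deliberately not in time order, the timeline step must sort them
        ("https://www.bing.com/search?q=delete%20browser%20history%20permanently",
         "Bing", 1, base + timedelta(minutes=12)),
        ("https://www.google.com/search?q=how+to+wipe+a+hard+drive&oq=wipe",
         "how to wipe - Google Search", 1, base + timedelta(minutes=1)),
        ("https://mail.example.com/inbox?folder=Sent%20Items", "Mail", 3, base + timedelta(minutes=9)),
        ("https://example.com/download/eraser.exe", "Eraser", 1, base + timedelta(minutes=4)),
    ]
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
                    [(u, t, c, to_webkit(dt)) for u, t, c, dt in rows])
    con.commit()
    return con


def timeline(con):
    """Visits ordered by time, with decoded URL parts and any search terms."""
    entries = []
    query = "SELECT url, title, visit_count, last_visit_time FROM urls"
    for url, title, count, wk in con.execute(query):
        parts = urlsplit(url)
        params = parse_qs(parts.query)          # parse_qs percent-decodes and expands '+'
        terms = [v for k, vs in params.items() if k in SEARCH_PARAMS for v in vs]
        entries.append({
            "time": from_webkit(wk),
            "host": parts.hostname,
            "path": unquote(parts.path),
            "search_terms": terms,
            "title": title,
            "visits": count,
        })
    return sorted(entries, key=lambda e: e["time"])


if __name__ == "__main__":
    for e in timeline(build_sample_history()):
        print(e["time"].isoformat(), e["host"], e["path"], e["search_terms"])
```

Getting the epoch right is the whole point of the timestamp step: treating a WebKit value as a Unix timestamp puts every visit centuries off and wrecks the timeline. The search-term extraction is what turns a list of URLs into intent, which is usually the evidence that matters.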
• Physical memory analysis
– Physical memory holds data that is lost in a cloud environment unless it is captured live, e.g. network sockets, encryption keys and database contents held in memory. These are recovered from a physical memory dump with the pslist plugin of a memory analysis framework such as Volatility, which lists each process's name, process ID, parent process ID and start time. Processes of interest are distinguished by their names: "exe" processes on Windows and "sync" processes on Ubuntu and Mac OS.
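Using the fields pslist returns (name, PID, PPID, start time) for triage, as an added example that is not from the original slides. It parses a constructed pslist-style table, rebuilds the parent/child tree and flags lineage anomalies: orphaned processes, children that appear to have started before their parent, Windows system processes with an unexpected parent, and duplicated singleton processes. The process table and the expected-parent rules are assumptions for the example; the rules reflect common Windows triage guidance, not anything the slides state.

```python
"""Process-list triage from a memory dump listing (added example).

Parses a pslist-style table (name, PID, PPID, start time), rebuilds the
parent/child tree and flags lineage anomalies. The table is constructed.
"""
from collections import defaultdict
from datetime import datetime

PSLIST = """\
Name          PID    PPID   Start
System        4      0      2023-10-10 12:00:00
smss.exe      340    4      2023-10-10 12:00:01
wininit.exe   440    340    2023-10-10 12:00:03
services.exe  520    440    2023-10-10 12:00:04
lsass.exe     528    440    2023-10-10 12:00:04
svchost.exe   700    520    2023-10-10 12:00:05
explorer.exe  1800   1700   2023-10-10 12:01:00
Dropbox.exe   3400   1800   2023-10-10 12:02:00
svchost.exe   3120   1800   2023-10-10 13:55:00
cmd.exe       3600   3120   2023-10-10 13:54:00
lsass.exe     3500   3400   2023-10-10 13:56:00
"""

# Assumed Windows lineage rules used for triage; an instance outside them is suspicious.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "services.exe": "wininit.exe"}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}


def parse_pslist(text):
    """Parse the table into {pid: {name, pid, ppid, start}}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, pid, ppid, start = line.split(None, 3)
        procs[int(pid)] = {"name": name, "pid": int(pid), "ppid": int(ppid),
                           "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S")}
    return procs


def render_tree(procs):
    """pstree-style lines, children indented under parents, roots sorted by PID."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    roots = sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid]['name']} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def find_anomalies(procs):
    """Return a list of {subject, kind, detail} findings about process lineage."""
    findings = []
    by_name = defaultdict(list)
    for p in procs.values():
        by_name[p["name"].lower()].append(p["pid"])
    for p in procs.values():
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        if parent is None:
            if p["pid"] != 4:   # System (PID 4) legitimately has no parent
                findings.append({"subject": p["pid"], "kind": "orphan",
                                 "detail": f"parent {p['ppid']} not in process list"})
            continue
        if p["start"] < parent["start"]:   # impossible unless PID reuse or tampering
            findings.append({"subject": p["pid"], "kind": "started_before_parent",
                             "detail": f"{name} started before parent {parent['name']}"})
        expected = EXPECTED_PARENT.get(name)
        if expected and parent["name"].lower() != expected:
            findings.append({"subject": p["pid"], "kind": "unexpected_parent",
                             "detail": f"{name} parented by {parent['name']}, expected {expected}"})
    for name in SINGLETONS:
        if len(by_name[name]) > 1:
            findings.append({"subject": name, "kind": "multiple_instances",
                             "detail": "pids " + ",".join(map(str, sorted(by_name[name])))})
    return findings


def analyze_sample():
    return find_anomalies(parse_pslist(PSLIST))


if __name__ == "__main__":
    print("\n".join(render_tree(parse_pslist(PSLIST))))
    for f in analyze_sample():
        print(f["subject"], f["kind"], f["detail"])
```

An orphan is only a lead, not proof (explorer.exe is normally orphaned because userinit.exe exits), which is why each finding carries a kind and detail rather than a verdict; the second lsass.exe with a user-land parent and the svchost.exe under explorer.exe are the ones an analyst would pull memory for first.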
