Forensics Analysis and Validation
Dr R Jegadeesan, Prof-CSE
Jyothishmathi Institute of Technology and Science, Karimnagar
Slide 2: Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on the nature of the investigation
  – And on the amount of data to process
• Scope creep - when an investigation expands beyond the original description
  – Because of unexpected evidence found
  – Attorneys may ask investigators to examine other areas to recover more evidence
  – Increases the time and resources needed to extract, analyze, and present evidence
Slide 3: Determining What Data to Collect and Analyze
• Scope creep has become more common
  – Criminal investigations require more detailed examination of evidence just before trial
  – To help prosecutors fend off attacks from defense attorneys
• New evidence often isn’t revealed to prosecution
  – It’s become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial
Slide 4: Validating Forensic Data
• Ensuring the integrity of data collected is essential for presenting evidence in court
• Most forensic tools offer hashing of image files
• Example - when ProDiscover loads an image file:
  – It runs a hash and compares the value with the original hash calculated when the image was first acquired
• Advanced hexadecimal editors can also be used to check data integrity
Slide 5: Validating Forensic Data - Validating with Hexadecimal Editors
• Advanced hex editors offer features not available in digital forensics tools, such as:
  – Hashing specific files or sectors
• With the hash value in hand
  – You can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file
• WinHex provides MD5 and SHA-1 hashing algorithms
Slide 6: Validating Forensic Data - Validating with Hexadecimal Editors
• Advantage of recording hash values
  – You can determine whether data has changed
• Block-wise hashing
  – A process that builds a data set of hashes of sectors from the original file
  – Then examines sectors on the suspect’s drive to see whether any other sectors match
  – If an identical hash value is found, you have confirmed that the file was stored on the suspect’s drive
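The block-wise hashing of slide 6 (and the image-hash comparison of slide 4) as an added Python example that is not part of the original slides: each sector of a known file is hashed, and a constructed suspect image is scanned for sectors with matching hashes. The 512-byte sector size and SHA-256 (the slides mention WinHex's MD5 and SHA-1) are assumptions, and uniform fill sectors are skipped so that zeroed space cannot produce false matches.

```python
# Added example (not from the slides): block-wise hashing of a known file,
# then a scan of a suspect image for sectors whose hashes match.
import hashlib
import random

SECTOR = 512  # assumption: 512-byte sectors, as on most FAT/NTFS volumes


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Map the SHA-256 digest of each full sector of `data` to its sector index.

    Uniform sectors (all 0x00 or all 0xFF) are skipped: they occur all over a
    disk and would produce meaningless matches. A trailing partial sector is
    also skipped, because its on-disk slack padding is unknown.
    """
    table = {}
    for idx in range(len(data) // sector):
        chunk = data[idx * sector:(idx + 1) * sector]
        if len(set(chunk)) == 1:
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), idx)
    return table


def scan_image(image: bytes, known: dict, sector: int = SECTOR) -> list:
    """Return (image_sector, file_sector) pairs whose hashes match the known file."""
    hits = []
    for idx in range(len(image) // sector):
        digest = hashlib.sha256(image[idx * sector:(idx + 1) * sector]).hexdigest()
        if digest in known:
            hits.append((idx, known[digest]))
    return hits


def contiguous_runs(hits: list) -> list:
    """Group hits into runs where consecutive image sectors map to consecutive
    file sectors; a run covering the whole file is strong evidence it was stored there."""
    runs = []
    for img, src in hits:
        if runs and runs[-1][1] == img - 1 and runs[-1][3] == src - 1:
            runs[-1][1], runs[-1][3] = img, src
        else:
            runs.append([img, img, src, src])
    return [tuple(r) for r in runs]  # (img_start, img_end, file_start, file_end)


def build_samples():
    """Constructed test data: a 4-sector 'known' file and a 10-sector suspect
    image holding that file at sector 5, between zero fill and unrelated data."""
    rng = random.Random(2024)
    original = rng.randbytes(4 * SECTOR)
    unrelated = rng.randbytes(3 * SECTOR)
    image = b"\x00" * (2 * SECTOR) + unrelated + original + b"\x00" * SECTOR
    return original, image


def demo() -> list:
    original, image = build_samples()
    return scan_image(image, sector_hashes(original))


if __name__ == "__main__":
    hits = demo()
    print("matching sectors (image, file):", hits)
    print("contiguous runs:", contiguous_runs(hits))
```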
Slide 7: Validating Forensic Data - Validating with Hexadecimal Editors
• Using Hash Values to Discriminate Data
  – AccessData has its own hashing database, Known File Filter (KFF)
  – KFF filters known program files from view and contains hash values of known illegal files
  – It compares known file hash values with files on your evidence drive to see if they contain suspicious data
  – Other digital forensics tools can import the NSRL database and run
Slide 8: Validating Forensic Data - Validating with Digital Forensics Tools
• ProDiscover
  – .eve files contain metadata that includes the hash value
  – Has a preference you can enable for using the Auto Verify Image Checksum feature when image files are loaded
  – If the checksum computed by Auto Verify Image Checksum and the hash stored in the .eve file’s metadata don’t match
    • ProDiscover will notify that the acquisition is corrupt and can’t be considered reliable evidence
Slide 9: Addressing Data-Hiding Techniques
• Data hiding - changing or manipulating a file to conceal information
• Techniques:
  – Hiding entire partitions
  – Changing file extensions
  – Setting file attributes to hidden
  – Bit-shifting
  – Using encryption
  – Setting up password protection
Slide 10: Addressing Data-Hiding Techniques - Hiding Files by Using the OS
• One of the first techniques to hide data:
  – Changing file extensions
• Advanced digital forensics tools check file headers
  – Compare the file extension to verify that it’s correct
  – If there’s a discrepancy, the tool flags the file as a possibly altered file
• Another hiding technique
  – Selecting the Hidden attribute in a file’s Properties dialog box
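The header-versus-extension check of slide 10 as an added Python example, not code from the slides or from any forensics product: the file's leading bytes are matched against a small table of public magic numbers and compared with what the extension claims. The signature table, the extension mapping and the sample files are constructed for the example; an unrecognised header is reported as unknown rather than as a mismatch, which is the choice that keeps false positives down.

```python
# Added example (not from the slides): compare a file's header (magic number)
# with the type its extension claims, and flag the discrepancies.

# Well-known public magic numbers; deliberately a small table.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]

# Header type each extension should carry. Office OOXML files are ZIP
# containers, so .docx/.xlsx legitimately start with the ZIP signature;
# "text" means the file must NOT start with any binary signature.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "exe": "exe", "dll": "exe",
    "txt": "text", "csv": "text", "log": "text",
}


def header_type(data: bytes):
    """Return the type named by the file's header, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_file(name: str, data: bytes) -> dict:
    """Verdict 'ok', 'mismatch' (header contradicts extension) or 'unknown'
    (extension not in the table, or binary header not in the table)."""
    kind = header_type(data)
    ext = extension_of(name)
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        verdict = "unknown"
    elif expected == "text":
        verdict = "mismatch" if kind is not None else "ok"
    elif kind is None:
        verdict = "unknown"
    else:
        verdict = "ok" if kind == expected else "mismatch"
    return {"name": name, "extension": ext, "header": kind, "verdict": verdict}


# Constructed sample files: only the first bytes matter for this check.
SAMPLES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,    # JPEG renamed to .txt
    "budget.docx": b"PK\x03\x04" + b"\x00" * 16,         # OOXML is a ZIP: fine
    "setup.pdf": b"MZ\x90\x00" + b"\x00" * 16,           # executable named .pdf
    "README": b"plain text, no extension",
}


def flagged(samples=SAMPLES) -> list:
    """Names of files whose header contradicts their extension."""
    return [n for n, d in samples.items() if check_file(n, d)["verdict"] == "mismatch"]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
```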
Slide 11: Addressing Data-Hiding Techniques - Hiding Partitions
• By using the Windows diskpart remove letter command
  – You can unassign the partition’s letter, which hides it from view in File Explorer
• To unhide, use the diskpart assign letter command
• Other disk management tools:
  – Partition Magic, Partition Master, and Linux Grand Unified Bootloader (GRUB)
Slide 12: Addressing Data-Hiding Techniques - Hiding Partitions
• To detect whether a partition has been hidden
  – Account for all disk space when examining an evidence drive
  – Analyze any disk areas containing space you can’t account for
• In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS
  – Other forensics tools have their own methods of assigning drive letters to hidden partitions
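"Accounting for all disk space" (slide 12) as an added Python example that is not from the slides: it parses a constructed MBR partition table, reports entries whose type code is one of the standard hidden-partition codes, and lists sector ranges that no entry claims. Removing a drive letter with diskpart leaves the table entry in place, so the point of the example is that every partition and every gap is enumerated regardless of whether the OS mounts it; the disk size and the table contents are constructed sample values.

```python
# Added example (not from the slides): parse an MBR partition table and account
# for every sector on the disk, flagging hidden type codes and unclaimed space.
import struct

# Type codes from the standard MBR partition-type list.
TYPE_NAMES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x83: "Linux", 0x11: "hidden FAT12", 0x16: "hidden FAT16",
    0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
}
HIDDEN_TYPES = {0x11, 0x16, 0x17, 0x1B, 0x1C}

# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")
DISK_SECTORS = 262144  # constructed: a 128 MiB disk of 512-byte sectors


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary entries, sorted by starting LBA."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({
            "index": i, "type": ptype, "name": TYPE_NAMES.get(ptype, "unknown"),
            "start": start, "end": start + count - 1,
            "hidden": ptype in HIDDEN_TYPES, "bootable": status == 0x80,
        })
    return sorted(parts, key=lambda p: p["start"])


def unaccounted_space(parts: list, disk_sectors: int) -> list:
    """Inclusive sector ranges that belong to no partition. LBA 0 is the MBR.
    A gap from LBA 1 up to the first partition (commonly at 2048) is normal
    alignment; a large gap anywhere else deserves a look with a hex editor."""
    gaps = []
    cursor = 1
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: a bootable NTFS partition, then one carrying the
    hidden-NTFS type code, leaving 14336 unclaimed sectors at the end."""
    sector0 = bytearray(512)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x17, 206848, 40960)]
    for i, (status, ptype, start, count) in enumerate(entries):
        ENTRY.pack_into(sector0, 446 + 16 * i,
                        status, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
    sector0[510:512] = b"\x55\xAA"
    return bytes(sector0)


def demo():
    parts = parse_mbr(build_sample_mbr())
    return parts, unaccounted_space(parts, DISK_SECTORS)


if __name__ == "__main__":
    parts, gaps = demo()
    for p in parts:
        flag = "  [hidden type code]" if p["hidden"] else ""
        print(f"entry {p['index']}: {p['name']:<20} LBA {p['start']}-{p['end']}{flag}")
    print("unaccounted sector ranges:", gaps)
```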
Slide 13: Addressing Data-Hiding Techniques - Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
  – Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
  – Only way they can be accessed from the OS is by changing them to good clusters with a disk editor
• DiskEdit runs only in MS-DOS and can access only FAT-formatted
Slide 14: Addressing Data-Hiding Techniques - Bit-Shifting
• Some users use a low-level encryption program that changes the order of binary data
  – Makes altered data unreadable
  – To secure a file, users run an assembler program (also called a “macro”) to scramble bits
  – Run another program to restore the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like binary executable code
• WinHex includes a feature for shifting bits
Slide 15: Addressing Data-Hiding Techniques - Understanding Steganalysis Methods
• A way to hide data is to use steganography tools
  – Many are freeware or shareware
  – Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
  – Cracking the encrypted message is extremely difficult
Slide 16: Addressing Data-Hiding Techniques - Understanding Steganalysis Methods
• Steganalysis methods
  – Stego-only attack
  – Known cover attack
  – Known message attack
  – Chosen stego attack
  – Chosen message attack
Slide 17: Performing Remote Acquisitions
• One can remotely connect to a suspect computer via a network connection and copy data from it
• This method is also faster at obtaining the necessary files, as it does not depend on a stable network connection.
• Although this is the preferred method, there may be geographical constraints, especially with larger organizations where the incident response analysts are a plane ride away from the location containing the evidence.
• Remote acquisition tools vary in configuration and capabilities, and they require installing a remote agent on the suspect computer
Slide 18: Network Forensics - Network Forensics Overview
• Process of collecting and analyzing raw network data and tracking network traffic
  – To ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave a trail behind
  – Knowing your network’s typical traffic patterns is important in spotting variations in network traffic
Slide 19: Developing Standard Procedures for Network Forensics - The Need for Established Procedures
• Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion
• Essential to ensure that all compromised systems have been found
• Procedures must be based on an organization’s needs and complement network infrastructure
• NIST created “Guide to Integrating Forensic Techniques into Incident Response” to address these needs
Slide 21: Developing Standard Procedures for Network Forensics
• Network forensics can be a long, tedious process
• Standard procedure that is often used: Always use a standard installation image for systems on a network
• Fix any vulnerability after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives
• Compare files on the forensic image to the original installation image
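The last step of the procedure on slide 21, comparing the files on a forensic image with the organization's standard installation image, as an added Python example that is not from the slides: both file sets are reduced to SHA-256 manifests and diffed into added, modified and removed paths, with an allow-list for paths that legitimately differ on a running system. The file contents, paths and allow-list patterns are constructed for the example; a real run would read them from the two mounted images.

```python
# Added example (not from the slides): diff a forensic image against the
# standard installation image by file hash.
import fnmatch
import hashlib

# Paths expected to differ between a fresh install and a running system
# (constructed allow-list; an organisation would maintain its own).
EXPECTED_TO_CHANGE = ["/var/log/*", "/etc/machine-id", "/tmp/*"]


def manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def is_expected(path: str) -> bool:
    return any(fnmatch.fnmatch(path, pat) for pat in EXPECTED_TO_CHANGE)


def compare(baseline: dict, evidence: dict) -> dict:
    """Diff two manifests. Changes on allow-listed paths go to 'expected' so
    they do not drown out the ones that need an examiner's attention."""
    report = {"added": [], "modified": [], "removed": [], "expected": []}
    for path, digest in evidence.items():
        if path not in baseline:
            bucket = "expected" if is_expected(path) else "added"
        elif baseline[path] != digest:
            bucket = "expected" if is_expected(path) else "modified"
        else:
            continue  # identical to the installation image
        report[bucket].append(path)
    for path in baseline:
        if path not in evidence:
            report["expected" if is_expected(path) else "removed"].append(path)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample contents standing in for the two images.
BASELINE_FILES = {
    "/bin/ls": b"ls-binary-v1",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/machine-id": b"0000",
    "/var/log/auth.log": b"",
}
EVIDENCE_FILES = {
    "/bin/ls": b"ls-binary-v1",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # weakened setting
    "/etc/machine-id": b"8f3a",                          # expected to differ
    "/var/log/auth.log": b"Accepted password for root\n",
    "/usr/local/bin/helper": b"#!/bin/sh\necho hi\n",    # not in the baseline
}


def demo() -> dict:
    return compare(manifest(BASELINE_FILES), manifest(EVIDENCE_FILES))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:>9}: {paths}")
```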
Slide 22: Network Forensics - Using Network Tools
• Sysinternals
  – A collection of free tools for examining Windows products
• Examples of the Sysinternals tools:
  – RegMon shows Registry data in real time
  – Process Explorer shows what is loaded
  – Handle shows open files and processes using them
  – Filemon shows file system activity
Slide 23: Network Forensics - Using Network Tools
• Tools from the PsTools suite created by Sysinternals
  – PsExec runs processes remotely
  – PsGetSid displays the security identifier (SID)
  – PsKill kills a process by name or ID
  – PsList lists details about a process
  – PsLoggedOn shows who’s logged on locally
  – PsPasswd changes account passwords
  – PsService controls and views services
  – PsShutdown shuts down and restarts PCs
  – PsSuspend suspends processes
Slide 24: Network Forensics - Examining the Honeynet Project
• The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network hackers
  – Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
  – Hundreds or even thousands of machines (zombies) can be used
• Zero day attacks
  – Another major threat
  – Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
• Honeypot
  – Normal looking computer that lures attackers to it
• Honeywalls
  – Monitor what’s happening to honeypots on your network and record what attackers are doing
Slide 25: Thank you