Digital Forensics
DESCRIPTION
Memory Forensics, N/W Analysis
TRANSCRIPT
![Page 1: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/1.jpg)
Let's do some Autopsy!!
![Page 2: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/2.jpg)
AUTOPSY
REALLY?
![Page 3: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/3.jpg)
![Page 4: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/4.jpg)
BUT CLOSE…
![Page 5: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/5.jpg)
![Page 6: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/6.jpg)
• What is forensics
• Why forensics
• Anti-forensics
• How to become a forensics expert
• Some terms
• Computer forensics
• Memory analysis
• Volatile/non-volatile
• Encryption/steganography
• N/w analysis
• Hands-on challenges
![Page 8: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/8.jpg)
• Forensics is related to courts and trials, or to answering questions related to the legal system
• Computer forensics helps answer whether a digital device is part of a cyber crime or the victim of a cyber crime
• The purpose is to find evidence that can prove, in a court case, what was done on the system
• Five aspects:
  • IF • WHO • WHAT • WHEN • WHY
![Page 9: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/9.jpg)
• Fraud
• Drug trafficking
• Child pornography
• Espionage
• Copyright infringement
CYBER-ATTACKS
• Discover what was lost
• Recover deleted data
• Discover entry point
![Page 10: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/10.jpg)
• A set of techniques used as countermeasures to forensic analysis
• Ex. Full-disk encryption
  • TrueCrypt on Linux, Windows and OS X
  • FileVault 2 on OS X
  • BitLocker on Windows
• File erasers
  • AbsoluteShield File Shredder
  • Heidi Eraser
  • Permanent Eraser
![Page 11: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/11.jpg)
![Page 12: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/12.jpg)
TOO DAMN EASY!!
![Page 13: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/13.jpg)
Operating Systems • File System • Disk Partitioning • Networking • Memory Management
![Page 14: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/14.jpg)
And of course a little of these…
![Page 15: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/15.jpg)
• Collect evidence and present it in the court
• Search and seize the equipment
• Conduct a preliminary assessment to search for evidence
• Find and interpret the clues left behind
• Determine if an incident has occurred
![Page 16: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/16.jpg)
• Acquisition
• e-discovery
• Chain of custody
• Expert witness
• First responder
![Page 17: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/17.jpg)
• Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
Computer Forensics
• Memory analysis
• Network data analysis
• Document or file analysis
• OS analysis
• Mobile analysis
• Database analysis
![Page 18: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/18.jpg)
Hardware
• Removable HD enclosures or connectors with different plugs
• Write blockers
• A DVD burner
• External disks
• USB2, FireWire, SATA and e-SATA controllers, if possible
Software
• Multiple operating systems
  • Linux: extensive native file system support
  • VMs running various Windows versions (XP, Vista, 7, 8)
• Forensics toolkits
  • E.g., SleuthKit http://www.sleuthkit.org
  • WinHex
  • Internet Evidence Finder
![Page 19: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/19.jpg)
Non-Volatile Memory
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
Volatile Memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes
![Page 20: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/20.jpg)
• It’s extremely important to understand this
• Trying to obtain the data may alter it
• Simply doing nothing is also not good
  • A running system continuously evolves
• The Heisenberg Uncertainty Principle of data gathering and system analysis
• As you capture data in one part of the computer you are changing data in another
  • Use write blockers
![Page 21: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/21.jpg)
| Data type | Lifetime |
|---|---|
| Registers, peripheral memory, caches, etc. | nanoseconds |
| Main memory | nanoseconds |
| Network state | milliseconds |
| Running processes | seconds |
| Disk | minutes |
| Floppies, backup media, etc. | years |
| CD-ROMs, printouts, etc. | tens of years |
![Page 22: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/22.jpg)
• RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
• Tools to be used:
  • Belkasoft Live RAM Capturer
  • Memory DD
  • MANDIANT Memoryze
![Page 23: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/23.jpg)
• Data is stored permanently on the disk.
• Shift + Delete will NOT remove it.
• If data is deleted there ARE tools to recover it.
• It all depends on the type of file system being used
  • NTFS, FAT, ext, HFS…
![Page 24: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/24.jpg)
• dd
  dd if=/dev/sda1 of=/mnt/sdb1/root.raw bs=4M conv=noerror,sync
  (the output path assumes the destination disk is mounted at /mnt/sdb1; the image file must be written to a mounted file system, not to the /dev node)
• dcfldd
  dcfldd if=/dev/sda1 hash=md5 hashlog=/mnt/sdb1/root.raw.md5 of=/mnt/sdb1/root.raw
• ProDiscover
• EnCase
• FTK
• Sleuth Kit (Autopsy)
• WinHex
![Page 25: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/25.jpg)
• After a clone or an image is made it is very important to make a hash of it.
• After the complete analysis of the disk or image we calculate the hash again.
• This is important because we need to prove in court that the evidence has not been tampered with.
• Currently Indian courts accept SHA-256.
• Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
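The acquisition-hash procedure from the slides above (hash right after imaging, re-hash after analysis, compare), as an added example that is not part of the original deck. The image bytes are constructed in the code; file names and the record layout are assumptions.

```python
"""Added example (not from the slides): hash an evidence image after acquisition,
record the digest, and re-hash after analysis to show the image is unchanged.
The image bytes are constructed here; file names and layout are assumptions."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-GB image never has to fit in RAM


def hash_image(path: str, algo: str = "sha256") -> str:
    """Hex digest of the whole file at `path`; SHA-256 by default."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_hash_record(image_path: str, record_path: str, algo: str = "sha256") -> str:
    """Hash the image right after acquisition and save 'algo digest filename'."""
    digest = hash_image(image_path, algo)
    with open(record_path, "w") as f:
        f.write(f"{algo} {digest} {os.path.basename(image_path)}\n")
    return digest


def verify_image(image_path: str, record_path: str) -> bool:
    """Re-hash after analysis and compare with the recorded digest."""
    with open(record_path) as f:
        algo, recorded, _name = f.read().split()
    return hash_image(image_path, algo) == recorded


def make_image(data: bytes) -> str:
    """Write constructed 'image' bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> tuple:
    """Verify an untouched image, then change one byte and verify again."""
    image = make_image(b"\x00" * 4096 + b"EVIDENCE" + b"\x00" * 4096)
    record = image + ".sha256"
    write_hash_record(image, record)
    untouched = verify_image(image, record)   # True: nothing changed since imaging
    with open(image, "r+b") as f:             # simulate an accidental write
        f.seek(4096)
        f.write(b"X")
    tampered = verify_image(image, record)    # False: digest no longer matches
    return untouched, tampered
```

The same record file can be printed to `hashlog`-style output for the chain-of-custody form; the point is that the second hash is computed over the image only after all analysis is done.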
![Page 26: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/26.jpg)
• Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
• This makes the entire task of analysis easier.
![Page 27: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/27.jpg)
• With tools like Live View it is even possible to recreate the entire scenario, like the actual operating system, on a virtual machine.
• Live View is only compatible up to XP.
• The tools to really look at for this are:
  • Mount Image Pro and Virtual Forensic Computing
![Page 28: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/28.jpg)
• Slack space
• ADS (alternate data streams)
• Steganography
• Hidden partitions
• Unallocated space
• Modified file extensions
• Metadata
![Page 29: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/29.jpg)
![Page 30: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/30.jpg)
• While imaging or cloning a disk an exact copy is made, and hence the hidden data remains as it is.
• There is no specific tool for the extraction of the hidden data, and hence we need to perform manual analysis on the image or the disk using hex editors
• Eg: WinHex
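One of the hiding techniques listed above, modified file extensions, can be screened for before the manual hex-editor pass by comparing each file's leading bytes with what its extension claims. This is an added example, not code from the slides; the signature table is a constructed subset and the sample files are constructed.

```python
"""Added example (not from the slides): flag files whose extension does not match the
leading bytes (signature) of their content, the 'modified file extensions' trick listed
above. The signature table is a constructed subset, and the sample files are constructed."""

# Leading bytes of a few common formats; constructed subset, not a complete table.
SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
    "zip":  (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),   # Office Open XML is a ZIP container
    "exe":  (b"MZ",),
}


def identify(header: bytes) -> set:
    """Every extension whose signature matches the start of `header`."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(s) for s in sigs)}


def check_file(name: str, header: bytes) -> str:
    """'ok' if the extension agrees with the bytes; 'mismatch:<types>' if the bytes
    belong to another known type (worth a manual look); 'unknown' if the extension is
    known but the bytes match nothing; 'skip' if the extension is not in the table."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    matches = identify(header)
    if ext in matches:
        return "ok"
    if matches:
        return "mismatch:" + "/".join(sorted(matches))
    return "unknown" if ext in SIGNATURES else "skip"


# Constructed sample set: an executable hiding as a photo, a ZIP as .docx, a real PNG.
SAMPLE_FILES = {
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",      # PE header under a .jpg name
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",       # ZIP container, consistent
    "logo.png":    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "notes.pdf":   b"just some text",                   # claims PDF, signature absent
    "readme.txt":  b"hello",                            # extension not tracked
}


def scan_samples() -> dict:
    """Classify each constructed sample; on a real image read the first 16 bytes of each file."""
    return {name: check_file(name, head) for name, head in SAMPLE_FILES.items()}
```

A 'mismatch' result is a lead, not a verdict: container formats (ZIP, OOXML) share a signature, so the check narrows where to spend hex-editor time rather than replacing it.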
![Page 31: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/31.jpg)
• While performing analysis on disks and images there is a very good chance that we come across encrypted data.
• This creates a problem for a forensic analyst.
• Even though there are tools and techniques to break encryption, we sometimes fail to do so.
![Page 32: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/32.jpg)
• A series of attacks are carried out to break encryption:
  • Brute-force attack
  • Dictionary attack
  • Known-plaintext attack
  • Rainbow table attack
• Tools: a variety of stand-alone as well as online tools are available which help us crack encrypted files.
  • AZPR
  • AOPR
  • Decryptum (online)
  • Passware Kit
![Page 33: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/33.jpg)
• If we come across any type of encrypted files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult, from the forensics point of view, to get through.
• In such cases the farthest we can go is to look for the keys on the machine.
![Page 34: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/34.jpg)
• From a culprit's point of view steganography is something that stands beyond cryptography.
• This is because detecting steganography manually is a big challenge to any individual.
• And with not enough tools to detect steganography on the market it makes the job even more tiresome.
• Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm. Not a big task to achieve. That makes it difficult to detect.
Confidential information
![Page 35: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/35.jpg)
• Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
  • StegDetect
  • StegSecret
![Page 36: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/36.jpg)
• Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
• Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
• Why does network forensics play an important role?
• Network forensics can reveal whether the network, or the machine from which the crime occurred, was compromised or not, which can turn out to be really handy in some cases.
![Page 37: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/37.jpg)
• tcpdump
• Wireshark
• NetworkMiner
• Snort
![Page 38: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/38.jpg)
• Activity:
  • Find as much information as you can…
![Page 39: Digital Forensics](https://reader030.vdocument.in/reader030/viewer/2022020122/555c43dcd8b42a2c068b4f58/html5/thumbnails/39.jpg)
Happy Hacking!!!