subrahmani babu - walidumar.my.id
Post on 26-Mar-2022
Introduction to Computer Forensics
Subrahmani Babu, Scientist-'C', Computer Forensic Laboratory
Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Govt of India.
babu_sivakami@cert-in.org.in
Topics to be Covered
• What is Computer Forensics
• Why it is important to the Organization
• Role of First Responder
• Difference b/w Copying and Imaging
• Types of Evidences
• List free Forensic Tools
• Importance of Write blockers
• Demo (if time available)
Definition
Forensics is derived from the Latin word "Forensis", which means "of or before the forum", as in olden days. It entered the English vocabulary in the 17th century as the term "forensics". (The word forensics means "to bring to the court.")
Source : http://www.computerforensis.com/
Computer Forensics Process
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.
Stakeholders in CF
• Victim or Criminal
• First Responder (From Law Enforcement)
• Computer Forensics Expert and
• Judiciary
Why it is important
• Legal action against the criminal based on severity of the incident
• To file a case, we need to preserve the evidence
• It should be admissible in the court of law
Role of First Responders
• Identifying the crime scene
• Protecting the crime scene
• Preserve the Digital Evidence (Volatile & Non Volatile evidence)
• Maintain chain of custody form
• Proper packing & Transport to Lab.
• Document Everything (Crime scene details, Hard disk details, etc.)
Role of Forensic Analyst
• Create required Forensic Images of the original suspected media.
• Preserve the Original suspected media
• Maintain chain of custody form
• Examination with Forensic Images
• Use Standards & Procedures
• Use Standard Forensic Tools
• Report Findings
What you can expect from the CF Experts?
• Evidences from
– Deleted Files
– Unallocated Clusters and slack space
– Formatted Hard Drives
– Data Carving and
– Password recovery
Differences
• Biological Forensics
– Examinations with Original evidences (Samples)
• Computer Forensics
– Examinations with Images (Duplications) of Original evidences
Stages in Computer Forensics
• Identification
• Preservation
• Analysis and
• Report Preparations
Classifications
• Disk Forensics
• Network Forensics
• Handheld Devices Forensics
• Email Forensics
• Registry Forensics
• OS (Windows, Linux) Forensics
• Source Code Forensics
• Browser Forensics
Basic rules
• Never work on original evidence.
• Never mishandle evidence.
• Use proper software utilities to retrieve evidence from the media.
• Document everything while handling the suspected media
Types of Evidence
• Volatile Evidence
– Running Processes
– Active N/W Connections
– Passwords, Disk Encryption Keys are available
– Email accounts login passwords
– Memory resident malwares
• Non Volatile Evidence
– Word Documents
– Email messages
– Databases
– Internet History
– Registry information
– Deleted files, Unallocated Clusters, Slack space evidences could be recovered
Free Forensic Tools
• Volatile evidence collection tools
– Nigilant32, Helix
– DD (Forensic Acquisition Utilities)
– FTK Imager
– WFT (Windows Forensics Toolchest)
– MemoryzeDD
• Volatile evidence Analysis tools
– MemParser
– WMFT
– Volatility Framework
– PyFlag
Free Forensic Tools – contd…
• Forensic Imaging Tools
– True Back from CDAC, TVM
– DD (Forensic Acquisition Utilities)
– FTK Imager
– Helix, DEFT… (more than 15 Forensic Live CD)
• Analysis tools
– SIFT from SANS containing 32 tools
– TSK, Autopsy browser, PTK
– PyFlag
» Best site: www.e-evidence.info
DD – Disk Dump
• Available in Linux OS
• Rewritten for Windows (FAU)
• Download from this link: http://gmgsystemsinc.com/fau/
Syntax:
dd.exe -v if=\\.\F: of=h:\filename.img conv=noerror --chunk 2GiB --localwrt
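The two options in that command line that matter most for evidence quality are `conv=noerror` (a read error on a failing disk does not abort the acquisition) and the split into 2 GiB chunks. The following is an added example, not code from the slides or from the FAU tool: it models those two behaviours on an in-memory "device" with one unreadable sector, so the effect on offsets and on the final hash can be seen. It follows the GNU dd semantics of `conv=noerror,sync` (an unreadable block is replaced by zeros so nothing after it shifts); plain `noerror` without `sync` in GNU dd drops the block instead, which is why forensic guidance pairs the two. The `FakeDevice` class, the sector size and the sample bytes are all constructed here.

```python
# Added example (not from the CERT-In slides or the FAU dd source): models
# conv=noerror,sync and chunked output on an in-memory block device.
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512  # bytes per read/write, the unit dd works in here


class FakeDevice:
    """In-memory device. Reading a sector listed in bad_sectors raises
    IOError, standing in for an unreadable area of a failing disk."""

    def __init__(self, data: bytes, bad_sectors: List[int]):
        self.data = data
        self.bad = set(bad_sectors)

    def size(self) -> int:
        return len(self.data)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev: FakeDevice, chunk_bytes: int) -> Tuple[Dict[int, bytes], List[int]]:
    """Image the device sector by sector.

    noerror: a failed read is logged and the acquisition continues.
    sync:    the unreadable sector is written as zeros, so every later byte
             keeps its original offset in the image.
    chunk:   output is cut into pieces of chunk_bytes (cf. --chunk 2GiB).
    Returns ({chunk_index: bytes}, [bad sector numbers]).
    """
    chunks: Dict[int, bytes] = {}
    errors: List[int] = []
    buf = bytearray()
    idx = 0
    for n in range(dev.size() // SECTOR):
        try:
            block = dev.read_sector(n)
        except IOError:
            errors.append(n)            # goes into the acquisition notes
            block = b"\x00" * SECTOR    # sync: pad instead of dropping
        buf.extend(block)
        while len(buf) >= chunk_bytes:  # flush full chunks
            chunks[idx] = bytes(buf[:chunk_bytes])
            del buf[:chunk_bytes]
            idx += 1
    if buf:                             # last, possibly short, chunk
        chunks[idx] = bytes(buf)
    return chunks, errors


def md5_of_chunks(chunks: Dict[int, bytes]) -> str:
    """Hash the image as one stream, chunks in index order."""
    h = hashlib.md5()
    for i in sorted(chunks):
        h.update(chunks[i])
    return h.hexdigest()


# Constructed sample: 16 sectors, each filled with its own sector number,
# with sector 5 unreadable.
SAMPLE = b"".join(bytes([n]) * SECTOR for n in range(16))
DEVICE = FakeDevice(SAMPLE, bad_sectors=[5])

if __name__ == "__main__":
    chunks, bad = acquire(DEVICE, chunk_bytes=4 * SECTOR)
    print("chunks written:", len(chunks), "unreadable sectors:", bad)
    print("image md5:", md5_of_chunks(chunks))
```

Because the bad sector is zero-filled rather than skipped, the image has exactly the device's length and every readable sector sits at its true offset; the list of bad sectors returned by `acquire` is what belongs in the acquisition notes next to the hash.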
Hardware or Software Acquisition
• Hardware:
– ImageMaster Solo
– Logicube Forensic MD5
– Talon
– Hardcopy3 from Voom Tech
• Software:
– Cyber Check Suite
– EnCase
– Forensic Toolkit (FTK)
– SafeBack
– DriveSpy
– Paraben
– DD command : Unix/Linux
Imaging –vs- Copying: Which one is Best?

Copying of Disk
(Figure: Suspected disk (Source) and Sterile disk (Target). Source contents shown: Active files Test.doc, Newfile.doc, Cert-in_trainee.ppt, Search &seizure .pdf; Deleted files. MD5: f55573e2a21c4161d1eb45c014646956)
CERT-In, New Delhi

Imaging of the Disk
(Figure: Suspected disk (Source) and Sterile disk (Target). Source contents shown: Active files Test.doc, Newfile.doc, Cert-in_trainee.ppt, Search &seizure .pdf; Deleted files; the disk's raw bit stream drawn as rows of 1s and 0s. MD5: f55573e2a21c4161d1eb45c014646956)
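The two figures make the point visually; the following is an added example, not code from the slides, that makes the same point executable. It builds a toy disk with a tiny file table, writes one file and then "deletes" it so its sectors become unallocated space, and then compares a logical copy (walk the file table) with a physical image (every sector). The file names are taken from the slides' diagram; the sector size, layout, contents and the `carve` helper are constructed here and stand in for a real file system and a real carving tool.

```python
# Added example, not from the CERT-In slides: a toy disk with a tiny file
# table, built to show what a file copy keeps versus what a bit-for-bit
# image keeps. File names come from the slides' diagram; sector size,
# layout and contents are constructed.
import hashlib
from typing import Dict, List, Tuple

SECTOR = 64          # tiny sectors keep the toy disk readable
DISK_SECTORS = 16    # a 1 KiB "disk"

FileTable = Dict[str, Tuple[int, int]]   # name -> (first sector, byte length)


def build_disk(active: Dict[str, bytes], deleted: Dict[str, bytes]) -> Tuple[bytes, FileTable]:
    """Lay every file out sector by sector. Files in 'deleted' are written
    too but left out of the table: their sectors become unallocated space
    whose contents are still physically present, as after a delete on a
    real volume."""
    disk = bytearray(SECTOR * DISK_SECTORS)
    table: FileTable = {}
    next_sector = 0
    for name, content in {**active, **deleted}.items():
        start = next_sector * SECTOR
        disk[start:start + len(content)] = content
        next_sector += -(-len(content) // SECTOR)      # ceil division
        if name in active:
            table[name] = (start // SECTOR, len(content))
    return bytes(disk), table


def copy_files(disk: bytes, table: FileTable) -> Dict[str, bytes]:
    """Logical copy: walks the file table, as a drag-and-drop copy would.
    Unallocated sectors and slack space are never read."""
    return {name: disk[s * SECTOR:s * SECTOR + n] for name, (s, n) in table.items()}


def image_disk(disk: bytes) -> bytes:
    """Physical image: every sector of the device, allocated or not."""
    return disk[:]


def carve(data: bytes, signature: bytes) -> List[int]:
    """Data carving: offsets of a known file signature anywhere in the
    data, with no help from a file table."""
    hits, pos = [], data.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = data.find(signature, pos + 1)
    return hits


# Constructed sample content (the OLE2 and %PDF signatures are real)
ACTIVE = {
    "Test.doc": b"\xd0\xcf\x11\xe0 test document body",
    "Newfile.doc": b"\xd0\xcf\x11\xe0 new file body",
    "Cert-in_trainee.ppt": b"\xd0\xcf\x11\xe0 training slides",
}
DELETED = {"Search &seizure .pdf": b"%PDF-1.4 search and seizure checklist"}
DISK, TABLE = build_disk(ACTIVE, DELETED)


def compare_methods() -> Dict[str, bool]:
    """What each acquisition method lets the examiner recover or prove."""
    copied = b"".join(copy_files(DISK, TABLE).values())
    image = image_disk(DISK)
    src_md5 = hashlib.md5(DISK).hexdigest()
    return {
        "copy_has_deleted_pdf": bool(carve(copied, b"%PDF")),
        "image_has_deleted_pdf": bool(carve(image, b"%PDF")),
        "copy_md5_matches_source": hashlib.md5(copied).hexdigest() == src_md5,
        "image_md5_matches_source": hashlib.md5(image).hexdigest() == src_md5,
    }


if __name__ == "__main__":
    for check, result in compare_methods().items():
        print(f"{check:26s} {result}")
```

The copy reproduces the three active files faithfully, yet the deleted PDF is gone and the copy's hash cannot be tied back to the source disk; the image carries the deleted file in unallocated space and hashes identically to the source, which is what lets the examiner prove the image is what was acquired.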
Is Imaging Always Possible?
• NO – It may sometimes be necessary to access the original machine to recover evidence
• Computer Forensic examiner must be able to explain and demonstrate the methodologies and processes used to acquire evidence
• Findings must be repeatable by an independent 3rd party
Dead versus Live Acquisition
• Dead Acquisition – occurs when the data from the suspect's computer is being copied without the assistance of the suspect's OS.
• Live Acquisition – occurs when the suspect's OS is still running and being used to copy data.
Forensic Image File Formats
• RAW – only contains the data from the source device. Very easy to compare data with the source (e.g. dd-images).
• Embedded Image – contains data from the source plus additional descriptive data about the acquisition (e.g. hash values, dates, times). EnCase & FTK are examples.
• Some RAW imaging tools will create descriptive data but this is saved to a separate file.
• Many acquisition tools that create embedded images are proprietary (e.g. EnCase, FTK).
• Most analysis tools will import a RAW image, making this the most flexible format.
Types of Data Acquisition
• Physical copy (entire physical disk) is the preferred method.
• Logical copy (disk partition or volume)
• Data acquisition format (RAW/Compressed)
• Command-line acquisition (low overheads – use less system resources. May run from floppy disk or thumb drive)
• GUI acquisition
• Remote acquisition (over a network)
• Verification
– Checksum : CRC32
– Hashing : MD5, SHA1
Very Important
• Connect your Suspected Storage Media (Hard Disk, USB Drive, etc.) through a HARDWARE WRITE-BLOCKER
• It avoids unnecessary modification of your media and helps to maintain the Integrity of the evidence.
• Make sure that Source and Destination media are readily connected to the forensic work station
• Now you may launch True Back (Forensic Imaging Software)
Write Blockers
S/W Write Blocker
• Software should be enabled prior to connecting the suspected Media.
– Ex: UsbWriteProtect
H/W Write Blocker
• Hardware device
• The Suspect media should be connected through this device.
Drive Imaging Hardware
• Forensic mobile field system (MFS)– Laptop with NIC– Portable workstation
(Photograph slides; only the titles survive extraction)
Hard Disk Information
BIOS - Date
IP Address
TOOL BOX
Entire System
CPU - Inside
Rearview - CPU
Primary Memory
Secondary Memory: 3.5” HDD, 2.5” HDD, 1 ” HDD, 1” HDD, 0.85” HDD
References
• File System Forensic Analysis by Brian Carrier
• http://www.e-evidence.info
• http://www.Blackhat.com
• http://www.sans.org/reading_room/index.php
• http://www.crime-research.org/articles/
• http://geschonneck.com/security/forensics/
• http://www.cerias.purdue.edu/research/forensics/resources.php
• http://www.forensicfocus.com
• http://csrc.nist.gov/publications/nistir/
• http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A8B3F3-94D2-F7E5-D32D97CF1539EBB4.pdf
• http://www.cdactvm.in
• http://www.guidancesoftware.com
Thanks & Demonstration