SlideShare a Scribd company logo

Collecting and preserving digital evidence

Online
Online

This document discusses best practices for collecting, preserving, and analyzing digital evidence. It covers topics such as data recovery, backup solutions, hidden data recovery techniques, evidence collection methods, and standards for ensuring digital evidence is authenticated and verified. The goal is to extract useful information from seized devices and recovered data in a way that can be used in a court of law to identify attackers and reconstruct security incidents.

EducationTechnology
1 of 21
Collecting and Preserving Digital Evidence
Data Recovery • What is Data Recovery? • Role of Backup in Data Recovery • Data Recovery Solution • Hiding and Recovering Hidden Data
What is Data Recovery • Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered • In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis
Role of Backup in Data Recovery • Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state • Challenge to backup petabyte sized databases/files • Obstacles for backing up – Backup window, network bandwidth, system throughout • Current trends – Storage cost decreasing, systems have to be online 24x7 • Next generation solutions – Multiple backup servers, optimizing storage space
Data Recovery/Backup Solution • Develop a plan/policy for backup and recovery • Develop/Hire/Outsource the appropriate expertise • Develop a system design for backup/recovery – Three tier architectures, caches, backup servers • Examine state of the art backup/recovery products and tools • Implement the backup plan according to the policy and design
Recover Hidden Data • Hidden data – Files may be deleted, but until they are overwritten, the data may remain – Data stored in diskettes and stored insider another disk • Need to get all the pieces and complete the puzzle • Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle
Evidence Collection and Data Seizure • What is Evidence Collection • Types of Evidence • Rules of Evidence • Volatile Evidence • Methods of Collection • Steps to Collection • Controlling Contamination
What is Evidence Collection • Collecting information from the data recovered for further analysis • Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited • Collect evidence for analysis or monitor the intruder • Obstacles – Difficult to extract patterns or useful information from the recovered data – Difficult to tie the extracted information to a person
Types of Evidence • Testimonial Evidence – Evidence supplied by a witness; subject to the perceived reliability of the witness – Word processor documents written by a witness as long as the author states that he wrote it • Hearsay – Evidence presented by a person who is not a direct witness – Word processor documents written by someone without direct knowledge of the incident
Rules of Evidence • Admissible – Evidence must be able to be used in court • Authentic – Tie the evidence positively to an incident • Complete – Evidence that can cover all perspectives • Reliable – There should be no doubt that proper procedures were used • Believable – Understandable and believable to a jury
Additional considerations • Minimize handling and corruption of original data • Account for any changes and keep detailed logs • Comply with the 5 basic rules • Do not exceed your knowledge – need to understand what you are doing • Follow the security policy established • Work fast / however need to be accurate • Proceed from volatile to persistent evidence • Do not shut down the machine before collecting evidence • Do not run programs on the affected machine
Volatile Evidence • Types – Cached data – Routing tables – Process table – Kernel statistics – Main memory • What to do next – Collect the volatile data and store in a permanent storage device
Methods of Collection • Freezing the scene – Taking a snapshot of the system and its compromised state – Recover data, extract information, analyze • Honeypotting – Create a replica system and attract the attacker for further monitoring
Steps to Collection • Find the evidence; where is it stored • Find relevant data - recovery • Create order of volatility • Remove external avenues of change; no tampering • Collect evidence – use tools • Good documentation of all the actions
Controlling Contamination • Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques • Maintain a chain of custody, who owns the data, data provenance techniques • Analyze the evidence – Use analysis tools to determine what happened • Analyze the log files and determine the timeline • Analyze backups using a dedicated host • Reconstruct the attack from all the information collected
Duplication and Preservation of Evidence • Preserving the Digital Crime Scene – First task is to make a compete bit stream backup of all computer data before review or process – Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups. – http://www.forensics-intl.com/def2.html • Make sure that the legal requirements are met and proper procedures are followed
Digital Evidence Process Model • The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - • 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. • 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. • 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. • 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
Standards for Digital Evidence • The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. • The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. • http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Verifying Digital Evidence • Encryption techniques – Public/Private key encryption – Certification Authorities – Digital ID/Credentials • Owner signs document with his private key, the Receiver decrypts the document with the owner’s public key • Owner signs document with the receiver’s public key, Receiver decrypts the document with his private key • Standards for Encryption – Export/Import laws
Conclusion • Data must be backed up using appropriate policies, procedures and technologies • Once a crime ahs occurred data ahs to be recovered from the various disks and commuters • Data that is recovered has to be analyzed to extract evidence • Evidence has to analyzed to determine what happened • Use log files and documentations to establish the timeline • Reconstruct the attack
Conclusion • Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence • Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand • Need to make it a scientific discipline

Recommended

Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
Online
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
unnilala11
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensic
DINESH KAMBLE
 

Recommended

Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
Online
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
rakesh mishra
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
unnilala11
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensic
DINESH KAMBLE
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
Manu Mathew Cherian
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
Ambuj Kumar
 
The Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptxThe Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptx
Applied Forensic Research Sciences
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
Filip Maertens
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital Forensics
Manik Bhola
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
yash sawarkar
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
Chaitanya Dhareshwar
 
Forensic ppt
Forensic pptForensic ppt
Forensic ppt
gagandeepkaur301
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
primeteacher32
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
Sreekanth Narendran
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniInvestigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Dr Raghu Khimani
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologies
urjarathi
 
Incident response process
Incident response processIncident response process
Incident response process
Bhupeshkumar Nanhe
 
Types of Crime Scenes
Types of Crime ScenesTypes of Crime Scenes
Types of Crime Scenes
Don Caeiro
 
History development of forensic science
History development of forensic scienceHistory development of forensic science
History development of forensic science
gurpreet kaur
 
CF.ppt
CF.pptCF.ppt
CF.ppt
KhusThakkar
 
cyber Forensics
cyber Forensicscyber Forensics
cyber Forensics
Muzzammil Wani
 

More Related Content

What's hot

What's hot (20)

Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
The Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptxThe Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptx
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
 
Forensic ppt
Forensic pptForensic ppt
Forensic ppt
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniInvestigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologies
 
Incident response process
Incident response processIncident response process
Incident response process
 
Types of Crime Scenes
Types of Crime ScenesTypes of Crime Scenes
Types of Crime Scenes
 
History development of forensic science
History development of forensic scienceHistory development of forensic science
History development of forensic science
 

Similar to Collecting and preserving digital evidence

644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
Sudeshna Basak
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Resilient Systems
 

Similar to Collecting and preserving digital evidence (20)

CF.ppt
CF.pptCF.ppt
CF.ppt
 
cyber Forensics
cyber Forensicscyber Forensics
cyber Forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
 
Daniel_CISSP_Dom7__1_.pdf
Daniel_CISSP_Dom7__1_.pdfDaniel_CISSP_Dom7__1_.pdf
Daniel_CISSP_Dom7__1_.pdf
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Ch 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.pptCh 3C Processing Crime and Incident Scenes.ppt
Ch 3C Processing Crime and Incident Scenes.ppt
 
Cyber forensics and investigations
Cyber forensics and investigationsCyber forensics and investigations
Cyber forensics and investigations
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
DigitalForensics.ppt
DigitalForensics.pptDigitalForensics.ppt
DigitalForensics.ppt
 
DigitalForensics.ppt
DigitalForensics.pptDigitalForensics.ppt
DigitalForensics.ppt
 

More from Online

More from Online (20)

Philosophy of early childhood education 3
Philosophy of early childhood education 3Philosophy of early childhood education 3
Philosophy of early childhood education 3
 
Philosophy of early childhood education 2
Philosophy of early childhood education 2Philosophy of early childhood education 2
Philosophy of early childhood education 2
 
Philosophy of early childhood education 1
Philosophy of early childhood education 1Philosophy of early childhood education 1
Philosophy of early childhood education 1
 
Philosophy of early childhood education 4
Philosophy of early childhood education 4Philosophy of early childhood education 4
Philosophy of early childhood education 4
 
Operation and expression in c++
Operation and expression in c++Operation and expression in c++
Operation and expression in c++
 
Functions
FunctionsFunctions
Functions
 
Formatted input and output
Formatted input and outputFormatted input and output
Formatted input and output
 
Control structures selection
Control structures selectionControl structures selection
Control structures selection
 
Control structures repetition
Control structures repetitionControl structures repetition
Control structures repetition
 
Introduction to problem solving in c++
Introduction to problem solving in c++Introduction to problem solving in c++
Introduction to problem solving in c++
 
Optical transmission technique
Optical transmission techniqueOptical transmission technique
Optical transmission technique
 
Multi protocol label switching (mpls)
Multi protocol label switching (mpls)Multi protocol label switching (mpls)
Multi protocol label switching (mpls)
 
Lan technologies
Lan technologiesLan technologies
Lan technologies
 
Introduction to internet technology
Introduction to internet technologyIntroduction to internet technology
Introduction to internet technology
 
Internet standard routing protocols
Internet standard routing protocolsInternet standard routing protocols
Internet standard routing protocols
 
Internet protocol
Internet protocolInternet protocol
Internet protocol
 
Application protocols
Application protocolsApplication protocols
Application protocols
 
Addressing
AddressingAddressing
Addressing
 
Transport protocols
Transport protocolsTransport protocols
Transport protocols
 
Leadership
LeadershipLeadership
Leadership
 

Recently uploaded

Recently uploaded (20)

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 

Collecting and preserving digital evidence

  • 1. Collecting and Preserving Digital Evidence
  • 2. Data Recovery • What is Data Recovery? • Role of Backup in Data Recovery • Data Recovery Solution • Hiding and Recovering Hidden Data
  • 3. What is Data Recovery • Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered • In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis
  • 4. Role of Backup in Data Recovery • Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state • Challenge to backup petabyte sized databases/files • Obstacles for backing up – Backup window, network bandwidth, system throughout • Current trends – Storage cost decreasing, systems have to be online 24x7 • Next generation solutions – Multiple backup servers, optimizing storage space
  • 5. Data Recovery/Backup Solution • Develop a plan/policy for backup and recovery • Develop/Hire/Outsource the appropriate expertise • Develop a system design for backup/recovery – Three tier architectures, caches, backup servers • Examine state of the art backup/recovery products and tools • Implement the backup plan according to the policy and design
  • 6. Recover Hidden Data • Hidden data – Files may be deleted, but until they are overwritten, the data may remain – Data stored in diskettes and stored insider another disk • Need to get all the pieces and complete the puzzle • Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle
  • 7. Evidence Collection and Data Seizure • What is Evidence Collection • Types of Evidence • Rules of Evidence • Volatile Evidence • Methods of Collection • Steps to Collection • Controlling Contamination
  • 8. What is Evidence Collection • Collecting information from the data recovered for further analysis • Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited • Collect evidence for analysis or monitor the intruder • Obstacles – Difficult to extract patterns or useful information from the recovered data – Difficult to tie the extracted information to a person
  • 9. Types of Evidence • Testimonial Evidence – Evidence supplied by a witness; subject to the perceived reliability of the witness – Word processor documents written by a witness as long as the author states that he wrote it • Hearsay – Evidence presented by a person who is not a direct witness – Word processor documents written by someone without direct knowledge of the incident
  • 10. Rules of Evidence • Admissible – Evidence must be able to be used in court • Authentic – Tie the evidence positively to an incident • Complete – Evidence that can cover all perspectives • Reliable – There should be no doubt that proper procedures were used • Believable – Understandable and believable to a jury
  • 11. Additional considerations • Minimize handling and corruption of original data • Account for any changes and keep detailed logs • Comply with the 5 basic rules • Do not exceed your knowledge – need to understand what you are doing • Follow the security policy established • Work fast / however need to be accurate • Proceed from volatile to persistent evidence • Do not shut down the machine before collecting evidence • Do not run programs on the affected machine
  • 12. Volatile Evidence • Types – Cached data – Routing tables – Process table – Kernel statistics – Main memory • What to do next – Collect the volatile data and store in a permanent storage device
  • 13. Methods of Collection • Freezing the scene – Taking a snapshot of the system and its compromised state – Recover data, extract information, analyze • Honeypotting – Create a replica system and attract the attacker for further monitoring
  • 14. Steps to Collection • Find the evidence; where is it stored • Find relevant data - recovery • Create order of volatility • Remove external avenues of change; no tampering • Collect evidence – use tools • Good documentation of all the actions
  • 15. Controlling Contamination • Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques • Maintain a chain of custody, who owns the data, data provenance techniques • Analyze the evidence – Use analysis tools to determine what happened • Analyze the log files and determine the timeline • Analyze backups using a dedicated host • Reconstruct the attack from all the information collected
  • 16. Duplication and Preservation of Evidence • Preserving the Digital Crime Scene – First task is to make a compete bit stream backup of all computer data before review or process – Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups. – http://www.forensics-intl.com/def2.html • Make sure that the legal requirements are met and proper procedures are followed
  • 17. Digital Evidence Process Model • The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - • 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. • 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. • 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. • 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
  • 18. Standards for Digital Evidence • The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. • The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. • http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
  • 19. Verifying Digital Evidence • Encryption techniques – Public/Private key encryption – Certification Authorities – Digital ID/Credentials • Owner signs document with his private key, the Receiver decrypts the document with the owner’s public key • Owner signs document with the receiver’s public key, Receiver decrypts the document with his private key • Standards for Encryption – Export/Import laws
  • 20. Conclusion • Data must be backed up using appropriate policies, procedures and technologies • Once a crime ahs occurred data ahs to be recovered from the various disks and commuters • Data that is recovered has to be analyzed to extract evidence • Evidence has to analyzed to determine what happened • Use log files and documentations to establish the timeline • Reconstruct the attack
  • 21. Conclusion • Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence • Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand • Need to make it a scientific discipline