Digital Forensics
Let's do some Autopsy!!
AUTOPSY
REALLY?
BUT CLOSE…
What is forensics
Why forensics
Anti-Forensics
How to become a forensics expert
Some terms
Computer Forensics
Memory analysis
Volatile/non-volatile
Encryption/steganography
Network analysis
Hands-on challenges
Vikas Jain
Er.vikey@gmail.com Follow me at @ervikey
Forensics is related to courts and trials, or to answering questions related to the legal system.
Computer forensics helps answer whether a digital device is part of a cybercrime or a victim of cybercrime.
The purpose is to find evidence which can prove what was done on the system in a court case.
Five aspects: IF, WHO, WHAT, WHEN, WHY
Fraud
Drug trafficking
Child pornography
Espionage
Copyright infringement
CYBER-ATTACKS
Discover what was lost
Recover deleted data
Discover entry point
A set of techniques used as countermeasures to forensic analysis
Ex. Full-Disk Encryption
TrueCrypt on Linux, Windows and OS X
FileVault 2 on OS X
BitLocker on Windows
File Eraser
AbsoluteShield File Shredder
Heidi Eraser
Permanent Eraser
TOO DAMN EASY!!
Operating Systems
File System
Disk Partitioning
Networking
Memory Management
And of course a little of these…
Collect evidence and present it in the court
Search and seize the equipment
Conduct a preliminary assessment to search for evidence
Find and interpret the clues left behind
Determine if an incident has occurred
Acquisition
e-discovery
Chain of custody
Expert witness
First Responder
Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
Computer Forensics:
Memory Analysis
Network Data Analysis
Document or file analysis
OS Analysis
Mobile Analysis
Database Analysis
Hardware
Removable HD enclosures or connectors with different plugs
Write blockers
A DVD burner
External disks
USB2, FireWire, SATA and e-SATA controllers, if possible
Software
Multiple operating systems
Linux: extensive native file system support
VMs running various Windows versions (XP, Vista, 7, 8)
Forensics toolkits
E.g., SleuthKit http://www.sleuthkit.org
WinHex
Internet Evidence Finder
Non-Volatile Memory
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
Volatile Memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes
It's extremely important to understand this:
Trying to obtain the data may alter it
Simply doing nothing is also not good: a running system continuously evolves
The Heisenberg Uncertainty Principle of data gathering and system analysis: as you capture data in one part of the computer you are changing data in another
Use write blockers
Data type: Lifetime
Registers, peripheral memory, caches, etc.: nanoseconds
Main memory: nanoseconds
Network state: milliseconds
Running processes: seconds
Disk: minutes
Floppies, backup media, etc.: years
CD-ROMs, printouts, etc.: tens of years
RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and the decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
Tools to be used:
Belkasoft Live RAM Capturer
Memory DD
MANDIANT Memoryze
Data is stored permanently on the disk.
Shift + Delete will NOT remove it.
If data is deleted there ARE tools to recover it.
It all depends on the type of file system being used:
NTFS, FAT, ext, HFS…
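The recovery tools mentioned above work on the fact that deleting a file removes its directory entry, not its bytes. The following is an added example (not from the slides) of the simplest form of that recovery, signature-based carving: it scans a raw image for the magic header and trailer of JPEG and PNG files without consulting any file system at all, so it finds files whose entries are gone and files renamed to a misleading extension. The image it scans is a constructed byte string, not a real partition, and it deliberately contains a stray header with no trailer, which the carver must skip rather than extract.

```python
"""Signature-based carving of a raw image (added example, not from the slides)."""
from dataclasses import dataclass
from typing import List

# Header (magic bytes) and trailer for two common picture formats. A carver
# ignores the file system entirely, so it also finds files whose directory
# entries were deleted and files that were renamed to a misleading extension.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int     # byte offset of the header inside the image
    data: bytes     # bytes from header through trailer


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Return every header/trailer pair found in `image`, lowest offset first.

    A header with no trailer within `max_size` bytes is skipped: it is either
    a truncated file or a false hit on random bytes, and deserves manual
    review with a hex editor rather than an automatic extraction.
    """
    found: List[CarvedFile] = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1      # no trailer: move past this header
                continue
            end += len(trailer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda f: f.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw partition image (no real data).

    Layout: 512 zero bytes, a tiny JPEG whose directory entry is 'gone',
    200 bytes of unallocated space, a PNG, a run of 0xFF padding and a
    stray JPEG header with no trailer (a false hit the carver must skip).
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
    return (b"\x00" * 512 + jpeg + b"\x00" * 200 + png
            + b"\xff" * 64 + b"\xff\xd8\xff" + b"\x00" * 100)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind:5} at offset {f.offset:6d}, {len(f.data)} bytes")
```

Run against a real image, the same loop would read the file in chunks and overlap them by the longest signature; the principle, and the need to review headers with no matching trailer by hand, is the same.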
dd
dd if=/dev/sda1 of=/mnt/evidence/root.raw bs=4M conv=noerror,sync
(the destination must be a mounted evidence disk, e.g. /dev/sdb1 mounted at /mnt/evidence; dd options take no spaces around "=")
dcfldd
dcfldd if=/dev/sda1 hash=md5 hashlog=/mnt/evidence/root.md5 of=/mnt/evidence/root.raw
ProDiscover
EnCase
FTK
Sleuth Kit (Autopsy)
WinHex
After a clone or an image is made it is very important to make a hash of it.
After the complete analysis of the disk or image we calculate the hash again.
This is important because we need to prove in court that the evidence has not been tampered with.
Currently Indian courts accept SHA-256.
Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
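As an added example (not from the slides), the following shows the acquisition-hash/verification-hash cycle the slide describes, in code rather than in a tool: the image is hashed while it is being written (what dcfldd's hash= option does), the digest is stored beside the image in a sha256sum-compatible log, and after "analysis" the image is re-hashed and compared with the recorded value. The source is a constructed temporary file standing in for /dev/sda1; the corrupted byte in demo() simulates a write that slipped through because no write blocker was used.

```python
"""Hash-on-acquisition and later re-verification of a disk image
(added example; not from the slides)."""
import hashlib
import os
import tempfile
from typing import Tuple

BLOCK = 1 << 20   # 1 MiB reads; a real block device is read the same way


def acquire_image(src_path: str, dst_path: str, algorithm: str = "sha256") -> str:
    """Copy src_path to dst_path block by block, hashing the stream as it is
    written (the same idea as dcfldd's hash= option), and record the digest
    next to the image in `<image>.<algorithm>`. Returns the hex digest."""
    h = hashlib.new(algorithm)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(BLOCK)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
    digest = h.hexdigest()
    with open(f"{dst_path}.{algorithm}", "w") as log:
        # sha256sum-compatible line: "<digest>  <filename>"
        log.write(f"{digest}  {os.path.basename(dst_path)}\n")
    return digest


def hash_file(path: str, algorithm: str = "sha256") -> str:
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path: str, algorithm: str = "sha256") -> Tuple[bool, str, str]:
    """Re-hash the image and compare with the digest recorded at acquisition.
    Returns (matches, recorded_digest, current_digest)."""
    with open(f"{image_path}.{algorithm}") as log:
        recorded = log.read().split()[0]
    current = hash_file(image_path, algorithm)
    return recorded == current, recorded, current


def demo() -> Tuple[bool, bool]:
    """Acquire a constructed 'partition', verify, corrupt one byte, verify again.
    Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for /dev/sda1: 16 KiB of repeating bytes.
        source = os.path.join(workdir, "sda1.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 64)
        image = os.path.join(workdir, "root.raw")
        acquire_image(source, image)
        ok_before, _, _ = verify_image(image)
        # Simulate a write that slipped through during analysis (no write blocker).
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(b"\x00")
        ok_after, _, _ = verify_image(image)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The log line format is the one `sha256sum -c` reads, so the same digest recorded at acquisition can be re-checked later from the shell without this script.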
Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
This makes the entire task of analysis easier.
With tools like Live View it is even possible to recreate the entire scenario, i.e. boot the actual operating system on a virtual machine.
Live View is only compatible up to XP.
The tools really worth looking at for this are: Mount Image Pro and Virtual Forensic Computing.
Slack space
Alternate Data Streams (ADS)
Steganography
Hidden partitions
Unallocated space
Modified file extensions
Metadata
While imaging or cloning a disk an exact copy is made and hence the hidden data remains as it is.
There is no specific tool for the extraction of the hidden data and hence we need to perform manual analysis on the image or the disk using hex editors.
Eg: WinHex
While performing analysis on disks and images there are very good chances that we come across encrypted data.
This creates a problem for a forensic analyst.
Even though there are tools and techniques to break encryption we sometimes fail to do so.
A series of attacks are carried out to break encryption:
Brute Force Attack
Dictionary Attack
Known Plaintext Attack
Rainbow Table Attack
Tools: A variety of stand-alone as well as online tools are available which help us crack the encrypted files.
AZPR
AOPR
Decryptum (online)
Passware Kit
If we come across any files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
In such cases the farthest we can go is to look for the keys on the machine.
From a culprit's point of view steganography is something that would stand beyond cryptography.
This is because detecting steganography manually is a big challenge to any individual.
And with not enough tools to detect steganography on the market it makes the job even more tiresome.
Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm; it is not a big task to achieve. That makes detection difficult.
Confidential information
Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
StegDetect
StegSecret
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
Why does network forensics play an important role?
Network forensics can reveal whether the network or the machine from which the crime occurred was compromised or not, which can turn out to be really handy in some cases.
tcpdump
Wireshark
NetworkMiner
Snort
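To make "was this machine compromised?" concrete, here is an added example (not from the slides) of the kind of first pass an analyst runs over a capture: it parses lines in the shape `tcpdump -n` prints for TCP, groups bare SYNs by source, flags any source that probed many distinct ports on one host (a port-scan indicator), and lists internal hosts that opened connections to addresses outside the site's own range. The capture lines are constructed, the internal range 10.0.0.0/8 is an assumption, and 203.0.113.10 is a documentation address standing in for an outside host.

```python
"""Parsing tcpdump-style connection lines to spot a port scan and contacts
with outside hosts (added example; not from the slides)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Matches lines in the shape tcpdump -n prints for TCP:
#   12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed: the site's own range


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse(lines: List[str]) -> List[Packet]:
    """Keep only lines the regex understands (TCP); ARP, UDP etc. are ignored."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def syn_targets(packets: List[Packet]) -> Dict[str, Dict[str, Set[int]]]:
    """src -> dst -> distinct destination ports it sent a bare SYN to."""
    targets: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for p in packets:
        if p.flags == "S":               # bare SYN = a new connection attempt
            targets[p.src][p.dst].add(p.dport)
    return targets


def port_scan_suspects(packets: List[Packet], threshold: int = 5) -> Dict[str, int]:
    """Sources that tried `threshold` or more distinct ports on one host.
    Returns src -> highest number of distinct ports seen against one host."""
    suspects = {}
    for src, per_dst in syn_targets(packets).items():
        worst = max(len(ports) for ports in per_dst.values())
        if worst >= threshold:
            suspects[src] = worst
    return suspects


def external_contacts(packets: List[Packet]) -> Dict[str, Set[str]]:
    """Internal sources and the outside hosts they opened connections to."""
    contacts: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if (p.flags == "S" and ipaddress.ip_address(p.src) in INTERNAL
                and ipaddress.ip_address(p.dst) not in INTERNAL):
            contacts[p.src].add(p.dst)
    return dict(contacts)


# Constructed capture, not a real one: 10.0.0.5 probes six ports on 10.0.0.9,
# 10.0.0.7 talks to an internal server and to 203.0.113.10 (a documentation
# address standing in for an outside host).
SAMPLE = [
    "12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.9.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 10.0.0.5.51235 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000003 IP 10.0.0.9.22 > 10.0.0.5.51235: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:01.000004 IP 10.0.0.5.51236 > 10.0.0.9.23: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000005 IP 10.0.0.5.51237 > 10.0.0.9.25: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000006 IP 10.0.0.5.51238 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000007 IP 10.0.0.5.51239 > 10.0.0.9.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000001 IP 10.0.0.7.40000 > 10.0.0.9.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000002 IP 10.0.0.7.40001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000003 IP 10.0.0.7.40001 > 203.0.113.10.443: Flags [P.], seq 1:100, ack 1, length 99",
    "12:00:02.000004 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
]


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print("port-scan suspects:", port_scan_suspects(pkts))
    print("external contacts:", external_contacts(pkts))
```

Counting only bare SYNs keeps the server's SYN-ACK replies from being mistaken for outbound activity; the threshold is a starting point to tune against what is normal on the network in question, since a vulnerability scanner or a monitoring host will trip it legitimately.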
Activity:
Find as much information as you can…
Happy Hacking!!!
