Computer forensic
Computer Forensic Workshop - 2013
Computer Forensic Investigation: Procedure, tools, and practice
Ahmad Zaid Zam [email protected]
About the speaker
Bachelor's degree in Electronic Engineering
Digital forensic analyst
GCFA, CHFI, CEH, ENSA, ECIH, CEI
Founder Indonesia Digital Forensic Community
Cases involved: corporate espionage, data leak, banking fraud, cyber attack, etc.
Agenda
Digital forensic introduction
Digital evidence
Computer forensic procedure
Evidence acquisition
Data organization
Demo
Introduction
Today, many business and personal transactions are conducted electronically
Business professionals regularly negotiate deals by e-mail
People store their personal address books and calendars on desktop computers or tablets
People regularly use the Internet for business and pleasure
Cyber Crime
Any illegal act involving a computer and a network
The computer may have been used in the commission of a crime or it may be the target
Computer viruses, denial-of-service attacks, malware
Fraud, identity theft, phishing, spam, cyber warfare
Introduction
“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” (Dr. H. B. Wolfe)
Introduction
The collection, preservation, analysis and presentation of digital evidence
Scientific procedure
Develop and test hypotheses that answer questions about incidents that occurred
Admissible in a court of law
Why is computer forensics important?
Helps reconstruct past events or activity
Extends the scope of information security to the wider threat from cybercrime
Shows evidence of policy violations or illegal activity
Helps ensure the overall integrity of the network infrastructure
Digital evidence
Two basic types of evidence:
Persistent evidence: data stored on a local hard drive (or other non-volatile storage) that is preserved when the computer is turned off
Volatile evidence: any data held in memory or in transit that is lost when the computer loses power or is turned off
Persistent evidence
Documents (word, slide, sheet, pdf)
Images
Chat logs
Browser history
Registry
Audio / video
Applications
Email
SMS / MMS
Phone book
Call log
Volatile evidence
Memory
Network status and connection
Running processes
Time information
Procedure
Preparation
Preliminary investigation
Site investigation
Evidence acquisition
Preservation
Analysis
Report
Preparation
Destination media is freshly prepared (wiped)
Forensic workstation is scanned for malware
Validate all software licenses
Toolkits
Forms: computer worksheet form, hard drive worksheet form
Preparation
Establish file directories
Essential forms: letter of authorization, chain of custody, non-disclosure agreement
Letter of authorization
Chain of custody
Evidence worksheet
Preliminary investigation
Who? Profile the target user: are they computer savvy?
What? What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?
When? How long has it been since the digital activity?
Where? Where is the evidence, and how do you plan to procure it?
Site investigation
Take pictures of the scene
Record asset tags
Inventory and describe all hardware
Identify running processes and network information on live systems
Ensure the chain of custody form is properly completed
Order of Volatility
Most volatile first; collect in this order:
Memory
Network status and connections
Running processes
Hard disk
Evidence acquisition
Bit-stream imaging with a forensically accepted (court-tested) tool
Write-blocking device
Anti-static wrist strap
Record the initial configuration (how the drives are connected, system clock)
Record all activity
Evidence acquisition
Physical imaging: grabs the entire drive, including the MBR and unpartitioned space; considered best evidence; partitions can be broken out of the image afterwards using dd
Logical imaging: a file system or partition only; useful for obtaining a copy of a RAID volume, where imaging the individual disks would not give a usable file system
Evidence acquisition
Three evidence acquisition methods: hardware, live CD, and live
The result is an image file in all three cases
Hardware acquisition
Situation: the hard drive containing the evidence has been removed from the system
1. Attach a drive adapter (write blocker)
2. Plug it into the acquisition workstation
3. Image the attached drive to an image file
Evidence is in a static state
Volatile evidence is not available
Live CD acquisition
Situation: boot the target from a forensic live CD
The system is rebooted, so volatile evidence is lost
The hard drive is not removed
Image the system to an attached drive or a file share (the live CD must not mount the internal drive read-write)
Live acquisition
Situation: live system acquisition
Snapshot of a running system; the system stays powered on
Capability to gather volatile evidence (memory, network state, running processes)
Evidence will be changing while imaging, so the image is not a point-in-time copy; record the start and end times and hash what was captured
Image the system to a file on an attached drive or a file share
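The live collection described above, carried out in order of volatility, as an added example that is not part of the workshop material. It is a POSIX shell script for a Linux host and assumes /proc, GNU coreutils (sha256sum, date, who) and, where present, ps and ss; tools that are missing are recorded as missing rather than aborting the collection. Every artifact is hashed the moment it is written, so the snapshot can later be shown to be unchanged. A full physical memory dump (LiME, avml and similar) is outside what this script does; only /proc/meminfo is captured to document memory state at collection time.

```shell
#!/bin/sh
# Added example (not from the workshop slides): ordered live collection on a
# Linux host. Assumes /proc, GNU coreutils, and optionally ps and ss.
# A full RAM dump needs a dedicated tool (LiME, avml, ...) and is not done
# here; /proc/meminfo only documents the memory state at capture time.

set -u

# run_step CASEDIR NAME CMD [ARGS...]
# Run one collection command, store its output as NAME.txt in the case
# directory, and append "<sha256>  NAME.txt" to manifest.sha256 right away,
# before the next step can change the state of the host any further.
run_step() {
    casedir="$1"; name="$2"; shift 2
    out="$casedir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || printf '[exit status %s]\n' "$?" >>"$out"
    else
        printf 'tool not available on this host: %s\n' "$1" >"$out"
    fi
    (cd "$casedir" && sha256sum "$name.txt" >>manifest.sha256)
}

# collect_volatile CASEDIR
# Steps run from most to least volatile: memory and process state change
# fastest, network state next, host and time information last. The hard
# disk is imaged separately after this has run.
collect_volatile() {
    casedir="$1"
    mkdir -p "$casedir"
    : >"$casedir/manifest.sha256"
    run_step "$casedir" 01_start_time_utc date -u
    run_step "$casedir" 02_meminfo        cat /proc/meminfo
    run_step "$casedir" 03_processes      ps -eo pid,ppid,user,lstart,etime,args
    run_step "$casedir" 04_kernel_modules cat /proc/modules
    run_step "$casedir" 05_sockets        ss -tulpan
    run_step "$casedir" 06_route_table    cat /proc/net/route
    run_step "$casedir" 07_arp_cache      cat /proc/net/arp
    run_step "$casedir" 08_logged_in      who -a
    run_step "$casedir" 09_mounts         cat /proc/mounts
    run_step "$casedir" 10_uptime         cat /proc/uptime
    run_step "$casedir" 11_end_time_utc   date -u
}

# verify_manifest CASEDIR: re-hash every artifact; non-zero if any changed.
verify_manifest() {
    (cd "$1" && sha256sum -c --quiet manifest.sha256)
}

# count_artifacts CASEDIR: number of artifacts recorded in the manifest.
count_artifacts() {
    wc -l <"$1/manifest.sha256" | tr -d ' '
}

main() {
    collect_volatile "$1"
    verify_manifest "$1" && echo "captured $(count_artifacts "$1") artifacts in $1"
}
# usage: sh live_collect.sh /mnt/usb/case-001/volatile  (attached drive or file share)
if [ $# -eq 1 ]; then main "$1"; fi
```

The case directory should live on the attached evidence drive or file share named on the slide, never on the target's own disk, and the two date stamps bracket the window in which the host state was observed.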
Write blocker
Prevents accidental writes to the source data
Hardware based: an adapter placed between the hard drive and the acquisition workstation
Software based: software on the workstation blocks writes to the attached device
NIST CFTT software write block testing: http://www.cftt.nist.gov/software_write_block.htm
Preservation
Create a cryptographic hash of the original media
Create bit-image copies (working copies are made from the verified image, not from the original)
Compare the hash of each copy with the hash of the original; they must be identical
Lock the original disk in a limited-access container and record it on the chain of custody form
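The physical imaging and preservation steps above (bit-stream copy, hash of original and image, comparison, breaking partitions out of the image with dd) as one added example; it is not part of the workshop material. It assumes Linux with GNU coreutils (dd, od, sha256sum) on a little-endian CPU, since od -tu4 reads the 32-bit MBR fields in native byte order. In a real acquisition the source is a write-blocked device such as /dev/sdb; here a constructed 1 MiB file with a hand-written MBR stands in for it so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the workshop slides): bit-stream acquisition with
# dd, hash verification of the image against the source, and breaking out
# an MBR partition using the start/count read from the partition table.
# Assumes Linux, GNU coreutils and a little-endian CPU. /dev/sdb is replaced
# by a constructed file so the script runs without a real drive.

set -u

# acquire SRC DEST: sector-by-sector copy. conv=noerror,sync keeps going past
# read errors and pads the bad block with zeros, so offsets in the image still
# line up with the source (the gap stays visible as a zero-filled sector).
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync status=none
}

# verify SRC DEST: prints both hashes; returns 0 only when they are identical.
# Hash the source first, before anything else touches it, then the image.
verify() {
    h_src=$(sha256sum <"$1" | cut -d' ' -f1)
    h_img=$(sha256sum <"$2" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$h_src" "$h_img"
    [ "$h_src" = "$h_img" ]
}

# mbr_entry IMAGE N start|count: 32-bit LBA start or sector count of MBR
# partition entry N (1-4). The table starts at byte 446 with 16 bytes per
# entry; LBA start is at +8 and sector count at +12 within the entry.
mbr_entry() {
    base=$((446 + ($2 - 1) * 16))
    case $3 in
        start) off=$((base + 8)) ;;
        count) off=$((base + 12)) ;;
        *) return 1 ;;
    esac
    od -An -tu4 -j "$off" -N 4 "$1" | tr -d ' '
}

# extract_partition IMAGE N OUT: copy partition N of the image into its own
# file, which can then be mounted read-only (mount -o ro,loop,noexec) or
# handed to file-system analysis tools.
extract_partition() {
    start=$(mbr_entry "$1" "$2" start)
    count=$(mbr_entry "$1" "$2" count)
    dd if="$1" of="$3" bs=512 skip="$start" count="$count" status=none
}

# make_sample_disk PATH: constructed stand-in for a physical drive: 2048
# sectors of filler plus an MBR whose first entry (type 0x83) starts at
# LBA 64 and spans 512 sectors. Fields are little-endian, written in octal.
make_sample_disk() {
    yes 'forensic-sample' | head -c $((2048 * 512)) >"$1"
    printf '\000\000\000\000\203\000\000\000\100\000\000\000\000\002\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc status=none
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc status=none
}

main() {
    work=$(mktemp -d)
    make_sample_disk "$work/sdb"                 # stands in for /dev/sdb
    acquire "$work/sdb" "$work/sdb.dd"
    if verify "$work/sdb" "$work/sdb.dd" >"$work/sdb.dd.sha256"; then
        echo "image verified; hashes recorded in $work/sdb.dd.sha256"
    else
        echo "HASH MISMATCH: image is not a faithful copy" >&2
    fi
    extract_partition "$work/sdb.dd" 1 "$work/sdb.dd.part1"
    ls -l "$work"
}
# usage: sh acquire.sh demo   (with a real drive, call acquire/verify on the device)
if [ "${1:-}" = demo ]; then main; fi
```

The recorded hash file goes on the evidence worksheet; any later copy of the image is checked against it before analysis, and a mismatch means the copy is not evidence.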
Analysis of data
Only work on the forensic copy; the original stays locked away
Stay within your scope of work (the letter of authorization)
Analysis steps: timeline analysis, media analysis, string or byte search, data recovery
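Three of the analysis steps listed above (string or byte search, data recovery by carving sectors, and a MAC timeline) as an added example run against a forensic copy; it is not part of the workshop material. It assumes GNU grep, GNU coreutils (dd, stat, date) and find. The image and the directory tree it works on are constructed in the script, so it runs offline; in practice the directory is a read-only loop mount of the image, since a read-write mount would update access times.

```shell
#!/bin/sh
# Added example (not from the workshop slides): byte search with sector
# mapping, sector carving, and a MAC timeline, all on the forensic copy.
# Assumes GNU grep, coreutils and find; inputs are constructed below.

set -u

# byte_search IMAGE PATTERN: prints "byte_offset sector" for every hit.
# grep -a treats the raw image as text; -b -o gives the offset of each match.
byte_search() {
    grep -abo -- "$2" "$1" | awk -F: '{ printf "%d %d\n", $1, int($1 / 512) }'
}

# carve IMAGE SECTOR NSECTORS OUT: copy NSECTORS sectors starting at SECTOR
# out of the image, e.g. to recover the remains of a deleted file whose text
# was located with byte_search.
carve() {
    dd if="$1" of="$4" bs=512 skip="$2" count="$3" status=none
}

# mac_timeline DIR: one line per timestamp (m = modified, a = accessed,
# c = inode changed) for every file under DIR, oldest first. DIR should be a
# read-only mount of the image (mount -o ro,loop,noexec ...) so that listing
# it does not alter the access times being recorded.
mac_timeline() {
    find "$1" -type f -exec stat --printf '%Y m %n\n%X a %n\n%Z c %n\n' {} + |
        sort -n |
        while read -r ts kind path; do
            printf '%s %s %s\n' "$(date -u -d "@$ts" +%Y-%m-%dT%H:%M:%SZ)" "$kind" "$path"
        done
}

# make_search_sample PATH: constructed 8-sector image of zero bytes with one
# keyword buried at byte 1500, i.e. inside sector 2.
make_search_sample() {
    head -c 4096 /dev/zero >"$1"
    printf 'secret-project' | dd of="$1" bs=1 seek=1500 conv=notrunc status=none
}

main() {
    work=$(mktemp -d)
    make_search_sample "$work/image.dd"
    echo "hits for 'secret-project' (offset sector):"
    byte_search "$work/image.dd" secret-project
    carve "$work/image.dd" 2 1 "$work/sector2.bin"
    mkdir "$work/mnt"; : >"$work/mnt/notes.txt"   # stands in for a mounted copy
    mac_timeline "$work/mnt"
}
# usage: sh analyse.sh demo
if [ "${1:-}" = demo ]; then main; fi
```

Sector numbers from the search feed straight into carve, and the timeline is what a timeline analysis is built on: the three timestamps of every file, sorted, so that activity around the time of the incident can be read off in order.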
Questions?