DIGITAL FORENSICS: CLUES IN THE HARD DRIVE
BY: PAMELA KING
COMPUTER SCIENCE & INFORMATION TECHNOLOGY DEPARTMENT
DIGITAL FORENSICS & CYBERSECURITY PROGRAM
CHESTNUT HILL COLLEGE
WHAT IS DIGITAL FORENSICS
• Intersection of Law and Digital Technology
  • LAW and LEGAL SYSTEM (Policy, Regulatory)
  • COMPUTER SCIENCE & TECHNOLOGY
DIGITAL FORENSICS JOB SECTORS
• Private Industry
  • Incident Response
  • Internal Investigations
• Law Firms
  • Litigation Support
  • E-Discovery
• Government
  • Law Enforcement
  • Regulatory
  • Infrastructure Protection
DIGITAL FORENSICS
• There are six steps:
  • Collect
  • Acquire
  • Verify
  • Analyze
  • Report
  • Testify
ANALYSIS – CLUES IN THE HARD DRIVE
• Useful Artifacts
• Some overlooked
• Case Scenarios
• Technical
TOPICS
• Disk Logical Serial Numbers
• Windows Registry
• Hardware Log Events
• Search literals and strings
HARD DISK – LOGICAL SERIAL NUMBERS
• Hard drives have hardware serial numbers.
• Found in System Area/Partition Table
  • MBR – creates a disk serial number
    • Signature is written by Windows Operating System
  • GPT – Disk GUID
    • Also, each partition has a GUID assigned when created.
LOGICAL SERIAL NUMBER
• MBR – SECTOR 0
• GPT – SECTOR 1 (HEADER)
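To make the sector layout on this slide concrete, here is an added Python example (not part of the presentation) that pulls the three logical identifiers out of a raw disk image: the MBR disk signature at offset 0x1B8 of sector 0, the Disk GUID at offset 56 of the GPT header in sector 1, and each partition's unique GUID from the entry array that the header points to. The image it parses is constructed inline; the GUIDs, signature value and LBAs in it are made-up sample values, and the header CRC fields are left at zero because this parser does not verify them.

```python
import struct
import uuid
from typing import Dict, List, Optional

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"


def mbr_disk_signature(sector0: bytes) -> Optional[str]:
    """Return the 32-bit disk signature Windows writes at offset 0x1B8 of
    sector 0, as 8 hex digits, or None if the sector lacks the 0x55AA
    boot-sector marker at offset 0x1FE."""
    if len(sector0) < SECTOR or sector0[0x1FE:0x200] != b"\x55\xAA":
        return None
    (signature,) = struct.unpack_from("<I", sector0, 0x1B8)
    return f"{signature:08X}"


def gpt_disk_guid(sector1: bytes) -> Optional[str]:
    """Return the Disk GUID from the GPT header in sector 1 (LBA 1), or None
    if the sector does not start with "EFI PART". GPT stores GUIDs with the
    first three fields little-endian, which uuid.UUID(bytes_le=...) decodes."""
    if len(sector1) < 92 or sector1[:8] != GPT_SIGNATURE:
        return None
    return str(uuid.UUID(bytes_le=sector1[56:72]))


def gpt_partition_guids(image: bytes) -> List[str]:
    """Return the unique GUID of every in-use partition entry, locating the
    entry array through the header fields at offsets 72 (starting LBA),
    80 (entry count) and 84 (entry size)."""
    header = image[SECTOR:2 * SECTOR]
    if gpt_disk_guid(header) is None:
        return []
    entries_lba, count, entry_size = struct.unpack_from("<QII", header, 72)
    guids = []
    for i in range(count):
        start = entries_lba * SECTOR + i * entry_size
        entry = image[start:start + entry_size]
        if len(entry) < 32 or entry[:16] == bytes(16):  # all-zero type GUID = unused slot
            continue
        guids.append(str(uuid.UUID(bytes_le=entry[16:32])))
    return guids


def disk_identifiers(image: bytes) -> Dict[str, object]:
    """Collect all three logical identifiers from a raw disk image."""
    return {
        "mbr_signature": mbr_disk_signature(image[:SECTOR]),
        "gpt_disk_guid": gpt_disk_guid(image[SECTOR:2 * SECTOR]),
        "partition_guids": gpt_partition_guids(image),
    }


# --- Constructed sample image: made-up values, not evidence from any case ---
SAMPLE_MBR_SIGNATURE = 0x3A7B9C1D
SAMPLE_DISK_GUID = "9a1f2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"
SAMPLE_PART_GUID = "1b2c3d4e-5f60-4718-9a2b-3c4d5e6f7a8b"
MS_BASIC_DATA = "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"  # Microsoft basic data partition type


def build_sample_image() -> bytes:
    """Build a 3-sector image: protective MBR, GPT header, one partition entry."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, SAMPLE_MBR_SIGNATURE)
    mbr[0x1BE + 4] = 0xEE                                 # protective partition type 0xEE
    mbr[0x1FE:0x200] = b"\x55\xAA"

    header = bytearray(SECTOR)
    header[:8] = GPT_SIGNATURE
    struct.pack_into("<II", header, 8, 0x00010000, 92)    # revision 1.0, header size
    struct.pack_into("<QQQQ", header, 24, 1, 5, 3, 4)      # this LBA, backup LBA, first/last usable (constructed)
    header[56:72] = uuid.UUID(SAMPLE_DISK_GUID).bytes_le
    struct.pack_into("<QII", header, 72, 2, 1, 128)       # entries at LBA 2, 1 entry of 128 bytes

    entry = bytearray(128)
    entry[0:16] = uuid.UUID(MS_BASIC_DATA).bytes_le       # partition type GUID
    entry[16:32] = uuid.UUID(SAMPLE_PART_GUID).bytes_le   # unique partition GUID
    struct.pack_into("<QQ", entry, 32, 3, 4)              # first/last LBA of the partition
    name = "Data".encode("utf-16-le")
    entry[56:56 + len(name)] = name
    return bytes(mbr) + bytes(header) + bytes(entry) + bytes(SECTOR - 128)


if __name__ == "__main__":
    for key, value in disk_identifiers(build_sample_image()).items():
        print(f"{key}: {value}")
```

Running `disk_identifiers` over two images and comparing the results is the check behind the scenario's "serial numbers were the same" finding: the signature and GUIDs live in the system area, so they survive file-level wiping that changes the file-content hashes of the two drives.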
SCENARIO
• Employees quit.
• Start new company.
• Solicit clients.
• Marketing materials/engineering diagrams.
• Claimed they “invented” them.
• Files had been “wiped”
• Hashes of the two drives were different.
• But…serial numbers were the same (among other evidence).
WINDOWS REGISTRY
• Moved keys
  • ntuser.dat to usrclass.dat
• New keys
  • More data in usrclass.dat
• Backup copies
• Tools
  • Paraben Registry Analyzer
  • AccessData Registry Viewer
  • Magnet Axiom
  • TZworks Sbag.exe
VSS & WINDOWS REGISTRY
SCENARIO
• Employees left for competitor
• Took proprietary data
• Company laptop analyzed
• Archived copies of registry showed
  • Attached to competitor’s wifi
  • Attached 250GB external hard drive
  • Dated prior to exiting company
GHOST IN THE MACHINE?
• Homicide Case
• Victim found murdered
• Coroner established time of death between 6pm and 7pm June 7th.
• Defense argues that there was computer activity after that and until 11:30pm on June 8th, so the time of death is wrong. Dead men don’t type…
WINDOWS HAS LOGGING
• Software
  • Applications
  • System
  • Firewall
  • And more...
• Information/Warning/Error
  • Power on/off
  • Change date/time
  • Update Software
  • Backups
  • And more...
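As an added example, not from the presentation, the following Python builds a timeline from the kinds of records listed above and sorts everything logged after a cutoff (the coroner's window in the Ghost in the Machine scenario) into logons, activity the machine produces by itself (updates, backups), power state changes, and clock changes. The log records are constructed and use a pipe-separated line format of this example's own, not the .evtx format a real examination exports from; the provider/event ID classification table is likewise an assumption made here, to be adjusted to the providers actually present on the image.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Classification assumed for this example (not a list from the presentation):
# which (provider, event ID) pairs a machine produces without anyone present,
# which record a logon, which record power state, and which mean the recorded
# timestamps can no longer be taken at face value.
UNATTENDED = {
    ("Microsoft-Windows-WindowsUpdateClient", 19),  # update installed
    ("Microsoft-Windows-Backup", 4),                # backup finished
}
POWER = {
    ("Microsoft-Windows-Kernel-General", 12),       # system started
    ("Microsoft-Windows-Kernel-General", 13),       # system shut down
}
CLOCK = {
    ("Microsoft-Windows-Kernel-General", 1),        # system time changed
    ("Microsoft-Windows-Security-Auditing", 4616),  # system time changed (Security log)
}
LOGON = {
    ("Microsoft-Windows-Security-Auditing", 4624),  # logon; the logon type in the detail says how
}


@dataclass
class Event:
    when: datetime      # timestamp as written in the log (may itself be wrong after a clock change)
    provider: str
    event_id: int
    detail: str

    def category(self) -> str:
        key = (self.provider, self.event_id)
        for name, table in (("clock", CLOCK), ("logon", LOGON),
                            ("unattended", UNATTENDED), ("power", POWER)):
            if key in table:
                return name
        return "other"


def parse_log(text: str) -> List[Event]:
    """Parse 'ISO-time|provider|event id|detail' lines into a time-sorted list."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, provider, event_id, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(when), provider, int(event_id), detail))
    return sorted(events, key=lambda e: e.when)


def activity_after(events: List[Event], cutoff_iso: str) -> Dict[str, List[Event]]:
    """Bucket every record logged after the cutoff by category, so the question
    'did someone have to be at the keyboard for this?' is answered per record."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    buckets: Dict[str, List[Event]] = {k: [] for k in ("logon", "unattended", "power", "clock", "other")}
    for e in events:
        if e.when > cutoff:
            buckets[e.category()].append(e)
    return buckets


def clock_changed(events: List[Event]) -> bool:
    """True if a system-time-change record is present; timestamps written around
    such a record must be re-examined before any of them is relied on."""
    return any(e.category() == "clock" for e in events)


# Constructed sample records; dates mirror the scenario's window but are invented.
SAMPLE_LOG = """\
2019-06-07T17:40:00|Microsoft-Windows-Kernel-General|12|System started
2019-06-07T18:05:00|Microsoft-Windows-Security-Auditing|4624|Logon type 2 (interactive)
2019-06-07T23:00:00|Microsoft-Windows-WindowsUpdateClient|19|Installation Successful: KB-PLACEHOLDER
2019-06-08T03:00:00|Microsoft-Windows-Backup|4|Backup operation finished
2019-06-08T23:30:00|Microsoft-Windows-Kernel-General|1|System time changed
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for category, items in activity_after(events, "2019-06-07T19:00:00").items():
        for e in items:
            print(f"{e.when.isoformat()}  {category:10}  {e.provider} {e.event_id}: {e.detail}")
    print("clock change present:", clock_changed(events))
```

On the constructed sample, the only records after the cutoff are an update, a backup and a clock change: none of them needs a person present, and the clock change means the later timestamps have to be checked against another source (the update's own log, or the backup catalog) before "activity until 11:30pm" is accepted as evidence of anything.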
SO MUCH MORE
• RAM Analysis
  • Private Browsing Mode
• Attached Devices
  • Setupapi.log & MTP entries
• Time Line Analysis
  • Using $MFT/Directory
• Malware Analysis
  • Keyloggers
• Prefetch Analysis
  • Software use
• Lnk File Analysis
  • File use
4TH ANNUAL CYBER SECURITY & FORENSICS CONFERENCE
• Sponsored by CHC and HTCIA.
• October is National Cyber Security Month!
• October 26 at Chestnut Hill College
THANK YOU!
Pamela King
Chestnut Hill College
Computer Science & Information Technology
Digital Forensics & Cyber Security B.S. Degrees
215-248-7145
www.chc.edu