FORENSICS - HconGroups (groups.hcon.in/uploads/1/8/1/9/1819392/cyber_forensic…, 2014-10-28)
FORENSICS
Let's do some Autopsy!!
Savan Patel aka Achilli3st aka X
AUTOPSY
REALLY ?
BUT CLOSE…
NOT LITERALLY!
AGENDA
▪ What is forensics
▪ Why forensics
▪ Anti-forensics
▪ How to become a forensics expert
▪ Some terms
▪ Computer forensics
▪ Memory analysis
▪ Volatile/non-volatile
▪ Encryption/steganography
▪ Network analysis
WHAT IS FORENSICS?
▪ Forensics is related to courts and trials: answering questions for the legal system
▪ Computer forensics helps answer whether a digital device was part of a cyber crime or the victim of one
▪ The purpose is to find evidence that can prove, in court, what was done on the system
▪ Five aspects:
▪ IF ▪ WHO ▪ WHAT ▪ HOW ▪ WHEN ▪ WHY
WHY FORENSICS?
Fraud
Drug trafficking
Child pornography
Espionage
Copyright infringement
CYBER-ATTACKS
Discover what was lost
Recover deleted data
Discover the entry point
ANTI-FORENSICS
▪ A set of techniques used as countermeasures to forensic analysis
▪ Ex. Full-disk encryption
▪ TrueCrypt on Linux, Windows and OS X
▪ FileVault 2 on OS X
▪ BitLocker on Windows
▪ File erasers
▪ AbsoluteShield File Shredder
▪ Heidi Eraser
▪ Permanent Eraser
HOW TO BE FORENSICS EXPERT?
HOW TO BE FORENSICS EXPERT?
TOO DAMN EASY!!
JUST LEARN:
Operating systems
File systems
Disk partitioning
Networking
Memory management
JUST LEARN:
Operating systems
File systems
Disk partitioning
Networking
Memory management
And of course a little of these…
STEPS FOR INVESTIGATING COMPUTER CRIME
1. Determine if an incident has occurred
2. Find and interpret the clues left behind
3. Conduct a preliminary assessment to search for evidence
4. Search and seize the equipment
5. Collect evidence and present it in court
COMPUTER FORENSICS
▪ Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
▪ The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
Areas of computer forensics:
Memory analysis
Network data analysis
Document or file analysis
OS analysis
Mobile analysis
Database analysis
WHAT YOU NEED?
Hardware
Removable HD enclosures or connectors with different plugs
Write blockers
External disks
Software
Multiple operating systems
Linux: extensive native file system support
VMs running various Windows versions (XP, Vista, 7, 8)
Forensics toolkits
E.g., SleuthKit http://www.sleuthkit.org
WinHex
Internet Evidence Finder
MEMORY ANALYSIS
Non-volatile memory
• Stored data is not erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
Volatile memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes
DATA 'SPOILS' EASILY
▪ It's extremely important to understand this
▪ Trying to obtain the data may alter it
▪ Simply doing nothing is also not good
▪ A running system continuously evolves
▪ The Heisenberg Uncertainty Principle of data gathering and system analysis
▪ As you capture data in one part of the computer you are changing data in another
▪ Use write blockers
ORDER OF VOLATILITY
Data type: lifetime
Registers, peripheral memory, caches, etc.: nanoseconds
Main memory: nanoseconds
Network state: milliseconds
Running processes: seconds
Disk: minutes
Floppies, backup media, etc.: years
CD-ROMs, printouts, etc.: tens of years
VOLATILE MEMORY
▪ RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open Web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
▪ Tools to be used:
▪ Belkasoft Live RAM Capturer
▪ Memory DD
▪ MANDIANT Memoryze
NON-VOLATILE MEMORY
▪ Data is stored permanently on the disk.
▪ Shift + Delete will NOT remove it
▪ If data is deleted there ARE tools to recover it.
▪ It all depends on the type of file system being used
▪ NTFS, FAT, ext, HFS…
DISK IMAGING
▪ dd
▪ dd if=/dev/sda1 of=/dev/sdb1/root.raw
▪ dcfldd
▪ dcfldd if=/dev/sda1 hash=md5 of=/dev/sdb1/root.raw
▪ In both cases the source is read behind a write blocker and the image file is written to a separate destination disk, never back onto the evidence drive
▪ ProDiscover
▪ EnCase
▪ FTK
▪ Sleuth Kit (Autopsy)
▪ WinHex
HASHING
▪ After a clone or an image is made it is very important to make a hash of it.
▪ After the complete analysis of the disk or an image we again calculate the hash.
▪ This is important because we need to prove in court that the evidence has not been tampered with.
▪ Currently Indian courts accept SHA-256
▪ Tools for calculating hashes: WinHex, Sleuthkit, EnCase.
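The imaging-plus-hashing workflow of the two slides above, as an added example that is not part of the original deck: the image is hashed with SHA-256 while it is being copied (the way dcfldd's hash= option does it), and the same hash is recomputed after analysis to prove the image is unchanged. The "device" is a constructed in-memory byte buffer standing in for a block device opened read-only behind a write blocker.

```python
import hashlib
import io

# Constructed stand-in for the evidence device (64 KiB, deterministic content).
# In real use this is the block device, e.g. /dev/sda1, opened read-only.
EVIDENCE_DEVICE = io.BytesIO(bytes(range(256)) * 256)


def image_and_hash(src, dst, block_size=4096):
    """Copy src to dst block by block, hashing exactly the bytes written.
    One pass over the (fragile) source yields both the image and its
    acquisition hash. Returns (bytes_copied, sha256_hex)."""
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        h.update(chunk)
        dst.write(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


def hash_image(img, block_size=4096):
    """SHA-256 of an existing image, streamed so it never sits wholly in RAM."""
    h = hashlib.sha256()
    img.seek(0)
    for chunk in iter(lambda: img.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(img, acquisition_hash):
    """True if the image still matches the hash recorded at acquisition time."""
    return hash_image(img) == acquisition_hash


def demo():
    """Acquire, verify, then show that a single flipped byte breaks verification."""
    image = io.BytesIO()
    EVIDENCE_DEVICE.seek(0)
    size, acq_hash = image_and_hash(EVIDENCE_DEVICE, image)
    intact = verify_image(image, acq_hash)            # expected True
    tampered = bytearray(image.getvalue())
    tampered[100] ^= 0xFF                             # simulate post-acquisition change
    still_valid = verify_image(io.BytesIO(bytes(tampered)), acq_hash)  # expected False
    return size, intact, still_valid


if __name__ == "__main__":
    print(demo())
```

Record the acquisition hash in the case notes at imaging time; the deck's dcfldd line uses hash=md5, and the same tool also accepts hash=sha256, which is what the following slide says Indian courts accept.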
RECONSTRUCTING THE FILE SYSTEM
▪ Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can take a look at the files as they were on the machine.
▪ This makes the entire task of analysis easier.
MAKING THINGS EASIER
▪ With tools like Live View it is even possible to recreate the entire scenario, i.e. the actual operating system, on a virtual machine.
▪ Live View is only compatible up to XP.
▪ The tools to really look at for this are:
▪ Mount Image Pro and Virtual Forensic Computing
HIDDEN DATA
▪ Slack space
▪ Alternate Data Streams (ADS)
▪ Steganography
▪ Hidden partitions
▪ Unallocated space
▪ Modified file extensions
▪ Metadata
FILE CARVING
EXTRACTING HIDDEN DATA
▪ While imaging or cloning a disk an exact copy is made and hence the hidden data remains as it is.
▪ There is no specific tool for the extraction of the hidden data and hence we need to perform manual analysis on the image or the disk using hex editors
▪ Eg: WinHex
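What the FILE CARVING and HIDDEN DATA slides refer to, as an added example that is not from the original deck: a signature-based carver that scans raw bytes (unallocated space, slack, or a whole image) for JPEG and PNG headers and footers, ignoring file names and extensions entirely. The magic bytes are the real JPEG/PNG ones; the unallocated-space blob is constructed inline and includes an orphan header with no footer to show the case a carver must skip.

```python
# Signature table: type -> (header bytes, footer bytes, bytes following the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),   # IEND chunk is followed by a 4-byte CRC
}


def carve(blob, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (type, offset, data) for every header whose footer lies within
    max_size bytes. No file-system metadata is consulted, so renamed files,
    deleted files and data in slack/unallocated space are all found alike."""
    found = []
    for ftype, (header, footer, trailer) in signatures.items():
        start = 0
        while True:
            start = blob.find(header, start)
            if start < 0:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end >= 0:
                end += len(footer) + trailer
                found.append((ftype, start, blob[start:end]))
                start = end
            else:
                start += len(header)      # orphan header (no footer): skip it
    return sorted(found, key=lambda hit: hit[1])


def build_sample_unallocated():
    """Constructed blob: filler, a JPEG, filler, a PNG, filler, an orphan JPEG header.
    Bodies are placeholders; only header/footer bytes matter to the carver."""
    filler = bytes([0x00, 0x55, 0xAA] * 100)                    # 300 bytes, no signatures
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-constructed" + b"IEND" + b"\xaeB`\x82"
    orphan = b"\xff\xd8\xff"
    return filler + jpeg + filler + png + filler + orphan + filler, jpeg, png


if __name__ == "__main__":
    blob, _, _ = build_sample_unallocated()
    for ftype, offset, data in carve(blob):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Carved output is always a candidate, not proof: a header whose real footer is missing will pair with the next footer of the same type, so each carved file should be opened or parsed to confirm it is genuine, which is also the manual hex-editor step the slide describes.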
ANALYZING ENCRYPTED MATERIAL
▪ While performing analysis on disks and images there is a very good chance that we come across encrypted data.
▪ This creates a problem for a forensic analyst.
▪ Even though there are tools and techniques to break encryption we sometimes fail to do so.
PASSWORD CRACKING TECHNIQUES
▪ A series of attacks are carried out to break encryption:
▪ Brute-force attack
▪ Dictionary attack
▪ Known-plaintext attack
▪ Rainbow table attack
▪ Tools: a variety of stand-alone as well as online tools are available which help with cracking encrypted files.
▪ AZPR
▪ AOPR
▪ Decryptum (online)
▪ Passware Kit
HIGH-END ENCRYPTION
▪ If we come across any type of files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
▪ In such cases the furthest we can go is to look for the keys on the machine.
DEALING WITH STEGANOGRAPHY
▪ From a culprit's point of view steganography is something that would stand beyond cryptography.
▪ This is because detecting steganography manually is a big challenge to any individual.
▪ And with not enough tools to detect steganography on the market it makes the job even more tiresome.
▪ Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm; it is not a big task to achieve. That makes detection difficult.
Figure: Confidential information
THE OOPS MOMENT!!
▪ Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
▪ StegDetect
▪ StegSecret
WHAT IS NETWORK FORENSICS?
▪ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
▪ Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
WHY NETWORK FORENSICS?
▪ Why does network forensics play an important role?
▪ Network forensics can reveal whether the network or the machine from which the crime occurred was compromised or not, which can turn out to be really handy in some cases.
TOOLS
▪ tcpdump
▪ Wireshark
▪ NetworkMiner
▪ Snort
THANK YOU
Happy Hacking!!!