intro to forensics
Forensics is the application of science to law.
Uploaded by pardhasaradhi-ch (category: Technology)
Transcript of intro to forensics
Slide 1
n|u
Pardhasaradhi.ch
Slide 2
Computer Forensics:
• It is the application of computer investigation and analysis techniques to gather evidence
• It is also called cyber forensics
Goal:
• The goal of computer forensics is to perform a structured investigation, while maintaining a documented chain of evidence, to find out exactly what happened on a computer and who was responsible for it.
Slide 3
Stages in the digital investigation process:
Preparation
Search and seizure
Acquisition and authentication
Case storage and archival
Analysis and reporting
Slide 4
Rules of computer forensics:
• Rule 1: Never mishandle evidence
Ex: Maintain the chain of custody
Use asset tags
Record crime scene details
• Rule 2: Never trust the subject operating system
Ex: Avoid live forensics (boot from trusted forensic media instead of the suspect's own OS)
Use drive encryption
Check the hash value of the image against the original
Slide 5
• Rule 3: Never work on original evidence
Ex: Create a bit-stream copy and analyse that copy
Do not access the file system during imaging
• Rule 4: Document everything
Ex: Document any errors that occur while imaging
If errors arise while imaging, take another copy
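The acquisition discipline in Rules 2 to 4 (bit-stream copy, record read errors, hash the image and re-verify it before touching the working copy) as an added, runnable example; this is not code from the slides or from any of the tools they list. It stands in for dd with conv=noerror,sync in pure Python: the device is a constructed in-memory byte buffer (FlakyDevice, a name chosen for the demo) that can be told to fail at one sector, the sector size is assumed to be 512 bytes, and the acquisition record it returns is the kind of entry that belongs in the case notes.

```python
import hashlib
import io


SECTOR = 512  # sector size assumed for this demo


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device; one sector can be made unreadable."""

    def __init__(self, data, bad_offset=None):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.bad_offset is not None and self.tell() == self.bad_offset:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(src, dst, sector=SECTOR):
    """Bit-stream copy of src into dst (both binary file-like objects).

    Like dd conv=noerror,sync: an unreadable sector is logged and replaced by
    zeros so every later byte keeps its original offset. Returns the acquisition
    record (size, read errors, hash) that belongs in the case notes.
    """
    digest = hashlib.sha256()
    errors = []
    offset = 0
    while True:
        try:
            src.seek(offset)
            chunk = src.read(sector)
        except OSError as exc:
            errors.append({"offset": offset, "error": str(exc)})
            chunk = b"\x00" * sector
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return {"bytes": offset, "errors": errors, "sha256": digest.hexdigest()}


def verify_image(img, record):
    """Re-hash the working copy before analysis and compare with the recorded hash."""
    digest = hashlib.sha256()
    img.seek(0)
    for chunk in iter(lambda: img.read(1 << 16), b""):
        digest.update(chunk)
    return digest.hexdigest() == record["sha256"]


def run_demo():
    """Image a clean device, then one with a bad sector, then tamper with the copy."""
    data = bytes(range(256)) * 8          # constructed 2 KiB "disk", four sectors
    out = {}

    clean_img = io.BytesIO()
    out["clean"] = image_device(FlakyDevice(data), clean_img)
    out["clean_matches_source"] = out["clean"]["sha256"] == hashlib.sha256(data).hexdigest()

    flaky_img = io.BytesIO()
    out["flaky"] = image_device(FlakyDevice(data, bad_offset=1024), flaky_img)
    expected = data[:1024] + b"\x00" * SECTOR + data[1536:]
    out["flaky_matches_expected"] = out["flaky"]["sha256"] == hashlib.sha256(expected).hexdigest()
    out["flaky_verifies"] = verify_image(flaky_img, out["flaky"])

    flaky_img.seek(0)
    flaky_img.write(b"\xff")             # flip one byte of the working copy
    out["tampered_verifies"] = verify_image(flaky_img, out["flaky"])
    return out


if __name__ == "__main__":
    result = run_demo()
    print(result["clean"]["sha256"], result["flaky"]["errors"])
```

The point of the zero-fill is that an image with a logged bad sector is still usable and still verifiable: its hash will not match a hash of the source drive taken by other means, which is exactly why the error list and the image hash are recorded together, and why the slide says to take a second copy when errors occur.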
Slide 6
Clone vs. image:
Clone:
To copy or replicate the entire contents of a hard disk drive, sector by sector, onto another drive. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups.
Ex: Symantec Ghost
Image:
The same contents stored as a file. Some of the image formats are dd (raw), E01, SMART, AD1, ISO and NRG.
Images are a locked format and are easy to carry.
A clone can be booted and used directly, whereas an image has to be mounted or restored to a drive first.
Slide 7
Software Forensic Hub:
AccessData:
• FTK Imager
• Password Recovery Toolkit
• Registry Viewer
• Forensic Toolkit (FTK)
MAC times:
• Modified
• Accessed
• Created
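The MAC times listed above, as an added example that is not part of the slides: it reads the three timestamps with os.stat, builds a sorted timeline from them, and shows the caveat an examiner needs, which is that on POSIX file systems the "C" time is the inode change time rather than a creation time, and that M and A can be forged with utime() (timestomping) while the change time cannot. The sample file, its content and the forged date (epoch 1000000000) are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone


def mac_times(path):
    """Return the M, A and C timestamps of a path as UTC datetimes.

    Caveat: on POSIX file systems st_ctime is the inode *change* time, not the
    creation time a Windows examiner means by "Created"; NTFS keeps a separate
    creation timestamp that os.stat exposes as st_birthtime only on some platforms.
    """
    st = os.stat(path)
    as_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {"modified": as_utc(st.st_mtime),
            "accessed": as_utc(st.st_atime),
            "changed": as_utc(st.st_ctime)}


def timeline(paths):
    """Flatten the MAC times of several files into one chronologically sorted list."""
    events = []
    for path in paths:
        for kind, when in mac_times(path).items():
            events.append((when, kind, path))
    return sorted(events)


def demo_timestomp():
    """Constructed example: a freshly written file whose M and A times are
    back-dated with utime(), as anti-forensic timestomping does. The kernel still
    records the moment of that metadata change in ctime, so a ctime far later
    than the modified time is the inconsistency to flag."""
    forged = 1000000000.0                      # 2001-09-09T01:46:40Z (assumed date)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample\n")
        before = mac_times(path)
        os.utime(path, (forged, forged))       # back-date A and M only
        after = mac_times(path)
        gap = (after["changed"] - after["modified"]).total_seconds()
        return {
            "before_consistent": abs((before["changed"] - before["modified"]).total_seconds()) < 5,
            "forged_mtime": os.stat(path).st_mtime,
            "timestomp_detected": gap > 86400,   # ctime more than a day after mtime
            "timeline": timeline([path]),
        }


if __name__ == "__main__":
    for when, kind, path in demo_timestomp()["timeline"]:
        print(when.isoformat(), kind, path)
```

A real timeline tool does the same thing over every entry in the image (and over registry and log timestamps), but the check is the same: a file whose change time is far newer than its modified time has had its metadata rewritten after the content was last written.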
Slide 8
Stego Suite
Mount Image Pro
Ultimate Forensics Toolkit
Elcomsoft
Helix
dd (Linux)
Slide 9
Hardware Forensic Hub:
Devices used for forensics
• Shadow device:
As an investigative tool, it lets the examiner boot the suspect machine and connect it to its network while all writes are diverted away from the original drive
• Write blocker:
Allows read commands to pass but blocks write commands
• Faraday bag:
Designed for electronic items; it isolates them from all networks
Slide 10
Whole disk encryption (WDE):
• Whole disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Full disk encryption prevents unauthorized access to the data storage
Ex: TrueCrypt
For the examiner this cuts both ways: an image of an encrypted drive is unreadable without the key, so the decision to pull the plug (losing any key held in RAM) or to capture live has to be made at seizure
Drive wiper:
• Wipes all data off two drives at up to 8 GB per minute
• Automatically unlocks and wipes Host Protected Areas
• Cuts drive wiping time in half
• Very lightweight, under a pound, plus a laptop-style power supply
• Simple, fast, portable data destruction
Slide 11
Steganography:
Steganography is the process of hiding a secret message within an ordinary message and extracting it at its destination
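How the hiding and extraction described above actually work, as an added example that is not from the slides or from the Stego Suite product they mention: least-significant-bit embedding into a cover, which is the simplest and most common stego technique. The cover here is a constructed byte array standing in for the pixel samples of an uncompressed image, the message and the 4-byte length prefix are layout choices made for the demo, and the last function is the crude statistical check a detector would run, showing why embedding leaves a trace even though no sample changes by more than one unit.

```python
def hide(cover, message):
    """Embed message in the least significant bit of successive cover bytes.
    Layout: a 4-byte big-endian length, then the message, one bit per cover byte."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_lsb_bytes(data, start, count):
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (data[start + (b * 8) + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the message by reading the LSB plane: length first, then payload."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    return _read_lsb_bytes(stego, 32, length)


def compare(cover, stego):
    """How many samples changed, and whether every change stayed within the LSB."""
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    only_lsb = all(a >> 1 == b >> 1 for a, b in zip(cover, stego))
    return changed, only_lsb


def lsb_ones_ratio(data, n):
    """Share of 1s in the LSB plane of the first n samples. Embedded data pushes
    this toward the bit balance of the payload, which is the crude statistical
    signal stego detectors look for in covers whose LSBs were structured."""
    return sum(b & 1 for b in data[:n]) / n


def run_demo():
    # Constructed cover: a smooth 8-bit ramp with every LSB clear (4096 samples).
    cover = bytes((i // 8 * 2) % 256 for i in range(4096))
    message = b"meet at dawn"
    stego = hide(cover, message)
    used = (4 + len(message)) * 8              # samples that carry payload bits
    changed, only_lsb = compare(cover, stego)
    return {
        "recovered": extract(stego),
        "changed": changed,
        "only_lsb": only_lsb,
        "cover_ratio": lsb_ones_ratio(cover, used),
        "stego_ratio": lsb_ones_ratio(stego, used),
    }


if __name__ == "__main__":
    print(run_demo())
```

Real images have noisier LSB planes than this ramp, so detectors use better statistics than a plain ones ratio, but the forensic lesson holds: compare against a known-clean copy of the cover when you have one, and otherwise look at the LSB plane rather than at the picture.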
Alternate Data Streams (NTFS): the New Technology File System allows alternate data streams. One file entry can carry multiple alternate data streams, of any size, which an ordinary directory listing does not show; the LADS tool listed on the sites slide, or dir /r on Windows Vista and later, enumerates them.
Slide 12 (no transcribed text)
Slide 13
Importance of Windows files:
SAM (SYSTEM32\CONFIG):
User names and user information such as the logon count and last login time
NTLDR:
NTLDR displays the installed operating systems in a boot menu and waits a specified number of seconds before loading the first one in the list
SYSTEM (SYSTEM32\CONFIG):
This hive records the USB devices that were connected and the exact timestamps of the drive operations performed
index.dat:
This file stores internet-related data: cookies and recent browsing history
Slide 14
Making a report for a forensic case:
Executive summary
Detailed activity log
Proof of process
Forensic image processing
Restoration and verification of images
Document evidence discovered during analysis
Slide 15
Terminology used:
• File slack
The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack"
• Data carving
Data carving or file carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing
Memory carving is a useful technique for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten
• Cluster
Data is stored in fixed-length blocks of bytes called clusters. Clusters are essentially groupings of sectors which are used to allocate the data storage area
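File slack, clusters and header/footer carving from the terminology above, as one added example that is not from the slides: it computes slack for a given file size and cluster size, then carves a constructed raw image without consulting any file system, recovering a PNG that survives only in the slack of a newer, shorter file and a JPEG that has no directory entry at all. The 4 KiB cluster size, the two-entry signature table and the disk layout are assumptions made for the demo.

```python
import math

CLUSTER = 4096  # cluster size assumed for the demo

# Header/footer signatures (hypothetical minimal set; real carvers ship hundreds).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def slack_bytes(file_size, cluster=CLUSTER):
    """Bytes between the end of a file and the end of its last allocated cluster."""
    return math.ceil(file_size / cluster) * cluster - file_size


def carve(image, signatures=SIGNATURES):
    """Header/footer carving over a raw image, ignoring the file system entirely.
    Each header found is cut up to the first matching footer after it. Returns
    (type, offset, bytes) sorted by offset. Caveat: fragmented files and files
    whose footer is missing are not recovered by this simple method."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:
                break
            end += len(tail)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found, key=lambda hit: hit[1])


def build_demo_image():
    """Constructed four-cluster 'disk' (16 KiB): cluster 0 holds a small text file
    whose slack still contains a PNG left over from an earlier, larger file;
    cluster 1 is unallocated and zeroed; clusters 2-3 hold a JPEG that has no
    directory entry at all."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x11" * 5000 + SIGNATURES["jpg"][1]
    text = b"quarterly report\n"
    cluster0 = bytearray(b"-" * CLUSTER)       # residue of the older file
    cluster0[200:200 + len(png)] = png
    cluster0[:len(text)] = text                # new, shorter file overwrites the start
    cluster1 = bytes(CLUSTER)
    tail = jpg + bytes(2 * CLUSTER - len(jpg))
    return bytes(cluster0) + cluster1 + tail, text, png, jpg


def run_demo():
    image, text, png, jpg = build_demo_image()
    hits = carve(image)
    return {
        "image_len": len(image),
        "text_slack": slack_bytes(len(text)),
        "hits": [(kind, off, len(data)) for kind, off, data in hits],
        "png_intact": any(data == png for _, _, data in hits),
        "jpg_intact": any(data == jpg for _, _, data in hits),
    }


if __name__ == "__main__":
    print(run_demo())
```

The 17-byte text file leaves 4079 bytes of slack in its cluster, and that slack is where the old PNG is found; a file-system-level copy of the text file would never include it, which is why Rule 3's bit-stream image, not a logical copy, is what gets carved.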
Slide 16
Sites:
AccessData - www.accessdata.com -- ACE
LADS - www.heysoft.de
Elcomsoft - www.elcomsoft.com
Helix - www.e-fense.com/helix/
Stego Suite - www.logon-int.com/product.asp
i2 Analyst's Notebook
www.forensicfocus.com
www.computerforensics1.com
www.forensics.nl
www.blogs.sans.org/computer-forensics/
Slide 17
THANK YOU