2008 CSI Challenge


Transcripts
Slide 1

2008 CSI Challenge

Slide 2

Welcome to the 2008 CSI Challenge: Computer Forensics
What you will learn in this presentation:
- What is computer forensics?
- The four "A"s
- How disk storage works
- How files live on disk
- Where evidence may reside
- What is slack space? What is unallocated space?
- Hex and ASCII representation
- Tools
- Steganography: recovering hidden data
- Requirements
- Glossary

Slide 3

What is Computer Forensics?
- The digital version of "CSI"
- Finds evidence of incidents on digital equipment: computers and drives, PDAs, iPods, cell phones, digital cameras and flash cards, network equipment
- Evidence must stand up in court

Slide 4

The 4 A's: Acquire, Archive, Analyze, Attest

Slide 5

Acquisition: Crime Scene Considerations
- Identify and acquire the evidence
- Preserve and process it physically: fingerprints and trace evidence
- Handling of magnetic media (drives, floppies, etc.): keep it away from magnets, equipment that generates magnetic fields, and static electricity (no plastic evidence bags, which build up static)
- Note where each item was found and under what conditions
- The nature of the material suggests where it may be hidden: between the pages of a book, inside a device
- Locate material that may help: user manuals, documents, passwords that may be written down

Slide 6

Acquisition
- Identify sources of data: hard drives; disks (floppy, CD, DVD); other devices such as digital cameras, cell phones and PDAs
- The technician must understand the technology involved in order to "archive" the data
- Once an item is seized as evidence, the technician makes a bit-for-bit forensic image of it and makes that image available to the analyst

Slide 7

Acquisition: Bit Image
- The image is a "bit-for-bit" snapshot of the disk
- This image is what the analyst works on
- The image contains everything on the disk: files, deleted files, "dead space" on the disk, and so on
- It cannot be read directly; the forensic software "interprets" the image and "sees" all of the files on the disk
- NEVER use the original media unless there is no other option; always use the bit-for-bit image if possible
- If you ever have to work from the original material, document that you did, along with the reason
- 2008 CSI Challenge teams will be given a bit-for-bit image to analyze; your team will not have to make this image
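An added example, not part of the slides or of FTK, of what the technician's imaging step does in code: read the source sector by sector with the device opened read-only, write the image, and hash both so the copy can be proven faithful (and any later change to the image detected). The 64-sector sample volume and the file names evidence.raw and evidence.dd are constructed for the example.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per sector, as on the slides


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source_path, image_path, chunk_sectors=2048):
    """Copy `source_path` sector by sector into `image_path`.

    Returns (source_sha256, image_sha256, bytes_copied). The source is opened
    read-only so the imaging step itself cannot alter the evidence; on a real
    case a hardware write-blocker enforces the same thing.
    """
    source_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(SECTOR * chunk_sectors)
            if not chunk:
                break
            source_hash.update(chunk)   # hash what was read from the device...
            dst.write(chunk)
            copied += len(chunk)
    # ...then hash the finished image independently. Equal digests prove the
    # image is a faithful bit-for-bit copy, deleted files and slack included.
    return source_hash.hexdigest(), sha256_file(image_path), copied


def verify_image(source_path, image_path):
    """True only while the image still hashes to the same value as the source."""
    return sha256_file(source_path) == sha256_file(image_path)


def make_demo_volume(path, sectors=64):
    """Constructed sample 'disk' (not real evidence): a live note at sector 0,
    a leftover fragment at sector 10, zero fill everywhere else."""
    data = bytearray(sectors * SECTOR)
    live = b"Dear Sir; We have read your proposal, and ... no way"
    leftover = b"yakkity yak ... meet at the usual place, bring the drive"
    data[0:len(live)] = live
    data[10 * SECTOR:10 * SECTOR + len(leftover)] = leftover
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo_image():
    """Image the constructed volume and report whether the copy verifies."""
    with tempfile.TemporaryDirectory() as workdir:
        src = make_demo_volume(os.path.join(workdir, "evidence.raw"))
        img = os.path.join(workdir, "evidence.dd")
        src_digest, img_digest, copied = image_device(src, img)
        return {"hashes_match": src_digest == img_digest,
                "verified": verify_image(src, img),
                "bytes_copied": copied}


def demo_tamper():
    """Flip one byte in the image after acquisition: verification must now fail."""
    with tempfile.TemporaryDirectory() as workdir:
        src = make_demo_volume(os.path.join(workdir, "evidence.raw"))
        img = os.path.join(workdir, "evidence.dd")
        image_device(src, img)
        with open(img, "r+b") as f:
            f.seek(5)
            f.write(b"X")
        return verify_image(src, img)


if __name__ == "__main__":
    print(demo_image())
    print("tamper detected:", not demo_tamper())
```

The digest recorded at acquisition time is what lets the analyst later show that the image examined in FTK is the same bit-for-bit copy the technician made.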

Slide 8

Analysis: Examination of your evidence
In Forensic Toolkit (FTK):
- Create a new case or open an existing case
- Add evidence to the case:
  - A drive (hard disk, floppy, USB flash drive, etc.)
  - A previously acquired bit image (2008 CSI Challenge teams will use this option)
  - A folder and its contents
  - Individual files

Slide 9

Analysis: Find the evidence
- Examine the structure of the disk itself for hidden data
- Suspicious files: renamed, modified or deleted
- Search for "strings" (a string is a group of characters, such as a name, a credit card number, or even part of a word) in files, in deleted files, and in "dead space" (slack or unallocated space, explained later)

Slide 10

Analysis
- Look for "stuff" in plain view: files, emails, etc.
- Look for hidden evidence:
  - Files renamed to appear as a different file type, e.g. a Word document renamed as a "jpg" image file
  - Stego'd files (see later)
  - Encrypted files: a password is required
    - Locate the password in existing evidence or at the crime scene
    - Guess the password (important dates, names, etc.); this might require personal knowledge of the suspect's background
    - "Crack" the password using a computer program (unlikely for the 2008 CSI Challenge: not enough time)

Slide 11

Analysis: File anomalies
- The file name does not match the file type
  - An internal "signature" in the file indicates the type of file; signatures are also called "magic numbers"
  - "JFIF" inside a file may mean it is really a JPG image file and not a text file or whatever the filename indicates
- File times are inconsistent
  - MAC times (Modification-Access-Creation)
  - It is possible for the creation time to be later than the modification time, depending on the OS and how the file was copied, etc.
- Compressed files (zip or other formats)
  - May be passworded, and may contain many files bundled into one
  - You should know how to "unzip" a file if it is compressed or "zipped"; the file name ends in ".zip"
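An added example, not from the slides or from FTK, of checking these anomalies programmatically: compare the internal signature (magic number) with the type the extension claims, list the contents of a zip held in memory, and flag MAC-time orderings that need an explanation in the report. The signature table holds only published header values; the sample files are constructed byte strings, not data from any case.

```python
import io
import zipfile

# Published header bytes ("magic numbers") that identify a file type regardless
# of its name. Longer signatures are checked before shorter ones.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file: Word/Excel 97-2003
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),                        # ZIP archive (also .docx, .jar, ...)
    (b"%PDF", "pdf"),
    (b"RIFF", "riff"),                             # WAV/AVI container; refined below
    (b"\xff\xd8\xff", "jpg"),                      # JPEG; "JFIF" usually follows at offset 6
    (b"BM", "bmp"),                                # weak (2 bytes): keep it last
]


def identify(data):
    """Return the type implied by the header bytes, 'txt' for plain ASCII, else 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            if kind == "riff":
                return "wav" if data[8:12] == b"WAVE" else "riff"
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "txt"
    return "unknown"


# Extensions that legitimately share a signature with another type.
ALIASES = {"jpeg": "jpg", "docx": "zip", "htm": "txt", "html": "txt", "csv": "txt"}


def check_extension(name, data):
    """Compare what the name claims with what the signature says ('bad signature' in FTK terms)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    return {"name": name, "claims": ext or "(none)", "actual": actual,
            "bad_signature": actual != "unknown" and claimed != actual}


def list_archive(data):
    """Names inside a ZIP held in memory; the analyst still has to know how to unzip."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


def mac_anomalies(modified, accessed, created):
    """Flag MAC-time orderings that need an explanation in the report.

    Timestamps may be any mutually comparable values (datetime objects, or ISO
    strings such as '2008-03-01T10:00'). A creation time later than the last
    modification is not proof of tampering: copying a file on many systems
    produces exactly that, so the report should say which it is.
    """
    notes = []
    if created > modified:
        notes.append("created after last modified: copied file, or backdated content")
    if accessed < created:
        notes.append("accessed before created: clock change or altered timestamps")
    return notes


def sample_evidence():
    """Constructed sample files (synthetic bytes, not from any real case)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "meeting at 9")
    return {
        "vacation.txt": jpeg,   # text file that is really a JPEG
        "photo.jpg": ole,       # Word 97-2003 document renamed to .jpg
        "report.doc": ole,      # genuinely a .doc
        "archive.zip": buf.getvalue(),
        "readme.txt": b"plain text, nothing hidden here\n",
    }


def scan(files):
    return {name: check_extension(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for result in scan(sample_evidence()).values():
        print(result)
    print(list_archive(sample_evidence()["archive.zip"]))
    print(mac_anomalies("2008-03-01T10:00", "2008-03-05T08:00", "2008-03-04T09:00"))
```

The two-byte "BM" signature shows why a signature check is evidence to weigh rather than proof: a text file that happens to begin with "BM" would be reported as a bitmap, so a flagged mismatch should be confirmed by opening the file in the matching application.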

Slide 12

Analysis: Critical thinking: the investigative part!
- Incriminating evidence (or exculpatory evidence, which excludes a suspect)
- Finding new avenues of inquiry: emails, recently used files, visited websites, snippets or fragments of information, including slack space...

Slide 13

Archive: Saving the evidence for later use, once you are done with the case, in case you have to review your work.

Slide 14

Attest
- Reporting of analysis results: written competency
- Testimony: expert witness; verbal and non-verbal skills
- Any reporting of results by 2008 CSI Challenge teams should be clear and readable, using whole sentences to express your findings

Slide 15

Explaining units of storage
This is a basic explanation of how information is stored on a computer's disk.
- Byte: the basic unit of storage, roughly equivalent to a "character". About 1,000,000 bytes = 1 megabyte (1 MB), which holds about a million typewritten characters
- Sector: how bytes are organized on disk; 512 bytes per sector
- Cluster: a group of sectors. Floppy disk: 1 sector per cluster. Hard drive: depends on the system

Slide 16

How a file is written
- Sectors are grouped into "clusters"
- A cluster can be 1 sector/cluster (512 bytes), 2 sectors/cluster (1024 bytes), 4 sectors/cluster (2048 bytes) or 8 sectors/cluster (4096 bytes)
- On a floppy, we use one sector per cluster
- When we need space for a file, the system gives us a whole cluster (not just a sector)

Slide 17

Slack Space
- When we write a file using a cluster, we have "left over" room in the cluster. This is called "slack space"
- Information can reside in slack space
- We cannot say that the person who wrote the file in that cluster also put the slack information into that cluster
- Clusters can be reused once a file is deleted: they are returned to a pool of unallocated clusters (they do not belong to any file)
- If these clusters have not been used for writing another file, it is possible to recover the "deleted" file

Slide 18

Cluster and slack space (diagram)
Cluster (512 bytes): we write about 100 bytes; the rest is "slack".
File: "This is an example of a cluster containing information ..."
Slack: "... yakkity yak ... Dear Sir; We have read your proposal, and ... no way"
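An added example, not from the slides, that models the last four slides and the string search from "Find the evidence" in one piece: a toy cluster-allocated volume in which deleting a file only frees its clusters, so a later, shorter file leaves the old bytes in its slack and a deleted file that was never overwritten stays recoverable from unallocated space. The volume, the file names and their contents are all constructed for the example; the search classifies each hit the way a forensic tool does, as belonging to a file, lying in that file's slack, or sitting in unallocated space.

```python
SECTOR = 512  # bytes per sector, as on the slides


class ToyVolume:
    """A tiny cluster-allocated volume, a constructed stand-in for a FAT-style disk.

    Deleting a file only returns its clusters to the free pool; the bytes stay on
    'disk' until another file reuses the cluster. That is exactly what makes slack
    space, unallocated space and deleted-file recovery possible.
    """

    def __init__(self, clusters=16, sectors_per_cluster=1):
        self.cluster_size = SECTOR * sectors_per_cluster
        self.disk = bytearray(clusters * self.cluster_size)
        self.free = list(range(clusters))    # unallocated clusters, lowest first
        self.files = {}                      # name -> (size_in_bytes, [cluster numbers])

    @staticmethod
    def clusters_needed(size, cluster_size):
        """Ceiling division: a 1-byte file still costs a whole cluster."""
        return -(-size // cluster_size)

    def write(self, name, data):
        count = self.clusters_needed(len(data), self.cluster_size)
        if count > len(self.free):
            raise OSError("disk full")
        chosen, self.free = self.free[:count], self.free[count:]
        for i, cluster in enumerate(chosen):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = cluster * self.cluster_size
            # Only len(chunk) bytes are overwritten. Whatever the rest of the
            # last cluster held before stays there: that is the slack space.
            self.disk[start:start + len(chunk)] = chunk
        self.files[name] = (len(data), chosen)
        return chosen

    def delete(self, name):
        """Unlink the file; its data is untouched and its clusters become reusable."""
        _, clusters = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def slack(self, name):
        """Bytes after the file's end in its last cluster: not written by this file."""
        size, clusters = self.files[name]
        used_in_last = size - (len(clusters) - 1) * self.cluster_size
        last = clusters[-1] * self.cluster_size
        return bytes(self.disk[last + used_in_last:last + self.cluster_size])

    def region(self, offset):
        """Classify a disk offset as ('file', name), ('slack', name) or ('unallocated', None)."""
        cluster = offset // self.cluster_size
        for name, (size, clusters) in self.files.items():
            if cluster in clusters:
                logical = clusters.index(cluster) * self.cluster_size + offset % self.cluster_size
                return ("file" if logical < size else "slack", name)
        return ("unallocated", None)

    def search(self, needle):
        """String search over the whole image, like a forensic tool's keyword search."""
        hits, start = [], 0
        while (i := self.disk.find(needle, start)) != -1:
            kind, owner = self.region(i)
            hits.append({"offset": i, "cluster": i // self.cluster_size,
                         "region": kind, "file": owner})
            start = i + 1
        return hits

    def carve_unallocated(self):
        """Recover leftover content from clusters that belong to no file."""
        out = {}
        for cluster in self.free:
            start = cluster * self.cluster_size
            content = bytes(self.disk[start:start + self.cluster_size]).rstrip(b"\x00")
            if content:
                out[cluster] = content
        return out


def demo():
    """Constructed scenario: an old note fills a cluster and is deleted, a short
    letter then reuses that cluster, and a draft is written and deleted without
    ever being overwritten."""
    vol = ToyVolume()
    old_note = (b"yakkity yak " * 20 + b"card 4111-1111-1111-1111 exp 12/09").ljust(SECTOR, b" ")
    vol.write("old_note.txt", old_note)
    vol.delete("old_note.txt")
    vol.write("letter.txt", b"Dear Sir; We have read your proposal, and ... no way")
    vol.write("memo.txt", b"Nothing to see here.")
    vol.write("draft.txt", b"meet at the pier at midnight")
    vol.delete("draft.txt")
    return vol


if __name__ == "__main__":
    vol = demo()
    print("clusters for 4097 bytes at 4 KiB/cluster:", ToyVolume.clusters_needed(4097, 4096))
    print("slack of letter.txt:", vol.slack("letter.txt").strip())
    for hit in vol.search(b"4111-1111-1111-1111") + vol.search(b"midnight"):
        print(hit)
    print("unallocated:", vol.carve_unallocated())
```

The card number is found in the slack of letter.txt even though the letter's author never wrote it, which is the point the slack-space slide makes about attribution: the hit is real, but it belongs to whoever wrote the earlier file, not necessarily to the owner of letter.txt.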

Slide 19

Oh no! Should I worry about hexadecimal?
- No. For the 2008 CSI Challenge you may see hexadecimal notation of the disk's data alongside the readable "English" data. It is shown here so you will recognize it when you see it in FTK (see the next screen). You will not be responsible for knowing "hex".
- Computers really only know "numbers". Certain numbers (values) are associated with letters of the alphabet. For instance, a hexadecimal value of "44" is a capital "D", hex "20" is a space, and hex "64" is a lowercase "d". This is known as the ASCII code.

Slide 20

[Screenshot: FTK's hex view, with the hex data (numeric) beside its ASCII (alphabetic) rendering and an upper-case "D" called out]
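An added example, not from the slides and not FTK's own code, of the view the previous two slides describe: a small hex dump in the usual offset / hex / ASCII layout, plus the two conversions the slide illustrates with "44", "20" and "64". The sample bytes are constructed: a JPEG header followed by readable text, the mix an analyst actually sees when paging through an image.

```python
def hexdump(data, width=16, base=0):
    """Render bytes as a forensic hex viewer does: offset, hex column, ASCII column.

    Bytes outside printable ASCII (0x20..0x7e) are shown as '.', so binary
    headers stay visible while readable text such as 'Dear Sir' jumps out.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_col = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_col}  {ascii_col}")
    return "\n".join(lines)


def ascii_to_hex(text):
    """'D d' -> '44 20 64': the three values named on the slide."""
    return " ".join(f"{b:02x}" for b in text.encode("ascii"))


def hex_to_ascii(hex_text):
    """'44 20 64' -> 'D d'; unprintable values come back as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in bytes.fromhex(hex_text))


# Constructed sample (not from any case): a JPEG/JFIF header, then readable text.
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
          + b"Dear Sir; We have read your proposal")

if __name__ == "__main__":
    print(hexdump(SAMPLE))
    print(ascii_to_hex("D d"))
    print(hex_to_ascii("44 20 64"))
```

The "JFIF" string stands out in the ASCII column while the bytes around it render as dots, which is what lets an analyst spot a JPEG inside a file that calls itself a text document.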

Slide 21

Tools
Software such as FTK (which you will use) contains tools that allow you to:
- Acquire an evidence image
- Identify deleted files, and possibly recover a deleted file
- Search the bit image: search for a string of text (a last name, etc.); identify the files containing the string; identify whether the area found belongs to a file or lies in slack space
- Examine attributes of files: hidden, deleted, file times, and mismatches between the file name and the actual file type ("bad signature": a txt file may really be a "jpg" file)
- Show thumbnails of image-type files
- Export files (or sections of them) to gather them in one place
- Bookmark key findings (highlight important findings)
- Document the case for the report (times, investigator, etc.)

Slide 22

Tools: Existing software
- Word, Adobe, etc.: open files of that format. The analyst must know how the application software works
- PKZIP, WinZip, WinRAR: extract compressed files
- Steganography (S-Tools): extract files from a "stego'd" file. S-Tools uses BMP, GIF or WAV files as "containers" to hide other files, and can be used to reveal and extract hidden files

Slide 23

FTK Forensic ToolKit (AccessData)
- The demo version allows analysis of cases with a maximum of 5000 files
- Add your evidence image file, analyze it, document your results
- You will use FTK to add your evidence to a new case and analyze it

Slide 24

Steganography
- Hidden information inside a file: a file inside a file (container file and message file)
- Can be passworded/encrypted
- The "container" (stego'd) file is either a "bmp" or "gif" image type; it can also be a "sound" file
- Found on a hard drive, on someone's iPod, etc.
- Files can be embedded in a Word document (or other documents, such as web pages) or be a "standalone" file on someone's hard drive
- S-Tools can be downloaded to reveal stego'd evidence
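An added example, not from the slides and not S-Tools' own format, of the basic technique behind a BMP container: hide a message one bit at a time in the least significant bit of each pixel byte, so the image looks unchanged, then read it back. This plain version omits what S-Tools adds on top (a passphrase that encrypts the hidden data), and the length-prefix layout, the 8x8 gradient image and the message are all constructed for the example.

```python
import struct


def make_bmp(width, height, pixels):
    """Wrap a raw BGR pixel buffer in a minimal uncompressed 24-bit BMP (54-byte header).

    Rows must already be padded to a multiple of 4 bytes, as BMP requires.
    """
    row_bytes = (width * 3 + 3) & ~3
    if len(pixels) != row_bytes * height:
        raise ValueError("pixel buffer does not match width/height")
    file_header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixels)


def pixel_array(bmp):
    """Return (offset, mutable copy of the pixel bytes) using the header's own offset field."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP container")
    offset = struct.unpack_from("<I", bmp, 10)[0]
    return offset, bytearray(bmp[offset:])


def capacity(bmp):
    """Bytes of message that fit: one bit per pixel byte, minus the 4-byte length prefix."""
    _, px = pixel_array(bmp)
    return len(px) // 8 - 4


def hide(bmp, secret):
    """Embed `secret` (with a little-endian length prefix) in the pixel LSBs."""
    offset, px = pixel_array(bmp)
    payload = struct.pack("<I", len(secret)) + secret
    if len(payload) * 8 > len(px):
        raise ValueError(f"container holds {capacity(bmp)} bytes, secret is {len(secret)}")
    for i, byte in enumerate(payload):
        for bit in range(8):
            j = i * 8 + bit
            # Clear the low bit of the pixel byte and set it to the message bit,
            # most significant bit first. Each pixel byte changes by at most 1.
            px[j] = (px[j] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bmp[:offset] + bytes(px)


def reveal(bmp):
    """Read the length prefix, then the message, from the pixel LSBs; None if implausible."""
    _, px = pixel_array(bmp)

    def read_bytes(count, start):
        out = bytearray()
        for i in range(count):
            value = 0
            for bit in range(8):
                value = (value << 1) | (px[start + i * 8 + bit] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(4, 0))[0]
    if length > (len(px) - 32) // 8:
        return None   # random LSBs decode to a nonsense length: not a carrier from hide()
    return read_bytes(length, 32)


def demo_carrier():
    """Constructed 8x8 gradient image (24 bytes per row, so no row padding is needed)."""
    pixels = bytes((i * 7) % 256 for i in range(24 * 8))
    return make_bmp(8, 8, pixels)


if __name__ == "__main__":
    cover = demo_carrier()
    stego = hide(cover, b"meet at 9")
    print("capacity:", capacity(cover), "bytes; same size:", len(stego) == len(cover))
    print("revealed:", reveal(stego))
```

Because every pixel byte moves by at most one unit, the stego'd file has the same size and looks identical to the eye; what gives it away to an examiner is the carrier's hash no longer matching the original image, or a tool such as S-Tools being found on the same drive.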

Slide 25

2008 CSI Challenge Requirements
- Laptop with CD-ROM drive
- Software: Windows XP or Vista; Microsoft Office (2003 or later); AccessData's Forensic ToolKit (FTK); S-Tools; WinZip or the ability to unzip files on your drive (this should already be built into Windows when you right-click a zipped file name)
- Tutorials (including this one) can be found on the website

Slide 26

Glossary
- ASCII: Computers only know numbers. ASCII is a "code" that associates numbers with letters or characters of the alphabet.
- Bit: Binary digit; a "one" or a "zero".
- Byte: A grouping of eight bits, representing a numerical value from 0 to 255. It can also represent a "character" or letter of the alphabet.

Slide 27

Glossary
- Bit-for-bit image: Also known as a bitstream image. A "snapshot" of a piece of evidence, taken in a forensically sound manner (no alteration of the original evidence).
- Bitstream image: See bit-for-bit image.

Slide 28

Glossary
- Cluster: A group of sectors. Files are written by the system using clusters. Floppy clusters are 1 sector per clu
