Live Legal sciences Instructional exercise Section 1: Customary Crime scene investigation.

Uploaded on:
Category: Medical / Health
Straight to the point: Forensics scientist, Ph.D. in software engineering (OSU), R&D, GCFA affirmation, bad habit seat DFRWS ... Proof of unseemly utilization of PC assets or assaults ...
Slide 1

Live Forensics Tutorial Part 1: Traditional Forensics Frank Adelstein, Ph.D. Specialized Director, Computer Security, ATC-NY GIAC-affirmed Digital Forensics Investigator Golden G. Richard III, Ph.D. Partner Professor, Dept. of Computer Science, University of New Orleans GIAC-confirmed Digital Forensics Investigator Co-Founder, Digital Forensics Solutions, LLC

Slide 2

Course Overview – The Big Picture Introduction Traditional Forensics/Background Network Forensics Live Forensics Demo Wrap-up You are here

Slide 3

Instructor Background Frank: Forensics scientist, Ph.D. in software engineering (OSU), R&D, GCFA confirmation, bad habit seat DFRWS Golden: Professor, Ph.D. in software engineering (OSU), instructs criminological courses, GCFA, author Digital Forensic Solutions, LLC, seat DFRWS

Slide 4

Course Goals and Disclaimer Goals Gain a comprehension of what data live legal examination can give and additionally its restrictions See how live legal sciences fits into the 10,000 foot view of different investigation methods Disclaimers This is not lawful guidance 6 hours doesn\'t make you a specialist

Slide 5

Technical Definition: Digital Forensics "Apparatuses and strategies to recuperate, safeguard, and look at advanced confirmation on or transmitted by computerized gadgets." PLUS information recuperation

Slide 6

Definition for the Masses "Erased" data, on any sort of advanced stockpiling media, is never totally "gone"… Digital Forensics is the arrangement of devices and systems to recoup this data in a forensically legitimate manner (i.e., satisfactory by an official courtroom)

Slide 7

Motivation Deleted documents aren\'t safely erased Recover erased record + when it was erased! Renaming records to stay away from recognition is pointless Formatting plates doesn\'t erase much information Web-based email can be (halfway) recouped straightforwardly from a PC Files exchanged over a system can be reassembled and utilized as confirmation

Slide 8

Motivation (2) Uninstalling applications is substantially more troublesome than it may show up… "Unstable" information sticks around for quite a while (even crosswise over reboots) Remnants from already executed applications Using encryption legitimately is troublesome, in light of the fact that information isn\'t valuable unless decoded Anti-legal sciences (protection improving) programming is for the most part broken "Huge" magnets (by and large) don\'t work Media mutilation (with the exception of in the compelling) doesn\'t work Basic empowering influence: Data is difficult to murder

Slide 9

Traditional Digital Forensics Investigation What\'s conceivable? Recuperation of erased information Discovery of when records were changed, made, erased, composed Can figure out which stockpiling gadgets were appended to a particular PC Which applications were introduced, regardless of the fact that they were uninstalled by the client Which sites a client went to…

Slide 10

Traditional (2) What\'s not… If advanced media is totally (physically) decimated, recuperation is incomprehensible If computerized media is safely overwritten, recuperation is, exceptionally muddled, or outlandish

Slide 11

Privacy Through Media Mutilation or forensically-secure document erasure programming (however ensure it works!) degausser

Slide 12

Who Needs It? Law implementation Prosecution of wrongdoings which include PCs or other computerized gadgets Defend the pure Prosecute the liable Must take after strict rules amid whole criminology procedure to guarantee confirmation will be permissible in court Military Prosecution of inside PC related violations Own rules, numerous ordinary legitimate issues don\'t have any significant bearing

Slide 13

Who (2) Security organizations (e.g., Secret Service, CIA, FBI, NSA) Anti-psychological oppression endeavors Some arrangements for this exertion unwind customary protection watches More on this soon, yet for instance, regularly court order is served and individual knows he is being examined Patriot Act debilitates a few necessities for court orders

Slide 14

Who (3) General Employee unfortunate behavior in corporate cases What transpired PC? For incidental erasure or pernicious cancellation of information by a client (or a system), what can be recouped? Requirement for strict rules and documentation amid recuperation procedure could conceivably be vital Privacy advocates What should be possible to guarantee protection? Premise: Individuals have a privilege to protection. By what means can people guarantee that their computerized information is private? Extremely troublesome, unless solid encryption is utilized, then stockpiling of keys turns into the troublesome issue

Slide 15

Digital Forensics: Goals (1) Identification of potential computerized proof Where may the confirmation be? Which gadgets did the suspect use? Conservation of confirmation On the wrongdoing scene… First, balance out proof… anticipate misfortune and pollution Careful documentation of everything—what\'s snared, how it\'s snared… If conceivable, make indistinguishable, piece level duplicates of proof for examination

Slide 16

Digital Forensics: Goals (2) Careful extraction and examination of proof Directory and record examination Presentation of consequences of examination (if fitting) "The FAT was fubared, yet utilizing a hex proofreader I changed the principal byte of index section 13 from 0xEF to 0x08 to reestablish \'HITLIST.DOC\'… " "The suspect endeavored to shroud the Microsoft Word report "HITLIST.DOC" however I could recuperate it by amending some filesystem accounting data, without altering the record substance." Legal: Investigatory necessities meet security

Slide 17

Digital Forensics: Constraints Order of instability Some information is more unpredictable RAM > swap > circle > CDs/DVDs Idea: catch more unstable proof first Chain of care Maintenance of ownership records for all Must have the capacity to follow proof back to unique source "Demonstrate" that source wasn\'t adjusted

Slide 18

Legal issues Investigative needs versus the privilege to protection Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution Fifth Amendment and Encryption Wiretap laws Chain of care Admissibility of confirmation in court: Daubert Essentially: Has hypothesis or strategy being referred to been tried? Is blunder rate known? Far reaching acknowledgment inside an applicable academic group? Loyalist Act Greatly extends legislative forces regarding seeking, wiretap w/o earlier warning

Slide 19

Investigatory Process: Needs Acceptance Steps and strategies are acknowledged as substantial Reliability Methods can demonstrated to bolster discoveries e.g., strategy for recouping a picture from swap space can be appeared to be exact Repeatability Process can be recreated by autonomous specialists

Slide 20

Investigatory (2) Integrity Evidence is not adjusted (if at all conceivable) and can demonstrate that was not modified (or measure the extent to which it was changed) Cause and impact Can indicate solid intelligent associations between people, occasions, and proof Documentation Entire procedure recorded, with every progression logical and legitimate

Slide 21

The Beginning: Incident Alert System executive notification bizarre conduct on a server (moderate, hanging… ) Intrusion identification framework cautions chairman of suspicious system movement Company all of a sudden loses a considerable measure of offers Citizen reports criminal action Computer repair focus sees youngster erotica amid a PC repair, advises police Murder, PC at the scene Murder, casualty has a PDA Law implementation: must research Corporate/military: may explore, contingent upon seriousness, different needs

Slide 22

Crime Scene Document, archive, report! Photos delineating the association of gear, cabling Detailed stock of proof Proper taking care of methods, turn on, leave off guidelines for every kind of computerized gadget e.g., for PC: Photograph screen, then disengage all force sources Place proof tape over every drive opening Photograph/graph and name back of PC segments with existing associations Label all connectors/link closures to permit reassembly as required If transport is required, bundle segments and transport/store parts as delicate freight

Slide 23

Examples of Digital Evidence Computers progressively included in criminal and corporate examinations Digital confirmation may assume a backing ing part or be the "smoking firearm" Email Harassment or dangers Blackmail Illegal transmission of inside corporate reports

Slide 24

Examples (2) Meeting focuses/times for medication bargains Suicide letters Technical information for bomb making Image or advanced video records (esp., kid erotic entertainment) Evidence of unseemly utilization of PC assets or assaults Use of a machine as a spam email generator Use of a machine to appropriate illicitly replicated programming

Slide 25

Sources of Digital Evidence Computers Email Digital pictures Documents Spreadsheets Chat logs Illegally duplicated programming or other copyrighted material

Slide 26

Digital Evidence on a Disk Files Active Deleted Fragments File metadata Slack space Swap document System data Registry Logs Configuration information

Slide 27

More Sources (1) Wireless phones Numbers called Incoming calls Voice mail access numbers Debit/Mastercard numbers Email addresses Call sending numbers PDAs/Smart Phones Above, in addition to contacts, maps, pictures, passwords, archives, …

Slide 28

More Sources (2) Landline Telephones/Answering machines Incoming/active messages Numbers called Incoming call information Access codes for voice message frameworks Contact records Copiers Especially advanced copiers, which may store whole duplicate occupations

Slide 29

More Sources (3) Video diversion frameworks Basically PC frameworks, particularly XBox. GPS gadgets Routes, way-focuses Digital cameras Photos (self-evident) additionally video, subjective records on capacity cards (SD, memory stick, CF, … )

Slide 30

Preservation of Evidence Stabilize proof Depends on gadget classification, however should keep unstable gadgets upbeat Whenever conceivable, make duplicates of unique confirmation Write blocking gadgets and other innovation to guarantee that confirmation is not adjusted are regularly utilized Careful! Not

View more...