Cyber Forensic Tools Presentation Transcript
1.Cyber Forensic Tools
2.Computer Forensics: A Brief Overview
The scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer.
The field of computer forensics began to evolve more than 30 years ago in the United States.
With the growth of the Internet and the increasing number of devices connected to it, computer crime is increasing rapidly.
3.Computer Crimes
4.Tools for Computer Forensics
5.Three Branches
Network forensics
Database forensics
Mobile Device forensics
6.Network Forensics
Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
Two kinds of systems:
1. "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage, usually a RAID array.
2. "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for later analysis. This approach requires less storage but may need a faster processor to keep up with incoming traffic.
Whatever is not saved at capture time cannot be recovered later, so the choice between the two fixes which questions the investigation will be able to answer.
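The "stop, look and listen" approach, as an added example for this page (not code from any tool the slides name): each packet record is examined once in memory and discarded, and only per-flow metadata survives. The packet records, the 64-byte flow record size and the flag letters are constructed assumptions; a real collector would read records from a capture library.

```python
"""Flow summariser in the "stop, look and listen" style.

Each packet record is examined once in memory and discarded; only per-flow
metadata (5-tuple, packet and byte counts, first/last seen, TCP flags) is kept.
PACKETS is a constructed sample; in practice records come from a capture
library. Example written for this page, not code from any tool the page names.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    flags: set = field(default_factory=set)


# Constructed records: (ts, src_ip, src_port, dst_ip, dst_port, proto, length, tcp_flags)
PACKETS = [
    (1.00, "10.0.0.5", 51234, "203.0.113.10", 22, "tcp", 60, "S"),
    (1.01, "203.0.113.10", 22, "10.0.0.5", 51234, "tcp", 60, "SA"),
    (1.02, "10.0.0.5", 51234, "203.0.113.10", 22, "tcp", 52, "A"),
    (1.50, "10.0.0.5", 51234, "203.0.113.10", 22, "tcp", 1500, "PA"),
    (2.00, "10.0.0.5", 51234, "203.0.113.10", 22, "tcp", 1500, "PA"),
    (2.10, "10.0.0.7", 40000, "198.51.100.2", 53, "udp", 70, ""),
    (2.11, "198.51.100.2", 53, "10.0.0.7", 40000, "udp", 120, ""),
    (9.00, "10.0.0.5", 51234, "203.0.113.10", 22, "tcp", 52, "F"),
]

FLOW_RECORD_BYTES = 64  # assumed size of one stored flow record


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def summarise(packets):
    """One pass over the packets; nothing but the Flow records survives."""
    flows = defaultdict(Flow)
    for ts, sip, sport, dip, dport, proto, length, flags in packets:
        f = flows[flow_key(sip, sport, dip, dport, proto)]
        if f.packets == 0:
            f.first_seen = ts
        f.packets += 1
        f.octets += length
        f.last_seen = ts
        f.flags.update(flags)  # a string of flag letters; each letter becomes a set member
    return dict(flows)


def storage_comparison(packets, flows):
    """Bytes a full capture would write versus bytes the flow summary needs."""
    full = sum(p[6] for p in packets)
    return full, len(flows) * FLOW_RECORD_BYTES


def top_talkers(flows, n=3):
    return sorted(flows.items(), key=lambda kv: kv[1].octets, reverse=True)[:n]


if __name__ == "__main__":
    flows = summarise(PACKETS)
    for key, f in top_talkers(flows):
        print(key, f.packets, f.octets, round(f.last_seen - f.first_seen, 2), "".join(sorted(f.flags)))
    print("full capture bytes vs summary bytes:", storage_comparison(PACKETS, flows))
```

The summary answers "who talked to whom, how much, and when" but not "what was said": the 3 000 bytes pushed over the SSH session are counted, not kept. That is the trade the slide describes.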
7.Database forensics
The forensic study of databases and the data they hold.
Currently many database software tools are not reliable and precise enough to be used for forensic work.
8. Mobile Device forensics
Recovering stored evidence from devices such as cell phones, digital cameras, PSPs, and iPods.
Mobile devices are used to store several types of personal information, such as contacts, photos, calendars, and notes.
These devices can therefore be expected to play an important role in forensics.
9.Computer Forensic Companies
AccessData
ACR Data Recovery, Inc.
Burgess Consulting and Forensics
Center for Computer Forensics
Computer Forensics Associates
10.When is it used?
In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
To recover data in the event of a hardware or software failure.
To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
To gather evidence against an employee that an organization wishes to terminate.
To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
11.Common cases
Financial crimes
Drug crimes
Child Pornography
Adultery
Murders/ Suicides
12.How it is Performed
There are five basic steps to a computer forensics investigation:
1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting
13.Preparation
The investigator must have the proper training for the specific operations of the investigation.
Tools that are used to generate reports for court should be validated.
There are many tools used in the field, and the investigator needs to determine the proper tool for the case.
An interview with the user can yield valuable information about the system configuration, applications, encryption keys, and methodology.
In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined, special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes that authority stems from a search warrant.
14.Collection
Collection sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, and USB memory devices.
Other sources include the settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages.
Special care must be taken when handling computer evidence. Most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place unless a hash of the original was recorded first.
15.Collection Practices
Image computer media through a write-blocking tool to ensure that nothing is written to the suspect device, and hash both the original and the image to prove they match.
Establish and maintain the chain of custody.
Document everything that has been done.
Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
16.Examination
Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence.
Forensic laboratories have detailed plans describing acceptable methods for handling physical evidence.
The evidence stored in these physical items is latent: it exists only as electronic states on the media and must be made visible with software and hardware.
Procedures and techniques are software and hardware solutions to specific forensic problems.
17.Procedures and techniques
Procedures are step-by-step instructions.
A laboratory may require that examinations be conducted, where possible and practical, on copies of the original evidence.
Digital evidence can be duplicated exactly to create a copy that is true and accurate, and a hash of original and copy is how that claim is demonstrated.
The examiner must decide how to implement this principle on a case-by-case basis.
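The collection practice of imaging through a write blocker and the requirement that examinations run on an exact copy both rest on the same check: the image must hash to the same value as the source, and that value must be recorded. The following is an added example written for this page (not the code of any tool the slides name). The "device" is a constructed file of random bytes in a temporary directory, and the case identifier and examiner name are assumed values; a real acquisition would read the block device through a write blocker instead.

```python
"""Raw acquisition with verification and a chain-of-custody record.

The copy is hashed as it is read from the source and the written image is
re-read and hashed independently; the two must agree before the image is used.
The "device" is a constructed file of random bytes in a temp dir; case id and
examiner are assumed values. A real acquisition would read the block device
through a write blocker. Example written for this page, not any tool's code.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def image_device(source_path, image_path, chunk=CHUNK):
    """Copy source to image chunk by chunk, hashing the bytes as they are read."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path, chunk=CHUNK):
    """Independent re-read of a file on disk, used to check the image that was actually written."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source_path, image_path, case_id, examiner):
    """Image, verify, and return the record that goes into the case file."""
    started = datetime.now(timezone.utc).isoformat()
    source_hashes = image_device(source_path, image_path)
    image_hashes = hash_file(image_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes
        and os.path.getsize(source_path) == os.path.getsize(image_path),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(record):
    """Later check: the working image must still hash to what was recorded at acquisition."""
    return hash_file(record["image"]) == record["source_hashes"]


def demo(tamper=False):
    """Acquire a constructed 3 MiB device; optionally flip one bit in the image afterwards."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))
        record = acquire(src, img, case_id="CASE-0001", examiner="J. Examiner (assumed)")
        if tamper:
            with open(img, "r+b") as fh:
                fh.seek(17)
                byte = fh.read(1)[0]
                fh.seek(17)
                fh.write(bytes([byte ^ 0x01]))
        return record, verify_image(record)


if __name__ == "__main__":
    record, still_valid = demo()
    print({k: v for k, v in record.items() if k != "image_hashes"})
    print("clean image verifies:", still_valid)
    print("tampered image verifies:", demo(tamper=True)[1])
```

The two hash passes are deliberate: hashing only the bytes in flight proves what was read, not what landed on disk. Re-reading the written image catches a bad sector on the destination or a write that silently failed, and the recorded digests are what every later examiner compares against before trusting a working copy.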
18.Analysis
All digital evidence must be analyzed to determine the type of information stored on it.
Specialty tools are used to display and interpret that information.
Analysis tools include AccessData's FTK, Guidance Software's EnCase, Technology Pathways' ProDiscover, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit.
Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.
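Two of the analysis steps above, file carving (what Scalpel does) and keyword searching, are shown in the following added example written for this page; it is not Scalpel's or The Sleuth Kit's code. The raw image is built in memory from zero filler with a synthetic JPEG, a synthetic PNG, a header-only truncated JPEG and a keyword planted in "unallocated" space. Only the file signatures are real; the payloads and the maximum carve lengths are constructed assumptions.

```python
"""Header/footer carving and keyword search over a raw image.

This is the technique Scalpel applies (written here for the page, not Scalpel's
or The Sleuth Kit's code). The image is built in memory: zero filler with a
synthetic JPEG, a synthetic PNG, a header-only truncated JPEG and a keyword
planted in "unallocated" space. Only the signatures are real; payloads are
made up, and the max_len values are assumed.
"""
import re

# (type, header, footer, max_len): max_len bounds the footer search, as a scalpel.conf rule does
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2_000_000),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2_000_000),
]


def carve(data, signatures=SIGNATURES):
    """Return (type, offset, length, complete) for every header found.

    A header whose footer is not found within max_len yields a truncated carve
    (to max_len or end of data) flagged complete=False so it is not mistaken
    for an intact file."""
    hits = []
    for ftype, header, footer, max_len in signatures:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window_end = min(len(data), start + max_len)
            end = data.find(footer, start + len(header), window_end)
            if end == -1:
                hits.append((ftype, start, window_end - start, False))
            else:
                hits.append((ftype, start, end + len(footer) - start, True))
    return sorted(hits, key=lambda h: h[1])


def extract(data, hits):
    """Name carved objects by sequence number, as carvers do, since the file name is gone."""
    return {f"{i:04d}.{t}": data[off:off + ln] for i, (t, off, ln, _) in enumerate(hits)}


def keyword_search(data, keywords):
    """Case-insensitive search in ASCII and UTF-16LE, the two encodings Windows artefacts use."""
    found = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            for m in re.finditer(re.escape(kw.encode(enc)), data, flags=re.IGNORECASE):
                found.append((kw, enc, m.start()))
    return sorted(found, key=lambda f: f[2])


def build_image():
    """Constructed raw image; offsets are fixed by the filler sizes below."""
    def zeros(n):
        return b"\x00" * n
    payload = bytes(range(0x20, 0x7F)) * 40          # 3800 printable bytes, never 0xFF
    jpeg = b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x01" * 500 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + payload[:300]     # header survives, rest overwritten
    return (zeros(512) + jpeg + zeros(4096) + png + zeros(1000) + truncated
            + zeros(100) + b"invoice" + zeros(100) + "invoice".encode("utf-16-le") + zeros(500))


if __name__ == "__main__":
    image = build_image()
    for hit in carve(image):
        print(hit)
    print(keyword_search(image, ["invoice"]))
```

The truncated JPEG is the case a practitioner cares about: carving by signature alone cannot tell an intact file from a header whose body was overwritten, so the carve is flagged incomplete and its length is only an upper bound. Searching UTF-16LE as well as ASCII matters because registry values, shortcut files and much of NTFS metadata store strings that way and an ASCII-only search misses them.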
19. Reporting
Once the analysis is complete, a report is generated.
This report may be a written report, oral testimony, or some combination of the two.
20.What tools are needed and what do they do?
CRCMD5
DIBS Forensic Workstation
DRIVESPY
FileList
FILTER/Filter I
NTI-DOC
21.CRCMD5
Mathematically creates a unique signature (an MD5 hash) for the contents of one, multiple, or all files on a given storage device.
Signatures such as these are used to identify whether or not the contents of one or more computer files have changed.
The tool produces a 128-bit MD5 digest and can easily be run from a floppy diskette to benchmark the files on a specific storage device.
Benchmarking can help computer specialists isolate problems and deal with computer incidents after they occur (such as altered evidence and modifications).
Caveat: MD5 collisions are practical today, so a matching MD5 alone no longer proves that a file was not deliberately substituted; current practice records SHA-256 alongside MD5.
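A benchmark of the kind CRCMD5 produces, as an added example written for this page (not NTI's code): a signature for every file under a directory, a portable text form of the signature file, and a comparison against a later run that reports what was added, removed or modified. MD5 is kept because that is what the tool produced; SHA-256 is recorded beside it for the reason given in the caveat above. The directory contents are constructed in a temporary directory.

```python
"""File-signature benchmark in the spirit of CRCMD5.

baseline() records a signature for every file under a directory and compare()
reports added, removed and modified files against a later run. MD5 is kept
because that is what CRCMD5 produced; SHA-256 is stored next to it because MD5
collisions are practical today. to_lines()/from_lines() give the signature file
a portable text form. The directory contents are constructed in a temp dir.
Example written for this page, not NTI's code.
"""
import hashlib
import os
import tempfile


def file_signature(path, chunk=1 << 16):
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": os.path.getsize(path)}


def baseline(root):
    """relative path -> signature for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = file_signature(full)
    return manifest


def compare(old, new):
    """A file is modified when any of md5, sha256 or size differs between the two runs."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def to_lines(manifest):
    """Tab-separated signature file: md5, sha256, size, path."""
    return [f"{s['md5']}\t{s['sha256']}\t{s['size']}\t{p}" for p, s in sorted(manifest.items())]


def from_lines(lines):
    out = {}
    for line in lines:
        md5, sha, size, path = line.rstrip("\n").split("\t", 3)
        out[path] = {"md5": md5, "sha256": sha, "size": int(size)}
    return out


def demo():
    """Benchmark a constructed tree, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for rel, content in {"docs/report.txt": b"quarterly numbers\n",
                             "notes.txt": b"call bob\n",
                             "old.log": b"x" * 100}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        before = baseline(root)
        # changes made after the benchmark: an edit, a deletion, a new file
        with open(os.path.join(root, "docs", "report.txt"), "ab") as fh:
            fh.write(b"(edited)\n")
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "new.bin"), "wb") as fh:
            fh.write(b"\x00\x01")
        after = baseline(root)
        return compare(before, after), from_lines(to_lines(before)) == before


if __name__ == "__main__":
    diff, roundtrip_ok = demo()
    print(diff, "signature file round-trips:", roundtrip_ok)
```

The signature file has to be stored somewhere the suspect system cannot reach (the slide's floppy diskette served that purpose); a baseline kept on the benchmarked media can be rewritten along with the files it describes.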
22.Other tools used
23.Hardware & Software
24.Forensic Machine
Includes USB, FireWire, a media reader, removable hard drive bays, an internal write blocker, a CD/DVD burner, a floppy drive, connections for laptops, and lots of memory.
Type: FRED (Digital Intelligence)
25.Write Blocker
Devices that allow acquisition of the information on a drive without creating the possibility of accidentally altering the drive contents.
They do this by allowing read commands to pass while blocking write commands, hence their name.
Validate the blocker itself before relying on it: a drive attached through it should hash the same before and after an examination machine has mounted it and attempted to write.
Types: FastBloc, FireFly, Tableau, MyKey, and USB Write Blocker
26.Additional Items
Printer: to produce professional-looking reports and good images
Digital camera and several memory cards
DVDs: for archiving the case
Hard drives: several big ones
Floppy diskettes
Electrical wire labels: used to label cable connections to hard drives so they can be reconnected easily after a drive is removed for imaging
Tool kit: containing a screwdriver with many heads, needle-nose pliers, tweezers, a flashlight, etc.
27.Forensic Examination
28.Password Cracking
The process of recovering passwords from data that has been stored in or transmitted by a computer system.
Tools: Revelation, Password Recovery Toolkit, and Advanced Password Recovery Toolkit
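How the recovery tools above work when the stored data is a password hash, as an added example written for this page (not code from Revelation or either Password Recovery Toolkit): candidates are generated from a wordlist plus mangling rules and each is run through the same derivation until a digest matches. The stored record format, wordlist, rules and the deliberately low iteration count are constructed for the example.

```python
"""Offline dictionary attack with mangling rules against stored password hashes.

Password recovery tools work this way: take the stored hash and its parameters,
generate candidates from a wordlist plus rules (capitalisation, common
suffixes), and derive each one until a digest matches. The records, wordlist
and rules here are constructed; the iteration count is kept very low so the
example runs in well under a second. Example written for this page, not code
from Revelation or the Password Recovery Toolkit.
"""
import hashlib
import os

ITERATIONS = 1000          # deliberately low for the example; real KDFs use far more
SUFFIXES = ["", "1", "123", "!", "2009", "2009!"]
WORDLIST = ["password", "letmein", "forensic", "summer", "dragon"]


def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(user, password, iterations=ITERATIONS):
    """Constructed stored form: user:$pbkdf2-sha256$iterations$salt$digest (hex fields)."""
    salt = os.urandom(8)
    return f"{user}:$pbkdf2-sha256${iterations}${salt.hex()}${derive(password, salt, iterations)}"


def parse_record(line):
    user, rest = line.split(":", 1)
    _, algo, iters, salt_hex, digest = rest.split("$")
    return user, algo, int(iters), bytes.fromhex(salt_hex), digest


def candidates(wordlist, suffixes=SUFFIXES):
    """Mangling rules: word as typed and capitalised, each with every suffix; no duplicates."""
    seen = set()
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(records, wordlist):
    """user -> recovered password, or None when the wordlist and rules do not cover it."""
    cands = list(candidates(wordlist))   # generate once; the KDF work is per record
    results = {}
    for line in records:
        user, algo, iters, salt, digest = parse_record(line)
        if algo != "pbkdf2-sha256":
            raise ValueError(f"unsupported hash type {algo} for {user}")
        results[user] = next((c for c in cands if derive(c, salt, iters) == digest), None)
    return results


def demo():
    records = [
        make_record("alice", "Forensic123"),
        make_record("bob", "letmein"),
        make_record("carol", "correct horse battery staple"),   # not reachable from this wordlist
    ]
    return crack(records, WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(user, "->", pw if pw else "(not recovered)")
```

The per-user salt is why the candidates cannot be hashed once and reused across records, and the iteration count is what sets the cost of each guess: at realistic parameters the same 60 candidates per user take seconds rather than microseconds, which is the whole point of a slow KDF. The user interview mentioned under Preparation is often the cheaper route to the same password.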
29.Email
Email Examiner
DBXtract
Mailbag Assistant
DataLifter
NeoTrace Pro (to help trace emails)
VisualRoute (to help trace emails)
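Tracing an email, which the last two tools above assist with, starts from the Received headers: every server on the path prepends one, so reading them bottom-up reconstructs the route and the first hop is the best evidence of origin. The following is an added example written for this page (not code from NeoTrace Pro, VisualRoute or the other tools listed). The message is constructed and uses documentation address ranges.

```python
"""Reconstruct the delivery path of a message from its Received headers.

Mail servers prepend a Received header at each hop, so reading them bottom-up
gives the route in chronological order; the first hop's IP is the best evidence
of origin, and negative or implausible gaps between hops hint at forged headers
or skewed clocks. RAW is a constructed message with documentation IP ranges.
Example written for this page, not code from any tool it names.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW = b"""Return-Path: <sender@example.org>
Received: from mx.example.com (mx.example.com [192.0.2.25])
\tby mail.example.net with ESMTP id abc123
\tfor <victim@example.net>; Tue, 03 Mar 2009 10:05:12 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.com with ESMTPS id xyz789; Tue, 03 Mar 2009 10:05:10 +0000
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.example.org with ESMTPA; Tue, 03 Mar 2009 10:05:01 +0000
Message-ID: <20090303100500.1234@example.org>
From: "A. Sender" <sender@example.org>
To: victim@example.net
Subject: invoice
Date: Tue, 03 Mar 2009 10:04:58 +0000

Please see attached.
"""

HOP = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hop(value):
    flat = " ".join(value.split())            # unfold the header
    m = HOP.search(flat)
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
    hop = {"from": None, "from_ip": None, "by": None, "time": when}
    if m:
        ip = IPV4.search(m.group("info") or "") or IPV4.search(m.group("frm"))
        hop.update({"from": m.group("frm"), "from_ip": ip.group(0) if ip else None, "by": m.group("by")})
    return hop


def trace(raw):
    """Hops in chronological order (Received headers are stored newest first)."""
    msg = email.message_from_bytes(raw)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(hops):
    return hops[0]["from_ip"] if hops else None


def hop_delays(hops):
    """Seconds between consecutive hops; a negative value means the headers disagree with each other."""
    times = [h["time"] for h in hops]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:]) if a and b]


if __name__ == "__main__":
    hops = trace(RAW)
    for h in hops:
        print(h["time"].isoformat(), h["from"], h["from_ip"], "->", h["by"])
    print("origin:", originating_ip(hops), "delays:", hop_delays(hops))
```

Only the Received lines added by servers you trust are evidence: a sender can prepend fake ones below their own, so the reliable part of the chain starts at the first server under the recipient's (or a cooperating provider's) control, and the earlier lines are leads to be corroborated with that server's logs.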
30.Internet History
NetAnalysis
DataLifter
Quick View Plus
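What a history tool such as NetAnalysis has to do under the hood, as an added example written for this page (not the code of NetAnalysis, DataLifter or Quick View Plus): read the browser's SQLite database, decode its timestamps, unpack the visit-type field and join each visit to its referrer. The schema is a reduced subset of Chrome's urls/visits tables, the rows are constructed, and only three of Chrome's transition types are decoded.

```python
"""Timeline from a Chrome-style History database.

Chrome stores visits in SQLite with timestamps as microseconds since
1601-01-01 UTC (WebKit time), not Unix time, and the transition column packs
qualifier bits above the core type, so both must be decoded before the history
is readable. The schema here is a reduced subset of Chrome's urls/visits
tables and the rows are constructed; TRANSITIONS lists only three core types.
Example written for this page, not code from NetAnalysis or any other tool.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CORE_MASK = 0xFF                                   # low byte holds the core transition type
TRANSITIONS = {0: "link", 1: "typed", 8: "reload"}  # subset of Chrome's core types

SCHEMA = """
CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                  typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                    from_visit INTEGER, transition INTEGER);
"""


def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_webkit(dt):
    d = dt - WEBKIT_EPOCH
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def load_constructed(conn):
    """Populate the reduced schema with a made-up browsing session."""
    conn.executescript(SCHEMA)
    t0 = to_webkit(datetime(2009, 3, 3, 10, 0, tzinfo=timezone.utc))
    minute = 60 * 1_000_000
    urls = [
        (1, "https://example.org/", "Example", 2, 1, t0 + 60 * minute, 0),
        (2, "https://example.org/invoice.pdf", "invoice", 1, 0, t0 + 5 * minute, 0),
        (3, "https://search.example/?q=delete+browser+history", "delete browser history", 1, 1, t0 + 120 * minute, 0),
    ]
    visits = [  # transition values carry Chrome's chain-start/chain-end qualifier bits (0x30000000)
        (1, 1, t0, 0, 0x30000001),
        (2, 2, t0 + 5 * minute, 1, 0x30000000),
        (3, 1, t0 + 60 * minute, 0, 0x30000008),
        (4, 3, t0 + 120 * minute, 0, 0x30000001),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", urls)
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", visits)


def timeline(conn):
    """Every visit in time order with decoded timestamp, transition type and referrer."""
    rows = conn.execute("""
        SELECT v.id, u.url, u.title, v.visit_time, v.transition, ref.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits pv ON pv.id = v.from_visit
        LEFT JOIN urls ref ON ref.id = pv.url
        ORDER BY v.visit_time""").fetchall()
    return [{"visit_id": vid, "time": from_webkit(ts), "url": url, "title": title,
             "transition": TRANSITIONS.get(tr & CORE_MASK, f"core={tr & CORE_MASK}"),
             "referrer": ref}
            for vid, url, title, ts, tr, ref in rows]


def typed_urls(conn):
    """URLs the user typed rather than clicked: stronger evidence of intent."""
    return [r[0] for r in conn.execute("SELECT url FROM urls WHERE typed_count > 0 ORDER BY last_visit_time")]


def demo():
    conn = sqlite3.connect(":memory:")
    load_constructed(conn)
    return timeline(conn), typed_urls(conn)


if __name__ == "__main__":
    entries, typed = demo()
    for e in entries:
        print(e["time"].isoformat(), e["transition"], e["url"], "<-", e["referrer"])
    print("typed:", typed)
```

Work on a copy of the History file, never the live one: the browser holds it open and may have unflushed changes in its write-ahead log, and deleted history often survives in freed SQLite pages that a normal query will not return, which is where carving the database file itself comes in.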
31.Insurance
Yergey Insurance
A family owned and operated agency
Specialize in Private Investigators and Private Detectives, Background Investigators, Process Servers, Security Consultants, Security Guards, Technology and Computer Related Firms
http://www.yergeyins.com/private_investigator_insurance.html
32.Related websites
Htcia.org
Cops.org
Forensic-intel.com
Usdoj.gov
Htcn.org
SamSpade.org
Dmares.com
Toolsthatwork.com
Mykeytech.com