
Digital Forensics and Demonstration of Basic Forensic Techniques Thanks to… Jim Gordon MSc MBCS Worcester University 12th Nov 2012 Digital Infrastructure.


1 Digital Forensics and Demonstration of Basic Forensic Techniques
Thanks to… Jim Gordon MSc MBCS, Worcester University, 12th Nov 2012, Digital Infrastructure

2 Format of the Presentation
- One hour presentation
- Examples
- Followed by two hours 'Hands On'
- Review/Wash up

3 Basic Principles
- Association of Chief Police Officers (ACPO) Guidelines on Computer Evidence
- Establish the basic principles of acquiring evidence from computer systems
- These principles are accepted by the courts in the United Kingdom

4 ACPO Principle 1
- No action taken by the Police or their agents should change the data held on a computer or other media.
- Where possible, computer data must be 'copied' and the copy examined.

5 ACPO Principle 2
- In exceptional circumstances it may be necessary to access the original data held on a target computer.
- However, it is imperative that the person doing so is competent and can account for their actions.

6 ACPO Principle 3
- An audit trail must exist to show all the processes undertaken when examining computer data.
- Many forensic tools record logs of the processes performed and the results obtained.

7 ACPO Principle 4
- The onus rests with the person in charge of the case to show that a computer has been correctly examined in accordance with the law and accepted practice.

8 Forensic Imaging Process
- Make a bit-wise image of the contents of the digital media
- Store the original media and carry out the forensic analysis using the copy image
- If it is necessary to switch on the suspect machine:
  - Restore the image to another drive and install it in the suspect's machine, or
  - Mount the image and start it in a Virtual Machine
- Retrieve evidence in a readable form

9 Image Hard Disk

10 Check BIOS Settings
- Disconnect hard drive(s) and switch on
- Check BIOS date and time
- Check machine-specific settings

11 Image all other Storage Media

12 Mobile Phone and PDA Forensics
- Handset, Memory Card and SIM Card Examinations
- Handset Examination: Logical Dump, File System Dump, Physical Dump, JTAG Dump, Chip Off
- In certain cases, SIM cloning is a requirement

13 Global Positioning Systems
- Previous Destinations (sometimes a Route or Way Points)
- Favourite Destinations
- Link to mobile phone (Bluetooth): Contacts, Addresses, Phone numbers
- Owner Details: Home Address
- Unallocated: Previous Owners

14 Forensic Examination Process
- Decide on the best forensic tool(s) for the job
- Expand ALL compound files
- Hash ALL file streams
- Perform File Signature Analysis
- Perform Entropy Test
- Generate Index and/or Thumbnails of graphics
- Carve Data
- Carve Meta Data

15 Forensic Tools
- Accepted by the court and validated in case law
- Non-invasive computer forensic investigative tools
- Cater for large volumes of data
- Read FAT, NTFS, HFS, UNIX and LINUX, and proprietary phone systems
- Integrated environment allows users to perform all functions of a forensic analysis
- Tools shown: FTK, EnCase, X-Ways, Cellebrite, XRY, Oxygen

16 Expand All Compound Files
- Archive Files: ZIP, RAR
- Complex Files: OLE (Object Linking and Embedding)
- Mail Boxes: Outlook.pst, Inbox.dbx
- Operating System Files: Thumbs caches, Internet History

17 MD5 (Message Digest 5)
- Generates a unique 128-bit value for each file or data stream
- Example MD5 hashes, for the streams “This is a small text file.” and “This is a small text file” (the inputs differ only by the trailing full stop):
  MD5 = a08a8cf89436f18ea8084817357a59c1
  MD5 = 271979ddf56c38805b7562046984fe40
- An MD5 hash can be used to:
  - Identify files to be ignored (OS files)
  - Identify files of importance (contraband files)
- Hash ALL file streams

18 File Signature Analysis
- Check the file header to determine if the file has the correct extension
- Highlight files with a mismatch for manual checking

  Header           Extension        Type        Result
  4d 5a 90 ..      .exe .dll .com   Executable  Match
  ff d8 ff e0 ..   .vxd             JPEG        Mismatch
  ****             .txt             TEXT        Unknown

19 Entropy Test
- Can identify files that may be encrypted or compressed
- An automated frequency analysis algorithm is used to determine if the file content is encrypted
- Files identified are then exported from the image and transferred to specialist decryption software
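Slides 17 to 19 are the three per-stream checks of the examination process (hash every stream, compare header with extension, test entropy). The following is an added example, not code from the talk, that runs all three over a handful of constructed sample streams; the hash sets, file names and the 7.5 bits-per-byte entropy threshold are assumptions chosen for the demonstration.

```python
import hashlib, math, os.path

# Constructed sample streams standing in for files expanded out of an image (not real evidence).
SAMPLE_FILES = {
    "notes.txt": b"This is a small text file.",
    "notes2.txt": b"This is a small text file",                # same text without the full stop
    "tool.exe": b"\x4d\x5a\x90\x00" + b"\x00" * 60,            # MZ header, matching extension
    "photo.vxd": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4,  # JPEG header, wrong extension
}
# Header bytes -> (file type, extensions that legitimately carry that header), as on slide 18
SIGNATURES = {
    b"\x4d\x5a\x90": ("Executable", {".exe", ".dll", ".com"}),
    b"\xff\xd8\xff\xe0": ("JPEG", {".jpg", ".jpeg"}),
}
def md5_stream(data):
    """Slide 17: one MD5 per file stream, the key into the ignore and contraband hash sets."""
    return hashlib.md5(data).hexdigest()

def signature_check(name, data):
    """Slide 18: compare the header with the extension; returns (type, Match/Mismatch/Unknown)."""
    ext = os.path.splitext(name)[1].lower()
    for magic, (ftype, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return ftype, "Match" if ext in exts else "Mismatch"
    return "Unknown", "Unknown"

def entropy_bits_per_byte(data):
    """Slide 19: Shannon entropy of the byte frequencies; near 8.0 suggests encrypted/compressed."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def triage(files, ignore_hashes, contraband_hashes, entropy_threshold=7.5):
    """Run the three checks over every stream and return name -> list of findings."""
    report = {}
    for name, data in files.items():
        digest = md5_stream(data)
        if digest in ignore_hashes:  # known OS file: nothing further to do
            report[name] = ["ignore: known OS file"]
            continue
        findings = []
        if digest in contraband_hashes:
            findings.append("contraband hash match")
        ftype, result = signature_check(name, data)
        if result == "Mismatch":
            findings.append(f"signature mismatch: {ftype} header on {name}")
        if entropy_bits_per_byte(data) >= entropy_threshold:
            findings.append("high entropy: possibly encrypted or compressed")
        report[name] = findings
    return report
```

Note that the two `notes` streams, differing by one byte, produce completely different digests, which is why the slide hashes every stream rather than relying on names or sizes.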

20 Generate Index
- Generate an index of all strings of characters in the disk image
- Speeds up subsequent searches of the suspect image
- The index can be used as a dictionary for password cracking

21 GREP (General Regular Expressions)
- GREP can be utilised for 'fuzzy' searching or pattern matching
- The above expression will find credit card numbers
\

22 Optical Character Recognition
- Making text in pictures searchable

23 Generate Thumbnails
- Pre-generation of thumbnail images assists in graphics-based cases when large numbers of suspect images exist

24 Data Carve
- Search through all allocated and unallocated data streams for known headers and recreate pointers to files

25 Meta Carve
- Search unallocated clusters for folder/sub-directory entries and rebuild them if found

26 What happens when a file is deleted?
- The Windows operating system tracks files (user data) using either a File Allocation Table or a Master File Table.
- In simple terms, the FAT or MFT tells the computer where the file begins and ends.
- Macintosh uses a similar system known as Nodes.

27 What happens when a file is deleted?
- When a file is deleted, the operating system deletes the pointers to the file, and in the FAT or MFT the space occupied by the file is marked as available.
- The computer does not delete the actual data that was contained in the file.

28 Recycle Bin Forensics
- Hidden system folder: Win 95/98 called Recycled; Win2K, NT/XP/2003 called Recycler
- Hidden system file named INFO2; INFO2 contains Original Filename, Deleted Date & Time
- Vista/Win7: $Recycle.bin; Original Filename, Deleted Date & Time contained in separate files for each deleted record

29 Recycle Bin
- SID can be mapped to a user via the Registry
- The hidden system file in the Recycle Bin called INFO2 maps the filename to the actual name and path it was deleted from

30 Recycle Bin Vista/Win 7
- Under $Recycle.bin and SID:
  - $I file contains the Original File path and filename, and the date and time of Deletion
  - $R file contains the Recovery data

31 Examination of the Recycle Bin
- Most forensic tools will parse the data from the INFO2 file

32 Extracting Vista/Win 7 Recycle Bin
- Forensic tools will extract and display the information for the examiner.
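Slides 28 to 32 say the Vista/Win 7 $I file holds the original path and the deletion time and that tools parse it for the examiner. As an added example (not from the talk), here is a minimal parser for that record. The byte layout is the version-1 $I format as I know it, not something the slides state: an 8-byte version field of 1, an 8-byte original size, an 8-byte Windows FILETIME of the deletion, then 520 bytes of UTF-16LE path. The sample record, path and deletion time are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_FILE_SIZE = 8 + 8 + 8 + 520  # version-1 $I record: header, size, FILETIME, 260 UTF-16 chars

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01), integer arithmetic."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    """Windows FILETIME -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def build_i_file(original_path, size, deleted_utc):
    """Constructed $I record so the parser can run offline (sample data, not an evidence file)."""
    path = original_path.encode("utf-16-le")
    return struct.pack("<QQQ", 1, size, to_filetime(deleted_utc)) + path.ljust(520, b"\x00")

def parse_i_file(blob):
    """Recover what slide 30 lists: original path and name, size, date and time of deletion."""
    if len(blob) < I_FILE_SIZE:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version != 1:
        raise ValueError(f"unsupported $I record version {version}")
    path = blob[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size, "deleted_utc": from_filetime(ft)}

def r_file_name(i_file_name):
    """The $R file holding the recovery data (slide 30) shares the $I file's random suffix."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]

# Constructed sample: a file deleted on the day of the talk, 12 Nov 2012, 10:30 UTC.
SAMPLE_DELETED_UTC = datetime(2012, 11, 12, 10, 30, tzinfo=timezone.utc)
SAMPLE_I_FILE = build_i_file("C:\\Users\\bob\\Documents\\notes.txt", 1234, SAMPLE_DELETED_UTC)

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I_FILE), "->", r_file_name("$IABC123.txt"))
```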

33 FDISK
- What happens when someone FDisks a drive to remove a partition?
- The 16 bytes for the partition entry within the MBR are zeroed
- The actual partition, including its data, is untouched

34 FDISK
- Partition recovery is simple
- Locate the VBR
- Forensic software will recover the partition including its directory structure
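Slides 33 and 34 describe why a partition removed with FDISK is recoverable: only its 16-byte MBR entry is zeroed, so the volume boot record is still on disk and can be found by scanning. The following is an added example, not code from the talk, that builds a small constructed disk image with one NTFS partition, zeroes the entry as the slide describes, and rebuilds it by locating the VBR; the image geometry, the CHS dummy values and the use of the NTFS OEM id plus the 0x55AA signature as the VBR marker are my assumptions.

```python
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "  # bytes 3..10 of an NTFS volume boot record (VBR)

def build_sample_image(start_lba=63, sectors=64):
    """Constructed 128-sector disk: an MBR whose entry 0 points at an NTFS VBR at start_lba."""
    img = bytearray(SECTOR * 128)
    # 16-byte entry: status, CHS start (dummy), type 0x07 (NTFS), CHS end (dummy), LBA start, count
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", start_lba, sectors)
    img[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"          # jump instruction that opens an NTFS boot sector
    vbr[3:11] = NTFS_OEM_ID
    vbr[510:512] = b"\x55\xaa"
    struct.pack_into("<Q", vbr, 0x28, sectors)  # BPB TotalSectors field (constructed value)
    img[start_lba * SECTOR:(start_lba + 1) * SECTOR] = vbr
    return img

def parse_mbr(img):
    """Non-empty MBR partition entries as (type, start_lba, sectors)."""
    parts = []
    for i in range(4):
        raw = bytes(img[446 + 16 * i:462 + 16 * i])
        if raw != bytes(16):
            ptype, start, size = struct.unpack("<xxxxBxxxII", raw)
            parts.append((ptype, start, size))
    return parts

def zero_partition_entry(img, index):
    """What slide 33 describes FDISK doing: only the 16-byte entry is zeroed, data is untouched."""
    img[446 + 16 * index:462 + 16 * index] = bytes(16)

def find_ntfs_vbrs(img):
    """Slide 34, 'locate VBR': scan every sector for an NTFS OEM id plus a 0x55AA signature."""
    hits = []
    for lba in range(len(img) // SECTOR):
        s = img[lba * SECTOR:(lba + 1) * SECTOR]
        if s[3:11] == NTFS_OEM_ID and s[510:512] == b"\x55\xaa":
            hits.append(lba)
    return hits

def recover_partitions(img):
    """Rebuild (start_lba, sectors) for each VBR found, reading the BPB TotalSectors field."""
    return [(lba, struct.unpack_from("<Q", img, lba * SECTOR + 0x28)[0]) for lba in find_ntfs_vbrs(img)]
```

On a real image the scan would also be run against sector-aligned candidates only and checked against the partition's own structures before trusting the rebuilt entry.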

35 ReFormat
- What happens when you reformat a drive to delete data?

36 Helix Pro

37 Helix Pro
- Totally new Windows side
- Not just a new interface
- Totally new code base
- Very fast data acquisition

38 Helix Pro - Windows 7
- Everything works correctly
- Images all RAM, including on a 64-bit OS

39 Helix Pro
- Linux side very similar to 2.0
- Some new tools for mobile phone acquisitions

40 Helix Pro


42 Helix Pro
- Can run in as little as 10 seconds
- Resulting PDF can be as high as 400 pages
- Can take a while to produce

43 Helix Pro


45 Helix Pro - Listener


47 Helix Pro - Sender

48 Helix Pro Easy Exercise
- Image your RAM
- Set up a listener with your buddy and send and receive RAM images

49 Helix Pro - Hashing

50 Easy Exercise
- Hash your USB key

51 Helix Pro - Searching

52 AccessData FTK Imager

53 Digital Forensics and Demonstration of Basic Forensic Techniques
Jim Gordon MSc MBCS, Worcester University, 12th Nov 2012, Digital Infrastructure

54 Assignment 1 guidance
- Most of the concepts have already been covered
- You will also need to show evidence that you've used a forensic disk analysis tool
- WinHex has a "free" version
- Locate and download it now, and save the zip file to your newly acquired USB stick; you'll use this in LG022 after the break…

