
1 Forensic Investigation Techniques Michael Jones

2 Overview
Purpose
People
Processes
Michael Jones, Digital Forensic Investigations

3 The (Digital) Forensic Process
Diagram of the process stages: Scene, Store and Laboratory, with Chain of Custody spanning all three.
– Scene: photographs, Faraday bags
– Laboratory: imaging (forensically sound copying); analyse file system and analyse files; produce report

4 Review: Logical and Physical Views
Logical view
– As seen via the file manager
Physical view
– What is (physically) on the device
Questions
– Why might these be different?
– What is ‘striping’?
– Is ‘physical’ really physical?

5 Imaging
Low (device) level
– Duplicating the bit sequence
– Output is a file
– Multiple copies may be taken
Verification
– Applying (hashing) algorithms to device and copy: MD5, SHA1
– If device and copy hashes match then the copy is forensically sound
Devices and copies returned to (case) store

6 Analysing the Image
Before: apply hashing algorithms
Processes:
– Identify file system
– Scan for known file types
– Compare with logical view
– Match logical and physical views and identify deleted files
– Deeper analysis
After: apply hashing algorithms

7 Digital Forensics Triage
Triage
– Quick analysis to identify priorities
– Why?
Focus on logical view
– Plus deleted files
Ideal outcomes of triage

8 Main Analysis
That which is actually there
– File dates and times
– File and directory (folder) names
– Metadata
That which might require interpretation
– Examples: encoding and encryption; file manipulation (e.g., changing the first byte of a jpeg)

9 Finding Hidden Files
In *nix (including OS X) and Windows
– Hidden files have names starting with ‘.’
In *nix
– Files with names ending in ‘~’ are also hidden
Finding hidden files
– Via the ‘View’ menu
– Using the ‘ls -a’ command in the Terminal

10 Deeper Analysis
Can be time consuming
Secondary data
– Additional processes needed
Examples
– Encoding and encryption
– Steganography, e.g., Snow
– Use of slack space, unused space

11 Summary
Rigorous processes need to be followed
– E.g., ACPO guidelines
All investigations produce documentation
All documents and artefacts must be labelled and stored appropriately
Chain of custody must be unbroken

12 Conducting a Digital Forensic Investigation

13 Overview
Creating the image
– Copying the device to a file
– Verifying the copy
Creating a logical copy
– Drag and drop
Carving the image (creating the physical view)
– E.g., using foremost
Identifying the deleted files
Analysing the (logical and physical) files

14 Assignment 1
Supplied: a zip file
– Only the logical view (once extracted)
– Physical view not included
File carving not relevant
Will not be able to identify any deleted files
– Why might this not be that important?

15 Organisation of the Secure Store
Diagram: a Secure directory containing four subdirectories: Analysis, Physical, Logical and Image

16 Organising the Analysis
Identifying the file types
– Identifying incorrect extensions
Processing order options:
– By directory/folder
– By file type
– By file name
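Identifying incorrect extensions means checking the bytes a file starts with against what its name claims (the check behind the ‘extensions’ sheet of slide 23, and the reason the altered first byte of a jpeg in slide 8 matters). The following shell script is an added example, not part of the lecture: its signature table is a constructed subset of common types, and the directory walker assumes it is given the Logical copy as its argument.

```shell
#!/bin/sh
# Added example (not from the lecture): compare a file's extension with the
# type implied by its first bytes, the check behind the 'extensions' sheet.
# The signature table is a constructed subset covering common types.

# Print the type implied by the first four bytes of $1, or "unknown".
magic_type() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$sig" in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        25504446) echo pdf ;;
        504b0304) echo zip ;;
        *)        echo unknown ;;
    esac
}

# Lower-cased extension of file name $1 (empty if there is none).
extension_of() {
    name=${1##*/}
    case "$name" in
        *.*) printf '%s' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '' ;;
    esac
}

# Verdict for one file: ok, mismatch, unknown (no signature matched) or
# ignored (bin/dat, which the assignment says to leave out). A jpeg whose
# first byte was altered, as in slide 8, no longer matches and shows as unknown.
check_extension() {
    ext=$(extension_of "$1")
    case "$ext" in bin|dat) echo ignored; return 0 ;; esac
    type=$(magic_type "$1")
    [ "$type" = unknown ] && { echo unknown; return 0; }
    [ "$ext" = jpg ] && ext=jpeg          # both spellings are valid for JPEG
    if [ "$ext" = "$type" ]; then echo ok; else echo mismatch; fi
}

# Walk a tree and print one tab-separated line per file for the 'extensions'
# sheet: path, extension, signature type, verdict.
extension_report() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s\t%s\t%s\t%s\n' "$f" "$(extension_of "$f")" \
            "$(magic_type "$f")" "$(check_extension "$f")"
    done
}
```

Run as `extension_report Logical > Analysis/extensions_YYYY-MM-DD-HH-MM-SS.txt` from the secure store; the "unknown" rows are the ones that still need a manual look.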

17 Conducting the Analysis
At least 4 windows involved
– View of logical files
– View of physical files
– Command (terminal) window
– Web browser
Command window located at the secure store
– All commands executed from there

18 Documenting the Analysis
Need to document:
– Process (e.g., finding comments in HTML)
– Source (i.e., the file)
– Result
– Date and time
– Investigator
What if nothing was found?

19 Documenting a Process
‘Finding comments in HTML documents’
– Can be ambiguous
Need to specify exact actions:
– E.g., ‘open with text editor and search for “<!--” using the Edit/Find menu entry’
These should be included in an appendix to the report

20 Example Command
exiftool Logical/* > Analysis/exiftool_YYYY-MM-DD-HH-MM-SS.txt
This will find the metadata of all files in the Logical directory and put them in a file in the Analysis directory
Replace ‘YYYY-MM-DD-HH-MM-SS’ with the current date and time
Repeat the command for all subdirectories

21 Repeating Commands
Two main techniques:
– Manual: use the up arrow to access previous commands, then manually edit the commands to apply to another file; OK for small datasets
– Programmatic: create a program (or shell script) to iterate through a set of files; needed for large datasets
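The programmatic technique, applied to the exiftool command of slide 20 and recording the five fields slide 18 asks for, as an added shell example that is not part of the lecture. It assumes the slide 15 layout (Logical/ and Analysis/ side by side) and that it is run from the secure store as slide 17 says; the TOOL and INVESTIGATOR variables, the process.log file and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture): apply one tool to the files in every
# subdirectory of the Logical copy, writing each output to
# Analysis/<tool>_<timestamp>_<dir>.txt and appending a line per run to
# Analysis/process.log with the five fields of slide 18 (process, source,
# result, date and time, investigator). Assumes the slide 15 layout and that
# it is run from the secure store, as on slide 17.

TOOL=${TOOL:-exiftool}     # the command to repeat; override for a dry run
INVESTIGATOR=${INVESTIGATOR:-"INVESTIGATOR NAME (placeholder)"}

# Timestamp in the YYYY-MM-DD-HH-MM-SS form of the lecture's example command.
stamp() { date +%Y-%m-%d-%H-%M-%S; }

# Run TOOL over the regular files directly inside $1 and save the output under
# $2. The directory name is folded into the output file name so runs on
# different subdirectories within the same second cannot overwrite each other.
run_on_dir() {
    src=$1; out=$2
    result=$out/${TOOL%% *}_$(stamp)_$(printf '%s' "$src" | tr '/' '_').txt
    # An empty directory still yields an (empty) output file and a log line, so
    # "nothing found" is recorded too (slide 18). Tool warnings go to the same file.
    find "$src" -maxdepth 1 -type f -exec $TOOL {} + > "$result" 2>&1
    printf '%s\t%s\t%s\t%s\t%s\n' "$TOOL" "$src" "$result" \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$INVESTIGATOR" >> "$out/process.log"
    echo "$result"
}

# Repeat for the directory given and every subdirectory beneath it, in a
# fixed (sorted) order so the run is reproducible.
run_on_tree() {
    find "$1" -type d | sort | while read -r d; do run_on_dir "$d" "$2"; done
}
```

Invoking `run_on_tree Logical Analysis` replaces the per-subdirectory repetition of slide 20; process.log is the raw material for the report's appendix of processes.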

22 Recording Data
Potentially interesting data is recorded
– Via the ‘evidence summary’ spreadsheet
Do NOT change the column headings
In FC assignments:
– Each piece of data has 2 elements: Attribute (e.g., First Name 1 of 4) and Value (e.g., Fred)
Care when inserting data
– Make sure all cells are of type ‘text’

23 Assignment 1 Tasks
Retrieve ‘interesting’ data
– Record on ‘data’ sheet
Identify pictures (people, buildings, cars, etc.)
– Record on ‘images’ sheet
Identify sounds
– Record on ‘sounds’ sheet
Identify files with incorrect extensions
– Record on ‘extensions’ sheet
Note: ignore ‘bin’ and ‘dat’ extensions

24 Assignment Submission
2 files
– Evidence summary spreadsheet: XLSX, must be readable by Excel (2007 onwards)
– Technical report: PDF
Report structure
– Numbered headings and subheadings
– Hyperlinked table of contents
– Processes and findings

25 Verifying the Analysis
Issue: how can we know if the analysis has been tampered with
– Or the image, logical, or physical elements?
Solution: hashing
– But keeping the hashes elsewhere
But: cannot hash a directory
– So zip the directory then hash the zip file
– Use an ‘archive’ directory
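Both hash checks the lecture describes, the device/copy comparison of slide 5 and the archive-then-hash step of this slide, as an added shell example that is not part of the lecture. It uses tar rather than zip for the archive (a zip file would be hashed the same way), SHA-1 as the hash (MD5 would be used identically), and the function names and the hash-file location are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture): the two hash checks the lecture
# describes. verify_image covers slide 5 (hash the device and the copy, then
# compare); seal_dir and check_seal cover slide 25 (archive the directory,
# hash the archive, keep the hash elsewhere). tar is used as the archiver
# because it is always present; a zip file would be handled the same way.

# SHA-1 of a file (sha1sum on Linux, shasum elsewhere); MD5 would do likewise.
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# Compare the hashes of the source (device or file) and its image; succeed only
# on a match, i.e. a forensically sound copy. Both hashes are printed for the record.
verify_image() {
    h_src=$(hash_file "$1"); h_img=$(hash_file "$2")
    printf 'source %s %s\nimage  %s %s\n' "$h_src" "$1" "$h_img" "$2"
    [ "$h_src" = "$h_img" ]
}

# Archive directory $1 into $2/<name>.tar and append its hash, path and the time
# to $3, the hash list kept outside the archive directory. Prints the hash.
seal_dir() {
    dir=$1; archive=$2/$(basename "$dir").tar; hashes=$3
    mkdir -p "$2" "$(dirname "$hashes")"
    # -C keeps the paths inside the archive relative to the directory's parent.
    tar -cf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")"
    h=$(hash_file "$archive")
    printf '%s  %s  %s\n' "$h" "$archive" "$(date '+%Y-%m-%d %H:%M:%S')" >> "$hashes"
    echo "$h"
}

# Re-hash the archive and compare it with the last hash recorded for it.
check_seal() {
    archive=$1; hashes=$2
    recorded=$(grep -F "  $archive  " "$hashes" | tail -n 1 | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$(hash_file "$archive")" ]
}
```

Sealing at the end of a session and checking at the start of the next is the "check and verify" step of slide 27; the hash list must live somewhere the archive directory's custodian cannot silently rewrite.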

26 Forensic Soundness
Some tools may have to be shown to be forensically sound
– E.g., websites used to decode base64
All tests should be documented and kept in the secure store
– Make sure the dates of the tests are included
– Separate directory for each tool

27 Summary
When conducting an investigation
– Use a PLAN: a step-by-step guide
– Follow the plan, and document each stage
– Question the plan: is it complete and appropriate?
– Check and verify at the start and end of each session (at least)
