Tech Academy, Highline College, August 20, 2015. Cybersecurity. Steve Simpson, S2 Forensics.

Presentation transcript:

1 Tech Academy, Highline College, August 20, 2015
Cybersecurity
Steve Simpson, S2 Forensics

3 Introduction: Steve Simpson
CCE, CISSP, CSFA, PMP
Information Security Professional, Computer Engineer, entrepreneur, educator
– 35+ years high tech experience: Computer Engineering, Product Development, 3rd party Design and Manufacturing, Network Architecture, Software Development, Cyber Forensics, Industry Compliance
– Education: BS Electronic Engineering, MS Systems Engineering, Digital Forensics Certificate
– Director of Technology / Senior Analyst, S2 Forensics
– Develops and teaches courses in the BAS Cyber Security and Forensics program at Highline College: Network Forensics, Mobile Forensics, Mobile Security, Network Scripting
3/5/2015 S2 Forensics - www.s2forensics.com 3

4 Cybersecurity
Defense of data or information in transit, in use, or in storage
3 pillars of data, or “cyber,” security:
– Confidentiality
– Integrity
– Availability
Often referred to as the “CIA Triangle”

5 Confidentiality
– Keeping data secret
– Read protection
– Military very concerned with confidentiality
Integrity
– Keeping data free from change
– Write protection
– Financial institutions very concerned with integrity
Availability
– Maintaining services and functionality of resources
– ISPs and service providers concerned with availability

6 Various jobs within the Cybersecurity industry
– Vulnerability assessment
– Penetration testing
– Network engineering/security
– System administration
– Software development
– Etc., etc., etc.

7 Various jobs within the Cybersecurity industry

8 Webster says of Forensics:
– Pronunciation: f&-'ren(t)-sik, -'ren-zik
1. belonging to, used in, or suitable to courts of judicature or to public discussion and debate
2. argumentative, rhetorical
3. relating to or dealing with the application of scientific knowledge to legal problems
US-CERT says:
– Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.
– The word forensics means “to bring to the court.”
Digital Forensics was recognized as a forensic science discipline in 2003

9 The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found
Computer forensics is considered both a science and an art

10 Scientific Method is a body of techniques for
– investigating phenomena
– acquiring new knowledge
– correcting and integrating previous knowledge [1]
Locard’s Exchange Principle
– Attributed to Dr. Edmond Locard
– "Every contact leaves a trace" [2]
– “no matter where a criminal goes or what a criminal does … a criminal [will] leave evidence …” [3]
[1] Goldhaber & Nieto 2010, p. 940
[2] http://en.wikipedia.org/wiki/Locard%27s_exchange_principle
[3] http://www.forensichandbook.com/locards-exchange-principle/

11 Four Principles of Digital Forensics
– Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
– Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
– Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
– Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

12 3 Types of Data
– Active: Data that can be seen or readily used. Data files, programs, utilities, apps, operating system files. Easily accessed, easy to use.
– Archival: Data that has been backed up and stored. Tapes, CDs, hard drives, cloud. Visible data. Easy to retrieve, but not as easy as Active data.
– Latent: Data that requires specialized tools and skills to view. Includes deleted and/or partially overwritten data. May also be referred to as Ambient data.
We will be concentrating on active and latent data

13 Digital Forensic Terms: Bits, Bytes, Sectors, Clusters
Data is stored as magnetic charges on the hard drive. These charges represent data as a “1” or a “0”.
– Bit = a single charge, as a 1 or a 0
– Byte = 8 bits in most cases
– Sector = 512 bytes
– Cluster = multiple sectors. Usually 2^n sectors: 2, 4, 8, 16, or 32. OS dependent; the Sys Admin usually has the option to set cluster size.
HDDs manage data in terms of Sectors; OSs manage data as Clusters

14 Hard Drive Physical Components
(diagram labels: Read/Write head, Track 0, Track 1, Track 2, Track, Sector, Platter, Spindle, Cylinder, Cluster)

15 What does data look like?
– Humans cannot see magnetic fields.
– Represent magnetism as a 1 or a 0 (bit)
– Group bits into bytes, words, double words, quad words, etc.
– Bits and bytes are difficult to read and understand: 1010 0001 1010 1100 1010 1110 0010 0010 1010 1000 0010 1111
– Hexadecimal representation of data: digits 0x0-9 and A-F. The above is represented as 0xA1ACAD2A82F

16 What does data look like?
– ASCII representation
– American Standard Code for Information Interchange
– 8 bits per character
– http://www.ascii-code.com/
– How to read computer data
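Slides 15 and 16 describe the two views a hex editor gives of the same bytes: hexadecimal on the left, ASCII on the right. The following Python is an added example, not code from the presentation or from S2 Forensics; the sample bytes are constructed for illustration. `bits_to_hex` does the nibble-by-nibble conversion slide 15 describes (each group of four bits becomes exactly one hex digit, so 48 bits always yield 12 hex digits), and `hexdump` renders bytes the way HxD or WinHex would.

```python
# Added example: render raw bytes the way a hex editor does, and convert a
# bit string to hexadecimal one nibble at a time.
from typing import List


def bits_to_hex(bit_string: str) -> str:
    """Convert a string of 0/1 characters (spaces ignored) to uppercase hex.

    Every 4-bit group (nibble) becomes exactly one hex digit, so the output
    length is always len(bits) / 4 and leading zeros are preserved.
    """
    bits = bit_string.replace(" ", "")
    if len(bits) % 4 != 0 or any(b not in "01" for b in bits):
        raise ValueError("bit string must be 0/1 only and a multiple of 4 bits")
    return "".join(format(int(bits[i:i + 4], 2), "X") for i in range(0, len(bits), 4))


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Return hex-editor style lines: offset, hex bytes, printable ASCII.

    Bytes outside 0x20..0x7E are shown as '.', the convention HxD and most
    other hex editors use for non-printable values.
    """
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        # Pad the hex column so the ASCII column lines up on a short last row.
        lines.append(f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


# Constructed sample (not a real file): a PDF header line followed by the
# kind of binary comment line many PDF writers emit.
SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    print(bits_to_hex("1010 0001 1010 1100 1010 1110 0010 0010 1010 1000 0010 1111"))
    for line in hexdump(SAMPLE):
        print(line)
```

Reading the dump, the `%PDF` signature from slide 19 is visible in the ASCII column while the bytes that follow it show only as dots, which is why the hex column is the one an examiner trusts.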

17 Slack Space demo
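The slack space demo itself is not captured in the transcript. What it rests on is the arithmetic from slide 13: the OS allocates whole clusters and writes whole sectors, so the tail of a file's last cluster is not file data, and whatever a previous file left there is latent data in the sense of slide 12. The Python below is an added example written for this page, not the presenter's demo; the 512-byte sector and 8-sector cluster are the slide's figures, and the "old" and "new" file contents are constructed. The single-cluster model in `simulate_cluster_reuse` assumes the OS zero-pads the final written sector (RAM slack) and leaves the remaining sectors of the cluster untouched (file slack).

```python
# Added example: slack-space arithmetic for a file on a cluster-based file
# system, plus a small model of why the unused tail of a file's last cluster
# can still hold an earlier file's bytes.
from dataclasses import dataclass

SECTOR_SIZE = 512  # bytes per sector, as on slide 13


def _ceil_div(a: int, b: int) -> int:
    """Integer ceiling division without floating point."""
    return -(-a // b)


@dataclass
class SlackReport:
    file_size: int
    cluster_size: int
    clusters_allocated: int
    sectors_written: int
    ram_slack: int    # bytes from end of file data to end of its last sector
    file_slack: int   # bytes in the last cluster's sectors that were never written
    total_slack: int


def slack_space(file_size: int, sectors_per_cluster: int,
                sector_size: int = SECTOR_SIZE) -> SlackReport:
    """Compute how many bytes of a file's allocation are not file data.

    Assumes a file that actually occupies clusters (not a tiny file stored
    inside a file-system record). Cluster size = sectors_per_cluster * sector_size.
    """
    if file_size < 0 or sectors_per_cluster < 1 or sector_size < 1:
        raise ValueError("file_size must be >= 0 and unit sizes >= 1")
    cluster_size = sectors_per_cluster * sector_size
    clusters = _ceil_div(file_size, cluster_size)
    sectors = _ceil_div(file_size, sector_size)
    ram_slack = sectors * sector_size - file_size
    file_slack = clusters * cluster_size - sectors * sector_size
    return SlackReport(file_size, cluster_size, clusters, sectors,
                       ram_slack, file_slack, ram_slack + file_slack)


def simulate_cluster_reuse(previous: bytes, new_file: bytes,
                           cluster_size: int, sector_size: int = SECTOR_SIZE) -> bytes:
    """Model one cluster that held `previous`, then was reallocated to `new_file`.

    Assumption of this model: the OS pads the new file's final sector with
    zeros and does not touch the cluster's remaining sectors. Returns the
    bytes a sector-level read shows from the new file's logical end to the
    end of the cluster, i.e. the slack an examiner would inspect.
    """
    if len(new_file) > cluster_size or len(previous) > cluster_size:
        raise ValueError("this model handles a single cluster only")
    cluster = bytearray(previous.ljust(cluster_size, b"\x00"))
    written = _ceil_div(len(new_file), sector_size) * sector_size
    cluster[:written] = new_file.ljust(written, b"\x00")
    return bytes(cluster[len(new_file):])


# Constructed sample: a 4 KiB cluster (8 sectors) that once held a text file,
# then received a 100-byte file.
OLD_CONTENT = b"OLD SECRET DATA " * 256   # exactly 4096 bytes
NEW_CONTENT = b"hi" * 50                  # 100 bytes

if __name__ == "__main__":
    print(slack_space(1000, 8))
    slack = simulate_cluster_reuse(OLD_CONTENT, NEW_CONTENT, 4096)
    print(len(slack), "slack bytes:", slack[:412].count(0), "zero bytes of RAM slack, then",
          slack[412:444])
```

A 1000-byte file on 4 KiB clusters owns 4096 bytes but accounts for 1000 of them; the 24 bytes to the end of its second sector and the six untouched sectors after it are what a hex editor shows beyond the logical end of file.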

18 Files are what data storage is all about
– How do we know a text file from an executable?
– Windows requires file extensions: .docx, .txt, .ppt, .dll, .exe, .jpg, .gif
– Linux: extensions are optional
– How does the PC know the difference between text files, executable files, audio files, photos, and movies?
The answer is file headers, aka file signatures

19 File signatures
– http://www.garykessler.net/library/file_sigs.html
– Sort by hex value or text
– PDF (Portable Document Format): 25 50 44 46 = %PDF. Note the trailers/footers listed on the web page.
– JPEG file, widely used photo format (Joint Photographic Experts Group): FF D8 FF E0 xx xx 4A 46 = ÿØÿà..JF. Note the footer of FF D9.
– GIF file (Graphics Interchange Format): 47 49 46 38 37 61 = GIF87a; 47 49 46 38 39 61 = GIF89a. Footer/trailer: 00 3B = .;
– Microsoft document files (docx, xlx, pptx): D0 CF 11 E0 A1 B1 1A E1 = ÐÏ.ࡱ.á. Object Linking and Embedding (OLE) compound file.
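Slide 19 gives the header bytes and, for JPEG and GIF, the trailer bytes an examiner looks for. The Python below is an added example, not code from the presentation or from S2 Forensics; it turns the slide's table into a small signature check and the sample files are constructed byte strings, not real documents. It goes one step beyond the slide in its last table entry: the OLE compound-file signature belongs to the older binary .doc/.xls/.ppt format, while Office Open XML files (.docx/.xlsx/.pptx) are ZIP containers beginning with 50 4B 03 04, so both are listed. A missing trailer points to a truncated or carved file; a header that disagrees with the extension points to a renamed one.

```python
# Added example: identify a file by its header bytes ("magic number") and,
# where the format defines one, check its trailer, instead of trusting the
# extension. Signature table from slide 19 plus the ZIP/OOXML entry.
import os
from typing import Dict, List, Optional, Set, Tuple

# (name, header pattern, trailer). None inside a pattern is an "xx" wildcard byte.
SIGNATURES: List[Tuple[str, List[Optional[int]], Optional[bytes]]] = [
    ("PDF",    [0x25, 0x50, 0x44, 0x46], None),                          # %PDF
    ("JPEG",   [0xFF, 0xD8, 0xFF, 0xE0, None, None, 0x4A, 0x46], b"\xFF\xD9"),
    ("GIF87a", list(b"GIF87a"), b"\x00\x3B"),
    ("GIF89a", list(b"GIF89a"), b"\x00\x3B"),
    ("OLE compound file", [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1], None),
    ("ZIP/OOXML", [0x50, 0x4B, 0x03, 0x04], None),                       # PK.. (beyond the slide)
]

# Which detected types are consistent with which extensions.
EXTENSIONS: Dict[str, Set[str]] = {
    ".pdf": {"PDF"}, ".jpg": {"JPEG"}, ".jpeg": {"JPEG"},
    ".gif": {"GIF87a", "GIF89a"},
    ".doc": {"OLE compound file"}, ".xls": {"OLE compound file"}, ".ppt": {"OLE compound file"},
    ".docx": {"ZIP/OOXML"}, ".xlsx": {"ZIP/OOXML"}, ".pptx": {"ZIP/OOXML"}, ".zip": {"ZIP/OOXML"},
}


def header_matches(data: bytes, pattern: List[Optional[int]]) -> bool:
    """True if every non-wildcard byte of the pattern matches the start of data."""
    if len(data) < len(pattern):
        return False
    return all(p is None or data[i] == p for i, p in enumerate(pattern))


def identify(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if unknown."""
    for name, pattern, _trailer in SIGNATURES:
        if header_matches(data, pattern):
            return name
    return None


def trailer_ok(data: bytes, name: str) -> Optional[bool]:
    """True/False when the format defines a trailer and it is present/absent;
    None when the table lists no trailer for it (nothing to check)."""
    for sig_name, _pattern, trailer in SIGNATURES:
        if sig_name == name:
            return None if trailer is None else data.endswith(trailer)
    return None


def check_file(filename: str, data: bytes) -> dict:
    """Compare what the bytes say against what the extension claims."""
    detected = identify(data)
    expected = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    return {
        "filename": filename,
        "detected": detected,
        "trailer_present": trailer_ok(data, detected) if detected else None,
        # Only flag a mismatch when the extension is one we know how to judge.
        "extension_mismatch": expected is not None and detected not in expected,
    }


# Constructed samples (not real files): minimal headers plus filler bytes.
JPEG_OK = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xFF\xD9"
JPEG_TRUNCATED = JPEG_OK[:-2]                                      # lost its FF D9 footer
GIF_OK = b"GIF89a" + b"\x00" * 16 + b"\x00\x3B"
OLE_NAMED_PDF = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24  # OLE bytes under a .pdf name

if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG_OK), ("photo2.jpg", JPEG_TRUNCATED),
                       ("anim.gif", GIF_OK), ("invoice.pdf", OLE_NAMED_PDF)]:
        print(check_file(name, blob))
```

Sorting a case's files by `detected` rather than by name is the programmatic form of the "sort by hex value or text" step on the slide: it groups files by what they are, not by what they were called.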

20 How do we read these files in binary?
– Use a “hex editor”
  HxD: http://mh-nexus.de/en/hxd/
  WinHex: http://www.x-ways.net/winhex/
  Many other no-cost options are available. Google search for “hex editor”.
– Utilities that have hex reader capabilities
  FTK Imager: http://accessdata.com/product-download or http://accessdata.com/product-download/digital-forensics/ftk-download-page

21 Using HxD – demo

