Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Published byShauna Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP AppSec Washington DC 2009 Digital Forensics Worry about data loss Motashim Al Razi OWASP member alrazimotashim@gmail.com

2 2 What is Digital Forensics? Branch of forensic science – uses scientific method The preservation, recovery, analysis and reporting of digital artifacts including information stored on: - Computer/laptop systems (hard drives) - Storage media (USBs, CDs, DVDs, cameras, etc.) - Mobile phones - Electronic documents Typically used reactively, move toward proactive - Reactive: court cases, incident response - Proactive: mobile app security audits, continuous forensic monitoring

3 Storage Devices There are 3 main types of storage devices used today: 1. Hard-disk drive (HDD) – Contains a spinning magnetic drive used to store non-volatile data. 2. Solid-state drive (SSD) – Contains internal microchips for the purpose of storing non-volatile data. 3. NAND Flash memory  Typically found in smart phones, USB thumb drivers and other portable devices  Not removable like typical HDD or SSD  Very unique characteristics from standard HDD (limited writes/erase)  In constant state of change (FTL) 3

4 Acquisition strategies Forensics Analysts can acquire/receive data 3 different ways Backup Files - Backup files are provided from the “custodian”. This could include backup software from corporations, PST file, iTunes backup, etc. Logical Acquisition - A copy of the file system is created (i.e. tar.gz of / or recursive copy that preserves date/time) Physical Acquisition - Creates an exact digital replica of the storage medium - Can recover deleted data - This process requires specialized analysis tools and techniques - Drive management firmware may still affect acquisition (FTL, bad blocks, etc.) 4

5 Image Verification Hash value – A calculated hex signature based on a set of data. - A hash value can be used to verify forensic image integrity. One slight change in source will cause “avalanche” effect in hash value - In order to prove that two data sets are identical, their hash values must match. - In some instances, hash values are not stable (NAND Flash) so a hash of the data as it’s extracted is taken but won’t necessarily match if source is imaged again. Common hash techniques - mad5 (128-bit value) - Sha256 (256-bit value) md5 of “Andrew Hoog” = 9bdbad9aecd74fce6e6bb48ee18100b8 5

6 6

7 7

8 How to acquire a forensic image If possible, connect drive to a physical write blocker - This prevents any writes to the drive - There are software techniques but not as effective - Generally, impossible with NAND Flash devices Forensically acquire device with software - Open source: dd, dcfldd and dc3dd - Free: FTK imager and many others - Commercial: FTK, EnCase, etc. Perform verification of source and image with hash signature and record in Chain of Custody. 8

9 Digital evidence What Constitutes Digital Evidence? –Any information being subject to human intervention or not, that can be extracted from a computer. –Must be in human-readable format or capable of being interpreted by a person with expertise in the subject. Computer Forensics Examples –Recovering thousands of deleted emails –Performing investigation post employment termination –Recovering evidence post formatting hard drive –Performing investigation after multiple users had taken over the system 9

10 Reasons For Evidence Wide range of computer crimes and misuses –Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: Theft of trade secrets Fraud Extortion Industrial espionage Position of pornography SPAM investigations Virus/Trojan distribution Homicide investigations Intellectual property breaches Unauthorized use of personal information Forgery Perjury 10

11 Reasons For Evidence (cont) Computer related crime and violations include a range of activities including: –Business Environment: Theft of or destruction of intellectual property Unauthorized activity Tracking internet browsing habits Reconstructing Events Inferring intentions Selling company bandwidth Wrongful dismissal claims Sexual harassment Software Piracy 11

12 Who Uses Computer Forensics? Criminal Prosecutors –Rely on evidence obtained from a computer to prosecute suspects and use as evidence Civil Litigations –Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases Insurance Companies and Banking sector –Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) –When an entity is compromised and CHD has been stolen then the entity must be investigated by an authorized forensic company. (Commonly referred to as a QIRA or QFI) Private Corporations –Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases Law Enforcement Officials –Rely on computer forensics to backup search warrants and post-seizure handling Individual/Private Citizens –Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment 12

13 How do computer forensics relate to Law enforcement? 13 ControllerDetection centreCyber police Computer forensics lab Magistrate court for civil offence and high court for criminal offence.

14 Case Study Banking Industry Executive Level Financial Fraud Case Study – Digital Forensics Case Type – Internal Corporate Fraud Environment – Complex Multi-Location Network and Desktop computer forensics Industry – Banking 14

15 Scenario: A large accounting firm was hired to audit certain activities related to loans to individuals on the Board of Directors of a medium size, publicly traded bank (the “Bank”). During the Audit, the auditors needed to examine several computer systems used by certain Bank employees as well as by certain Board Members. digital forensic examiners were immediately dispatched and sent in to arrange for the forensic analysis of the computer systems and to search for corroborating evidence in support of the audit team’s suspicions and findings. The systems analysts forensically analyzed included laptop computers issued to managers in the loan origination department, desktop systems used by managers and board members. Email (Exchange) servers as well as Voicemail Systems were examined 15

16 Existing law for digital forensics in Bangladesh There is a specific version in ICT act-2006. 8th chapter, part-2 No. 68: Cyber tribunal Implementation, criminal investigation, trial, Appeal etc. Part-3, No. 82: Cyber Appeal tribunal. 16

17 International Guideline National Institute of Science and Technology – NIST Association of Chief Police Officers – ACPO (UK) It is a major part of IS auditing. 17

18 Summary & Conclusion

Download ppt "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."

Similar presentations

Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.

Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except.

Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except.
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Teaching Computer Forensics Using Student Developed Evidence Files Anna Carlin Cal Poly Pomona.

Teaching Computer Forensics Using Student Developed Evidence Files Anna Carlin Cal Poly Pomona.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.

COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.

Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.
Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO.515020181-9.

Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Information Technology & Computer Science E-Discovery Lab Identification and Collection Seminar on E-Discovery, February 9th, 2012, College of Information.

Information Technology & Computer Science E-Discovery Lab Identification and Collection Seminar on E-Discovery, February 9th, 2012, College of Information.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Chapter 11 Security and Privacy: Computers and the Internet.

Chapter 11 Security and Privacy: Computers and the Internet.
SUMMER BRIDGE PROGRAM DR. HWAJUNG LEE DR. ASHLEY PODHRADSKY Computer Forensics.

SUMMER BRIDGE PROGRAM DR. HWAJUNG LEE DR. ASHLEY PODHRADSKY Computer Forensics.
7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.

7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.

Similar presentations

Ads by Google