
Digital Forensics Survey of Information Assurance.

Presentation on theme: "Digital Forensics Survey of Information Assurance."— Presentation transcript:

1 Digital Forensics Survey of Information Assurance

2 Agenda
What is Digital Forensics?
Procedure: Identification, Acquisition, Analysis, Presentation
Analysis Techniques
Techniques Examples
Real Action: 0x80
Present and Future

3 Forensics
Forensic science is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action.
Ref: http://en.wikipedia.org/wiki/Forensic

4 Digital Forensics
Computer forensics... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in.
- Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006
Ref: http://en.wikipedia.org/wiki/Computer_forensics

5 Procedures 1. Identification 2. Acquisition 3. Analysis 4. Presentation

6 Procedures
The basic procedure to follow for examination of digital data is as follows:
Identification – Answers “WHAT” information is sought and where to obtain it.
Acquisition – Obtain forensic copies of all digital data required, including snapshots and live datasets.
Analysis – Aggregation, correlation, filtering, transformation and meta-data generation to obtain digital evidence.
Presentation – Creating a final report to present the digital evidence.

7 Procedure Flow
Identification → Acquisition → Analysis → Presentation

8 Procedure Step #1: Identification
Evidence will often be based on the scenario. Places to look:
For intrusions: logs, rootkits, hidden files
For illegal graphic images: image files, web history
Intelligence: documents, e-mails

9 Procedure Step #2: Acquisition
Preserve evidence; prevent the computer's state from changing:
Copy the hard disk bit-wise.
Copy memory before the machine is powered off.
Save the state of all network connections.
Disconnect from the network if connected.
Copying the hard disk:
Boot the system from trusted media, e.g. a DOS floppy or a Linux Live CD, or
Remove the hard disk and place it in a trusted system.

10 Procedure Step #3: Analysis
Heavily dependent on the skills of the analyst and the nature of the evidence sought.
Aggregation, correlation, filtering, transformation and meta-data generation.
Pre-analysis (~ Acquisition)
Aggregation + Transformation: data recovery and unification.
Meta-data generation: categorization, indexing, hashing…
Data-to-evidence mapping, isolation and contextualization: the difference between data and evidence.

11 Procedure Step #4: Presentation Prepare report of noteworthy evidence. Relate evidence to crime; i.e. explain the role of evidence in given case.

12 Analysis Techniques
1. Text Analysis 2. Image Analysis 3. Video Analysis 4. Executable Analysis 5. File Clustering 6. Password Cracking 7. Data Searching

13 Analysis: General Types
Text analysis: Unicode normalization, language identification, named entity extraction, transliteration
Image analysis: steganography detection, computer-generated vs. real image
Video analysis
Executable analysis

14 Analysis: General Types (2)
File clustering / classification
Password cracking
Data searching: keyword search; file attributes (name, date of creation/access, type, etc.); specific files

15 Examples
Unicode Normalization
“In many cases, Unicode allows multiple representations of what is, linguistically, the same string. For example: Capital A with dieresis (umlaut) can be represented either as a single Unicode code point "Ä" (U+00C4) or the combination of Capital A and the combining Dieresis character ("A" + "¨", that is, U+0041 U+0308).”
Ref: http://msdn2.microsoft.com/en-us/library/ms776393(VS.85).aspx
Transliteration
Ref: http://acharya.iitm.ac.in/multi_sys/translit.php
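The slide's point matters for keyword search over seized data: a search for the precomposed “Ä” silently misses the decomposed form unless both sides are normalized first. The example below is added here and is not part of the original deck; the evidence text is constructed, and it goes one step beyond the slide by also showing NFKC, which additionally folds compatibility variants such as fullwidth letters.

```python
import unicodedata

# Constructed evidence snippet: the same word "Ärger" typed three ways that render identically.
PRECOMPOSED = "\u00c4rger"        # U+00C4 LATIN CAPITAL LETTER A WITH DIAERESIS
DECOMPOSED = "A\u0308rger"        # U+0041 + U+0308 COMBINING DIAERESIS
FULLWIDTH = "\uff21\u0308rger"    # U+FF21 FULLWIDTH LATIN CAPITAL LETTER A + U+0308
EVIDENCE = f"Betreff: {DECOMPOSED} mit dem Server\nNotiz: {FULLWIDTH} schon wieder"

def code_points(s):
    """Show what the text actually holds, since the screen rendering hides the difference."""
    return " ".join(f"U+{ord(c):04X}" for c in s)

def naive_search(haystack, needle):
    """Code-point-for-code-point substring match, as a keyword tool without normalization does."""
    return needle in haystack

def normalized_search(haystack, needle, form="NFC"):
    """Normalize both sides to the same form before matching. NFC folds composed/decomposed
    sequences; NFKC additionally folds compatibility variants (fullwidth letters, ligatures)."""
    return unicodedata.normalize(form, needle) in unicodedata.normalize(form, haystack)

def count_hits(haystack, needle, form="NFKC"):
    """Number of occurrences after normalization, so the examiner sees every variant at once."""
    return unicodedata.normalize(form, haystack).count(unicodedata.normalize(form, needle))

if __name__ == "__main__":
    print(code_points(PRECOMPOSED[:1]), "vs", code_points(DECOMPOSED[:2]))
    print("naive:", naive_search(EVIDENCE, PRECOMPOSED))
    print("NFC:", normalized_search(EVIDENCE, PRECOMPOSED, "NFC"), "hits:", count_hits(EVIDENCE, PRECOMPOSED, "NFC"))
    print("NFKC:", normalized_search(EVIDENCE, PRECOMPOSED, "NFKC"), "hits:", count_hits(EVIDENCE, PRECOMPOSED))
```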

16 Examples (2)
Steganography
Ref: http://www.strangehorizons.com/2001/20011008/steganography.shtml

17 Real Action: An Example
The case of metadata in an image

18 Real Action: 0x80
The Hacker: “0x80”
Time: Early 2006
Event: “0x80” chooses to be interviewed in the Washington Post about his alleged violation of federal law.
Claim: Having broken into 2000+ personal computers, these hacked computers or “bots” begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites.
Ref: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

19 Real Action: 0x80 (2)
Mistake: Allowed The Washington Post to publish several photographs, including a doctored image of himself with his face partially visible.
How he got tracked: The images in the article carried metadata pointing to his location, “Roland, Oklahoma”.
Details: It was then noticed that the retouched pictures showing the obfuscated hacker included meta tags, information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair; at least the hair on his arms appears blond in one photo.
Ref: http://antiworm.blogspot.com/2006/02/hacker-0x80-0wn3d-by-fbi-arrested.html
Eventually “0x80” was arrested by the FBI.
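The tags that exposed 0x80 live in the EXIF block (APP1 segment) of a JPEG. The example below is added here and is not code from the deck or from the case: it builds a constructed minimal JPEG carrying camera, photographer and date tags, reads them back the way an examiner would, and shows the publication-side mitigation of stripping APP1 before a photo is released. All sample values are made up; only the ASCII tags are handled, not the rational-typed GPS fields.

```python
import struct

# Tag IDs from the TIFF 6.0 / EXIF specs; every sample value in this file is constructed for the demo.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x013B: "Artist"}
def build_exif_app1(fields):
    """Build an APP1 body: 'Exif\\0\\0' + little-endian TIFF header + IFD0 holding ASCII tags."""
    data_start = 14 + 12 * len(fields)       # 8-byte header + 2-byte count + entries + 4-byte next-IFD
    entries, blob = b"", b""
    for tag, text in sorted(fields.items()):
        value = text.encode("ascii") + b"\0"
        if len(value) <= 4:                  # values of 4 bytes or fewer sit inline in the offset field
            entries += struct.pack("<HHI", tag, 2, len(value)) + value.ljust(4, b"\0")
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(blob))
            blob += value
    return b"Exif\0\0II*\0" + struct.pack("<IH", 8, len(fields)) + entries + b"\0\0\0\0" + blob
def parse_exif_app1(body):
    """Walk IFD0 and return the ASCII tags named in TAG_NAMES."""
    t = body[6:]                             # drop the 'Exif\0\0' prefix; t[0] is TIFF offset 0
    e = "<" if t[:2] == b"II" else ">"       # byte order declared by the TIFF header
    ifd = struct.unpack(e + "I", t[4:8])[0]
    count = struct.unpack(e + "H", t[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        pos = ifd + 2 + 12 * i
        tag, typ, cnt, off = struct.unpack(e + "HHII", t[pos:pos + 12])
        if typ == 2 and tag in TAG_NAMES:    # type 2 = ASCII
            raw = t[pos + 8:pos + 8 + cnt] if cnt <= 4 else t[off:off + cnt]
            found[TAG_NAMES[tag]] = raw.rstrip(b"\0").decode("ascii")
    return found
def segments(jpeg):
    """Yield (marker, raw segment bytes, body) for each marker segment before SOS or EOI."""
    pos = 2                                  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], jpeg[pos:pos + 2 + length], jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
def extract_metadata(jpeg):
    """Examiner side: what anyone holding the file can read out of its EXIF block."""
    return {k: v for marker, _, body in segments(jpeg) if marker == 0xE1 and body.startswith(b"Exif\0\0")
            for k, v in parse_exif_app1(body).items()}
def strip_app1(jpeg):
    """Publication side: drop every APP1 segment so camera, author and date tags do not ship."""
    consumed = sum(len(raw) for _, raw, _ in segments(jpeg))
    kept = b"".join(raw for marker, raw, _ in segments(jpeg) if marker != 0xE1)
    return b"\xff\xd8" + kept + jpeg[2 + consumed:]   # re-append SOS/EOI and any scan data
SAMPLE_FIELDS = {0x010F: "ACME", 0x0110: "X1", 0x013B: "J. Doe", 0x0132: "2006:01:15 09:30:00"}
_body = build_exif_app1(SAMPLE_FIELDS)     # minimal JPEG: SOI, one APP1 segment, EOI, no scan data
SAMPLE_JPEG = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_body) + 2) + _body + b"\xff\xd9"
```

Running extract_metadata(SAMPLE_JPEG) returns the four tags; after strip_app1 the same call returns an empty dict.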

20 Present and Future

21 Present and Future - Digital Forensics
Now | Later…
Unorganized science | Likely to be formalized
Treated with skepticism as evidence in cases other than cyber-crimes | May gain acceptance as evidence in crimes other than cyber-crimes
Struggling to keep up with a staggering amount of data | Newer and innovative approaches needed
Lack of clarity on policy and policing | Policy could be created in future
Always a step behind | Likely to remain so…

22 References
www.basistech.com/knowledge-center/forensics/crash-course-in-digital-forensics.pdf
www.opensourceforensics.org/
http://www.garykessler.net/library/steganography.html
https://www.spammimic.com/explain.shtml
http://www.strangehorizons.com/2001/20011008/steganography.shtml
