Kitpetrie_digitalforensics.ppt

Digital Forensics: The Science of Searching Computers for Evidence

Kit Petrie

Uses of Digital Forensics

Criminal Investigations
•Copyright infringement
•Espionage
•Fraud

Network Forensics
•Network assessment
•Hackers
•Industrial espionage

What do Digital Forensics Experts Do?

•Gather evidence
•Preserve data integrity (chain of custody)
•Identify critical information
•Analyze evidence
•Present evidence

Gather evidence

•Normal collection vs. selective collection
•Seizure of physical computers/hard drives
•Examine/copy RAM from live systems
•Maintain/copy live state when encryption is in use (keys and mounted volumes are only reachable while the system is running)
•Use of a hardware write-blocking device
•Online data (email, ISP logs)
  •Subpoena/request data

Preserve data integrity

•Authenticity and integrity
•Hardware write-blocking device
•Hash, encrypt and sign original evidence
•Document all activities performed on the data
•Store evidence in a secure environment to prevent tampering and leaking (ethics?)
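The three bullets above (hash the original, sign it, document every action) fit together as one workflow. The following is an added example for this page, not code from the slides or from any forensic product: it hashes a constructed stand-in for an acquired image and keeps an HMAC-chained chain-of-custody log, so that editing or removing an earlier log entry is detectable. The examiner key and case identifier are hypothetical.

```python
"""Hash an acquired image and keep a tamper-evident chain-of-custody log.

Added example for this page, not from the slides or any forensic product.
Assumptions: the examiner holds a secret HMAC key (hypothetical value
below), and SAMPLE_IMAGE stands in for a disk image acquired through a
write blocker.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired image (real ones are many GB).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\xAA" * 1024

# Hypothetical examiner key; in practice a per-case key kept off the
# evidence workstation (smart card / HSM), so a tag proves who logged what.
EXAMINER_KEY = b"case-2011-0042-examiner-key"


def hash_image(data: bytes) -> dict:
    """Record both MD5 and SHA-256: MD5 for comparison with older tool
    reports, SHA-256 because MD5 collisions are practical today."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only log. Each entry's tag is an HMAC over the entry body,
    which includes the previous tag, so altering or dropping an earlier
    entry invalidates every entry after it."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, examiner: str, action: str, digests: dict, when=None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["tag"] if self.entries else ""
        body = {"examiner": examiner, "action": action, "digests": digests,
                "time": when, "prev": prev}
        body["tag"] = self._tag(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["prev"] != prev:
                return False  # an entry was removed or reordered
            if not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False  # an entry's content was edited
            prev = entry["tag"]
        return True


def verify_copy(data: bytes, recorded: dict) -> bool:
    """Re-hash a working copy and compare against the acquisition digests."""
    current = hash_image(data)
    return all(hmac.compare_digest(current[k], recorded[k]) for k in recorded)


def demo():
    digests = hash_image(SAMPLE_IMAGE)
    log = CustodyLog(EXAMINER_KEY)
    log.record("K. Petrie", "acquired image via hardware write blocker",
               digests, "2011-11-01T09:00:00+00:00")
    log.record("K. Petrie", "verified working copy", digests,
               "2011-11-01T10:30:00+00:00")
    log_ok_before = log.verify()
    # Tampering: someone rewrites the first entry after the fact.
    log.entries[0]["action"] = "acquired image without write blocker"
    log_ok_after = log.verify()
    copy_ok = verify_copy(SAMPLE_IMAGE, digests)
    altered_ok = verify_copy(SAMPLE_IMAGE[:-1] + b"\x00", digests)
    return log_ok_before, log_ok_after, copy_ok, altered_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

An HMAC only proves the log was written by someone holding the key; where the court needs to know which examiner wrote an entry, the tag would be replaced by a signature from that examiner's own key, and the chain structure stays the same.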

Identify critical information

•Search for information related to the alleged crime
•Identify suspects and tie them to login credentials
•Maintain privacy of information not related to the alleged crime (ethical considerations)
•Encryption: individual files or full disk

Analyze evidence

Goals
•Establish facts to prove a crime occurred
•Identify suspects
•Build a timeline of events

Techniques
•Data mining search
•File classification
•Clustering text-based search

Clustering text-based search

•Text pattern matching == grep! But how to rank the results?
•Adaptive User Interest Hierarchy (AUIH)
•Investigator groups interesting results into categories
•Machine learning tries to match similar search results; best matches are ranked highest
•Feedback from the investigator helps the program improve its rankings
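The slide describes the loop in words: pattern-match first, let the investigator mark what is interesting, then rank the rest toward those marks. The code below is an added example for this page and is not the AUIH implementation the slide refers to; it shows the principle with a regex search over a constructed set of "recovered files" and a plain token-frequency cosine ranking against the centroid of the investigator-marked hits. File names, contents and the stopword list are all constructed.

```python
"""grep-style search over seized files, re-ranked by investigator feedback.

Added example for this page; it is not the AUIH implementation the slide
refers to. It shows the principle (pattern match first, then rank hits by
similarity to the hits the investigator marked interesting) with plain
token-frequency cosine similarity. CORPUS is constructed sample data.
"""
import math
import re
from collections import Counter

CORPUS = {  # constructed stand-ins for files recovered from an image
    "mail/0001.eml": "Wire the payment to the offshore account by Friday. Invoice attached.",
    "mail/0002.eml": "Lunch on Friday? The new cafe near the office has good coffee.",
    "docs/budget.txt": "Third-quarter budget: payment schedule for vendors, offshore holding fees.",
    "docs/recipe.txt": "Coffee cake recipe: butter, sugar, flour, coffee.",
    "chat/log.txt": "move the money through the offshore shell before the audit",
}

TOKEN = re.compile(r"[a-z]+")
STOPWORDS = {"the", "a", "an", "to", "of", "on", "by", "for", "and", "has", "in"}


def grep(corpus: dict, pattern: str) -> list:
    """Return (path, line) for every line matching the regex, like grep -i."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(path, line) for path, text in corpus.items()
            for line in text.splitlines() if rx.search(line)]


def vectorize(text: str) -> Counter:
    """Bag of lower-cased word tokens with stopwords dropped, so that 'the'
    does not make unrelated lines look similar."""
    return Counter(t for t in TOKEN.findall(text.lower()) if t not in STOPWORDS)


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def rank_with_feedback(hits: list, interesting: list) -> list:
    """Order hits by similarity to the centroid of the investigator-marked
    hits. Each round of feedback moves the centroid, so the ranking
    improves as more results are categorized."""
    if not interesting:
        return list(hits)
    centroid = Counter()
    for _, line in interesting:
        centroid.update(vectorize(line))
    scored = [(cosine(vectorize(line), centroid), path, line) for path, line in hits]
    scored.sort(key=lambda s: (-s[0], s[1]))  # best score first, path breaks ties
    return [(path, line) for _, path, line in scored]


def demo() -> list:
    hits = grep(CORPUS, r"offshore|friday|coffee")
    # Investigator flags the chat line and the first email as relevant to the fraud case.
    interesting = [h for h in hits if h[0] in ("chat/log.txt", "mail/0001.eml")]
    return [path for path, _ in rank_with_feedback(hits, interesting)]


if __name__ == "__main__":
    for path in demo():
        print(path)
```

All five files match the regex, so grep alone gives no ordering; after two hits are marked, the budget document (which shares "payment" and "offshore" with the marked lines) moves ahead of the lunch email and the recipe, which matched only on "Friday" and "coffee".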

Present evidence

Prosecution:
•Explain the importance of the data to the prosecuting attorney before court (provide an analogy)
•Prepare a statement presenting the evidence in a technically accessible manner
•Points to prove (specific to each criminal act)
•Interpret the data (static vs. dynamic IPs)
•Show the timeline
•Make recommendations about the digital evidence


Digital Forensics Tools

Commercial packages
•EnCase
•Forensic Toolkit (FTK)

Open source software
•The Sleuth Kit libraries
•Autopsy GUI

Digital Forensics Tools: EnCase Forensic (Guidance Software)

•Industry-standard software
•Mobile/cybersecurity/eDiscovery
•EnScript scripting language requires programming experience
•Evidence file format (E01) widely accepted in court
•Extensive training program

Digital Forensics Tools: Forensic Toolkit (FTK) (AccessData)

•Memory analysis
•Custom tablet for mobile phone acquisition
•Built-in decryption and password cracking
•Email analysis
•Built for distributed analysis

Digital Forensics Tools: The Sleuth Kit (open source)

•C libraries for forensic investigation
•"Autopsy" GUI
•Hadoop framework for large data sets
•Online wiki and training available
•Libraries can be used in automated forensics tasks
•Uses an SQLite database

Network Forensics

Information gathering
•Vulnerability assessment
•Network bottlenecks
•Network usage profiling

Legal evidence
•Monitoring networks for illegal activity
•Gathering evidence of illegal file transfer
•Monitoring communications

Intrusion detection
•Hax0rs!
•Only information remaining if log files are deleted

Information gathering

•Assess and improve the usage of your network
•Test your network to find vulnerabilities before someone else does
  •Penetration testing

Legal evidence

•Monitor communications, chat forums, email, VoIP for illegal or suspicious activities
•Gather evidence of illegal file transfer such as copyright infringement or child pornography
•Monitoring networks for signs of espionage

"Federal networks have been thoroughly penetrated by foreign spies, and current perimeter-based defenses that attempt to curb intrusions are outdated and futile"
- director of Information Systems Analysis Center, Sandia National Laboratories

Need for Intrusion Detection

Network intrusion can cost lots of money
•PlayStation Network breach cost Sony $171m

Industrial espionage can cost companies their competitive advantage
•"Every major company in the United States has already been penetrated by China." - Richard Clarke, Counterterrorism Czar

Intrusion detection

Honeypots
•Systems set up as targets for intruders
•Monitor what an intruder does
•Attempt to identify the intruder

Tampering detection
•Monitoring the integrity of log files and system files
•Alert the administrator when critical files are changed

Intrusion detection

Outbound packet inspection
•Outgoing firewall that inspects all outbound communications
•Takes a man-in-the-middle position (an inspecting proxy presenting a certificate the clients trust) to decrypt and examine encrypted communications

Network mapping
•Examine and identify all hosts on a network to guard against rogue access
•Determine which hosts offer what services and why

Network Forensics Tools

Wireshark/Snort (ethical/unethical uses)
•"Sniff" all TCP/IP packets on a network (Wireshark for capture and decoding, Snort for rule-based intrusion detection)
•Make a record of suspicious/all packets
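What "sniff and record suspicious packets" means once the tool has the raw bytes is shown by the added example below. It is not code from Wireshark or Snort: it decodes constructed Ethernet/IPv4/TCP frames with the standard library, applies one Snort-like rule (a connection attempt from outside the internal range to a watched port), and records a line per hit. The watched ports, the internal range and the sample traffic are all hypothetical.

```python
"""Decode raw Ethernet/IPv4/TCP frames and record the ones matching a rule.

Added example for this page, not code from Wireshark or Snort. It shows what
a sniffer does once it has the bytes: parse the headers, apply a rule, log a
hit. CAPTURE is constructed inline; a real run would read a pcap or a raw
socket. WATCHED_PORTS and the internal range are hypothetical policy.
"""
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
WATCHED_PORTS = {23, 3389}  # telnet and RDP: never expected from outside


def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal frame for the sample capture (checksums left 0)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Return header fields for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", ip, ihl)
    flags = off_flags & 0x01FF
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport, "flags": flags,
        # SYN without ACK is a connection attempt, not the reply to one
        "syn_only": (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN,
    }


def suspicious(pkt: dict, internal: ipaddress.IPv4Network):
    """Rule: a connection attempt from outside the internal range to a watched port."""
    if (ipaddress.IPv4Address(pkt["src"]) not in internal
            and pkt["dport"] in WATCHED_PORTS and pkt["syn_only"]):
        return f"external SYN to watched port {pkt['dport']}"
    return None


def sniff(frames, internal="10.0.0.0/8") -> list:
    """Parse every frame and keep one record line for each one the rule flags."""
    net = ipaddress.IPv4Network(internal)
    record = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        reason = suspicious(pkt, net)
        if reason:
            record.append(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} {reason}")
    return record


CAPTURE = [  # constructed sample traffic
    build_frame("10.0.0.5", "10.0.0.9", 51000, 443, TCP_SYN),                # internal HTTPS, fine
    build_frame("203.0.113.7", "10.0.0.9", 40000, 3389, TCP_SYN),            # external RDP probe
    build_frame("203.0.113.7", "10.0.0.9", 40001, 23, TCP_SYN),              # external telnet probe
    build_frame("10.0.0.9", "203.0.113.7", 3389, 40000, TCP_SYN | TCP_ACK),  # reply, not a probe
    bytes(12) + struct.pack("!H", 0x86DD) + bytes(40),                       # IPv6 frame, skipped
]

if __name__ == "__main__":
    for line in sniff(CAPTURE):
        print(line)
```

The two external probes are recorded; the internal HTTPS connection and the SYN/ACK reply are not, and the IPv6 frame is skipped rather than misparsed because the parser checks the EtherType and lengths before reading fields.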

Nmap
•Map a network
•Determine what services are available and being used

Honeypots/Honeyd
•Creates virtual hosts on a network
•Designed to lure intruders and track their activities

Network Forensics Tools

Metasploit (ethics?)
•Test known exploits against a network
•Use existing components to write exploits

Sqlmap/sqlninja (ethics?)
•Penetration testing for SQL injection attacks
•Take over back-end databases

Aircrack (ethics?)
•WEP key recovery and WPA/WPA2-PSK cracking (dictionary attack on a captured handshake)

Tripwire/AIDE
•Monitor key files and directories for changes
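The added example below shows the Tripwire/AIDE idea end to end; it is not Tripwire's or AIDE's own code. It builds a small constructed directory tree in a temporary directory, records size, permission bits and SHA-256 for every regular file, simulates an intruder clearing a log, flipping a setting without changing the file size, and dropping a preload library, then reports what changed. The file names and contents are constructed sample data.

```python
"""Tripwire/AIDE-style file integrity check: snapshot a tree, then diff it.

Added example for this page, not Tripwire's or AIDE's own code. It builds a
small constructed directory tree in a temp dir, snapshots size, mode and
SHA-256 for every regular file, simulates tampering, and reports what
changed. Real deployments store the baseline off-host so it cannot be
rewritten along with the files.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> (size, mode, sha256) for each regular file under root.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, st.st_mode & 0o777, sha256_file(full))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths. A same-size edit still shows up
    because the digest differs; a chmod shows up through the mode bits."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    def write(root, rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    with tempfile.TemporaryDirectory() as root:
        # Constructed "system": two config files and one log.
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write(root, "etc/ssh_config", b"PermitRootLogin no\n")
        write(root, "var/log/auth.log", b"Failed password for root from 203.0.113.7\n")
        baseline = snapshot(root)

        # Simulated intrusion: clear the log, flip a setting without changing
        # the file size, and drop a preload backdoor.
        write(root, "var/log/auth.log", b"")
        write(root, "etc/ssh_config", b"PermitRootLogin yes")  # 19 bytes, same as before
        write(root, "etc/ld.so.preload", b"/tmp/evil.so\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A size- or mtime-only check would miss the ssh_config edit; the digest catches it. The untouched etc/passwd is absent from every list, which is what an administrator wants to see from a clean host.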


End of Presentation

Digital Forensics: A growing field for computer scientists in law enforcement.

Questions:
1) Criminal forensics?
2) Network forensics?
3) Forensic tools?

References

Halboob, W.; Abulaish, M.; Alghathbar, K.S., "Quaternary privacy-levels preservation in computer forensics investigation process," Internet Technology and Secured Transactions (ICITST), 2011 International Conference for, pp. 777-782, 11-14 Dec. 2011.
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=6148437&isnumber=6148349

CPP! Dan Manson; Anna Carlin; Steve Ramos; Alain Gyger; Matthew Kaufman; Jeremy Treichelt, "Is the Open Way a Better Way? Digital Forensics Using Open Source Tools," System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on, pp. 266b, Jan. 2007. doi: 10.1109/HICSS.2007.301
URL: http://0ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=4076922&isnumber=4076362
