Computer forensic 101 - OWASP Khartoum


An introduction to the computer forensics field: some information about the field, some demos, how to be a forensic expert, the forensics steps, the dark side of forensics, and a lot more great information.

Transcript of Computer forensic 101 - OWASP Khartoum

  • 1. Ahmed [email protected] Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. owasp.org/index.php/Khartoum

  • 2. Computer Forensic 101: The Art of Hunting Tigers.
  • 3. (no text)
  • 4. Bio: Network student at SUST-CSIT. I have been a programmer for more than 4 years. I spend all my time reading or developing programs.
  • 5. (no text)
  • 6. What is Forensics? Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
  • 7. Goal of Computer Forensics: The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
  • 8. (no text)
  • 9. Simply, It Means: Computer forensic experts have to handle computer devices or storage media, keep them safe, analyze those devices and try to get any information that can help in the case they are working on.
  • 10. But One Thing: One SO important thing... No personal feelings or opinions. You cannot hide information to protect someone, because you will get... well, you know what I mean.
  • 11. Keep This In Mind: Every hacking attempt has a weak point that can lead the hacker to jail.
  • 12. Forensics in the News...
  • 13. (no text)
  • 14. (no text)
  • 15. (no text)
  • 16. Critical Incident Response Team (CIRT)
  • 17. What is a CIRT? A CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from.
  • 18. Who are the CIRT members? It is usually comprised of members from within the company. They must be people who can drop what they're doing (or re-delegate their duties) and have the authority to make decisions and take actions.
  • 19. CIRT Members:
    - Management.
    - Information Security.
    - IT.
    - IT Auditor.
    - Security.
    - Human Resources.
    - Public Relations.
  • 20. Role of the Investigator: Impartiality. It is not our job to make decisions about cases; we just offer the facts of the case.
  • 21. Role of the Investigator: Must ensure all evidence is properly acquired, handled and documented.
  • 22. Role of the Investigator: Do the investigation and analysis of all evidence.
  • 23. Role of the Investigator: Report all findings and maybe testify in a court of law.
  • 24. As a forensic expert you may go to court.
  • 25. Skills Needed.
  • 26. Technical Skills:
    - Basic computer maintenance and networking skills.
    - Know laws and criminal procedures.
    - Know network security well.
    - Know investigation techniques.
    - Know multiple OSs.
    - Know forensic tools very well.
  • 27. Presentation Skills:
    - Ability to write reports in a clear manner and an acceptable format.
    - Ability to translate highly technical words into simple non-technical words.
    - Ability to speak well in a public forum.
  • 28. Good speaker? You will do a great job at court.
  • 29. Why do companies have different ways to do forensics?
  • 30. Perfect policy!!!
  • 31. How To Be a Forensic Expert?
  • 32. How To Be a Forensic Expert?
  • 33. How To Be a Forensic Expert?
    - You need to learn computer maintenance, computer security, network security.
    - You need strong self-confidence.
  • 34. How To Be a Forensic Expert? You can take some certificates:
    - Forensics Certs: Certified Computer Examiner (CCE)
    - IT Certs: Certified Hacking Forensic Investigator (CHFI)
    - IT Certs: Certified Forensic Computer Examiner (CFCE)
  • 35. (continued)
    - IT Certs: GIAC Certified Forensic Analyst and Forensics Examiner
    - Forensics Certs: Professional Certified Investigator (PCI)
    - EnCase Certified Examiner
    - AccessData Certified Examiner.
  • 36. Sites To Learn From...
    - ForensicFocus: the place for you.
    - computer-forensics.sans.org: who doesn't know SANS?
    - Google: our best friend.
    - DefCon: the top conference for hackers... and forensic men too.
  • 37. (no text)
  • 38. How To Build Your Forensic Lab?
  • 39. Commercial Tools (High Cost):
    - EnCase.
    - AccessData Forensic Toolkit (FTK).
    - DriveSpy.
    - Paraben.
  • 40. Free Tools ^_^
    - Linux dd.
    - Autopsy.
    - The Sleuth Kit.
    - Helix.
    - Forensic Incident Response Environment.
    - Knoppix.
  • 41. Linux Distributions for Forensics
  • 42. Linux Distributions for Forensics:
    - CAINE (Computer Aided Investigative Environment).
    - DEFT.
    - Helix 3.
  • 43. Forensics Steps
  • 44. Forensics Steps: Obtain authorization to search and seize.
  • 45. Forensics Steps: Secure the area, which may be a crime scene.
  • 46. Forensics Steps: Document the chain of custody of every item that was seized.
  • 47. Forensics Steps: Bag, tag, and safely transport the equipment and e-evidence.
  • 48. Forensics Steps: Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
  • 49. Forensics Steps: Keep the original material in a safe, secured location.
  • 50. Forensics Steps: Design your review strategy for the e-evidence, including lists of keywords and search terms.
  • 51. Forensics Steps: Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
  • 52. Forensics Steps: Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
  • 53. Forensics Steps: Describe your analysis and findings in an easy-to-understand and clearly written report.
  • 54. Forensics Steps: Give testimony under oath in a deposition or courtroom.
  • 55. Disk Imaging: The operation of making an exact copy of a computer's hard drive.
  • 56. Disk Imaging: The copy includes all the partition information, boot sectors, the file allocation table, the operating system installation and the application software.
  • 57. Disk Imaging: Disk images are used to copy a hard drive's contents during an investigation, and to restore a hard drive's contents during disaster recovery or when a hard drive is erased.
  • 58. Disk Imaging Tools:
    - dd: a Linux tool.
    - FTK Imager: a Windows-based tool.
  • 59. Log File Analysis: A very important part of the investigation; it can reveal attempts to hack some devices, access to unauthorized data, etc.
  • 60. Log File Analysis: We can analyze a lot of log files, like:
    - Windows event log
    - Security events log
    - Application events log
    - Firewall events log.
  • 61. Forensic Experts!!
  • 62. The Dark Side!!!
  • 63. The Dark Side!!! Doing computer forensics for any amount of time in your life changes you. It damages you. It makes you unfit to be around others in decent company, because you have to mentally screen absolutely everything you say in fear of drawing looks of horror or disgust from the good people around you.
  • 64. The Dark Side: For forty hours a week, a computer forensic examiner is exposed to the worst that the world has to offer: child pornography, beheadings, torture, rape, all in high-resolution photo or video formats.
  • 65. The Dark Side: In fact, people in the business have found that for general criminal computer forensic examiners there is a two-year time limit before your soul dies.
  • 66. The Dark Side: Around that time, every examiner either has built up enough of a callus that he/she can continue forever, or that examiner pushes the chair away from the desk, stands up, and says, "I can't do this anymore."
  • 67. The Dark Side: Being exposed to this kind of daily horror changes you. I'm not asking for sympathy; I think paramedics or police officers have it worse.
  • 68. OWASP Forensic Guide: OWASP is working on a massive document covering all aspects of forensic work. Not yet out. Coming soon.
  • 69. After All... Why Be a Forensic Expert? Three of the top coolest security jobs are related to forensics.
  • 70. After All... Why Be a Forensic Expert? It pays well, thousands of dollars, if you have leveled up to the expert stage of the science.
  • 71. After All... Why Be a Forensic Expert? Most important... No social life. Of course I am joking...
  • 72. Questions???!!
  • 73. I hope this was entertaining.
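The acquisition part of the forensics steps on the slides (acquire with a forensically sound tool such as dd, keep the original untouched, analyze only the image, document the chain of custody) carried through in code. This is an added example, not code from the deck or from OWASP: it emulates dd's block-by-block copy in Python, hashes source and image with SHA-256 so the copy can be proven bit-for-bit identical, and appends a chain-of-custody entry as a JSON line. The file names, the examiner id, the block size and the contents of the sample "seized disk" are constructed assumptions.

```python
"""Forensically sound acquisition of a drive into an image file, modelled on
the dd + hash workflow the slides describe. Added example; not part of the
OWASP Khartoum deck. All names and sample data are constructed."""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: read/write block size, like dd's bs=


def _sha256_file(path, block_size=BLOCK_SIZE):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, block_size=BLOCK_SIZE):
    """Copy `source` to `image` block by block. The source is opened read-only
    and hashed as it is read (the only time the original is touched); the
    written image is then re-hashed. `verified` is True only when both
    digests agree, i.e. the image is a bit-for-bit copy of the source."""
    source_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            source_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    image_hash = _sha256_file(image, block_size)
    return {
        "source": source,
        "image": image,
        "bytes": total,
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": source_hash.hexdigest() == image_hash,
    }


def verify_image(image, expected_sha256):
    """Re-hash an image later (e.g. before analysis) and compare it with the
    digest recorded at acquisition; any change in between is detected."""
    return _sha256_file(image) == expected_sha256


def append_custody_entry(log_path, examiner, action, record):
    """Append one chain-of-custody entry as a JSON line: who did what, when,
    and the digests that tie the entry to a specific artifact."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        **record,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def make_sample_device(path, size=64 * 1024):
    """Constructed stand-in for a seized drive: deterministic pseudo-random
    contents with a 0x55AA boot-sector signature at the end of sector 0."""
    rng = random.Random(1234)
    data = bytearray(rng.getrandbits(8) for _ in range(size))
    data[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo(workdir=None):
    """Acquire the sample device, log the custody entry, then show that a
    later modification of the working copy is caught by re-verification."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    device = make_sample_device(os.path.join(workdir, "seized_disk.bin"))
    image = os.path.join(workdir, "seized_disk.dd")
    custody = os.path.join(workdir, "chain_of_custody.jsonl")
    rec = acquire_image(device, image)
    append_custody_entry(custody, "examiner-01", "acquired image", rec)
    ok_before = verify_image(image, rec["image_sha256"])
    # Simulate an unintended write to the working copy (flip one byte); the
    # next verification must fail, which is why analysis runs on a copy whose
    # digest was recorded, never on the original.
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image, rec["image_sha256"])
    with open(custody) as log:
        custody_lines = log.read().splitlines()
    return rec, ok_before, ok_after, custody_lines


if __name__ == "__main__":
    rec, before, after, lines = demo()
    print(json.dumps(rec, indent=2))
    print("verify before tamper:", before, "after tamper:", after)
```

Against a real device you would point `acquire_image` at the block device node, opened read-only exactly as here (or better, behind a hardware write blocker), and record the digests on the evidence bag and in the report; the JSON-lines log is a stand-in for whatever custody form the lab uses.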
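The log file analysis slides say logs can reveal attempts to hack devices and access to unauthorized data, without showing what that looks like in practice. The following added example (not from the deck or OWASP) runs two simple detections over constructed authentication and firewall log lines: a burst of failed logins followed by a success from the same source, and one source being denied on many destination ports of one host within a short window. The key=value line format, the field names, the thresholds and the sample entries are all assumptions; the IP addresses come from documentation ranges.

```python
"""Log file analysis over constructed authentication and firewall log lines.
Added example for the OWASP Khartoum deck; the line format is an assumed
simple key=value layout, not any product's real log syntax."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+)(?P<fields>(?: \w+=\S+)*)$"
)

# Constructed sample log (not a real capture). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; timestamps are UTC.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd auth_fail user=root src=203.0.113.5
2024-03-01T10:00:03Z sshd auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:04Z sshd auth_fail user=backup src=203.0.113.5
2024-03-01T10:00:06Z sshd auth_fail user=oracle src=203.0.113.5
2024-03-01T10:00:09Z sshd auth_ok user=backup src=203.0.113.5
2024-03-01T10:05:00Z sshd auth_fail user=alice src=198.51.100.7
2024-03-01T10:06:00Z sshd auth_ok user=alice src=198.51.100.7
2024-03-01T10:10:00Z fw deny src=203.0.113.9 dst=10.0.0.4 dport=22
2024-03-01T10:10:00Z fw deny src=203.0.113.9 dst=10.0.0.4 dport=23
2024-03-01T10:10:01Z fw deny src=203.0.113.9 dst=10.0.0.4 dport=80
2024-03-01T10:10:01Z fw deny src=203.0.113.9 dst=10.0.0.4 dport=443
2024-03-01T10:10:02Z fw deny src=203.0.113.9 dst=10.0.0.4 dport=3389
2024-03-01T10:11:00Z fw deny src=198.51.100.7 dst=10.0.0.4 dport=445
"""


def parse_line(line):
    """Parse one line into a dict, or return None for a malformed line
    (the analysis skips it rather than guessing fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "source": m.group("source"),
        "event": m.group("event"),
        **fields,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a source IP that accumulates `threshold` auth failures inside
    `window` and then logs in successfully; the success after a burst of
    failures is what separates a guessed password from a mistyped one."""
    failures = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "sshd":
            continue
        src = e["src"]
        if e["event"] == "auth_fail":
            failures[src].append(e["ts"])
        elif e["event"] == "auth_ok":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src": src, "user": e["user"],
                                 "failures": len(recent),
                                 "success_at": e["ts"]})
            failures[src].clear()
    return findings


def find_port_sweeps(events, min_ports=4, window=timedelta(minutes=1)):
    """Flag a source denied on `min_ports` distinct destination ports of one
    host within `window`; a wide spread of ports is the mark of probing
    rather than of a single misconfigured client."""
    per_pair = defaultdict(list)
    for e in events:
        if e["source"] == "fw" and e["event"] == "deny":
            per_pair[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))
    findings = []
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst,
                                 "ports": sorted(ports)})
                break
    return findings


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"bruteforce": find_bruteforce(events),
            "port_sweeps": find_port_sweeps(events)}


if __name__ == "__main__":
    for kind, items in analyze().items():
        for finding in items:
            print(kind, finding)
```

On the sample data the first detection flags 203.0.113.5 (four failures, then a successful login as `backup`) and not 198.51.100.7 (one failure, then success), and the second flags 203.0.113.9 for five ports in two seconds. Real Windows security or firewall logs need their own parser in place of `LINE_RE`, but the two rules themselves carry over unchanged.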