intro to forensics

n|u Pardhasaradhi.ch

Transcript of intro to forensics

Page 1: intro to forensics


Page 2: intro to forensics

Computer Forensics:

• It is the application of computer investigation and analysis techniques to gather evidence

• It is also called cyber forensics

Goal:

• The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.


Page 3: intro to forensics


Stages in the digital investigation process:

• Preparation

• Search and seizure

• Acquisition and authentication

• Case storage and archival

• Analysis and reporting


Page 4: intro to forensics

Rules of computer forensics:

• Rule 1: Never mishandle evidence

Ex: Chain of custody, asset tags, crime scene details

• Rule 2: Never trust the subject operating system

Ex: Avoid live forensics, use drive encryption, check the hash value against the image


Page 5: intro to forensics


• Rule 3: Never work on original evidence

Ex: Create a bit-stream copy; do not access the file system during imaging

• Rule 4: Document everything

Ex: Document any errors that occur while imaging; if errors arise while imaging, take another copy
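The bit-stream copy, the logging of read errors and the hash check that Rules 2 to 4 describe, as an added Python example that is not part of the original slides (the 512-byte sector size, the in-memory drive stand-in and the injected unreadable sector are assumptions):

```python
import hashlib
import io

SECTOR = 512  # assumed block size for the bit-stream copy (like dd bs=512)

# Constructed stand-in for an evidence drive: 8 sectors of deterministic bytes
DATA = bytes((i * 37 + 11) % 256 for i in range(8 * SECTOR))


class EvidenceDrive(io.BytesIO):
    """Read-only view of the drive; optionally fails on one sector like a bad block."""

    def __init__(self, data, bad_sector=None):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, n=-1):
        if self.tell() // SECTOR == self.bad_sector:
            raise OSError("unreadable sector %d" % self.bad_sector)
        return super().read(n)


def image_device(dev, size, log):
    """Sector-by-sector copy; an unreadable sector is zero-filled and logged
    (what dd conv=noerror,sync does). Nothing is ever written back to dev."""
    out = bytearray()
    for sector in range(size // SECTOR):  # size is assumed to be sector-aligned
        dev.seek(sector * SECTOR)
        try:
            chunk = dev.read(SECTOR)
        except OSError as err:
            log.append("sector %d: %s (zero-filled)" % (sector, err))
            chunk = b"\x00" * SECTOR
        out += chunk
    return bytes(out)


def acquire(data, bad_sector=None):
    """Image the drive, hash source and image, and report whether they agree."""
    log = []
    image = image_device(EvidenceDrive(data, bad_sector), len(data), log)
    source_hash = hashlib.sha256(data).hexdigest()   # hash recorded at seizure
    image_hash = hashlib.sha256(image).hexdigest()    # hash of the working copy
    return {
        "image": image,
        "errors": log,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }
```

A single unreadable sector makes the image hash differ from the source hash, which is why the error log (Rule 4) has to travel with the image.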


Page 6: intro to forensics


Clone vs. image:

Clone:

To copy or replicate the entire contents of a hard disk drive by creating an image of the hard disk drive. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups.

Ex: Symantec Ghost

Image:

Some of the image types are dd, E01, SMART, AD1, ISO, NRG

Images are a locked format; these are easy to carry

A clone is used to execute the images


Page 7: intro to forensics


Software Forensic Hub

AccessData:

• FTK Imager

• Password Recovery Toolkit

• Registry Viewer

• Forensic Toolkit

MAC times:

• Modified

• Accessed

• Created


Page 8: intro to forensics

• Stego Suite

• Mount Image Pro

• Ultimate Forensics Toolkit

• Elcomsoft

• Helix

• dd for Linux

Page 9: intro to forensics


Hardware Forensic Hub:

Devices used for forensics

• Shadow device: as an investigative tool, boot the suspect client and connect to their network

• Write blocker: allows read commands to pass but blocks write commands

• Faraday bag: a product designed for electronic items, which it isolates from networks


Page 10: intro to forensics

WDE

• Whole disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Full disk encryption prevents unauthorized access to data storage.

Ex: TrueCrypt

Drive wiper

• Wipe all data off two drives at up to 8 GB per minute

• Automatically unlocks and wipes Host Protected Areas

• Cut your drive wiping time in half

• Very lightweight: less than a pound, plus the laptop-style power supply

• Simple, fast, portable data destruction


Page 11: intro to forensics


Steganography

Steganography is the process of hiding a secret message within an ordinary message and extracting it at its destination.

Page 12: intro to forensics

Alternate Data Streams (NTFS)

The New Technology File System allows for Alternate Data Streams: one file can be a link to multiple alternate data streams of files of any size.

Page 13: intro to forensics

Importance of Windows files

• SAM (SYSTEM32\CONFIG): user names and user information such as last logon count and last login time

• NTLDR: NTLDR displays the versions of operating systems in a boot menu and waits a specified number of seconds before loading the first in the list

• SYSTEM: this file helps us to know details regarding connected USB devices and the exact timestamps of drive operations performed

• index: this file stores all internet-related data: cookies, recent history

Page 14: intro to forensics

Making a report for a forensic case

• Executive summary

• Detailed activity log

• Proof of process

• Forensic image processing

• Restoration and verification of images

• Document evidence discovered during analysis


Page 15: intro to forensics


Terminology used

• File slack

The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack".

• Data carving

Data carving or file carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing.

Memory carving is a useful tool for analysing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.

• Cluster

Storage of data in fixed-length blocks of bytes called clusters. Clusters are essentially groupings of sectors which are used to allocate the data storage area.
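File slack arithmetic and header-footer file carving from the terminology above, as an added Python example that is not part of the original slides (the 512-byte sector, the 4 KiB cluster, the JPEG signatures and the constructed unallocated-space buffer are assumptions):

```python
SECTOR = 512          # bytes per sector (assumed)
CLUSTER = 8 * SECTOR  # 4 KiB clusters, the usual NTFS default (assumed)


def slack(file_size, cluster=CLUSTER, sector=SECTOR):
    """Return (clusters_allocated, ram_slack, drive_slack, total_slack) for a file.
    RAM slack is the unused tail of the last written sector; drive slack is the
    untouched sectors between that sector and the end of the last cluster."""
    if file_size == 0:
        return 0, 0, 0, 0
    clusters = -(-file_size // cluster)   # ceiling division
    ram = (-file_size) % sector           # bytes left in the last used sector
    total = clusters * cluster - file_size
    return clusters, ram, total - ram, total


# JPEG start-of-image / end-of-image markers used for simple header-footer carving
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def carve_jpegs(raw, max_size=1 << 20):
    """Header-footer carver: return (offset, data, complete) for each JPEG-shaped run
    in raw. No directory entry is needed, which is the point of file carving; a run
    with no footer within max_size is returned as a truncated (complete=False) hit."""
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end < 0:
            found.append((start, raw[start:start + max_size], False))
            pos = start + len(JPEG_HEADER)
        else:
            found.append((start, raw[start:end + len(JPEG_FOOTER)], True))
            pos = end + len(JPEG_FOOTER)
    return found


# Constructed "unallocated space": zeros, one whole JPEG-shaped file, zeros, one truncated
FAKE_JPEG = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
UNALLOCATED = b"\x00" * 100 + FAKE_JPEG + b"\x00" * 50 + JPEG_HEADER + b"B" * 10
```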

Page 16: intro to forensics

Sites:

AccessData - www.accessdata.com -- ace

LADS - www.heysoft.de

Elcomsoft - www.elcomsoft.com

Helix - www.e-fense.com/helix/

Stego Suite - www.logon-int.com/product.asp

i2 Analyst's Notebook

www.Forensicfocus.com

www.computerforensics1.com

www.forensics.nl

www.blogs.sans.org/computer-forensics/

Page 17: intro to forensics


THANK YOU
