Overview of Digital Forensics - NCSTL Litigators Conf 2012 Giglia.pdf
Overview of Digital Forensics
©2012 Digital Intelligence, Inc. All rights reserved.
NCSTL Training
Charles M. Giglia - Digital Intelligence
August 2012
What is Digital Forensics
• Science for the examination and analysis of digital trace evidence
• Typically conducted “post mortem”
• Live and network forensic collections/exams are increasingly accepted
• Fragility and longevity of digital evidence
Digital Forensics
• Autopsy of the computer
• Not only the what and where, but the who, how and why
• Scientific approach
• Defensible process
• Results in opinion/expert testimony
• Controlled scope
Digital Forensics
• Identification
• Preservation
• Recovery
• Reconstruction
• Analysis / Interpretation
Digital Evidence
• Digital evidence is likely present in every case
• Computers
• Cell phones - smart phones - iStuff
• Telephones
• Automobiles
• Copy machines
• Refrigerators
• Etc.
Forensic Methods
• Matches other forensic disciplines
• Allows exact duplication of the original evidence
• Involves both data recovery and analysis
• Governed by valid laboratory principles
Seizing Digital Evidence
• Limit access
• Protect the original
• Duplicate to create a “forensic safety net”
• Live forensic analysis is a reasonable option – when necessary
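The “forensic safety net” is a bit-for-bit copy whose hash matches the original, so every later examination can run against the copy and the match can be re-demonstrated in court. The following is an added example, not part of the original slides: it images a constructed evidence file (standing in for a seized drive that would normally sit behind a hardware write blocker), hashes original and copy with SHA-256, and then flips one byte in the copy to show the verification fail. File names and the sample contents are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a multi-terabyte image never has to fit in memory


def sha256_of(path):
    """Hash a file in chunks; the same routine is run over the original and the copy."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_and_verify(source, image):
    """Copy `source` bit-for-bit to `image`, then hash both and compare.

    Returns (verified, source_hash, image_hash). In a real acquisition `source`
    is the seized device behind a hardware write blocker; here it is an ordinary
    file opened read-only, which is the only access this code makes to it.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_hash = sha256_of(source)
    image_hash = sha256_of(image)
    return source_hash == image_hash, source_hash, image_hash


def demo():
    """Constructed evidence: a small file stands in for the suspect's drive.

    Returns (verified_after_imaging, verified_after_tampering): the first is
    True, the second False, which is exactly what the hash is there to show.
    """
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")   # constructed sample name
    image = os.path.join(workdir, "suspect_drive.dd")     # raw image of it
    with open(source, "wb") as f:
        f.write(b"constructed evidence data " * 4000)

    verified, source_hash, image_hash = image_and_verify(source, image)

    # Flip a single byte in the copy: the image hash no longer matches the original.
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"X")
    still_verified = sha256_of(source) == sha256_of(image)
    return verified, still_verified


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Record both hash values in the acquisition notes at the time of imaging; the copy is only a safety net if the original's hash was taken before any analysis touched it.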
Other Forensic Evidence
Recognize that other forms of evidence such as latent prints, questioned documents, DNA or trace evidence may be present and must be preserved.
When to involve a Specialist
• What makes a specialist?
• Earlier is better
• Contaminating the evidence
• Fighting the “fear factor”
• Live evidence
• Network forensics
• Recovering from errors
Processing Digital Evidence
• Examine known files
  • Data elimination/reduction
• Recover erased/deleted files
• Examine slack, unallocated and swap space
• Examine the nature of how the computer was being used
• Link removable media back to the computer
Data Recovery
• Depending on the type of case, the evidence will be found in different areas on the drive
• May require manual reconstruction
Analyzing Digital Evidence
• What does it all mean?
• Written report of findings
• Articulation
• Facts vs. opinion
Current Cases
• Serial killers
• Identity theft
• Cyber stalking
• Child pornography
• Wireless theft
• Economic crimes
Case Application
Cyber Stalking
• 3.4 million cases of stalking per year
• 13% of female college students report stalking
• Approx. 25% of all harassment/stalking cases involve a cyber component
• Social networks, chat rooms, emails, and GPS devices
Cyber Stalking
• Cellphone GPS tracking
• Listening devices
• Vehicle tracking
• Spyware software
Child Pornography
http://www.familysafemedia.com/pornography_statistics.html
Social Networks
• MySpace
• Craigslist
• Pinterest
• Xanga
• Bebo

Social Networks
Specific tools?
Computer Evidence
Where the evidence is
Other Media
• Thumb/flash drives
• CD/DVD/Blu-ray
• Attached storage (wired and wireless)
• Unattached storage – “cloud”
• iPhones and smart phones
• GPS
• Copiers
• Digital cameras
• Portable – tablets, iPod/iPad, MP3 players
Types of Evidence
• Constant change in the evidence
  • Unlike most other physical evidence
• New technologies make it difficult to identify evidence
  • Including unique adaptors and connectors for drives and media
Initial Analysis
• Review active user files
• Review system generated files
  • Log files
• Review Internet activity
  • History
  • Cache
  • Bookmarks
Active File Issues
• File location
  • Common locations: My Documents, Desktop
  • Link files
• Encryption
• Metadata
  • Internal
  • External
Metadata
• Data about the file
• External: path, name, OS dates
• Internal: dates, author(s), title
  • Not all files have internal metadata
  • MS Office – most common
  • EXIF

Metadata
• MS Word
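The two kinds of metadata answer different questions: the external (file-system) dates describe this copy of the file on this drive, while the internal (document) properties describe the document's own editing history and travel with it wherever it is copied. The following is an added example, not from the original slides: it builds a constructed .docx containing only the part a core-properties reader needs (docProps/core.xml, the same part Word writes), then reports both views side by side. The document title, user names and dates in the sample are constructed. EXIF in photographs plays the same internal role and is not shown here.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by Office Open XML core properties (the real ones Word writes).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: author, last editor, revision count and document dates.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q1 budget</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>asmith</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2012-03-01T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2012-03-04T17:42:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx(path):
    """Write a constructed .docx holding only docProps/core.xml (enough for this parser)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)


def external_metadata(path):
    """File-system view: what a directory listing on the examined drive shows."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
    }


def internal_metadata(path):
    """Document view: the core properties embedded inside the file by Word."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "title": text("dc:title"),
        "author": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def demo():
    """Build the sample document and return (external, internal) metadata."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "Q1_budget.docx")  # constructed sample name
    build_sample_docx(path)
    return external_metadata(path), internal_metadata(path)


if __name__ == "__main__":
    external, internal = demo()
    print("External:", external)
    print("Internal:", internal)
```

In the sample the OS “modified” date is the moment the file was written to this disk, while the internal dates are from 2012; that kind of disagreement is normal for a copied document and is exactly why both views belong in the report.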
©2012 Digital Intelligence, Inc. All rights reserved.
Internet Cache
• Internet activity
  • Downloaded content
  • History
  • Bookmarks
  • Passwords
• Web based email
• Online chats
Unallocated Space
• Area of the drive not allocated to active or system files
  • 500 GB drive – 250 GB of files = ~250 GB unallocated space
• When a file is deleted its space becomes part of unallocated space; the content stays there until it is overwritten
• Previously deleted files can be “carved” out
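Carving ignores the file system entirely: it scans the raw bytes of unallocated space for the header and footer signatures of known file types, which is why it recovers files whose directory entries are long gone. The following is an added example, not from the original slides. The “unallocated space” is a constructed byte buffer with the remains of three deleted files embedded in filler; the signatures are the real JPEG, PNG and PDF markers.

```python
# Header/footer signatures. Footers are a heuristic: a fragmented file, or a
# JPEG with an embedded thumbnail (which has its own FFD9), will not carve cleanly.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(raw, signatures=SIGNATURES, max_size=50 * 1024 * 1024):
    """Return [(type, offset, data), ...] for every header/footer pair found in `raw`.

    `max_size` bounds how far past a header the footer is sought, so a header
    whose file was partly overwritten does not swallow the rest of the drive.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: truncated or overwritten remains.
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def build_sample_unallocated():
    """Constructed unallocated space: deterministic filler around three deleted files.

    The filler is every byte value in order, so no signature occurs in it by accident.
    """
    filler = bytes(range(256)) * 8
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"<pixel data>" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"<chunks>" + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n<objects>\n%%EOF"
    return filler + jpeg + filler[:100] + png + filler[:37] + pdf + filler


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_unallocated()):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```

Carved output is evidence of content, not of provenance: a carved file has no name, path or file-system dates, so tying it to a user or a point in time has to come from elsewhere (internal metadata, link files, registry or log entries).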
Unallocated Drive Space
• Raw data
Registry Analysis
� System/software configurations/events
� User preferences / history
�USB Device History
©2012 Digital Intelligence, Inc. All rights reserved.
�USB Device History
�Usernames and Passwords
![Page 35: Overview of Digital Forensics - NCSTL Litigators Conf 2012 Giglia.pdf · What is Digital Forensics Science for the examination and analysis of digital trace evidence Typically conducted](https://reader033.fdocuments.us/reader033/viewer/2022050117/5f4db14f660186021b5598b4/html5/thumbnails/35.jpg)
Hard drive connected via USB
©2012 Digital Intelligence, Inc. All rights reserved.
![Page 36: Overview of Digital Forensics - NCSTL Litigators Conf 2012 Giglia.pdf · What is Digital Forensics Science for the examination and analysis of digital trace evidence Typically conducted](https://reader033.fdocuments.us/reader033/viewer/2022050117/5f4db14f660186021b5598b4/html5/thumbnails/36.jpg)
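The USB device history the slide refers to lives under the SYSTEM hive's Enum\USBSTOR key, where Windows records each mass-storage device it has ever enumerated as vendor/product/revision plus a per-device instance ID. The following is an added example, not from the original slides: it parses a constructed .reg text export of that key into device records and applies one well-known reading rule, that an instance ID whose second character is “&” was generated by Windows because the device reported no serial number. The device names and IDs in the sample are constructed; a real export is UTF-16 and an offline hive names the control set ControlSet001 rather than CurrentControlSet. Timestamps (first/last connection) are not in a .reg export and come from the key's last-write time and setupapi logs.

```python
import re

# Constructed .reg export of the USBSTOR key with three devices.
# Real exports from regedit are UTF-16LE; open those with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC34C5BB50A0000003&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"
"ParentIdPrefix"="7&2a9b2f4&0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0748&Rev_1016\575833314132333631373236&0]
"FriendlyName"="WD My Passport 0748 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

USBSTOR_PATH = ["HKEY_LOCAL_MACHINE", "SYSTEM", "CurrentControlSet", "Enum", "USBSTOR"]
DEVICE_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string values only; dword/hex values are skipped


def parse_usbstor(reg_text):
    """Return one record per USBSTOR instance key found in a .reg text export."""
    devices = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")
            current = None
            # USBSTOR\<Type&Ven_&Prod_&Rev_>\<instance id>: exactly two levels below the key
            if parts[:5] == USBSTOR_PATH and len(parts) == 7:
                m = DEVICE_RE.match(parts[5])
                if not m:
                    continue
                instance_id = parts[6]
                current = {
                    "type": m["type"],
                    "vendor": m["vendor"],
                    "product": m["product"],
                    "revision": m["rev"],
                    "instance_id": instance_id,
                    # '&' as the 2nd character means Windows made the ID up: no device serial.
                    "serial_from_device": not (len(instance_id) > 1 and instance_id[1] == "&"),
                    "values": {},
                }
                devices.append(current)
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg escapes backslashes in string values as "\\"
                current["values"][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return devices


if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_REG):
        origin = "device serial" if dev["serial_from_device"] else "Windows-generated"
        print(f'{dev["vendor"]} {dev["product"]} rev {dev["revision"]}: '
              f'{dev["instance_id"]} ({origin}) {dev["values"].get("FriendlyName", "")}')
```

Linking a seized thumb drive back to a computer means matching the serial printed in the drive's own USB descriptor against the instance IDs recovered this way; a Windows-generated ID only says “a device of this make and model was connected”, not which one.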
Challenges in the Field
• Types of evidence
• Volume of evidence
• Changing laws
• Training and certifications
  • Tool vs. foundational
Questions
Charles M. Giglia
Digital Intelligence, Inc.
17165 W Glendale Dr
New Berlin, WI 53151
email: [email protected]
Phone: 262.782.3332
www.digitalintelligence.com