
Post on 17-Dec-2014


Live and Non-live Forensics

Applied Cyber Forensics

By: Catalyst

Digital Evidence: Searching, Examining, Collecting, Preserving

Live Forensics

What is Live Forensics? Why do we need Live Forensics?

Evidence may reside in RAM [main memory].

A file is in unencrypted form while the suspect is using it.

The paging file could be lost.

Conducting Live Forensics

Three Steps

Retrieval of Volatile Data

Forensic Imaging of a Live System

Evidence Retrieval Using Portable Tools

Retrieval of Volatile Data

Volatile Evidence Retrieval Tool [vertool.exe]

Portable [run from a USB drive].

Creates a folder named Reports.

Reports contains 12 text files:

• Arp.txt

• Boot_configuration.txt

• Driver_list.txt

• Event_triggers.txt

• Exe_ports.txt

• File_associations.txt

• Gp_settings.txt

• Mac.txt

• network_config.txt

• Process_list.txt

• Stats.txt

• System_info.txt

Forensic Imaging of a Live System

The WinHex tool is used.

It allows copying sectors from a disk into an uncompressed, unsplit, raw, header-less image file.

To copy main memory, the ManTech Physical Dump Utility is used.

Evidence Retrieval Using Portable Tools

Tools run from CD-ROM or USB for quick evidence analysis.

AdapterWatch shows: IP addresses, hardware address, WINS servers, DNS servers, MTU value, number of bytes received or sent, current transfer speed, TCP/UDP/ICMP statistics.

Other portable tools:

• CurrPorts, CurrProcess

• Clipboardic

• MyUninstaller, InsideClipboard

• MyLastSearch, NetResView

• MacMatch, MacAddressView

• OpenedFilesView, RecentFileView

Other Live Forensic Tools

Browser forensic tools: ChromeCacheView, ChromePass, IECacheView, IEHistoryView, IECookiesView, IE PassView, MozillaCacheView, MozillaHistoryView, MozillaCookiesView, FavoritesView

Data recovery software: FDRS [Free Data Recovery Software]

• DiskDigger

• WirelessKeyView

• Dialupass

• MessenPass

• Network Password Recovery

• VNCPassView

• Mail PassView

• Encryption Analyzer

Non-Live Forensics

What is Non-Live Forensics?

WinHex is mainly used.

Cloning and imaging: sector-wise, including slack space.

The image created by WinHex should be mathematically authenticated using a suitable hash function [MD5, SHA-256].

We can also split and concatenate the image for ease of storage.

Analyzing for Digital Forensics

The first step is to boot a copy of the evidence image.

Live View: the investigator should first attempt to "boot" the image using it, in a virtual machine environment.

Analyzing for Digital Forensics

X-Ways Forensics

It can automatically create reports.

Case files use the .xfc file extension.

Modus Operandi

1. The "disk drive" of a computer is imaged.

2. The hash value of this image is computed.

3. This image is split into parts so that they can be stored on CDs for easy archival.

4. The parts are later concatenated for analysis. The hash value of the concatenated parts is also computed.

5. The image is then analyzed to recover exe files.

6. Search for suspected files.

7. The free space is gathered.

8. The slack space is gathered.

9. The text in the slack space is recovered.
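As an added illustration of steps 2 to 4 above (this script is not part of the original slides and does not use WinHex), the following Python code hashes an image file, splits it into fixed-size parts, rejoins them and checks that the digest of the rejoined file equals that of the original. The image bytes, part size and file names are constructed for the demo; SHA-256 is the default because it is the stronger of the two hash functions the slides name.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read buffer, so a multi-GB image never sits in RAM at once

def hash_file(path, algo="sha256"):
    """Stream a file through hashlib; algo may be 'md5' or 'sha256' as on the slide."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def split_image(image_path, part_size, out_dir):
    """Cut the image into numbered parts of at most part_size bytes (step 3)."""
    parts = []
    with open(image_path, "rb") as f:
        for idx, block in enumerate(iter(lambda: f.read(part_size), b"")):
            part = Path(out_dir) / f"{Path(image_path).name}.{idx:03d}"
            part.write_bytes(block)
            parts.append(part)
    return parts

def concatenate_parts(parts, out_path):
    """Rejoin the parts in the order given (step 4); a wrong order changes the hash."""
    with open(out_path, "wb") as out:
        for part in parts:
            out.write(Path(part).read_bytes())
    return out_path

def verify_roundtrip(image_path, parts, work_dir, algo="sha256"):
    """Hash the original, rejoin the parts, hash the result; True only if both agree."""
    rejoined = concatenate_parts(parts, Path(work_dir) / "rejoined.dd")
    return hash_file(image_path, algo) == hash_file(rejoined, algo)

def demo():
    """Constructed 5000-byte stand-in for a disk image, split into 2048-byte parts."""
    with tempfile.TemporaryDirectory() as work:
        img = Path(work) / "evidence.dd"
        img.write_bytes(bytes(range(256)) * 19 + b"\x00" * 136)  # 5000 bytes, not real data
        parts = split_image(img, 2048, work)
        intact_ok = verify_roundtrip(img, parts, work)
        data = bytearray(parts[1].read_bytes())  # flip one byte in the middle part
        data[0] ^= 0xFF
        parts[1].write_bytes(data)
        tampered_ok = verify_roundtrip(img, parts, work)  # must now be False
    return len(parts), intact_ok, tampered_ok
```

Calling `demo()` returns `(3, True, False)`: three parts, the intact set verifies, and a single altered byte in any part makes the concatenated image fail the check.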

Analyzing Active Data

Active data? Data that is currently opened.

Active data can be password protected or encrypted.

Methods for password recovery: dictionary attack, brute-force attack.

Latent Data

• deleted files

• memory dumps

• slack space

• swap files

• temporary files

• printer spool files

• metadata

Thank you