subrahmani babu - walidumar.my.id
![Page 1: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/1.jpg)
Introduction to Computer Forensics
Subrahmani Babu, Scientist 'C', Computer Forensic Laboratory
Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Govt of India.
![Page 2: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/2.jpg)
Topics to be Covered
• What is Computer Forensics
• Why it is important to the Organization
• Role of First Responder
• Difference b/w Copying and Imaging
• Types of Evidences
• List free Forensic Tools
• Importance of Write blockers
• Demo (if time available)
![Page 3: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/3.jpg)
Definition
Forensics is derived from the Latin word "Forensis", which means "of or before the forum", as in olden days. It entered the English vocabulary in the 17th century as the term "forensics". (The word forensics means "to bring to the court.")
Source : http://www.computerforensis.com/
![Page 4: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/4.jpg)
Computer Forensics Process
Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.
![Page 5: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/5.jpg)
Stakeholders in CF
• Victim or Criminal
• First Responder (from Law Enforcement)
• Computer Forensics Expert and
• Judiciary
![Page 6: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/6.jpg)
Why it is important
• Legal action against the criminal based on severity of the incident
• To file a case, we have to preserve the evidence
• It should be admissible in the court of law
![Page 7: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/7.jpg)
Role of First Responders
• Identifying the crime scene
• Protecting the crime scene
• Preserve the Digital Evidence (Volatile & Non Volatile evidence)
• Maintain chain of custody form
• Proper packing & transport to Lab
• Document everything (crime scene details, hard disk details, etc.)
![Page 8: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/8.jpg)
Role of Forensic Analyst
• Create required Forensic Images of the original suspected media
• Preserve the original suspected media
• Maintain chain of custody form
• Examination with Forensic Images
• Use Standards & Procedures
• Use Standard Forensic Tools
• Report Findings
![Page 9: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/9.jpg)
What you can expect from the CF Experts?
• Evidence from
  – Deleted Files
  – Unallocated Clusters and slack space
  – Formatted Hard Drives
  – Data Carving and
  – Password recovery
![Page 10: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/10.jpg)
Differences
• Biological Forensics
  – Examinations with original evidence (samples)
• Computer Forensics
  – Examinations with images (duplications) of original evidence
![Page 11: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/11.jpg)
Stages in Computer Forensics
• Identification
• Preservation
• Analysis and
• Report Preparation
![Page 12: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/12.jpg)
Classifications
• Disk Forensics
• Network Forensics
• Handheld Devices Forensics
• Email Forensics
• Registry Forensics
• OS (Windows, Linux) Forensics
• Source Code Forensics
• Browser Forensics
![Page 13: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/13.jpg)
Basic rules
• Never work on original evidence.
• Never mishandle evidence.
• Use proper software utilities to retrieve evidence from the media.
• Document everything while handling the suspected media.
![Page 14: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/14.jpg)
Types of Evidence
• Volatile Evidence
  – Running Processes
  – Active N/W Connections
  – Passwords, Disk Encryption Keys are available
  – Email accounts login passwords
  – Memory resident malware
• Non Volatile Evidence
  – Word Documents
  – Email messages
  – Databases
  – Internet History
  – Registry information
  – Deleted files, Unallocated Clusters, Slack space evidence could be recovered
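The "active N/W connections" item above is the kind of volatile evidence that is gone the moment the machine is powered off. The following is an added example (not part of the original slides) showing how such a table is read and triaged on a Linux host: it parses the /proc/net/tcp layout, decodes the kernel's hex endpoints, flags listeners and sessions to non-internal addresses, and maps a socket inode back to its owning process through /proc/<pid>/fd. The sample table, the internal-address list and the names decode_endpoint, parse_proc_net_tcp, triage, pid_for_inode and collect_live are constructed for this example; the addresses used are documentation ranges standing in for real hosts.

```python
"""Triage of active TCP connections from /proc/net/tcp (Linux) - added example."""
import ipaddress
import os
import socket
import struct

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}

# Address ranges treated as "internal" for triage (RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the exact /proc/net/tcp layout. Row 0: a service listening on
# loopback port 3306; row 1: uid 1000 connected out to 192.0.2.44:443 (a documentation
# address standing in for an internet host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B8A4 2C0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field: str):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the 32-bit address in
    host byte order, so on little-endian hosts (x86) the octets come out reversed."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Turn the raw table into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = decode_endpoint(f[1])
        raddr, rport = decode_endpoint(f[2])
        rows.append({"local": laddr, "lport": lport, "remote": raddr, "rport": rport,
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def triage(rows: list) -> list:
    """What a first responder wants first: listeners, and established sessions
    to addresses outside the internal ranges."""
    findings = []
    for r in rows:
        if r["state"] == "LISTEN":
            findings.append(f"LISTEN {r['local']}:{r['lport']} uid={r['uid']}")
        elif r["state"] == "ESTABLISHED" and not is_internal(r["remote"]):
            findings.append(f"EXTERNAL {r['local']}:{r['lport']} -> {r['remote']}:{r['rport']} "
                            f"uid={r['uid']} inode={r['inode']}")
    return findings


def pid_for_inode(inode: int, proc: str = "/proc"):
    """Map a socket inode to its owning PID: /proc/<pid>/fd/* links read 'socket:[inode]'."""
    if not os.path.isdir(proc):
        return None
    target = f"socket:[{inode}]"
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:        # process exited, or no permission to read its fds
            continue
    return None


def collect_live(path: str = "/proc/net/tcp") -> list:
    """Read the live table when run on the suspect Linux host; empty elsewhere."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read())


if __name__ == "__main__":
    for line in triage(parse_proc_net_tcp(SAMPLE)):
        print(line)
```

Run it on the suspect machine before it is powered down, from a trusted copy of the interpreter on your own media, and record the output (with a hash and timestamp) in the chain-of-custody notes; the same parse also works on a saved copy of /proc/net/tcp taken by a live CD such as Helix. The byte-order comment matters: on a big-endian host the `"<I"` unpack would have to be `"!I"`.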
![Page 15: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/15.jpg)
Free Forensic Tools
• Volatile evidence collection tools
  – Nigilant32, Helix
  – DD (Forensic Acquisition Utilities)
  – FTK Imager
  – WFT (Windows Forensics Toolchest)
  – Memoryze, DD
• Volatile evidence Analysis tools
  – MemParser
  – WMFT
  – Volatility Framework
  – PyFlag
![Page 16: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/16.jpg)
Free Forensic Tools – contd…
• Forensic Imaging Tools
  – True Back from CDAC, TVM
  – DD (Forensic Acquisition Utilities)
  – FTK Imager
  – Helix, DEFT… (more than 15 Forensic Live CDs)
• Analysis tools
  – SIFT from SANS containing 32 tools
  – TSK, Autopsy browser, PTK
  – PyFlag
  » Best site: www.e-evidence.info
![Page 17: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/17.jpg)
DD – Disk Dump
• Available in Linux OS
• Rewritten for Windows (FAU – Forensic Acquisition Utilities)
• Download from this link:
• http://gmgsystemsinc.com/fau/
Syntax:
dd.exe -v if=\\.\F: of=h:\filename.img conv=noerror --chunk 2GiB --localwrt
Here if=\\.\F: is the raw volume device for drive F: (the suspect media), of= is the image file on the destination drive, conv=noerror tells dd to carry on past unreadable sectors instead of aborting (note the affected sectors in the acquisition log), --chunk 2GiB splits the output into 2 GiB pieces and --localwrt permits writing to a local disk. Run it with the suspect media behind a write blocker and hash the result before analysis.
![Page 18: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/18.jpg)
Hardware or Software Acquisition
• Hardware:
  – ImageMaster Solo
  – Logicube Forensic MD5
  – Talon
  – Hardcopy3 from Voom Tech
• Software:
  – Cyber Check Suite
  – EnCase
  – Forensic Toolkit (FTK)
  – SafeBack
  – DriveSpy
  – Paraben
  – DD command : Unix/Linux
![Page 19: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/19.jpg)
Imaging –vs- Copying
Which one is Best?
![Page 20: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/20.jpg)
Copying of Disk
[Figure: file-level copying from the Suspected disk (Source) to a Sterile disk (Target). Files shown: Newfile.doc, Test.doc, Cert-in_trainee.ppt, Search & seizure.pdf. Only the active files are carried over to the target; the deleted files stay behind on the source. MD5: f55573e2a21c4161d1eb45c014646956]
CERT-In, New Delhi
![Page 21: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/21.jpg)
Imaging of the Disk
[Figure: bit-stream imaging from the Suspected disk (Source) to a Sterile disk (Target). Every sector is copied (drawn as strings of 1s and 0s), so the image carries the active files (Newfile.doc, Test.doc, Cert-in_trainee.ppt, Search & seizure.pdf) together with the deleted files. MD5: f55573e2a21c4161d1eb45c014646956]
![Page 22: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/22.jpg)
Is Imaging Always Possible?
• NO – It may sometimes be necessary to access the original machine to recover evidence
• Computer Forensic examiner must be able to explain and demonstrate the methodologies and processes used to acquire evidence
• Findings must be repeatable by an independent 3rd party
![Page 23: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/23.jpg)
Dead versus Live Acquisition
• Dead Acquisition – occurs when the data from the suspect's computer is being copied without the assistance of the suspect's OS.
• Live Acquisition – occurs when the suspect's OS is still running and being used to copy data.
![Page 24: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/24.jpg)
Forensic Image File Formats
• RAW – only contains the data from the source device. Very easy to compare data with the source (e.g. dd images).
• Embedded Image – contains data from the source plus additional descriptive data about the acquisition (e.g. hash values, dates, times). EnCase & FTK are examples.
• Some RAW imaging tools will create descriptive data but this is saved to a separate file.
• Many acquisition tools that create embedded images are proprietary (e.g. EnCase, FTK).
• Most analysis tools will import a RAW image, making this the most flexible format.
![Page 25: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/25.jpg)
Types of Data Acquisition
• Physical copy (entire physical disk) is the preferred method.
• Logical copy (disk partition or volume)
• Data acquisition format (RAW/Compressed)
• Command-line acquisition (low overheads – uses less system resources. May run from floppy disk or thumb drive)
• GUI acquisition
• Remote acquisition (over a network)
• Verification
  – Checksum : CRC32 (catches accidental corruption only; not evidence of integrity on its own)
  – Hashing : MD5, SHA1 (hash the source and the image, record both in the acquisition notes, and re-hash the image before every examination)
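The copying-vs-imaging slides, the dd syntax, the RAW-plus-sidecar image format and the verification step above all come together in the following added example (not code from the original slides or from any of the tools named). It builds a small in-memory "suspect disk" with three live files, one deleted file whose data is still on disk, slack residue in the last sector of a live file, and one unreadable sector; then it performs a logical copy and a sector-by-sector image with conv=noerror,sync semantics, carves by file header, and produces and re-checks the MD5/SHA1 acquisition record. The disk layout, directory table, sector numbers and the function names (build_disk, logical_copy, physical_image, carve, acquisition_record, verify, demo) are constructed for this example; the OLE2 and PDF header bytes are the real signatures of .doc/.ppt and .pdf files.

```python
"""Copying vs imaging on a constructed in-memory disk - added example."""
import hashlib
from datetime import datetime, timezone

SECTOR = 512
DISK_SECTORS = 64
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # real header of .doc/.ppt (OLE2 compound file)
PDF_MAGIC = b"%PDF-"                              # real header of PDF files
BAD_SECTOR = 40                                   # constructed unreadable sector

# Hypothetical directory table (kept out of band, not a real file system layout):
# name -> (first sector, size in bytes); each file occupies consecutive sectors.
ACTIVE_FILES = {
    "Test.doc":            (2, 700),
    "Cert-in_trainee.ppt": (4, 1024),
    "Search&seizure.pdf":  (6, 900),
}
DELETED_FILE_SECTOR = 20   # Newfile.doc: directory entry removed, data still on disk


def build_disk() -> bytearray:
    """Constructed suspect disk: live files, one deleted file, slack residue."""
    disk = bytearray(DISK_SECTORS * SECTOR)

    def put(sector: int, data: bytes) -> None:
        disk[sector * SECTOR: sector * SECTOR + len(data)] = data

    put(2, b"OLD-DRAFT " * 100)                                        # 1000 B of an older file
    put(2, (OLE_MAGIC + b"Test.doc body ").ljust(700, b"T"))          # overwrites only 700 B
    put(4, (OLE_MAGIC + b"Cert-in_trainee.ppt ").ljust(1024, b"P"))
    put(6, (PDF_MAGIC + b"1.4 Search & seizure ").ljust(900, b"S"))
    put(DELETED_FILE_SECTOR, (OLE_MAGIC + b"Newfile.doc DELETED ").ljust(600, b"N"))
    return disk


def read_sector(disk: bytearray, n: int) -> bytes:
    """Sector read; BAD_SECTOR fails the way a dying drive does."""
    if n == BAD_SECTOR:
        raise IOError(f"read error at sector {n}")
    return bytes(disk[n * SECTOR:(n + 1) * SECTOR])


def logical_copy(disk: bytearray) -> dict:
    """What 'copying' does: only the bytes the directory says belong to live files."""
    out = {}
    for name, (first, size) in ACTIVE_FILES.items():
        nsect = -(-size // SECTOR)                                     # ceil division
        data = b"".join(read_sector(disk, first + i) for i in range(nsect))
        out[name] = data[:size]                                        # slack is never copied
    return out


def physical_image(disk: bytearray, noerror: bool = True):
    """What 'imaging' does: every sector in order. With noerror (dd conv=noerror,sync)
    an unreadable sector is zero-filled and logged instead of aborting the acquisition."""
    chunks, bad = [], []
    for n in range(DISK_SECTORS):
        try:
            chunks.append(read_sector(disk, n))
        except IOError:
            if not noerror:
                raise
            bad.append(n)
            chunks.append(b"\x00" * SECTOR)
    return b"".join(chunks), bad


def carve(blob: bytes, magic: bytes) -> list:
    """Header-based carving: every offset at which a file signature occurs."""
    hits, pos = [], blob.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(magic, pos + 1)
    return hits


def acquisition_record(image: bytes, bad: list) -> dict:
    """The descriptive data a RAW imager writes to a sidecar file (EnCase/FTK embed it)."""
    return {"acquired_utc": datetime.now(timezone.utc).isoformat(),
            "sectors": DISK_SECTORS, "sector_size": SECTOR, "bad_sectors": bad,
            "md5": hashlib.md5(image).hexdigest(), "sha1": hashlib.sha1(image).hexdigest()}


def verify(image: bytes, record: dict) -> bool:
    """Re-hash the image (after transport, before analysis) against the record."""
    return (hashlib.md5(image).hexdigest() == record["md5"]
            and hashlib.sha1(image).hexdigest() == record["sha1"])


def demo() -> dict:
    disk = build_disk()
    copied = logical_copy(disk)
    image, bad = physical_image(disk)
    record = acquisition_record(image, bad)
    copied_blob = b"".join(copied.values())
    test_start = ACTIVE_FILES["Test.doc"][0] * SECTOR
    return {"copy_ole_hits": len(carve(copied_blob, OLE_MAGIC)),     # live .doc and .ppt only
            "image_ole_hits": len(carve(image, OLE_MAGIC)),          # plus the deleted Newfile.doc
            "deleted_in_copy": b"Newfile.doc" in copied_blob,
            "deleted_in_image": b"Newfile.doc" in image,
            "residue_in_copy": b"OLD-DRAFT" in copied_blob,
            "slack_of_test_doc": image[test_start + 700: test_start + 1024],
            "bad_sectors": bad, "verified": verify(image, record), "record": record}


if __name__ == "__main__":
    r = demo()
    print("OLE files carved - copy:", r["copy_ole_hits"], "image:", r["image_ole_hits"])
    print("slack residue behind Test.doc:", r["slack_of_test_doc"][:20])
    print("zero-filled sectors:", r["bad_sectors"], "image verified:", r["verified"])
```

Two points the slides make fall out directly: the deleted Newfile.doc and the "OLD-DRAFT" residue in Test.doc's slack are recoverable only from the image, never from the copy; and once a sector has been zero-filled under noerror, the hash of the image is the hash of what was acquired, not of the failing drive, which is exactly why the bad-sector list belongs in the acquisition record next to the MD5/SHA1 values.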
![Page 26: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/26.jpg)
Very Important
• Connect your Suspected Storage Media (Hard Disk, USB Drive, etc.) through a HARDWARE WRITE-BLOCKER
• It avoids unnecessary modification of your media and helps to maintain integrity of the evidence.
• Make sure that Source and Destination media are readily connected to the forensic workstation
• Now you may launch True Back (Forensic Imaging Software)
![Page 27: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/27.jpg)
Write Blockers
S/W Write Blocker
• Software should be enabled prior to connecting the suspected media.
  – Ex: UsbWriteProtect
H/W Write Blocker
• Hardware device
• The suspect media should be connected through this device.
![Page 28: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/28.jpg)
Drive Imaging Hardware
• Forensic mobile field system (MFS)
  – Laptop with NIC
  – Portable workstation
![Page 29: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/29.jpg)
Hard Disk Information
![Page 30: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/30.jpg)
BIOS - Date
![Page 31: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/31.jpg)
IP Address
![Page 32: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/32.jpg)
![Page 33: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/33.jpg)
![Page 34: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/34.jpg)
![Page 35: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/35.jpg)
![Page 36: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/36.jpg)
![Page 37: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/37.jpg)
![Page 38: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/38.jpg)
![Page 39: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/39.jpg)
![Page 40: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/40.jpg)
![Page 41: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/41.jpg)
![Page 42: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/42.jpg)
![Page 43: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/43.jpg)
TOOL BOX
![Page 44: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/44.jpg)
Entire System
![Page 45: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/45.jpg)
CPU -Inside
![Page 46: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/46.jpg)
Rearview - CPU
![Page 47: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/47.jpg)
Primary Memory
![Page 48: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/48.jpg)
Secondary Memory
3.5” HDD, 2.5” HDD, 1.8” HDD, 1” HDD, 0.85” HDD
![Page 49: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/49.jpg)
References
• File System Forensic Analysis by Brian Carrier
• http://www.e-evidence.info
• http://www.blackhat.com
• http://www.sans.org/reading_room/index.php
• http://www.crime-research.org/articles/
• http://geschonneck.com/security/forensics/
• http://www.cerias.purdue.edu/research/forensics/resources.php
• http://www.forensicfocus.com
• http://csrc.nist.gov/publications/nistir/
• http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A8B3F3-94D2-F7E5-D32D97CF1539EBB4.pdf
• http://www.cdactvm.in
• http://www.guidancesoftware.com
![Page 50: Subrahmani Babu - walidumar.my.id](https://reader030.vdocuments.us/reader030/viewer/2022032806/623ec5729b4ad8738b4b206e/html5/thumbnails/50.jpg)
Thanks & Demonstration