Digital Forensics: A Cybersecurity Approach
Hector Rivera, Basiru Mohammed, Michael Marin, Robert Malegiannakis, Ricardo Justiniano
Introduction - What is Digital Forensics?
- Digital forensics defined: the process of recovering and interpreting electronic data, where the main goal is to preserve any evidence in its most original form while performing a structured investigation that identifies, collects and validates the digital information for the purpose of reconstructing past events.
- In this presentation we will examine three parts:
○ Network forensics
○ Mobile forensics
○ USB/Computer forensics
Understanding Mobile Forensics
● Torrents of information are stored on mobile phones
● Smartphones store private and sensitive data
● In several developed countries, users are allowed to do mobile banking
● Phones retrieved cannot be analyzed without a warrant
Phone Generations
● Analog
● PCS
● Third Generation (3G)
● Fourth Generation (4G)
Inside a Mobile Phone
● Microprocessor
● ROM and RAM
● Digital signal processor
● Radio module
● Microphone and speaker
● Hardware interfaces
● LCD display
Basiru speaking
Scenario
Suspect A has been monitored by the internal security and fraud department of a local electronics store because of a large amount of fraudulent gift card activity. The local bank alerted the merchant to questionable transactions, which prompted an internal investigation to prove no liability on the merchant's behalf. In the investigation, surveillance footage of the transactions matched the date/time stamps recorded by the bank. In order to solidify their findings for law enforcement, our team was hired to conduct computer forensics analysis to support them. With documentation provided by both merchant and bank, our team was able to establish a proper investigation and set timelines to secure search warrants for network, mobile and hardware analysis…
Hector speaking
Network Forensics Applied
- Connect to the electronics store's network
- Connect to the bank's network
- Connect to the suspect's home network
- Gathered all information from these network packets using:
- Wireshark
- CloudShark
- NetworkMiner
Robert speaking
Network Forensics Applied (a series of slides showing packet capture screenshots from the tools above; images not reproduced here)
Michael speaking
Network Forensics Wrap-up
1. Pieces of evidence were found using the cyber security tools
2. Enough evidence was found on the network forensics side to prove guilt
3. Wireshark, CloudShark, and NetworkMiner were very useful tools for obtaining evidence relevant to the case
Michael speaking
Mobile Forensics Applied
Acquisition Procedures for Mobile Devices
● Retrieve RAM data before the device loses power
● If a device is found powered off, keep it off
● If it is on, check the display for battery level and keep it charged
● Isolate the phone from all forms of synchronization (network, Bluetooth, cloud sync)
Tools Used
● AccessData FTK Imager
● Forensic Toolkit 1.81
Mobile Forensics Applied
Mobile Phone Brand: LG_600
● Call log of the suspect obtained
● No SMS
● No saved numbers in the address book
Mobile Forensics Applied
The only real image obtained from the suspect's phone.
Mobile Forensics Wrap-up
● Evidence obtained from the suspect's mobile phone corroborates that he was strongly interested in the store
● The highlighted number is the Sales Department help line
● A possible image of an accomplice of the suspect was obtained; to be determined via further investigation
USB/Computer Forensics Applied
Step 1: Preserve the data
● Utilize a write blocker to stop the OS from writing to the evidence drive
● Monitor who had access, when, and why
● Hard drive duplicators to set up a working drive that we can run diagnostics on
● Devices should remain unmounted during the investigation
● FTK Imager to create hashes of the image as it sits, prior to manipulation/investigation of the data
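The hashing step above is what lets an examiner later prove the working copy is bit-identical to the image taken before any analysis. The following is an added example (not the team's FTK Imager workflow or output) of that pattern in Python: hash the image in chunks, store the digests in a small acquisition record alongside the examiner name, and re-verify later. The record file name, the examiner string and the sample image bytes are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read the image 1 MiB at a time so large images fit in memory


def hash_image(image_path, algorithms=("md5", "sha256")):
    """Hash a disk image file with every algorithm in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_acquisition_record(image_path, record_path, examiner):
    """Record the pre-analysis hashes, examiner and UTC timestamp (constructed record format)."""
    record = {
        "image": str(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(image_path),
    }
    Path(record_path).write_text(json.dumps(record, indent=2))
    return record


def verify_image(image_path, record_path):
    """Re-hash the image and compare each digest against the stored record.

    Returns a dict of algorithm -> True/False so a single mismatch is visible
    and the examiner can see which digest disagreed.
    """
    record = json.loads(Path(record_path).read_text())
    current = hash_image(image_path)
    return {name: current[name] == digest for name, digest in record["hashes"].items()}


if __name__ == "__main__":
    # Constructed demo: a tiny stand-in for a disk image.
    demo_dir = Path("demo_evidence")
    demo_dir.mkdir(exist_ok=True)
    image = demo_dir / "evidence.dd"
    record = demo_dir / "evidence.dd.json"
    image.write_bytes(b"\x00" * 4096 + b"case data" + b"\x00" * 4096)
    write_acquisition_record(image, record, examiner="Examiner (placeholder)")
    print(verify_image(image, record))  # every digest should match
```

Writing the record before opening the image in any analysis tool, and re-running verify_image after each session, is what turns "we hashed it" into something that can be shown in the legal arena.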
USB/Computer Forensics Applied
Step 2: Acquiring data
• Live acquisition run at the crime scene while the host was up and running, to avoid data being encrypted
• DiskExplorer - run on the client side, aka the in-house forensic workstation
• HDHOST - run on the client server side, aka the evidence drive, for remote acquisition
● Search for words translated to hex
● Display processes/services that were running when memory was dumped
● Use Hex Workshop
● Open the .mem file from the live acquisition to view files and have full access
USB/Computer Forensics Applied
Step 3: Analyzing data
● Created an index of the drive to make getting to data items much faster
● Search - keywords based on the case we are working on
● Viewed deleted files and restored them
● Use of report generators to build reports that can be used in the legal arena, as well as marking evidence found
• Hex Workshop - useful for checking files that may have been renamed with incorrect extensions to throw off investigators
• Use magic tables to cross-reference the hex code from files; with this info you can change the incorrect file type to the correct one so you can open it
Ricardo speaking
Hex Workshop Results
● We observed a suspicious document, "secret.jpg"
● Ran HexTool on the file to assist with discovery of the original file extension
Ricardo speaking
● Used magic tables to match the file type signature in hex; with this info we can change the incorrect file type to the correct type, enabling us to open its contents
● After discovering the file type was .DOCX, we renamed the file, saved our changes and were able to open it without error
Ricardo speaking
● After opening the file with the newly appended file type, we discovered that the contents of the secret.docx file contained multiple stolen credit card numbers that matched back to our case, along with multiple other credit card numbers that matched back to other reported fraudulent claims
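The magic-table check described in Step 3 and in the Hex Workshop results above can be automated, so that every file on an indexed drive is flagged when its extension disagrees with its leading bytes. The block below is an added example, not the team's Hex Workshop or HexTool procedure. The magic table holds a handful of well-known signatures, and it looks inside a ZIP container for the Office Open XML markers ([Content_Types].xml plus a word/, xl/ or ppt/ folder) so a "secret.jpg" that is really a DOCX is identified as such. The file name, the constructed DOCX-like archive and the alias table are demo assumptions.

```python
import io
import zipfile
from pathlib import Path

# Constructed magic table: leading bytes -> file type. These are the standard
# signatures; the list is deliberately short for the demo.
MAGIC_TABLE = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also the container format for DOCX/XLSX/PPTX
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # legacy OLE2 Office files
}

# Extensions that name the same type as a table entry (demo assumption).
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def _refine_zip(data: bytes) -> str:
    """A ZIP container may be an Office Open XML document; decide by its entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"  # ZIP signature but unreadable structure: treat as plain zip
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        if any(n.startswith("ppt/") for n in names):
            return "pptx"
    return "zip"


def identify_by_magic(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for signature, file_type in MAGIC_TABLE.items():
        if data.startswith(signature):
            return _refine_zip(data) if file_type == "zip" else file_type
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed_type, actual_type, mismatch).

    mismatch is True only when the magic bytes were recognised and disagree
    with the extension, so unknown formats are not reported as renamed files.
    """
    claimed = Path(filename).suffix.lstrip(".").lower()
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    actual = identify_by_magic(data)
    return claimed, actual, actual != "unknown" and claimed != actual


def make_demo_docx() -> bytes:
    """Constructed minimal DOCX-shaped archive for the demo (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed evidence file: a DOCX saved under a .jpg name, as on the slide.
    print(extension_mismatch("secret.jpg", make_demo_docx()))  # ('jpg', 'docx', True)
```

Run over an index of the drive, extension_mismatch gives a shortlist of files worth opening in a hex editor first; the suffix returned in actual_type is the one to rename the file to, exactly as was done with secret.jpg.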
USB/Computer Forensics Wrap-up
We found even more evidence of the reported crime on the suspect's computer.
- Data included a .docx file that contained a large list of stolen credit/gift card numbers
Conclusion
Our Senior Cyber Security Forensics Analysts were able to verify our findings. Ensuring appropriate measures were taken in the proper tagging and handling of the evidence, they were able to present the case on the merchant's behalf to properly submit an arrest warrant through local law enforcement agencies…
Hector speaking