forensics tries to reconstruct and explain activities and
play

forensics tries to reconstruct and explain activities and events - PowerPoint PPT Presentation

Dec 31, 2022 •128 likes •299 views

forensics tries to reconstruct and explain activities and events their actors and participants causes consequences individual forensic procedures in the best case can only provide parts of the puzzle for the whole

  2. forensics tries to reconstruct and explain activities and events ● their actors and participants – causes – consequences – individual forensic procedures ● in the best case can only provide parts of the puzzle – for the whole picture/story ● they need to be put in the right sequence – interpreted in broader context – the legal ramifications of forensic investigation it is important to ● make sure that forensic material cannot be changed (tampered) – after being acquired ● and that this can be proved – therefore we need a well defined procedure(s) ● 2 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  3. • police (court) forensics ▪ have their required, mandatory procedures ▪ scope defined by law • this course teaches generic/general forensics ▪ applicable in industry • therefore it is not based on procedures defined by any law(s) 3 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  4. • reconnaissance of the target system • planning the evidence acquisition • acquisition of evidence material • storing and guarding the material • analysis of the material • reporting • But! ▪ before the beginning ▪ acquire/define the questions you need to give answers to ◦ in written form 4 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  5. • what is it all about – what are we invetigating ▪ disaster, attack, problems , suspicion… • define the scope of the system – what are we going to observe/analyse ▪ computer/device, cluster, system, data, organization, public … • enumerate/list components ▪ servers, workstations, portable devices, phones, other equipment connected with IT components • interview actors and stakeholders ▪ operators, managers, management, users, partners … • gather the documentation ▪ communication system’s blueprints ▪ logic blueprints of information system 5 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  6. • gather as many as possible information ▪ about the subject of investigation • passive gathering • interviews ▪ users ▪ operates ▪ authorized persons ▪ everybody involved • find out ▪ which network resources are used ▪ which communication systems ◦ mail servers ◦ social networks ◦ … 6 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  7. • identify target device/program/data • if this is not possible, than enumerate/list : ▪ computers: servers, users’ ▪ handheld devices ▪ communication equipment ▪ other • identify other target devices • identify other targed data • determine which devices can be turned off • define the sequence of acquisition • ensure the legitimacy of the procedure, authority, support 7 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  8. • remove all persons from the • physically protect physical space except forensics the objects • do not touch anything ▪ for transport • take photos of the scene ▪ for storage ▪ record (in written) ▪ prepare instructions everything that seems important for transport • take photos and document • label every object how things were connected uniquely • seize devices ▪ the very object • take cables too , if they are special ▪ and its packaging ▪ power supplies • prepare all necessary • take media documentation for • do not forget printed documents takeover of evidence ▪ hand written, reminders etc. ▪ and acquire all signatures 8 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  9. • do not turn off devices which are turned on gasite ▪ du not turn on those which are turned off • communication devices which have wireless communication put in Faraday bags • look around the devices ▪ take all gadgets which could be part of the device • if you have to turn the device off ▪ first take the photo of the screen ▪ make a list of active applications, visited web sites, … ◦ if it can be done safely!!! ▪ capture the RAM ▪ take the battery out from portable devices • when detaching cables ▪ label them, make sketches ▪ and take photos 9 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  10. • storage and protection must be according to law • keep separate inventory of stored materials • copy everything that can be copied ▪ analysis should not be done on original evidence material • access to stored evidence material must be under strict surveillance ▪ this pertains to investigator’s notes and reports ▪ keep the access log to stored material • take special care about parts of devices that can be detached ▪ each part should be separately labeled and logged 10 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  11. • acquire the order for analysis ▪ what are we looking for? ▪ which questions do we need to answer? • perform the forensic analysis ▪ but on copies of data • keep precise log ▪ what was investigated ▪ why ▪ who performed investigation ▪ how , with what ▪ what did they find ◦ data ◦ conclusions • prepare data for report 11 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  12. • question or hypothesis • the object (which material ) will be analyzed • which method • Investigation • which tools • Expert • Date • when (from – to) • Place • results • ID of analysis • …. • conclusion/finding • next step - proposal 12 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  13. • who (all) will receive reports & what are their questions • separate report for different recipients ▪ based on gathered documentation and ▪ results of analyses • Important! Forensic expert is not the judge. Does not define the responsibility. ▪ but merely states facts & offers expert interpretation ▪ in ideal case, the forensic expert merely answers the questions • take care about the level of confidentiality ▪ mark confidentiality in appropriate manner • get ready for oral presentation of findings and or ▪ questions ▪ counter-arguments Keep detailed log about given answers 13 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  14. • Case description • Broader assignment ▪ order/warrant • Expert opinion ▪ answer to question #1 ▪ answer to question # 2 ▪ … ▪ answer to question # N • the report is result of your entire work • Argumentation • others do not seee te rest ▪ by each question ▪ short • any other expert should understand it • Findings od analyses • and reach same conclusions ▪ results ▪ by each question/analysis • Forensic team ▪ their competences • Methods od work • Addenda 14 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  15. • when you are sure there will be no more investigation ▪ return all evidence material ▪ archive all documentation ◦ lists ◦ minutes ◦ logs ◦ reports ▪ in special cases – destroy all work materials ◦ and have the proof you did it 15 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

Recommend

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT nicolas.guilliot@utoronto.ca http://nicolas.guilliot.chez-alice.fr University of Toronto August 12, 2008 Overview The Starting Point: to develop and compare two

336 views • 15 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics & Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics What is The Cloud? A computing storage system that provides on-demand network access for

613 views • 25 slides
SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving as few evidence as possible Anti-Forensics techniques help to make forensics investigations difficult Anti-Forensics can be a never

657 views • 38 slides
Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer

Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer

Nuix Workshop Introduction to Forensics W HAT IS C OMPUTER F ORENSICS ? Computer forensics, also called cyber forensics, is the applica6on of scien6fic method to computer

464 views • 33 slides
EXPLAIN Demystified Baron Schwartz Percona Inc Outline What is EXPLAIN? How MySQL

EXPLAIN Demystified Baron Schwartz Percona Inc Outline What is EXPLAIN? How MySQL

EXPLAIN Demystified Baron Schwartz Percona Inc Outline What is EXPLAIN? How MySQL executes queries How the execution plan becomes EXPLAIN How to reverse-engineer EXPLAIN Hopelessly complex stuff you'll never remember

721 views • 27 slides
CSE 469: Computer and Network Forensics Topic 1: Forensics Intro Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 1: Forensics Intro Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 1: Forensics Intro Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics General Forensic Science CSE 469: Computer and Network Forensics Definition Forensic Science is the

1.32k views • 90 slides
HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics Lab Director HTCIA/ICFP/ACM/IEEE/ACIS/ISSA asoto@asoto.com INTENDED AUDIENCE Forensic lab directors / analysts - Law enforcement - Researchers -

568 views • 36 slides
Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction to Digital Forensics Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer Forensics? What do you Need for a Careers in Computer Digital Forensics? Educational Background

509 views • 29 slides
Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert Malegiannakis Ricardo Justiniano Introduction - What is Digital Forensics? Digital forensics defined - The process of recovering and interpreting

478 views • 30 slides
Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

A RIZONA S TATE U NIVERSITY Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE U NIVERSITY Common Types of Attacks Phishing Malware SQLi XSS MITM DoS Brute-force &

858 views • 55 slides
When We Need Audit Logs Computer forensics in courts Recovering from an attack

When We Need Audit Logs Computer forensics in courts Recovering from an attack

Systematic and Practical Methods for Computer Attack Analysis and Forensics Dr. Sean Peisert UC Davis Computer Science Dept. NSF I/UCRC Meeting ~ Davis, CA June 17, 2008 1 When We Need Audit Logs Computer forensics in courts

524 views • 11 slides

More recommend