Introduction to Digital Forensics
Florian Buchholz
What is Digital Forensics?
• Emerging discipline in computer security
– “voodoo science”
– No standards, little research
• Investigation that takes place after an incident has happened
• Tries to answer the questions: who, what, when, where, why, and how
Types of investigations
• Determine what the incident was and get back to a working state
• Internal investigation
– Should be based on IR policy
– May lead to criminal investigation
• Criminal investigation
• Support for “real world” investigations
Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
Phase 1: Acquisition
• Analogous to a crime scene in the “real world”
• Goal is to recover as much evidence as possible without altering the crime scene
• Investigator should document as much as possible
• Maintain chain of custody
Acquisition (2)
• Determine if the incident actually happened
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the incident?
• Is a warrant needed?
Acquisition (3)
• Get the most fleeting (volatile) information first
– Running processes
– Open sockets
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up the original system in the evidence locker
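As an added example (not part of the slides), the following Python script performs the 1:1 imaging step the way a dd-style copy does, but hashes the bytes in the same pass and re-verifies both source and image afterwards, so the copy can be shown to match the original and the process repeated later. It assumes the source is any path readable as a byte stream (on Linux a block device, here a constructed temp file); write blocking is outside the script.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces so large devices stream


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst byte for byte (dd-style) and hash the bytes as they are
    read, so the 'source' hash comes from the same pass as the copy."""
    h = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            h.update(buf)
            dst.write(buf)
            copied += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return copied, h.hexdigest()


def sha256_file(path, chunk=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(src_path, dst_path):
    """Image, then re-hash both the image and the source. All three digests
    must agree; if they do not, the source changed underneath the copy
    (e.g. it was still mounted) and the acquisition is not reproducible."""
    copied, read_hash = image_device(src_path, dst_path)
    image_hash = sha256_file(dst_path)
    source_hash = sha256_file(src_path)
    return {
        "bytes": copied,
        "sha256": read_hash,
        "verified": read_hash == image_hash == source_hash,
    }


def demo():
    # Constructed sample "device": a temp file, deliberately not block aligned.
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.raw")
    with open(src, "wb") as f:
        f.write(b"MBR\x00" * 4096 + os.urandom(3000))
    return acquire(src, os.path.join(tmp, "evidence.dd"))


if __name__ == "__main__":
    print(demo())
```

The digest returned belongs in the chain-of-custody record; anyone re-hashing the image later must obtain the same value.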
Phase 2: Recovery
• Goal is to extract data from the acquired evidence
• Always work on copies, never the original
– Must be able to repeat the entire process from scratch
• Data, deleted data, “hidden” data
File systems
• Get files and directories
• Metadata
– User IDs
– Timestamps (MAC times)
– Permissions, …
• Some deleted files may be recovered
• Slack space
File deletion
• Most file systems only delete directory entries but not the data blocks associated with a file.
• Unless the blocks get reallocated, the file may be reconstructed
– The earlier, the better the chances
– Depending on fragmentation, only partial reconstruction may be possible
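The following Python carver, added here as an example and not taken from the slides, shows why the data blocks outlive the directory entry: it finds JPEG files in a raw image purely by their header and footer markers, and reports a partial recovery when the footer block has already been reused. The 12-block image, its block size and the JPEG-like payloads are all constructed in the script.

```python
BLOCK = 512                   # block size of the constructed image
SOI = b"\xff\xd8\xff"         # JPEG start-of-image marker (next byte is an APPn marker)
EOI = b"\xff\xd9"             # JPEG end-of-image marker
MAX_JPEG = 16 * 1024 * 1024   # stop looking for a footer after this many bytes


def carve_jpegs(image, max_len=MAX_JPEG):
    """Scan a raw image for JPEG header/footer pairs without any directory
    information. Returns (offset, data, complete) triples. complete=False means
    a header was found but no footer followed within max_len: the tail blocks
    were reallocated or the file is fragmented, so only the leading part can be
    recovered and the returned tail may contain unrelated data."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI), start + max_len)
        if end >= 0:
            found.append((start, bytes(image[start:end + len(EOI)]), True))
            pos = end + len(EOI)
        else:
            nxt = image.find(SOI, start + len(SOI))  # cut at the next header
            stop = min(len(image), start + max_len, nxt if nxt >= 0 else len(image))
            found.append((start, bytes(image[start:stop]), False))
            pos = start + len(SOI)
    return found


def build_sample_image():
    """Constructed 12-block image holding two deleted JPEG-like files. Their
    directory entries are gone; only the data blocks (and markers) remain."""
    def fake_jpeg(payload):
        return SOI + b"\xe0" + payload + EOI
    intact = fake_jpeg(b"A" * 700)      # 706 bytes, spans blocks 2-3, untouched
    damaged = fake_jpeg(b"B" * 1200)    # 1206 bytes, spans blocks 6-8
    img = bytearray(BLOCK * 12)
    img[2 * BLOCK:2 * BLOCK + len(intact)] = intact
    img[6 * BLOCK:6 * BLOCK + len(damaged)] = damaged
    # Block 8 has since been reallocated to a text file: the footer is overwritten.
    img[8 * BLOCK:9 * BLOCK] = b"new log file contents ".ljust(BLOCK, b".")
    return bytes(img)


if __name__ == "__main__":
    for off, data, complete in carve_jpegs(build_sample_image()):
        state = "complete" if complete else "partial (footer missing)"
        print(f"offset {off} block {off // BLOCK}: {len(data)} bytes, {state}")
```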
Slack space
• Unallocated blocks
– Mark blocks as allocated to fool the file system
• Unused space at the end of a file if it doesn’t end on a block boundary
• Unused space in file system data structures
Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to store information
• Most common in images, but may also be used on executable files, metadata, file system slack space
Encrypted data
• Depending on the encryption method, it might be infeasible to get to the information.
• Locating the keys is often a better approach.
• A suspect may be compelled to reveal the keys by law.
Recovery (cont.)
• Locating hidden or encrypted data is difficult and might even be impossible.
• Investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories
File residue
• Even if a file is completely deleted from the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory
Phase 3: Analysis
• Methodology differs depending on the objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis
Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections
– Music or movie downloads
Locating material
• Requires specific knowledge of the file system and OS.
• Data may be encrypted, hidden, obfuscated
• Obfuscation:
– Misleading file suffix
– Misleading file name
– Unusual location
Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish a timeline of events
Time issues
• Granularity of time keeping
– Can’t order events that occur in the same time interval
• Multiple systems:
– Different clocks
– Clock drift
• E-mail headers and time zones
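As an added example serving both the event-reconstruction and time-issues slides (not code from the slides), this Python script merges a syslog line, an e-mail Date header and a firewall log into one UTC timeline: it supplies the year and zone that classic syslog omits, undoes a measured clock skew per host, and groups events that share a second because they cannot be ordered further. The log lines, hosts, zone and skew values are constructed; the skew of the real hosts would come from comparing their clocks with a reference during acquisition.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from itertools import groupby

# Clock skew per host (host clock minus reference clock, seconds) as measured
# during acquisition; values here are assumed for the constructed sample.
SKEW = {"web01": 95, "fw01": 0}
WEB01_TZ = timezone(timedelta(hours=-5))  # zone web01's syslog is written in


def parse_syslog(line, host, year, tz):
    """Classic syslog: 'Mar 14 14:03:12 sshd[812]: ...'. No year, no zone, whole
    seconds only, so both have to be supplied from outside the log."""
    stamp, text = line[:15], line[16:]
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz), host, text


def parse_fw(line, host):
    """Firewall log already in ISO-8601 UTC: '2012-03-14T19:01:35Z DROP ...'."""
    when = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    return when.replace(tzinfo=timezone.utc), host, line[21:]


def to_utc(when, host):
    """Undo the host's measured skew, then convert to UTC."""
    return (when - timedelta(seconds=SKEW.get(host, 0))).astimezone(timezone.utc)


def build_timeline(records):
    """records: (aware datetime, host, text). Returns [(utc_iso, [events])],
    one entry per second; events inside one entry cannot be ordered further
    because the coarsest source only keeps whole seconds."""
    normalised = sorted((to_utc(w, h), h, t) for w, h, t in records)
    timeline = []
    for second, group in groupby(normalised, key=lambda r: r[0].replace(microsecond=0)):
        timeline.append((second.isoformat(), [f"{h}: {t}" for _, h, t in group]))
    return timeline


def sample_timeline():
    # Constructed evidence: lines from syslog, an e-mail header and a firewall.
    records = [
        parse_syslog("Mar 14 14:03:12 sshd[812]: Accepted password for bob from 203.0.113.9",
                     "web01", 2012, WEB01_TZ),
        (parsedate_to_datetime("Wed, 14 Mar 2012 21:01:40 +0200"),
         "mail", "Date header of the message under investigation"),
        parse_fw("2012-03-14T19:01:35Z DROP 203.0.113.9 -> 10.0.0.5:22", "fw01"),
        parse_fw("2012-03-14T19:01:37Z ACCEPT 203.0.113.9 -> 10.0.0.5:22", "fw01"),
    ]
    return build_timeline(records)


if __name__ == "__main__":
    for second, events in sample_timeline():
        print(second, events)
```

Without the skew correction the web01 login would appear 95 seconds after the firewall ACCEPT instead of in the same second, which is exactly the kind of ordering error the slide warns about.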
The needle in the haystack
• Locating files:
– Storage capacity approaches the terabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens, hundreds of events a second
– Only the last MAC times are available
– Insufficient logging
Compromised system
• If possible, compare against a known good state
– Tripwire
– Databases of “good” files
• Look for unusual file MAC times
• Look for open or listening network connections (trojans)
• Look for files in unusual locations
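The comparison against a known good state, as an added example in Python (not the slides' material and not Tripwire's own code): a baseline snapshot records a hash, mode and size per file, and a later snapshot is diffed against it to list added, removed and modified files. The directory tree and the changes made to it are constructed in a temp directory; on a real case the snapshot would be taken from the mounted read-only image rather than the live system.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (sha256, mode, size) for every regular file under
    root. Symlinks are skipped so a link cannot stand in for the file."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for buf in iter(lambda: f.read(65536), b""):
                    h.update(buf)
            st = os.lstat(full)
            snap[os.path.relpath(full, root)] = (h.hexdigest(), st.st_mode, st.st_size)
    return snap


def compare(baseline, current):
    """Diff two snapshots. 'modified' covers a changed hash or changed mode,
    e.g. a setuid bit that the known-good copy did not have."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed tree: take a baseline, then simulate what an intrusion
    leaves behind and diff against it."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)

    put("bin/ls", b"ELF original ls")
    put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    put("usr/lib/libc.so", b"ELF libc")
    baseline = snapshot(root)
    put("bin/ls", b"ELF replaced ls")                 # system binary replaced
    put("tmp/.x/listener", b"ELF listener", 0o4755)   # new setuid file, odd location
    os.remove(os.path.join(root, "usr/lib/libc.so"))  # library removed
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```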
Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and decompile
– May take weeks or months
Authorship analysis
• Determine who or what kind of person created a file.
– Programs (viruses, Trojans, sniffers/loggers)
– E-mails (blackmail, harassment, information leaks)
• If the actual person cannot be determined, just determining the skill level of the author may be important.
Phase 4: Presentation
• An investigator who performed the analysis may have to appear in court as an expert witness.
• For internal investigations, a report or presentation may be required.
• Challenge: present the material in simple terms so that a jury or CEO can understand it.
Forensics Tools
• Acquisition
– dd, pdd
– SafeBack, …
• Recovery
– Encase
– TCT and SleuthKit
• Analysis
– ?
• Presentation
– ?
DF Investigator Profile
• Understanding of relevant laws
• Knowledge of file systems, OS, and applications
– Where are the logs, what is logged?
– What are possible obfuscation techniques?
– What programs and libraries are present on the system and how are they used?
• Know what tools exist and how to use them
• Be able to explain things in simple terms
Future in DF
• The need for standards
– Acquisition procedure: develop step-by-step instructions to be followed
– Certification
• Investigators
• Tools
• Operating Systems
Future in DF (2)
• Research
– Create more meaningful audit data
– Ensure integrity and availability of audit data
– Privacy and Digital Forensics
– Develop detection techniques
– Develop automation processes
Future in DF (3)
• Documentation
– File systems
• Over 50 different FS currently in use
• Most are poorly documented
– Malware
• “fingerprint” of bad programs
– Good system state
• Accessible databases
• Every OS, version, patch level

Basics of Digital Forensics, techniques and tools
