Ioana Vasiu
Computer forensics
Cyber forensics. Definitions
Techniques
Importance
Areas
Basic elements and essential steps
Situations, methods, services
Types and details
Recent solutions for cyber investigations
Resources
Network forensics
Lawful interception is the tapping of telecommunication facilities by a law-enforcement authority, on a legal basis, for the purpose of crime investigation and prevention.
Network forensics is the collection of both network user information and the associated communication content on an IP network, together with their extensive analysis.
1. Identification
2. Preservation
3. Extraction
4. Documentation
5. Interpretation
6. Presentation
of computer data in such a way that it can be legally admissible
notes
unplug the system from the network if possible
do not back the system up with dump or other backup utilities
if possible without rebooting, make two byte-by-byte copies of the physical disk
Techniques- 1
Cross-drive analysis
A forensic technique that correlates
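Cross-drive analysis correlates identifiers (here, e-mail addresses) recovered from several drive images so that drives carrying the same identifier can be linked; an identifier that appears on every drive in the set is usually background (a vendor or mailing-list address) and carries no signal. The following is an added example, not code from these slides: the three drive images are constructed byte strings, the addresses come straight out of the raw bytes so slack space and deleted content are searched as well, and the rule that an identifier links drives unless it is present on all of them is my own simplification.

```python
"""Cross-drive analysis over a set of raw drive images (added example).

Features are e-mail addresses pulled straight out of the raw bytes with a
regular expression, so no file system parsing is needed and deleted or
slack-space content is searched as well. The images below are constructed
stand-ins for real acquisitions.
"""
import re
from collections import defaultdict
from itertools import combinations

EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample "images": binary filler around text fragments.
FILLER = bytes(range(0, 256, 7)) * 4
SAMPLE_IMAGES = {
    "driveA": FILLER + b"From: alice@example.org\r\nTo: Bob@example.org\r\n" + FILLER
              + b"support@vendor.example" + FILLER,
    "driveB": FILLER + b"bob@example.org wrote:" + FILLER + b"carol@example.net"
              + FILLER + b"support@vendor.example",
    "driveC": b"dave@example.com" + FILLER + b"SUPPORT@vendor.example" + FILLER,
}


def extract_emails(image: bytes) -> set:
    """All distinct e-mail addresses in the raw bytes, case-folded."""
    return {m.lower() for m in EMAIL.findall(image)}


def cross_drive(images: dict) -> tuple:
    """Correlate drives by shared e-mail addresses.

    Returns (shared, links):
      shared -> {address: sorted list of drives carrying it}, for addresses on 2+ drives
      links  -> {(driveA, driveB): number of discriminating addresses they share}
    An address present on every drive (with three or more drives in the set) is
    treated as background and does not link drives.
    """
    where = defaultdict(set)
    for name, blob in images.items():
        for addr in extract_emails(blob):
            where[addr].add(name)

    n = len(images)
    shared = {a: sorted(d) for a, d in where.items() if len(d) >= 2}
    links = defaultdict(int)
    for addr, drives in shared.items():
        if n >= 3 and len(drives) == n:
            continue  # ubiquitous: vendor address, mailing list, OS default account
        for pair in combinations(drives, 2):
            links[pair] += 1
    return shared, dict(links)


if __name__ == "__main__":
    shared, links = cross_drive(SAMPLE_IMAGES)
    for addr, drives in sorted(shared.items()):
        print(addr.decode(), "->", ", ".join(drives))
    for (a, b), w in sorted(links.items()):
        print(f"{a} <-> {b}: {w} shared address(es)")
```

On real evidence the same loop runs over any feature type that can be extracted from raw bytes (credit-card numbers, GUIDs, SSIDs), and the link weights are what an investigator graphs to see which drives belong to the same social circle.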
Techniques-2
steganography,
One of the techniques used to hide data is via
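Steganography hides the payload in bits the carrier does not visibly need. The added example below (mine, not from these slides) embeds a message in the least significant bit of each sample of an 8-bit greyscale raster, which is held as a plain byte string so nothing beyond the standard library is required; the 32-bit length prefix and the gradient carrier are my own choices. A forensic check is included: every sample changes by at most 1, which is why such a payload is invisible to the eye yet fully recoverable from the bit plane.

```python
"""LSB steganography on an 8-bit greyscale raster (added example).

The carrier is a bytes object of width*height samples. Each payload bit
replaces the least significant bit of one sample, after a 4-byte big-endian
length prefix so the extractor knows where the payload ends.
"""
import struct

WIDTH, HEIGHT = 64, 64
# Constructed carrier: a smooth gradient, content where 1-step changes are invisible.
CARRIER = bytes(((x * 4) + y) & 0xFF for y in range(HEIGHT) for x in range(WIDTH))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(carrier: bytes) -> int:
    """Largest payload (in bytes) that fits after the 4-byte length header."""
    return len(carrier) // 8 - 4


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier with payload hidden in the LSB plane."""
    if len(payload) > capacity(carrier):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity(carrier)}")
    message = struct.pack(">I", len(payload)) + payload
    out = bytearray(carrier)
    for index, bit in enumerate(_bits(message)):
        out[index] = (out[index] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at sample start_bit."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Recover the payload; raises if the header claims more than the carrier holds."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier size: not a payload from embed()")
    return _read_bytes(stego, 32, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two rasters of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    secret = b"meet at 22:00, dock 7"
    stego = embed(CARRIER, secret)
    print("max sample change:", max_sample_delta(CARRIER, stego))
    print("recovered:", extract(stego))
```

The examiner's counterpart to embed() is the same bit-plane read applied to a suspect image: a length header that decodes to a plausible size, followed by bytes that are text or a known file signature, is the tell.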
Techniques- 3
Deleted files
A common technique used in computer forensics is
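Deleted files usually keep their content until the blocks are reused, so a search for known headers and footers across the raw image recovers them without any file-system metadata (file carving). The following is an added example, not code from these slides; the image is constructed from filler bytes around a minimal JPEG-like framing and a genuine 1x1 PNG built with zlib, and the signature table and the 10 MB footer search limit are my own choices.

```python
"""Recovering deleted files by carving a raw image on file signatures (added example).

The image below is constructed: filler bytes around a minimal JPEG-like blob
(only the SOI/APP0/EOI framing a carver keys on) and a valid 1x1 PNG.
"""
import struct
import zlib

# header, footer; the footer is kept as part of the carved file
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 10 * 1024 * 1024  # stop looking for a footer after this many bytes


def _png_chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_png_1x1() -> bytes:
    """A valid greyscale 1x1 PNG (constructed sample evidence)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one grey sample
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(40) + b"\xff\xd9"
SAMPLE_PNG = build_png_1x1()
FILLER = bytes(range(256)) * 8  # contains no header or footer sequence
SAMPLE_IMAGE = FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG + FILLER


def carve(image: bytes, max_file: int = MAX_FILE) -> list:
    """Return carved files as dicts sorted by offset.

    complete=False marks a header with no footer within max_file bytes (a
    truncated or partly overwritten file); its data is left None so the
    examiner can decide whether to recover the fragment by hand.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_file)
            if end < 0:
                found.append({"type": kind, "offset": start, "size": None,
                              "complete": False, "data": None})
                pos = start + 1
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "complete": True, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        state = "complete" if f["complete"] else "truncated"
        print(f["type"], "at offset", f["offset"], "size", f["size"], state)
```

Header/footer carving is deliberately naive: it cannot reassemble fragmented files and a footer from an unrelated file can close the wrong header, so carved output is validated afterwards (for PNG, by checking every chunk CRC) before it is reported as recovered.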
Techniques- 4
Live analysis
The examination of computers from within the
Computer forensics-areas
Image Capture - The Imaging process is fundamental
purports?
reliability - can the substance of the story the material tells be believed, and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?
completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?
conformity with common law and legislative rules - acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling
Acquisition
Acquisition involves creating an exact sector
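Acquisition, and the note earlier on this page to make two byte-by-byte copies of the physical disk without rebooting, come down to one read-only pass over the device with a hash taken as the data is read and taken again from each finished copy. The following is an added example, not the slides' own procedure: it treats any path as the source (a block device such as /dev/sdb in a real case, a constructed temporary file in demo()), and the sector-sized block, two-copy layout and SHA-256 are my choices. O_RDONLY only stops this process from writing; on a real acquisition the device also sits behind a hardware write blocker.

```python
"""Sector-level acquisition to two images, with hash verification (added example).

The source is opened read-only and read once; every block goes to both
image files and into a running SHA-256. Each image is then re-read from
disk independently and its digest compared with the digest of the stream.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # one sector; a real run would use a multiple of this for speed


def sha256_of(path: str) -> str:
    """Digest a file by re-reading it, so verification does not trust the write path."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source: str, copies: list, block: int = BLOCK) -> dict:
    """Image `source` to every path in `copies`; return sizes and digests.

    Raises RuntimeError if any copy's digest differs from the stream digest,
    which is the signal that the image cannot be relied on as evidence.
    """
    fd = os.open(source, os.O_RDONLY)  # never open the original for writing
    stream = hashlib.sha256()
    outs = [open(path, "wb") for path in copies]
    total = 0
    try:
        while True:
            buf = os.read(fd, block)
            if not buf:
                break
            stream.update(buf)
            total += len(buf)
            for out in outs:
                out.write(buf)
    finally:
        os.close(fd)
        for out in outs:
            out.close()

    expected = stream.hexdigest()
    report = {"bytes": total, "source_sha256": expected, "copies": {}}
    for path in copies:
        got = sha256_of(path)
        report["copies"][path] = got
        if got != expected:
            raise RuntimeError(f"{path}: sha256 {got} does not match source stream {expected}")
    return report


def demo(size: int = 4096 + 100) -> dict:
    """Acquire a constructed sample 'device': a temp file of random bytes, deliberately
    not a whole number of sectors so the short final read is exercised."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.raw")
        with open(source, "wb") as f:
            f.write(os.urandom(size))
        report = acquire(source, [os.path.join(workdir, "image1.dd"),
                                  os.path.join(workdir, "image2.dd")])
        report["source_reread_sha256"] = sha256_of(source)  # independent check of the source
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The digests in the returned report are what goes into the contemporaneous notes and the chain-of-custody form; one copy is sealed and the other becomes the working copy that all analysis is done on.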
Guest?
Support for Court Ordered Subpoena?
Analysis
The actual process of analysis can vary
period
computer peripherals keep changing as well
wide-area telecoms methods are being used more and more
the growth of e-mail
the growth of client/server applications, the software outcome of more complex hardware architectures
the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc.
computer graphics
the greater use of computer-controlled procedures
the methods of writing and developing software have also changed
forgery.
reports, computer-generated from human input
real evidence - machine-readable measurements, etc.
reports generated from machine-readable measurements, etc.
electronic transactions - to prove that a transaction took place, or to demonstrate that a presumption that it had taken place was incorrect
conclusions reached by "search" programs which have searched documents, reports, etc.
event reconstruction - to show a sequence of events or transactions passing through a complex computer system
liability in situations where CAD designs have relied on auto-completion or filling in by a program
conclusions of computer "experts" - the results of expert systems
Computer evidence
...is like any other evidence, it must be:
admissible
authentic
accurate
complete
convincing to courts (or juries)
Computer evidence
Computer evidence represented by physical items such as
Computer evidence
The result that is reported from the examination is the
Password (decryption)
Limited Source Code (analysis or compare)
Storage Media (many types)
Cyber forensics-methods
Valid and reliable methods to recover data from
Software/application/malicious code
Image/steganography/
Digital image/sound/watermark/encryption
Computer resources
Data communications
Computer forensics
data/information
Relevant issues to consider:
Huge volume of data
Multiple location
Multiple servers
Multiple desktops/modes
Multiple backup media / archived
Multiple OS/RDBMS/Files Types
The original media must not be altered
An exact mirror image must be made
Computer forensics
Email
Threats/obscene/defamatory
Spam/frauds/phishing
Loaded with malware
Password hijacking/mail forward
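Most of the e-mail cases listed above (threats, phishing, forwarded-mailbox abuse) start with the same question: where did this message really come from, and do the sender fields agree with each other? The following is an added example, not from these slides: it parses a constructed message with the standard library, walks the Received chain from the oldest hop to the newest, and flags the mismatches that usually betray a forged sender. All domains and addresses are documentation values I made up for the sample.

```python
"""Header triage for a suspected phishing / spoofed message (added example).

Flags raised: Reply-To or Return-Path in a different domain from From, an
originating relay with no reverse DNS, and body URLs pointing outside the
sender's domain. The message is constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

RAW_MESSAGE = b"""Return-Path: <bounce@mailer-xyz.example>
Received: from mx.corp.example (mx.corp.example [203.0.113.5]) by mail.corp.example with ESMTP id 4q7zK; Mon, 4 Mar 2019 10:02:11 +0000
Received: from relay.mailer-xyz.example (unknown [198.51.100.77]) by mx.corp.example with ESMTP; Mon, 4 Mar 2019 10:02:09 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-reset@mailer-xyz.example
To: victim@corp.example
Subject: Password expires today
Message-ID: <20190304.1@mailer-xyz.example>

Your password expires today. Reset it at http://corp-example-reset.example/login
"""

RECEIVED = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")
URL_HOST = re.compile(r"https?://([^/\s]+)")


def domain_of(header_value) -> str:
    """Bare domain of the address in a header value, lower-cased ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def received_chain(msg) -> list:
    """Hops oldest first: each dict has helo, rdns, ip and the server that received it."""
    hops = []
    # Received headers are prepended by each relay, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(str(value))
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3), "by": m.group(4)})
    return hops


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_path_domain = domain_of(msg["Return-Path"])
    hops = received_chain(msg)
    body = msg.get_content() if not msg.is_multipart() else ""
    url_hosts = sorted({h.lower() for h in URL_HOST.findall(body)})

    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")
    if return_path_domain and return_path_domain != from_domain:
        flags.append("return-path-domain-mismatch")
    if hops and hops[0]["rdns"].lower() == "unknown":
        flags.append("origin-no-reverse-dns")
    if any(not (h == from_domain or h.endswith("." + from_domain)) for h in url_hosts):
        flags.append("body-url-outside-sender-domain")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_path_domain,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "url_hosts": url_hosts,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the Received line added by your own server (the newest hop) is trustworthy; everything below it was supplied by the sender and may be forged, which is why the originating IP from the last hop you control, not the bottom of the chain, is what gets sent to the ISP with the legal request.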
Computer forensics
Webpages
Defacement/DoS (or DDoS) attack
Malicious content
Malware distributor
Personal info grabber
System
Program coding
Security
Malicious code (Trojans/Trap door/Bomb)
Patch management
Zero day vulnerabilities
Processing logs
Database logs
Access management and logs
Trojans/keyloggers/monitors/viruses/worms/backdoors
Reverse engineering / who is the author
Overloading / denial of service
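For the web-page and system items above (defacement, overloading/denial of service, processing and access logs), the first artefact an investigator reads is the web server's access log. The following is an added example, not from these slides: it parses combined-format log lines, finds any client whose request rate inside a sliding window exceeds a threshold (the flooding signature), and lists accepted write requests against the document tree (the defacement trail). The log lines, the 60-second window and the threshold of five requests are constructed choices of mine.

```python
"""Access-log triage for flooding (DoS) and page writes (defacement) (added example).

Log lines are constructed; addresses are documentation ranges.
"""
import re
from datetime import datetime

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

SAMPLE_LOG = [
    '203.0.113.9 - - [04/Mar/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Mar/2019:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 812',
    '192.0.2.44 - - [04/Mar/2019:10:00:20 +0000] "PUT /index.html HTTP/1.1" 204 0',
    '192.0.2.44 - - [04/Mar/2019:10:00:21 +0000] "GET /index.html HTTP/1.1" 200 311',
    'garbage line that does not parse',
] + [
    f'198.51.100.7 - - [04/Mar/2019:10:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 5120'
    for s in range(10, 40, 4)  # eight hits inside 30 seconds
]


def parse_line(line: str):
    """One log line -> dict with a timezone-aware datetime, or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(lines) -> list:
    return [r for r in (parse_line(line) for line in lines) if r]


def find_floods(records: list, window_seconds: int = 60, threshold: int = 5) -> dict:
    """ip -> peak number of requests within any window_seconds span, for ips over threshold."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r["ip"], []).append(r["time"].timestamp())
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            peaks[ip] = peak
    return peaks


def find_writes(records: list) -> list:
    """Write-method requests the server accepted (2xx): the usual defacement trail."""
    return [
        {"ip": r["ip"], "time": r["time"].isoformat(), "method": r["method"],
         "path": r["path"], "status": r["status"]}
        for r in records
        if r["method"] in WRITE_METHODS and 200 <= r["status"] < 300
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("floods:", find_floods(records))
    for w in find_writes(records):
        print("write:", w)
```

A distributed flood will not show up per source address; for that case the same window count is taken over all records, and the per-path count shows which resource was targeted.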
Diagram: investigator PC reaching the incriminating file over dial-up, leased line, network or Internet
Network Forensics
Evidence collected in normal operations
logs
IDS outputs
Evidence collected under specific surveillance
extended logs
sniffers etc
Network forensics
Methods of surveillance
active interception - direct, very local interception of an individual at the ISP or LAN
semi-active interception - targeted on the basis of access to the means of dynamic allocation of IP addresses
passive interception - no information from the ISP etc. about dynamically allocated IP addresses; requires further information to link a packet to an individual
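The "further information" needed to link a packet to an individual when addresses are dynamically allocated is the address-assignment record for the same instant: a DHCP server log on a LAN, or the ISP's RADIUS/CGNAT records on the Internet side. The following is an added example, not from these slides: it parses ISC dhcpd-style syslog lines, builds the lease timeline per address and answers "which device held this IP at this time". The log lines, hostnames, the year (syslog omits it) and the one-hour lease duration are constructed assumptions.

```python
"""Linking a packet's source address to a device via DHCP server logs (added example).

Only DHCPACK (lease granted/renewed) and DHCPRELEASE lines matter; all
other dhcpd messages are skipped. Naive datetimes are used throughout.
"""
import re
from datetime import datetime, timedelta

YEAR = 2019           # syslog lines carry no year; taken from the case file
LEASE_SECONDS = 3600  # assumed server lease time; read it from dhcpd.conf on a real case

SAMPLE_DHCP_LOG = [
    "Mar  4 10:00:05 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:01 (laptop-alice) via eth0",
    "Mar  4 10:00:06 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.24 to aa:bb:cc:dd:ee:09 via eth0",
    "Mar  4 10:30:00 dhcp1 dhcpd[812]: DHCPRELEASE of 10.0.0.23 from aa:bb:cc:dd:ee:01 (laptop-alice) via eth0",
    "Mar  4 10:31:10 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:02 (phone-bob) via eth0",
    "Mar  4 10:31:11 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.0.23 from aa:bb:cc:dd:ee:02 via eth0",
]

EVENT = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(?P<kind>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>[\d.]+) (?:to|from) (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_events(lines, year: int = YEAR) -> list:
    """ACK and RELEASE events sorted by time."""
    events = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("stamp"), "%b %d %H:%M:%S").replace(year=year)
        events.append({"time": when, "kind": m.group("kind"), "ip": m.group("ip"),
                       "mac": m.group("mac"), "host": m.group("host")})
    events.sort(key=lambda e: e["time"])
    return events


def who_had(ip: str, when, events: list, lease_seconds: int = LEASE_SECONDS):
    """Return {'mac', 'host', 'since'} for the device holding ip at `when`, or None.

    The most recent event for the address at or before `when` decides: an ACK
    within lease_seconds means the lease was live (a renewal is itself a later
    ACK); a RELEASE, or an ACK older than the lease time, means nobody can be
    attributed from this log alone. `when` may be a datetime or an ISO string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    last = None
    for e in events:
        if e["ip"] == ip and e["time"] <= when:
            last = e
    if last is None or last["kind"] != "DHCPACK":
        return None
    if when - last["time"] > timedelta(seconds=lease_seconds):
        return None
    return {"mac": last["mac"], "host": last["host"], "since": last["time"].isoformat()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_DHCP_LOG)
    for stamp in ("2019-03-04 10:15:00", "2019-03-04 10:30:30",
                  "2019-03-04 11:00:00", "2019-03-04 13:00:00"):
        print(stamp, "->", who_had("10.0.0.23", stamp, events))
```

Clock skew between the capture host and the DHCP server is the usual failure here: a packet timestamped a few seconds around a lease change can be attributed to the wrong device, so both clocks' offsets from a reference are recorded before any attribution is reported.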
Network forensics
Problems of disclosure
specific methods
network topology / configuration
Examples
Most banks are now considering saving their data in the cloud. This definitely saves cost, but creates headaches for central banks' supervision and inspection teams. The major problem with this idea is jurisdictional limitations when it comes to legal requests for data during an investigation. As the data is stored offsite, there is little the central bank can do to unravel instances of financial malfeasance, should there be any. Data being stored offsite could also help banks launder money without being caught.
Wireless-Detective
Wireless-Detective is a complete and comprehensive
Wireless-Detective
Wireless-Detective is capable of decoding and reconstructing
Wireless-Detective
Standalone System Deployment
Wireless-Detective Multiple or
Distributed Systems
VoIP-Detective Implementation
Resources
Ioana Vasiu & Lucian Vasiu,
Criminalitatea în cyberspațiu,
Ed. Universul Juridic, București,
2011.
Resources
RCMP Article on the Forensic Process.
http://www.rcmpgrc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
Lance Spitzner's Page: Forensic Analysis, Building
Honeypots
http://www.enteract.com/~lspitz/pubs.html
Fish.com Security's Forensic Page: The Coroner's
Toolkit (Unix), Computer Forensic Class
Handouts. http://www.fish.com/forensics/
Resources
The Forensic Toolkit (NT).
http://www.ntobjectives.com/forensic.htm
Long Play Video Recorders.
http://www.pimall.com/nais/vrec.html
FBI Handbook of Forensic Services.
http://www.fbi.gov/programs/lab/handbook/intro.htm
Solaris Fingerprint Database for cryptographic comparison
of system binaries. http://sunsolve.sun.com/pubcgi/fileFingerprints.pl
Inspecting Your Solaris System and Network Logs for
Evidence of Intrusion. http://www.cert.org/securityimprovement/implementations/i003.01.html