
Computer Forensics

Yogesh E. Sonawane

yogesh.dfe@gmail.com

CYBER CRIMES

REAL-WORLD & VIRTUAL-WORLD

Current approaches evolved to deal with real-world crime

Cybercrime occurs in a virtual-world and therefore presents different issues

EXAMPLE : THEFT

Real-world theft: Possession of property shifts completely from A to B, i.e., A had it, now B has it.

Theft in the virtual world (cyber-theft): Property is copied, so A “has” it and so does B.

Think before you Click

What is Computer Crime

“Unlawful acts wherein the computer is either a tool or a target or both.”

Two aspects:

• Computer as a tool to commit crime: child porn, threatening email, identity theft, sexual harassment, defamation, phishing.

• Computer itself becomes the target of crime: viruses, worms, software piracy, hacking.

TYPES OF COMPUTER CRIME

HACKING
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.

SOFTWARE PIRACY
Unauthorized copying of software.

PORNOGRAPHY
Computer pornography covers pornographic websites, pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures and photos).

FORGED DOCUMENTS
Creating fake documents such as fake academic certificates, mark sheets etc.

CREDIT CARD FRAUD
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.

COMPUTER STALKING
Use of e-mail or the Internet to harass or threaten an individual.

CONT… TYPES OF COMPUTER CRIME

PHISHING
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

COMPUTER DEFAMATION
This occurs when defamation takes place with the help of computers and/or the Internet, e.g. Mr. X publishes defamatory matter about Ms. Y on a website or sends e-mails containing defamatory information to Ms. Y’s friends.

WHAT IS DIGITAL EVIDENCE?

Digital Evidence is any information of probative value that is either stored or transmitted in a binary form.

Digital Evidence includes computer evidence, digital audio recorders, digital video recorders, mobile phones, pen drives, CDs, DVDs etc.

ELECTRONIC RECORD

An electronic record is that which is generated, stored, sent or received by electronic means and includes data, image or sound.

CHALLENGES FOR INVESTIGATING AGENCIES

Difficulty in collection of evidence

Fragility of Computer data

Fear of destruction of vital data

Vast volume to be examined

Diversity of hardware & Software.

Admissibility in the courts.

COMPUTER FORENSICS

Definition:

Identification, Extraction, Documentation, and Preservation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.

COMPUTER FORENSICS

Methodology:

Acquire the evidence without altering or damaging the original.

Authenticate that the recovered evidence is the same as the original seized.

Analyze the data without modifying it.

COMPUTER FORENSICS-STEPS

Identification

Seizure

Authentication

Acquisition

Analysis

Presentation

Preservation

Scene of Crime

Forensics Lab

What to carry?

Camera, Note or Sketch Pads

– Blank CDs, DVDs, Pen Drives, Hash Calculator, Write-Blocker, Cross-Over cable etc.

Sealing Material – Labels, Pens, Markers

Storage Containers – Anti Static Bags, Plastic Bubble Wrap

Software / Hardware for onsite virtual data retrieval and imaging

How to secure the crime scene?

The entire work area, office, or cubicle is a potential crime scene, not just the computer itself.

No one should be allowed to touch the computer, including shutting the computer down or exiting from any programs/files in use at the time, or to remove anything from the scene.

How to secure the crime scene? Continued….

Disconnect the power supply; otherwise files can be lost to a hard drive crash.

If required, access the system to take a backup of volatile data.

Computer Forensic Steps - Scene of Crime

Backup volatile data in RAM / Router etc.

Photograph / video the scene of incidence / crime

Identifying Digital storage media

Draw Network Topology

Questions to be asked at the Scene of Crime

• Login Details: User Name/s and Password/s

• Encryption

• Files of interest

• E-mail accounts

• Internet service provider(s)

• Off-site storage

• Hidden storage devices

WHY PRECAUTIONS REQUIRED?

The integrity of data is essential for making it presentable in a court of law within acceptable limits of law.

The active data recovered can give us vital links.

The deleted data too can be recovered and used for reconstruction of events.

Certain damaged media too can be read/viewed.

Computer Forensic Steps - Scene of Crime

Identification

Seizure

Acquisition

Exhibits Seized

Identification (photographs on the slides, not reproduced here):

Front side of CPU cabinet or case or chassis

Back side of CPU cabinet or case or chassis

The CPU

Internal hard disk

External hard disk

Floppy, CD/DVD

Mobile phones

SIM card, memory cards

Skimmer, credit cards

Dongle and pen drives

Seizure

What is Seizure?

Definition:

Seizure is the process of capturing the suspect computer or storage media for evidence collection.

The case-related reference documents should also be seized from the crime scene.

For example, in case of economic crime look for account book details, passbook details, bank transaction details, ATM credit/debit card details.

In case of forged documents look for reference documents such as academic certificates, bill receipts, passport, legal property papers etc.

If video files or picture image files of a particular person are to be traced, then provide photographs of the same for identification.

Seizure

Labeling (photographs on the slides, not reproduced here)

Packaging and Transportation

Properly document and label the evidence before packaging.

Use anti-static wrap or bubble wrap for magnetic media.

Avoid folding, bending or scratching the computer media such as diskettes, CDs, removable media etc.


Packaging and Transportation

While transporting, place the computer securely on the floor of the vehicle where the ride is smooth.

Avoid radio transmissions, electromagnetic emissions and moisture in the vicinity of digital evidence.

Dealing with the Suspected Mobile Phone

• At the time of seizing a mobile phone, its components like battery, SIM card(s) and memory card(s) should be removed.

• The user manuals should also be seized from the scene, if present.

Guidelines from Forensics Continued….

If a CPU cabinet is seized from the crime scene, bring only the hard disks for analysis; do not bring the CPU cabinet.

Printer, scanner, monitor, keyboard, mouse etc. should not be seized.

Only digital storage media like hard disks, pen drives, floppies, CDs, DVDs, mobile phones etc. are analyzed.

If an exhibit is a hard disk, a blank hard disk of larger (double) capacity needs to be provided.

Acquisition

&

Authentication

Precautions while Acquisition

• Use of Write Blocker devices: Thumbscrew, FastBloc, Tableau

• Need of Write Blocker

Acquisition & Authentication

Making a forensic duplicate copy of the suspect storage media is acquisition.

A forensic duplicate is a file that contains every bit of information from the source disk.

Two ways:

Using Software

Using Hardware

Acquisition & Authentication

Using a software tool requires a hardware write blocker at the source end, e.g. FastBloc FE / Tableau, with software such as EnCase or FTK Imager used for acquisition.

A hardware tool has an inbuilt write blocker and gives better speed for acquisition, e.g. TD2, Talon, SOLO, Dossier by LogiCube etc.

Laboratory Work

Authentication

Analysis

Presentation

Preservation

Authentication : Hash Value

How to verify the integrity of a Forensic Duplicate?

The hash value, also known as a “Message Digest” or “Fingerprint”, is basically a digital signature of the file.

The checksum is created by applying an algorithm to the file. The checksum for each file is unique to that file.

E.g.

4a24e1e50622c52122406b77e8438c5a (MD5)
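The two slides above describe software acquisition (a bit-for-bit copy of the write-blocked source) and authentication (comparing the hash of the duplicate with the hash taken from the original). The script below is an added example, not code from the slides or from any of the tools they name. It stands in a constructed sample file for the suspect media, hashes the source while copying it, hashes the duplicate afterwards, and then shows that a single flipped bit in the duplicate is caught by the comparison. MD5 is kept because the slide's example is an MD5 value; SHA-256 is computed alongside it because MD5 collisions are cheap today and most labs record a second, stronger digest.

```python
"""Acquire and authenticate a forensic duplicate by hash value.

Added example: the 'suspect disk' is a constructed temporary file, not a real
device. In practice the source is read through a hardware write blocker and
the duplicate is a raw image (e.g. a .dd file).
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not exhaust memory
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the file at `path`, opened read-only."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_path, image_path, algorithms=ALGORITHMS):
    """Bit-for-bit copy of the source into an image file (software acquisition).

    The source is hashed while it is being read, so the examiner gets a
    reference value taken at acquisition time without a second pass over
    the original media."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def authenticate(reference_hashes, image_path):
    """True only if every recorded digest matches the duplicate's digest."""
    image_hashes = hash_file(image_path, tuple(reference_hashes))
    return all(image_hashes[name] == reference_hashes[name] for name in reference_hashes)


def demo():
    """Acquire a constructed suspect disk, verify the duplicate, then show that
    one flipped bit in the duplicate fails authentication.
    Returns (verified_before_tampering, verified_after_tampering)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "suspect_disk.dd")

    # Constructed sample media: 3 MiB of random bytes plus a recognisable marker.
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK) + b"CASE-FILE: constructed sample data")

    reference = acquire(source, image)
    verified = authenticate(reference, image)

    # Simulate an altered duplicate by flipping the lowest bit of one byte.
    with open(image, "r+b") as fh:
        fh.seek(CHUNK + 7)
        original = fh.read(1)[0]
        fh.seek(CHUNK + 7)
        fh.write(bytes([original ^ 0x01]))
    tampered_verified = authenticate(reference, image)
    return verified, tampered_verified


if __name__ == "__main__":
    ok, tampered = demo()
    print("duplicate authenticated:", ok)            # True
    print("altered duplicate authenticated:", tampered)  # False
```

The reference digests should be written into the seizure/acquisition notes at the time they are produced; re-hashing the duplicate before analysis and again after it shows that the examination itself did not modify the image.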

Analysis

Current and Emerging Cyber Forensic Tools of Law Enforcement

Analysis Process

The process of searching for crime-relevant data and extracting it.

The analyst has to search data in:

Deleted Files

Slack Space

Unallocated Space

Free Space

Log Entries

Registry Entries

System Files

Printer Spool Files

Cookies

Keywords

Analysis Process Continued….

Why is Slack Space Important?

(Diagram on the slide, not reproduced here; its labels are: Unallocated Space (new drive); Allocated Space; Unallocated Space (after file deletion); Allocated Space (reallocated, new file); Slack Space; and the question “Why isn’t this also slack space?”)

Analysis Process Continued….

• “Keyword Search” is one of the most important steps of analysis.

• The keywords should be listed for getting better and sorted search results. These keywords should be case-relevant.

Documentation & Preservation

• Report writing & preparation of notes

• Store the magnetic storage media in a secure area:
– Cool
– Dry
– Away from generators and magnets

Prevention Of Computer Crime

Safe Computing Tips

Do not reveal personal information to unknown people or websites.

Create hard-to-guess passwords, keep them private and change them regularly.

Use anti-virus software and update it regularly.

Back up your important files regularly.

Never reveal your true identity while chatting.

Safe Online Banking

Keep your passwords/PIN codes safe and memorize them.

Check that the online banking website is secure.

Logout immediately after you have completed your transaction.

Do not respond to emails asking for your personal information. When in doubt, call the institution that claims to have sent this email.

Read privacy and policy statements before any transaction.

Check your account statements to ensure that no unauthorized transaction has taken place.

Tips for Safe Social Networking

Don’t reveal too much information about yourself online.

Add people as friends to your site only if you know them personally.

Delete inappropriate messages from your profile.

Do not post information about your friends as you may put them at risk. What you post online is not private. It can be seen by everyone.
