CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Post on 24-Dec-2015
227 Views
Preview:
Transcript
CYB
ER FORENSIC
S
PR
ES
EN
TE
R:
J AC
O V
EN
TE
R
CYBER FORENSICS - AGENDA• Dealing with electronic evidence –
Non or Cyber Experts• Forensic Imaging / Forensic
Application / Tools• Current Challenges we
experience in the Cyber Sphere
DEALING WITH ELECTRONIC EVIDENCE - ONSITE
Obtain the necessary Authorization in writing / ConsentObtain an high level background of the entire IT infrastructure
from your client • Server/s might be offsite • Local Mail Server (make use of SP) / File Server/ Financial
systems / Backup Solution etc.• Cloud Computing (dropbox, i-cloud etc)• Encryption of data (e.g. local computers)• Printer Audit trail enabled (record all printed document)• Firewall Server• CCTV Footage / Access Control• PABX system• Mobile devices / GPS devices
DEALING WITH ELECTRONIC EVIDENCE - ONSITE
Perform a thorough search at the premises / office for any types of electronic media• Take the necessary pictures / screenshots / notes / floor plan of all media
identified • Obtain the necessary password / pin codes of mobile devices, I-pad’s tablets /
Webmail etc. When desktop computer is on, take pictures of all open applications then pull the
plug!! (If user is present, ask the client to save all open docs before you pull the plug);
For Laptops, perform the same procedure as with desktops then, ask user / IT administrator to shut down the computer and record the shutdown date / time.
For servers call the experts!!!
Secure all evidence in evidence bags / or material available on site• Ensure to record both signatories of the sealed evidence bag of the media
seized including case no, name of computer user and date/time.
Issue a Chain of evidence receipt of all item/s seized / removed from the premises Lockup in safe location for imaging purposes
FORENSIC IMAGING – APPLICATIONS / TOOLSDefinition of a forensic Image
A Forensic Image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and boot record
Each image consist of an unique “electronic fingerprint” called the MD5 Hash value which gets created during the imaging process. This ensure file integrity, also proves no data manipulation took place.
Ensure verification process were completed (hash values must match)
Record hash value onsite and ask someone to witness the hash value
Types of imaging• Physical Imaging – Entire Hard Disk Drive (HDD/ Memstick / Mobile Phone)• Logical Imaging – Partial file and folder imaging (used on Anton Pillar Orders) Emails /
DB’s etc• Live Ram acquisition with Belkasoft Live Ram analysis / Encase
• Discover Running malware/Viruses• Obtaining various password/ Gmail/cloud computing/ decryption keys• Communication via webmail and recent internet Web browsing;
• Live server imaging (especially when PC is encrypted and no password is available) or the server cant’s be switched off .
VARIOUS TYPES OF MEDIA FOR IMAGING
FORENSIC TOOLS / APPLICATIONS
For Forensic Imaging
• Encase Forensics (Physical/ Logical / Live Ram)
• FTK Imager (Physical/ Logical / Live Ram)
• Password Recovery Kit
• Belkasoft
• Netanalysis
MOBILE FORENSIC DEVICES/ TOOLS
Mobile Forensics
• Cellebright
• Paraben
• Blacklight (Apple / MAC)
• Encase
• Mobile Edit Forensics
E-DISCOVERY TOOL – INTELLA
HTTPS://WWW.VOUND-SOFTWARE.COM
CURRENT CHALLENGES IN THE CYBER SPHERELocal PC / Media Encryption / Cell-phone Encryption• Forgot to obtain Password / Pin / Patterns for cell phonesBypassing pin blocked or pattern block mobile phones Possible but limited Use J-Tag Method Use chip-off methodChip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a subject device and then acquiring the raw data using specialized equipment.
Virtual Servers Environment More and more client are using Virtual servers to save hardware cost and backup
solutions Cloud computing / I-pad / Table information Webmail communication
Gmail investigation Yahoo investigation
Anti-Forenscis
CYB
ER FORENSIC
S
PR
ES
EN
TE
R:
J AC
O V
EN
TE
R
Questions
Email Address: Jaco@Shieldtechnology.co.zaContact Details: 0827732542
top related