Computer forensic

sComputer Forensic Workshop - 2013

Computer Forensic InvestigationProcedure, tools, and practice

Ahmad Zaid Zam [email protected]

About the speaker


Bachelor's degree in Electronic Engineering

Digital forensic analyst

GCFA, CHFI, CEH, ENSA, ECIH, CEI

Founder Indonesia Digital Forensic Community

Case involved : Corporate espionage, data leak, banking fraud, cyber attack,etc

Agenda


Digital forensic introduction

Digital evidence

Computer forensic Procedure

Evidence acquisition

Data organization

Demo

Introduction


Today, many business and personal transactions are conducted electronically

Business professionals regularly negotiate deals by e-mail

People store their personal address books and calendars on desktop computers or tablet.

People regularly use the Internet for business and pleasure

Cyber Crime


Any illegal act involving a computer and a network

The computer may have been used in the commission of a crime or it may be the target

Computer viruses, denial-of-service attacks, malware

Fraud, identity theft, phishing, spam, cyber warfare

Introduction


“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices

and digital media, that can be presented in a court of law in a coherent and meaningful format” - DR. H.B. Wolfe

Introduction


The collection, preservation, analysis and presentation of digital evidence

Scientific procedure

Develop and test hypotheses that answer questions about incidents that occurred

Admissible in a court of law

Why is computer forensic important ?


Help reconstruct past event or activity

Extend the target of information security to the wider threat from cybercrime

Show evidence of policy violation or illegal activity

Ensure the overall integrity of network infrastructure

Digital evidence


Two basic type of evidence :

Persistent evidence the data that is stored on a local hard drive and is preserved when the computer is turned off

Volatile evidence any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off

Persistent evidence


Documents (word, slide, sheet, pdf) Images Chat log Browser history Registry Audio / Video Application Email SMS / MMS Phone book Call log

Volatile evidence


Memory

Network status and connection

Process running

Time information

Procedure


Preparation

Preliminary investigation

Site investigation


Preservation

Analysis

Report

Preparation


Media is freshly prepared

Forensic workstation is scanned for any malware

Validate all software licenses

Toolkits

Forms - Computer worksheet forms - Hard drive worksheet form

Preparation


Establish file directories

Essential forms : - Letter of authorization - Chain of custody - Non-Disclosure Agreement

Letter of authorization


Chain of custody


Evidence worksheet


Preliminary investigation


Who ? Profile the target user – are they computer savvy?

What ? What kind of evidence could be associated with this case? Images? Documents? Spreadsheets?

When? How long has it been since the digital activity?

Where? How do you plan on procuring the digital evidence?

Site investigation


Take picture of the scene

Asset tag

Inventory and describe all hardware

Identify every process or network information

Ensure chain of custody form is properly completed

Order of Volatility


● Memory

● Network status and connections

● Process running

● Hard disk



Bit-stream imaging (court-certified)

Write blocking device

Static prevention wrist strap

Record initial configuration

Record all activity



Physical imaging - Grab entire drive (MBR) - Considered best evidence - Break out the partitions using dd

Logical imaging - File system partition only - Useful in obtaining backup of RAID drive



Three evidence acquisition method - Hardware - Live CD - Live

Resultant file will be an image file in all three cases

Hardware acquisition


Situation : Removed hard drive containing evidence

1. Attach drive adapter 2. Plug into acquisition workstation 3. Image attached drive to a image file

Evidence will be in static state

Volatile evidence not available

Live CD acquisition


Situation : Boot into Forensic Live CD

System will be rebooted

Loss of volatile evidence

Hard drive not removed

Image system to attached drive or file share

Live acquisition


Situation : Live System Acquisition

Snapshot of system

System stays power on

Capability to gather volatile evidence

Evidence will be changing while imaging

Image system to a file on attached drive or file shares

Write blocker


Prevent any accidental writes to source data

Hardware based Adapter based placed on hard drive

Software based Software will not allow writes to system

http://www.cftt.nist.gov/software_write_block.htm

Preservation


Create cryptographic hash

Create bit-image copies

Compare the hash results

Lock original disk in a limited container

Analysis of data


Only work on the forensic copy

Stay within your scope of work

Analysis step - Timeline analysis - Media analysis - String or byte search - Data recovery

Questions ?


Computer forensic

Documents

computer forensic important

forensic live cdsystem

best evidence

kind of evidence

digital activity

computer savvy

networkthe computer

drive adapter2