Digital Forensics Supervised by : Dr. Ashraf Tammam Presented by : Abdallah Hodieb
Page 1: Digital forensics.abdallah

Digital Forensics

Supervised by: Dr. Ashraf Tammam

Presented by : Abdallah Hodieb

Page 2: Digital forensics.abdallah

What

It is a branch of forensic science specialized in the recovery and investigation of material found in digital devices, often related to computer crime.

Page 3: Digital forensics.abdallah

Why

Due to the growth in computer crime, law enforcement agencies began establishing specialized groups to handle the technical aspects of investigations.

Computer crimes such as:
● Fraud
● Forgery
● Extortion
● Industrial espionage
● Virus/Trojan distribution
● Homicide investigations
● Theft or destruction of intellectual property

Page 4: Digital forensics.abdallah

Who

● Criminal prosecutors and law enforcement agencies.
● Insurance companies.
● Private corporations.

Page 5: Digital forensics.abdallah

How

The process might differ according to the laws enforced by the country.

But the general process mainly consists of:
● Acquisition
● Preservation
● Identification
● Evaluation
● Presentation

Page 6: Digital forensics.abdallah

Challenges

Legal rules determine whether potential evidence is admissible in court.

Authenticity and validity of evidence must be ensured.

Evidence must not be damaged, destroyed, or compromised by the procedures used in identification.

Virus infections must be prevented during the analysis process.

The extraction process must be handled properly to protect against mechanical or electromagnetic damage.

Page 7: Digital forensics.abdallah

Acquisition

Acquisition is the process of acquiring any data that can be used as evidence from the confiscated exhibits.

The process must guarantee that the data is not changed during the acquisition (e.g. no modification-date changes).

Ex: computer devices, network maps, external devices.

Page 8: Digital forensics.abdallah

General Acquisition Process

● Restrict access (local / remote) to the machine.
● Dump memory (if possible).
● Document hardware configuration (internal and external).
● Make a digital copy of all applicable storage devices.
● Authenticate all copies using checksums.
● Document all the search steps and operations executed.

Page 9: Digital forensics.abdallah

Types of Data

Volatile:
● Memory contents.
● Network traffic.

Non-volatile:
● File system contents (HD, USB disks, etc.)

Page 10: Digital forensics.abdallah

Preservation

The original state of the data should be preserved exactly as acquired.

Any operations done on the data should be done on an exact copy, to guarantee the integrity of the original confiscated data.
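The acquisition steps from page 8 (digital copy, checksum authentication, documentation) and the preservation rule above, as an added shell example that is not part of the original slides. It assumes GNU dd and sha256sum are available; the seized "device" is a constructed file standing in for something like /dev/sdX.

```shell
#!/bin/sh
# Added example, not from the slides: image a seized device with dd, hash
# both source and image, record every step in an acquisition log, and later
# re-check the image against the recorded hash (preservation).
# Assumes GNU dd and sha256sum; the "device" is a constructed stand-in file.
set -eu

# Constructed stand-in for a seized 64 KiB disk: 128 sectors of 512 bytes,
# a boot signature in sector 0 and a user file starting at sector 100.
make_sample_device() {
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
    printf 'BOOT' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf 'quarterly report draft' | dd of="$1" bs=1 seek=51200 conv=notrunc 2>/dev/null
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# log_step LOG MESSAGE: timestamped entry for the chain-of-custody record
log_step() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"; }

# acquire_and_verify SRC IMG LOG: image SRC to IMG; returns 0 only when the
# image hash equals the source hash. conv=noerror,sync keeps reading past bad
# sectors and zero-fills them, so a damaged source will (correctly) not match;
# bs=512 keeps the image the same length as a sector-aligned source.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    log_step "$log" "acquisition start src=$src img=$img"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    log_step "$log" "sha256 source $(sha256_of "$src")"
    log_step "$log" "sha256 image $(sha256_of "$img")"
    chmod 0444 "$img"                     # analysis happens on copies only
    if [ "$(sha256_of "$src")" = "$(sha256_of "$img")" ]; then
        log_step "$log" "VERIFIED image matches source"; return 0
    fi
    log_step "$log" "MISMATCH image differs from source"; return 1
}

# check_preserved IMG LOG: re-hash the image and compare it with the hash
# recorded at acquisition time; any difference means the copy was altered.
check_preserved() {
    recorded=$(grep 'sha256 image' "$2" | tail -n1 | awk '{print $NF}')
    [ "$(sha256_of "$1")" = "$recorded" ]
}
```

On a real device the source hash is taken with a write blocker in place; re-running check_preserved before each analysis session is what proves the working copy still equals what was acquired.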

Page 11: Digital forensics.abdallah

Identification

Identifying what data could be recovered and retrieving it by using Computer Forensic tools.

Identifying and recovering hidden / deleted data using various tools.

Identification of any tampering or anomalies in the data.

Page 12: Digital forensics.abdallah

General Identification Process

● Make a list of key search words.
● Evaluate the Windows swap file.
● Evaluate unallocated space (erased files).
● Document file names, dates and times.
● Identify file, program and storage anomalies.
● Evaluate program functionality.
● Document your findings.

Page 13: Digital forensics.abdallah

Examples of hidden data

● Changing file names or extensions.
● Encryption.
● Hidden drive space: non-partitioned space in between partitions.
● Slack space.
● Partition waste space.
● Bad sectors.
● Other steganography methods.
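The key-word search over unallocated space from page 12 and the slack-space hiding place listed above, as an added shell example that is not part of the original slides. It builds a constructed tiny image with a 4096-byte cluster size and assumes GNU grep (for -boa), dd and tr.

```shell
#!/bin/sh
# Added example, not from the slides: a constructed 4-cluster "disk image"
# where a 100-byte file leaves slack in its cluster and a message is hidden
# there. search_keywords scans the whole image (allocated, unallocated and
# slack bytes alike); carve_slack extracts one file's slack from its start
# offset and logical size. Assumes GNU grep, dd and tr.
set -eu

CLUSTER=4096

# Constructed sample: cluster 2 holds a 100-byte file of 'A's; the hidden
# text is written 7 bytes past the file's logical end, inside its slack.
make_sample_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=$CLUSTER count=4 2>/dev/null
    printf '%0100d' 0 | tr 0 A | dd of="$img" bs=1 seek=$((2*CLUSTER)) conv=notrunc 2>/dev/null
    printf 'TRANSFER 250000 to acct 4411' \
        | dd of="$img" bs=1 seek=$((2*CLUSTER + 100 + 7)) conv=notrunc 2>/dev/null
}

# search_keywords IMG WORD...: print "offset:match" for every key word found
# anywhere in the image (-a treats the binary as text, -o prints only the
# match, -b its byte offset). Hits outside any live file point the examiner
# at unallocated space or slack.
search_keywords() {
    img="$1"; shift
    for kw in "$@"; do
        grep -boa "$kw" "$img" || true
    done
}

# carve_slack IMG START SIZE: bytes from the file's logical end to the end of
# its last cluster. NUL bytes are dropped here so the result is printable; a
# real carve keeps the raw bytes for hashing and further analysis.
carve_slack() {
    img="$1"; start="$2"; size="$3"
    rem=$((size % CLUSTER))
    [ "$rem" -eq 0 ] && return 0          # file fills its last cluster: no slack
    dd if="$img" bs=1 skip=$((start + size)) count=$((CLUSTER - rem)) 2>/dev/null | tr -d '\000'
}
```

A hit offset from search_keywords that does not fall inside any allocated file's logical extent is exactly the kind of storage anomaly the identification process asks the examiner to document.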

Page 14: Digital forensics.abdallah

Steganography Example

To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too.

The duck flies at midnight.

Page 15: Digital forensics.abdallah

Evaluation

Evaluation of the recovered information, and determining whether it can be used as evidence.

Page 16: Digital forensics.abdallah

Presentation

Presenting the evidence discovered in a manner which complies with the rules and regulations.

Ex: it must be understandable by lawyers and non-technical staff, and suitable as evidence as determined by the country's laws.

Page 17: Digital forensics.abdallah

Tools

Digital Forensic experts use a combination of software and hardware tools.

The tools include disk analysers, steganography analysis tools, decryption tools, hex viewers, network monitors, etc.

List of the most used software tools : https://en.wikipedia.org/wiki/List_of_digital_forensics_tools

Page 18: Digital forensics.abdallah

SANS Investigative Forensic Toolkit

Page 19: Digital forensics.abdallah

Volatility memory forensics

Page 20: Digital forensics.abdallah

Hex Editors

Page 21: Digital forensics.abdallah

DD Disk Cloning

Page 22: Digital forensics.abdallah

Xplico Network Forensics

Page 23: Digital forensics.abdallah

Tableau forensic write blocker

Page 24: Digital forensics.abdallah

Versatile Preservation & Examination Responder Kit

Page 25: Digital forensics.abdallah

DD, Hex editor

Live Example