csn11121 csn11122 system administration and forensics
play

CSN11121/CSN11122 System Administration and Forensics Introduction - PowerPoint PPT Presentation

Jan 08, 2024 •370 likes •1.04k views

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

  1. CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk

  2. Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of the main theoretical concepts 4. Storage Devices 5. Partitions

  3. Recommended Reading 1. B Carrier, File System Forensic Analysis , March 27 2005, Addison-Wesley Professional 2. H Carvey, Windows Forensic Analysis DVD Toolkit , 11th June 2009, Syngress 3. C Pogue, Unix and Linux Forensic Analysis DVD Toolkit , 30th June 2008, Syngress 4. M.E. Russinovich and D.A. Solomonm, Windows Internals 5th Edition , 7th January 2009, Microsoft Press (chapter 1 to chapter 3) 5. K.J. Jones, Real Digital Forensics , 3rd October 2005, Addison-Wesley Professional

  4. Online Resources • Digital Forensic Research Workshop (DFRWS) – http://www.dfrws.org – Challenges – Projects • National institute of Standards and technology (NIST) – http://www.nist.gov • Journal - Digital Investigation – http://www.sciencedirect.com • Forensics Wiki – http://www.forensicswiki.org

  6. DIGITAL FORENSICS

  7. It is impossible for the criminal to act, especially considering the intensity of a crime, without leaving traces of his presence. - Edmond Locard

  8. With contact between two items, there will be an exchange - Locard’s exchange principle

  9. Computer Forensics • 1984 – Scotland Yard: Computer Crime Unit – FBI computer forensics departments • 1990 – Computer Misuse Act (CMA)

  14. Digital Forensics The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from the digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. - Digital Forensics Research Workshop

  15. Investigative Context Primary Secondary Environment Objectives Objectives Law Enforcement Prosecution Post-Mortem Continuity of Real-Time/Post- Military IW Ops Prosecution Operations Mortem Business and Continuity of Real-Time/Post- Prosecution Industry Service Mortem

  16. Digital Investigation A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method where we develop a hypothesis using evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible. Digital Evidence is a digital object that contains reliable information that supports or refutes a hypothesis. - B. Carrier, 2006 File System Forensic Analysis,

  17. Static vs. Live • Traditional Static Investigations – Hard disk or some other form of static resource – Data at a resting state – Able to image, return to original source and conduct further analysis • Live investigation – Occurs when the machine is running

  18. Volatile Investigations • Has impact on device under investigation • Not repeatable • Does not fit in with classic forensic investigative models • OS must be trusted • New questions cannot be asked later

  19. Investigation Process • Acquisition – Preservation – Collection – Verification • Analysis – Search for evidence – Hypothesis Creation – Confirm or refute hypothesis with evidence • Presentation – Report the findings of the investigation – Objective manner

  20. Characteristics of Evidence 1. Data can be viewed at different levels of abstraction 2. Data requires interpretation 3. Data is Fragile 4. Data is Voluminous 5. Data is difficult to associate with reality

  21. Characteristics of Evidence 1. Data can be viewed at different levels of abstraction 2. Data requires interpretation 3. Data is Fragile 4. Data is Voluminous 5. Data is difficult to associate with reality

  22. Characteristics of Evidence 1. Data can be viewed at different levels of abstraction 2. Data requires interpretation 3. Data is Fragile 4. Data is Voluminous 5. Data is difficult to associate with reality

  23. Characteristics of Evidence 1. Data can be viewed at different levels of abstraction 2. Data requires interpretation 3. Data is Fragile 4. Data is Voluminous 5. Data is difficult to associate with reality

  24. Characteristics of Evidence 1. Data can be viewed at different levels of abstraction 2. Data requires interpretation 3. Data is Fragile 4. Data is Voluminous 5. Data is difficult to associate with reality

  25. Best Practice • ACPO – Principle 1 - No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court. – Principle 2 - In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.

  26. Best Practice • ACPO – Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

  27. Best Practice • ACPO – Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

  28. Tools • 1 st Generation – Command Line, Task oriented, Act on original data • 2 nd Generation – GUI interface, capable of making copies, multi- functional • 3 rd Generation – Work on distributed systems and live systems – Live… ?

  29. Tool Characteristics • Verifiable - Can it be shown to behave within certain bounds of behaviour? • Reproducibility - Can a tool produce results which are reproducible? • Non-interference - Are the results obtained with a tool that has open source code, and thus does not contain obfuscated code? • Usability - Can the tool help the investigator review and make decisions about the layer of abstraction being viewed? • Comprehensive - Can the tool allow the investigator access the data output of the tool at any given level of abstraction?

  30. Future • Research Challenges facing the investigation community – S.L. Garfinkel, Digital forensics research: The next 10 years , Digital Investigation, vol. 1, no. 7, pp. 64- 73, 2010 – “The coming Digital Forensics Crisis”

  31. Challenges • Size of storage devices • Embedded flash devices • Proliferation of operating systems and file formats • Multi-device analysis • Pervasive Encryption • Cloud computing • RAM-only Malware • Legal Challenges decreasing the scope of forensic investigations

  32. STORAGE DEVICES & PARTITIONS

  33. Required Reading D. Byers, N. Shahmehri, “Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors” , Digital Investigation, no. 5, pp. 29 – 33, 2008 A. Jones, C. Meyler, “What Evidence is left after disk cleaners?” , Digital Investigation, no. 1, pp. 183 – 188, 2004 B.J. Nikkel, “Forensic Analysis of GPT disks and GUID partition tables” , Digital Investigation, no.6, pp. 39-47, 2009

  34. Required Reading M. Belford, “Methods of discovery and exploration of Host Protected Ares on IDE storage devices that conform the ATAPI-5” , Digital Investigation, no.2, pp. 268-275, 2006 K. MacDonald, “To Image a Macintosh”, Digital Investigation, no. 2, pp. 175 -179, 2006 J. R. Lyle, “A strategy for testing hardware write block devices” , Digital Investigation, no. 3, pp. 3-9, 2006

  35. Storage Media • Hard disks, floppy disk, thumb drives etc. • Hard disks are the richest in digital evidence • Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA) • Higher performance SCSI drives • Fireware is an adaptation of SCSI standards that provides high speed access to a chain of devices • All hard drives contain platters made of light, rig-hid material such aluminum, ceramic or glass

  36. More on Hard Drives – Platters have a magnetic coating on both sides and spin between a pair of read/write heads – These heads move like a needle on top of the old LP records but on a cushion of air created by the disk above the surface – The heads can align particles of magnetic media called writing, and can detect how the magnetic particles are assigned – called reading – Particles aligned one way are considered “0” and aligned another way “1”

  37. Hard Disks Actuator Arm Spindle Platters Head cc by-sa, Cambridge Cat/Anna, flickr.com

  38. Storage • Cylinders are the data tracks that the data is being recorded on • Each track/cylinder is divided into sectors that contain 512 bytes of information – 512*8 bits of information • Location of data can be determined by which cylinder they are on which head can access them and which sector contains them or CHS addressing • Capacity of a hard drive # of C*H*S*512

  39. Hard Disk Platters

  40. Tracks and Sectors Track Sector (512bytes)

  41. Tracks and Sectors / . Track #0 - 0 3 � 1 2 Track #1, Sector #7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. Investigative Process Analysis Framework 2. File Systems FAT NTFS Required Reading G.H. Fellow,

705 views • 51 slides
CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2:

CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2:

CSN11121 System Administration and Forensics Week 2: Introduction/Linux Basics Week 2: Introduction/Linux Basics Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance Learning Version) System

547 views • 50 slides
CSN11121 System Administration and Forensics Week 5: Essential Apache and Log Analysis Week 5:

CSN11121 System Administration and Forensics Week 5: Essential Apache and Log Analysis Week 5:

CSN11121 System Administration and Forensics Week 5: Essential Apache and Log Analysis Week 5: Essential Apache and Log Analysis Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance Learning Version)

650 views • 48 slides
CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance

644 views • 51 slides
CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk

CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk

CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk Overview Forensics on Internet Explorer and Firefox Structure Information storage Access to the Information storage Tools used to

1.04k views • 40 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics What is The Cloud? A computing storage system that provides on-demand network access for

613 views • 25 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
Forensics for Managers x Ryan Washington MBA, CISSP, CCE, CEH, NSA/IAM 703-961-9456 Extension

Forensics for Managers x Ryan Washington MBA, CISSP, CCE, CEH, NSA/IAM 703-961-9456 Extension

Forensics for Managers x Ryan Washington MBA, CISSP, CCE, CEH, NSA/IAM 703-961-9456 Extension 128 Introduction US Marines, Special Intelligence Communicator Bachelors in Management Masters of Business Administration Solaris

698 views • 26 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly. # M.Eng. Cybersecurity # JOATMON Full Stack Developer, Security Engineer, Scripting/Automation, Researcher # Twitter: dev0x01 # Web:

1.03k views • 43 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics & Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Computer Misuse Act 1990 Anti-hacking legislation Background No laws specifically to deal

Computer Misuse Act 1990 Anti-hacking legislation Background No laws specifically to deal

Computer Misuse Act 1990 Anti-hacking legislation Background No laws specifically to deal with computer crime prior to 1990 Other laws tried instead Examples. Cox v Riley 1986 (Criminal Damage Act 1971) R. v Whitely 1990

463 views • 14 slides
Logic-Independent Premise Selection for Automated Theorem Proving Eugen Kuksa AITP 2017

Logic-Independent Premise Selection for Automated Theorem Proving Eugen Kuksa AITP 2017

29 March 2017 Logic-Independent Premise Selection | 1 FACULTY OF COMPUTER SCIENCE Logic-Independent Premise Selection for Automated Theorem Proving Eugen Kuksa AITP 2017 Obergurgl 29 March 2017 Logic-Independent Premise Selection | 2 FACULTY

852 views • 35 slides
Lectur ture e 15 Logic I Intro a and nd PDCL 1 Announ nouncem emen ents Marked

Lectur ture e 15 Logic I Intro a and nd PDCL 1 Announ nouncem emen ents Marked

Computer Science CPSC 322 Lectur ture e 15 Logic I Intro a and nd PDCL 1 Announ nouncem emen ents Marked midterms will be available on Thursday (with solutions) Assignment 3 will be posted on Th. Due Wed. Nov 15 2 late

852 views • 69 slides
LPS (Logic-based Production Systems) Robert Kowalski and Fariba Sadri Imperial College London

LPS (Logic-based Production Systems) Robert Kowalski and Fariba Sadri Imperial College London

3/20/2018 LPS (Logic-based Production Systems) Robert Kowalski and Fariba Sadri Imperial College London Miguel Calejo Interprolog.com 1 1 3/20/2018 Overview Introduction What is LPS? Logic programming Production systems LPS (Logic

1.15k views • 88 slides
Control from Computer Science Oded Maler CNRS-VERIMA G Grenoble, F rance Control from

Control from Computer Science Oded Maler CNRS-VERIMA G Grenoble, F rance Control from

Control from Computer Science Oded Maler CNRS-VERIMA G Grenoble, F rance Control from Computer Science Oded Maler Mo del-based System Design Experiments World Formal Model Thinking I O Analysis Design Implementation

445 views • 27 slides
CS7496 Computer Animation Instructor: C. Karen Liu Karen Liu Associate Professor at School of

CS7496 Computer Animation Instructor: C. Karen Liu Karen Liu Associate Professor at School of

CS7496 Computer Animation Instructor: C. Karen Liu Karen Liu Associate Professor at School of Interactive Computing Karen Liu Associate Professor at School of Interactive Computing Our TA: Vivek Trivedi Administrations

1.09k views • 67 slides
Lecture 7: Computer Arithmetic Todays topics: Chapter 2 wrap-up Numerical

Lecture 7: Computer Arithmetic Todays topics: Chapter 2 wrap-up Numerical

Lecture 7: Computer Arithmetic Todays topics: Chapter 2 wrap-up Numerical representations Addition and subtraction Reminder: Assignment 3 will be posted by tomorrow 1 Compilation Steps The front-end: deals mostly with

1.21k views • 25 slides
Computer Science 210: Data Structures Object Oriented (OO) concepts Summary Today

Computer Science 210: Data Structures Object Oriented (OO) concepts Summary Today

Computer Science 210: Data Structures Object Oriented (OO) concepts Summary Today object-oriented design principles OO concepts inheritance polymorphism this exceptions interfaces READING:

343 views • 16 slides

More recommend