Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru - - PowerPoint PPT Presentation



SLIDE 1

Digital Forensics: A Cybersecurity Approach

Hector Rivera Basiru Mohammed Michael Marin Robert Malegiannakis Ricardo Justiniano

SLIDE 2

Introduction - What is Digital Forensics?

Digital forensics defined - The process of recovering and interpreting electronic data, where the main goal is to preserve any evidence in its most original form while performing a structured investigation that identifies, collects and validates the digital information for the purpose of reconstructing past events.

  • In this presentation we will examine three areas:

Network forensics

Mobile forensics

USB/Computer forensics

SLIDE 3

Understanding Mobile Forensics

  • Torrents of information are stored on mobile phones
  • Smartphones store private and sensitive data
  • In several developed countries, users are allowed to do mobile banking
  • A phone that has been seized cannot be analyzed without a warrant

Phone Generations

  • Analog
  • PCS (Personal Communications Service)
  • Third Generation (3G)
  • Fourth-generation (4G)

Inside a Mobile Phone

  • Microprocessor
  • ROM and RAM
  • Digital signal processor
  • Radio module
  • Microphone and Speaker
  • Hardware interfaces
  • LCD display

Basiru Speaking

SLIDE 4

Scenario

Suspect A was being monitored by the fraud department of a local electronics store's internal security because of a large amount of fraudulent gift card activity. The local bank alerted the merchant to questionable transactions, which prompted an internal investigation to show that the merchant bore no liability. During that investigation the surveillance footage matched the date/time stamps supplied by the bank. To solidify their findings for law enforcement, our team was hired to conduct computer forensics analysis in support of those findings. With documentation provided by both the merchant and the bank, our team was able to set up a proper investigation and establish timelines to secure search warrants for network, mobile and hardware analysis…

Hector Speaking

SLIDE 5

Network Forensics Applied

  • Connect to the electronics store's network
  • Connect to the bank's network
  • Connect to the suspect's home network
  • Gather all information from the packets on these networks using:
  • Wireshark
  • CloudShark
  • NetworkMiner

Robert speaking
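As an added example, not part of the presentation, here is the kind of work the tools above do under the hood: a small Python parser that reads a classic pcap file, decodes Ethernet/IPv4/TCP, groups packets into conversations, and pulls out the packets that fall within a window around a bank-supplied transaction timestamp. The capture, the addresses (RFC 5737 documentation ranges) and the payloads are constructed inside the script, and the bank timestamp is an assumed value.

```python
"""Parse a classic pcap, decode Ethernet/IPv4/TCP, and line packets up with a
bank transaction time.  The sample capture below is constructed for this example."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4          # microsecond pcap written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic as seen from a big-endian writer
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def decode_ethernet_ipv4_tcp(frame: bytes):
    """Return a dict for an IPv4/TCP frame, or None for anything else (ARP, IPv6, UDP...)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or total_len < ihl + 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def parse_pcap(data: bytes) -> list:
    """Walk the pcap record headers and return every decoded IPv4/TCP packet with its timestamp."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_ethernet_ipv4_tcp(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_usec / 1_000_000
            packets.append(pkt)
    return packets


def flows(packets):
    """Group packets into conversations keyed by the unordered (ip, port) endpoint pair."""
    out = {}
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        out.setdefault(key, []).append(p)
    return out


def packets_near(packets, epoch_seconds, window_seconds=60):
    """Packets captured within +/- window_seconds of a bank-supplied transaction time."""
    return [p for p in packets if abs(p["ts"] - epoch_seconds) <= window_seconds]


# --- constructed sample capture (not real traffic) --------------------------
def _tcp_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp


def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


BANK_TX_EPOCH = 1_700_000_000          # assumed bank timestamp: 2023-11-14 22:13:20 UTC
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + _record(BANK_TX_EPOCH + 5, _tcp_frame("192.0.2.10", "198.51.100.20", 51515, 443, b"GIFTCARD ACTIVATE 0001"))
    + _record(BANK_TX_EPOCH + 7, _tcp_frame("198.51.100.20", "192.0.2.10", 443, 51515, b"ACK 0001"))
    + _record(BANK_TX_EPOCH + 8, b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28)   # ARP frame, skipped
    + _record(BANK_TX_EPOCH + 3600, _tcp_frame("192.0.2.10", "203.0.113.5", 40000, 80, b"GET / HTTP/1.1\r\n"))
)

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(f"{len(pkts)} TCP packets in {len(flows(pkts))} conversations")
    for p in packets_near(pkts, BANK_TX_EPOCH, 60):
        when = datetime.fromtimestamp(p["ts"], timezone.utc).isoformat()
        print(f"{when} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['payload']!r}")
```

Real captures are usually pcapng and the interesting traffic is TLS, so in practice the correlation is done on flow metadata (endpoints, timing, sizes) rather than payload text; the timing window is the part that carries over directly.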

SLIDE 6 to SLIDE 17

Network Forensics Applied

[Screenshots of the packet captures and of the Wireshark, CloudShark and NetworkMiner output; no text is recoverable from these slides.]

Michael speaking

SLIDE 18

Network Forensics Wrap-up

1. Pieces of evidence were found using the cyber security tools
2. Enough evidence was found on the network forensics side to support the fraud allegation against the suspect
3. Wireshark, CloudShark and NetworkMiner were very useful tools for obtaining evidence relevant to the case

Michael speaking

SLIDE 19

Mobile Forensics Applied

Acquisition Procedures for Mobile Devices

  • Retrieve RAM data before the device loses power
  • If the device is off, keep it off
  • If it is on, check the display for battery level and keep it charged
  • Isolate the phone from all forms of synchronization (cellular, Wi-Fi, Bluetooth, cloud sync) so that nothing can alter or remotely wipe the evidence

Tools Used

  • AccessData FTK Imager
  • Forensic Toolkit 1.81

SLIDE 20

Mobile Forensics Applied

Mobile Phone Brand: LG_600

  • Call log of the suspect obtained
  • No SMS
  • No saved numbers from the address book

SLIDE 21

Mobile Forensics Applied

The only real image obtained from the suspect's phone.

SLIDE 22

Mobile Forensics Wrap-up

  • Evidence obtained from the suspect's mobile phone corroborates that he was really interested in the store
  • The highlighted number is the Sales Department help line
  • A possible image of an accomplice of the suspect was obtained; to be determined via further investigation

SLIDE 23

USB/Computer Forensics Applied

Step 1: Preserve the data

  • Utilize a write blocker to stop the OS from writing to the evidence drive
  • Log who had access to the evidence, when, and why (chain of custody)
  • Use hard drive duplicators to set up a working copy that diagnostics can be run on
  • Devices should remain unmounted during the investigation
  • Use FTK Imager to hash the image as it sits, prior to any manipulation/investigation of the data, so that every later copy can be verified against that hash

SLIDE 24

USB/Computer Forensics Applied

Step 2: Acquiring data

  • A live acquisition was run at the crime scene while the host was up and running, so that data could be captured before it became encrypted
  • Use Hex Workshop
  • Open the .mem file from the live acquisition to view the files and have full access
  • Search for keywords translated to hex
  • Display the processes/services that were running when memory was dumped
  • DiskExplorer, run on the client side, i.e. the in-house forensic workstation
  • HDHOST, run on the server side, i.e. the evidence drive, for remote acquisition
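An added example, not from the presentation, covering the two checks a practitioner wants from steps 1 and 2: hashing the image in chunks (the way FTK Imager handles drives too large for memory) so the working copy can be verified against the acquisition hash later, and searching a memory dump for keywords in both ASCII and UTF-16LE, because Windows keeps most strings in memory as UTF-16LE and an ASCII-only hex search misses them. The "image" and the memory blob are constructed byte strings; keyword_hex shows the hex pattern you would paste into a hex editor's byte search.

```python
"""Hash a disk image in chunks and search a memory dump for keywords in ASCII and
UTF-16LE.  The image and memory blob below are constructed for this example."""
import hashlib
import io

# --- Step 1: hash the image before and after analysis -----------------------

def hash_stream(fobj, chunk_size=1 << 20):
    """Stream an image through MD5 and SHA-256 without loading it into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data, chunk_size=1 << 20):
    return hash_stream(io.BytesIO(data), chunk_size)


def verify_image(data, expected_sha256):
    """True if the working copy still matches the hash recorded at acquisition."""
    return hash_bytes(data)["sha256"] == expected_sha256.lower()


# --- Step 2: keyword search in a memory dump --------------------------------

ENCODINGS = ("ascii", "utf-16-le")   # Windows keeps most in-memory strings as UTF-16LE


def keyword_hex(keyword, encoding="ascii"):
    """The hex pattern you would paste into a hex editor's byte search for this keyword."""
    return keyword.encode(encoding).hex()


def find_keywords(mem, keywords, context=16):
    """Case-insensitive search for each (ASCII) keyword in every encoding; hits sorted by offset."""
    hay = mem.lower()   # folds only ASCII letters, so UTF-16LE null bytes are untouched
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            needle = kw.lower().encode(enc)
            start = 0
            while (off := hay.find(needle, start)) >= 0:
                hits.append({
                    "offset": off, "encoding": enc, "keyword": kw,
                    "hex": keyword_hex(kw.lower(), enc),
                    "context": mem[max(0, off - context): off + len(needle) + context],
                })
                start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory blob: a PE header fragment, an ASCII string from a text
# field, and a UTF-16LE file path of the kind Windows Explorer leaves behind.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 12
    + b"User typed: GiftCard activation 4111" + b"\x00" * 8
    + "C:\\Users\\suspect\\giftcard_list.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    acquired = hash_bytes(SAMPLE_MEMORY)            # recorded at acquisition time
    print("sha256 at acquisition:", acquired["sha256"])
    print("working copy intact:", verify_image(SAMPLE_MEMORY, acquired["sha256"]))
    for h in find_keywords(SAMPLE_MEMORY, ["giftcard"]):
        print(f"offset {h['offset']:#08x} {h['encoding']:9s} hex={h['hex']} {h['context']!r}")
```

The MD5 is kept alongside SHA-256 only because older tooling and reports still quote it; the verification itself should rely on the SHA-256.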

SLIDE 25

USB/Computer Forensics Applied

Step 3: Analyzing Data

  • Created an index of the drive to make getting to data items much faster
  • Searched keywords based on the case we are working on
  • Viewed deleted files and restored them
  • Used report generators to build reports that can be used in the legal arena, and to mark the evidence found
  • Hex Workshop is useful for checking files that may have been renamed with incorrect extensions to throw off investigators
  • Use magic tables to cross-reference the hex signature of a file; with this info you can change the incorrect file type to the correct one so you can open it

Ricardo Speaking

SLIDE 26

Hex Workshop Results

  • We observed a suspicious document, "secret.jpg"
  • Ran the hex tool on the file to assist with discovery of the original file extension

Ricardo Speaking

SLIDE 27

  • Used magic tables to match the file type signature in hex; with this info we can change the incorrect file type to the correct type, enabling us to open its contents
  • After discovering the file type was .DOCX, we renamed the file, saved our changes and were able to open it without error.

Ricardo speaking

SLIDE 28

  • After opening the file with the corrected extension, we discovered that secret.docx contained multiple stolen credit card numbers that matched back to our case, along with multiple other credit card numbers that matched other reported fraudulent claims.
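An added example (not the presenters' code) of the magic table check from slides 25 to 27, generalized from the secret.jpg case: a signature table, a ZIP refinement that tells a .docx from a plain .zip by its internal entry names (a .docx is a ZIP, so "PK" alone is not enough), the claimed-versus-actual comparison, and the corrected filename. The DOCX-like ZIP and the JPEG header are constructed in the script. The rename is done on the working copy only, never on the evidence image.

```python
"""Identify a file by its magic bytes, compare with the claimed extension, and
produce the corrected name.  The sample files below are constructed for this example."""
import io
import zipfile

# (magic bytes, offset, accepted extensions with the canonical one first, label)
MAGIC_TABLE = [
    (b"\xFF\xD8\xFF", 0, ("jpg", "jpeg"), "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", 0, ("png",), "PNG image"),
    (b"GIF87a", 0, ("gif",), "GIF image"),
    (b"GIF89a", 0, ("gif",), "GIF image"),
    (b"%PDF-", 0, ("pdf",), "PDF document"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, ("doc", "xls", "ppt", "msg"), "OLE2 compound file (legacy Office)"),
    (b"PK\x03\x04", 0, ("zip",), "ZIP archive"),
    (b"Rar!\x1a\x07", 0, ("rar",), "RAR archive"),
    (b"\x7fELF", 0, ("elf", "so", "bin"), "ELF executable"),
    (b"MZ", 0, ("exe", "dll", "sys", "scr"), "DOS/PE executable"),
    (b"ustar", 257, ("tar",), "tar archive"),
]

# Office Open XML files are ZIPs; the entry names tell docx, xlsx and pptx apart.
OOXML_MARKERS = (
    ("word/document.xml", "docx"),
    ("xl/workbook.xml", "xlsx"),
    ("ppt/presentation.xml", "pptx"),
)


def _refine_zip(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return ("zip", ("zip",), "ZIP archive (truncated or damaged)")
    for marker, ext in OOXML_MARKERS:
        if marker in names:
            return (ext, (ext,), f"Office Open XML ({ext})")
    return ("zip", ("zip", "jar", "apk"), "ZIP archive")


def identify(data):
    """Return (canonical_ext, accepted_exts, label) from content alone, or None if unknown."""
    for sig, off, exts, label in MAGIC_TABLE:
        if data[off:off + len(sig)] == sig:
            if sig == b"PK\x03\x04":
                return _refine_zip(data)
            return (exts[0], exts, label)
    return None


def check_extension(filename, data):
    """(claimed_ext, actual_ext, mismatch); actual_ext is None when the signature is unknown."""
    claimed = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    ident = identify(data)
    if ident is None:
        return (claimed, None, False)
    canonical, accepted, _ = ident
    return (claimed, canonical, claimed not in accepted)


def corrected_name(filename, data):
    """Filename with the extension the content says it should have (apply to a working copy only)."""
    claimed, actual, mismatch = check_extension(filename, data)
    if not mismatch:
        return filename
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    return f"{stem}.{actual}"


# --- constructed samples -----------------------------------------------------
def _build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_DOCX_BYTES = _build_sample_docx()                       # what "secret.jpg" really was
SAMPLE_JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in (("secret.jpg", SAMPLE_DOCX_BYTES), ("photo.jpg", SAMPLE_JPEG_BYTES)):
        claimed, actual, mismatch = check_extension(name, data)
        label = identify(data)[2]
        verdict = "MISMATCH, rename to " + corrected_name(name, data) if mismatch else "extension matches"
        print(f"{name}: header {data[:4].hex()} = {label}; {verdict}")
```

A hit in the table is a starting point, not a verdict: an "MZ" header on a file claiming to be .txt is worth a closer look, while .zip versus .jar is a naming convention, which is why the table carries a set of accepted extensions rather than a single one.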

SLIDE 29

USB/Computer Forensics Wrap-up

We found even more evidence of the reported crime on the suspect's computer.

  • The data included a .docx file that contained a large list of stolen credit/gift card numbers

SLIDE 30

Conclusion

Our Senior Cyber Security Forensics Analysts were able to verify our findings. Ensuring appropriate measures were taken in the proper tagging and handling of the evidence, they were able to present the case on the merchant's behalf so that an arrest warrant could be properly submitted through local law enforcement agencies…

Hector Speaking