digital forensics research workshop challenge 2009
play

Digital Forensics Research Workshop Challenge 2009 Wouter van - PowerPoint PPT Presentation

Jan 12, 2023 •153 likes •353 views

Digital Forensics Research Workshop Challenge 2009 Wouter van Dongen, Alain van Hoof Research Project 2 1 July 2009 1 Research project 2 Introduction Challenge details Research questions Method Time zones and Linux time

  1. Digital Forensics Research Workshop Challenge 2009 Wouter van Dongen, Alain van Hoof Research Project 2 1 July 2009 1

  2. Research project 2 • Introduction • Challenge details • Research questions • Method • Time zones and Linux time stamps • SSH traces • Recovery of deleted files • The big picture • Questions 2

  3. Challenge details 3

  4. Research questions 1. What relevant user activity can be reconstructed from the available forensic data and what does it show? 2. Is there evidence of inappropriate or suspicious activity on the system? 3. Is there evidence of collaboration with an outside party? If so, what can be determined about the identity of the outside party? How was any collaboration conducted? 4. Is there evidence that illicit data (specifically, Mardi Gras images) was exchanged? If so, what can be determined about that data and the manner of transfer? 5. What data (if any) was provided by the Johns Hopkins PS3? 6. The suspect claims that he was not responsible for any transfer of data. What evidence do you have to show that remote, unauthorized access to the system might have occurred, and does this evidence exonerate the suspect? 4

  5. Method (1) • Standard Linux commands on read-only mounted images • Additional Linux utilities • Restored images on Playstation 3 to observe and test behaviour • Aftertime to parse and export 100,000 log entries of both systems • Excel to quickly filter and search • Created timeline 5

  6. Method (2) 6

  7. Timezones • 1 hour time difference • Summertime: 8th of March • Aftertime 7

  8. Linux time stamps (1) • Modified, Access and Change time stamps, crucial for investigation. • Mount options affect behaviour, not mentioned in literature! • relatime • noatime • nodiratime • /etc/fstab 8

  9. Linux time stamps (2) Determining the mount options using time stamps 9

  10. Linux time stamps (3) Determining the mount options using time stamps 10

  11. 11

  12. Investigation - Recovery of deleted files (1) • ext3 zeros out block pointer on deletion • Journaling: inode (entire block!) update is first recorded in journal 12

  13. Investigation - Recovery of deleted files (2) Carving is not always possible  journal based recovery • Search for deleted files and their inode address in directory entries 505479 (16) Recipes 503339 (16) .lesshst 503412 (2688) memdump-powerpc.tar <505465> (2660) .ICEauthority-n <505482> (20) andromachi <505483> (2604) bateman's <505484> (20) stanley's <505485> (2564) stoughton's • Find inode copies in journal 13

  14. Investigation - Recovery of deleted files (3) No directory entries? • Search journal for old entries (e.g. with ‘ext3grep –search’) • Read all results (ext3grep --ls – block): • Try to restore inode from journal • Try restoring the inode 14

  15. Investigation - Recovery of deleted files (4) File still not recovered? • Calculate block group data range and export the block (e.g. with dd) and try searching. Recovered: • Bash history • Drug recipes • Backdoor software 15

  16. The big picture 16

  17. 17

  18. Questions Questions? Thanks! 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute

Challenges in Digital Forensic Research R.I. Ferguson ian.ferguson@abertay.ac.uk 2 minute intro to Digital Forensics Some challenges scale cloud the encryption boundary anti-forensics Digital Forensics in 2 mins

415 views • 7 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer

Introduction to Digital Forensics Introduction Why is the Study of Digital Forensics Relevant? What is Digital/Computer Forensics? What do you Need for a Careers in Computer Digital Forensics? Educational Background

509 views • 29 slides
Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of

Digital Forensics Unraveling Incidents one byte at a time Digital Forensics Characteristics of Digital Evidence: Admissible evidence must be related to the fact being proved Authentic evidence must be real and related to the

1.13k views • 68 slides
Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert

Digital Forensics: A Cybersecurity Approach Hector Rivera Basiru Mohammed Michael Marin Robert Malegiannakis Ricardo Justiniano Introduction - What is Digital Forensics? Digital forensics defined - The process of recovering and interpreting

478 views • 30 slides
Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc

Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc

Effective Digital Forensics Research is Investigator- Centric Robert J. Walls Brian Neil Levine Marc Liberatore Clay Shields University of Massachusetts Amherst Georgetown University rjwalls@cs.umass.edu 1 forensics.umass.edu

578 views • 39 slides
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

1.04k views • 65 slides
Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico

Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools Lodovico Marziale, Golden G. Richard III, Vassil Roussev Me: Professor of Computer Science Co-founder, Digital Forensics Solutions golden@cs.uno.edu

489 views • 28 slides
HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics

HACKING PARIS 2014 EXTREME FORENSICS RELOADES 2Q /2014 Alvaro Alexander Soto Digital Forensics Lab Director HTCIA/ICFP/ACM/IEEE/ACIS/ISSA asoto@asoto.com INTENDED AUDIENCE Forensic lab directors / analysts - Law enforcement - Researchers -

568 views • 36 slides
SPORTS WAGERING WEST VIRGINIA John A. Myers Director, West Virginia Lottery WV Lottery

SPORTS WAGERING WEST VIRGINIA John A. Myers Director, West Virginia Lottery WV Lottery

SPORTS WAGERING WEST VIRGINIA John A. Myers Director, West Virginia Lottery WV Lottery Oversight Traditional Lottery Instant and On-line Racetrack and Casino Video Lottery Limited Video Lottery 7 machines in Bars and Taverns

529 views • 14 slides
Surplus Lines Market Overview B . S C O T T L A N D R Y , C P C U , A S L I , A I S

Surplus Lines Market Overview B . S C O T T L A N D R Y , C P C U , A S L I , A I S

Surplus Lines Market Overview B . S C O T T L A N D R Y , C P C U , A S L I , A I S Characteristics of Insurance Purchase of a prom ise - intangible Com plex docum ent - legal contract Provides im portant benefits paym ent of

508 views • 22 slides
The View of the British Public Joe Twyman Co-founder and Director Deltapoll The Importance of

The View of the British Public Joe Twyman Co-founder and Director Deltapoll The Importance of

Immigration: The View of the British Public Joe Twyman Co-founder and Director Deltapoll The Importance of Immigration as a Political Issue 60% 50% 40% 30% 20% 10% 0% 1997 1999 2001 2003 2005 2007 2009 2011 2013 2015 2017

493 views • 21 slides
Building franchise value in an uncertain world Stephen Hester, CEO, The Royal Bank of Scotland

Building franchise value in an uncertain world Stephen Hester, CEO, The Royal Bank of Scotland

Building franchise value in an uncertain world Stephen Hester, CEO, The Royal Bank of Scotland Group Bank of America Merrill Lynch - Banking &amp; Insurance CEO Conference 25 th September 2012 Important Information Certain sections in this

948 views • 30 slides
Emergency Response Plans Preparing, not Scaring, Students US Study Abroad Students in Numbers

Emergency Response Plans Preparing, not Scaring, Students US Study Abroad Students in Numbers

Rich Kurtzman Cory Smith Founder and Director Assistant Director, Study Abroad On-site, Barcelona University of Cincinnati Rich@BarcelonaSAE.com smith7cy@ucmail.uc.edu Emergency Response Plans Preparing, not Scaring, Students US Study

661 views • 26 slides
Why even worry about this stuff? 1 2/14/2019 Everyday could be the day Disasters are never

Why even worry about this stuff? 1 2/14/2019 Everyday could be the day Disasters are never

2/14/2019 Why even worry about this stuff? 1 2/14/2019 Everyday could be the day Disasters are never scheduled One big event doesnt mean the entire system stops Its about who you knowand what you do to serve the healthcare needs of

722 views • 14 slides
Universal Orlando Resort Vacation like you mean it The Basics: Onsite Hotels 3 resort

Universal Orlando Resort Vacation like you mean it The Basics: Onsite Hotels 3 resort

Universal Orlando Resort Vacation like you mean it The Basics: Onsite Hotels 3 resort categories: Prime Value (Cabana Bay, Aventura - coming summer 2018) Preferred (Sapphire Falls, Royal Pacific) Premier (Hard Rock,

479 views • 19 slides
and The Canal Street Ferry Terminal/Vessels Rampart Streetcar Update PROJECT STARTED IN

and The Canal Street Ferry Terminal/Vessels Rampart Streetcar Update PROJECT STARTED IN

A PRESENTATION TO THE AUGUST 2016 Rampart Streetcar Expansion and The Canal Street Ferry Terminal/Vessels Rampart Streetcar Update PROJECT STARTED IN JANUARY 2015 COMPLETION BY THE END OF AUGUST 2016 Utilities, Tracks,

340 views • 13 slides

More recommend