forensics tries to reconstruct and explain activities and
play

forensics tries to reconstruct and explain activities and events - PowerPoint PPT Presentation

Dec 31, 2022 •128 likes •299 views

forensics tries to reconstruct and explain activities and events their actors and participants causes consequences individual forensic procedures in the best case can only provide parts of the puzzle for the whole

  2. forensics tries to reconstruct and explain activities and events ● their actors and participants – causes – consequences – individual forensic procedures ● in the best case can only provide parts of the puzzle – for the whole picture/story ● they need to be put in the right sequence – interpreted in broader context – the legal ramifications of forensic investigation it is important to ● make sure that forensic material cannot be changed (tampered) – after being acquired ● and that this can be proved – therefore we need a well defined procedure(s) ● 2 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  3. • police (court) forensics ▪ have their required, mandatory procedures ▪ scope defined by law • this course teaches generic/general forensics ▪ applicable in industry • therefore it is not based on procedures defined by any law(s) 3 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  4. • reconnaissance of the target system • planning the evidence acquisition • acquisition of evidence material • storing and guarding the material • analysis of the material • reporting • But! ▪ before the beginning ▪ acquire/define the questions you need to give answers to ◦ in written form 4 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  5. • what is it all about – what are we invetigating ▪ disaster, attack, problems , suspicion… • define the scope of the system – what are we going to observe/analyse ▪ computer/device, cluster, system, data, organization, public … • enumerate/list components ▪ servers, workstations, portable devices, phones, other equipment connected with IT components • interview actors and stakeholders ▪ operators, managers, management, users, partners … • gather the documentation ▪ communication system’s blueprints ▪ logic blueprints of information system 5 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  6. • gather as many as possible information ▪ about the subject of investigation • passive gathering • interviews ▪ users ▪ operates ▪ authorized persons ▪ everybody involved • find out ▪ which network resources are used ▪ which communication systems ◦ mail servers ◦ social networks ◦ … 6 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  7. • identify target device/program/data • if this is not possible, than enumerate/list : ▪ computers: servers, users’ ▪ handheld devices ▪ communication equipment ▪ other • identify other target devices • identify other targed data • determine which devices can be turned off • define the sequence of acquisition • ensure the legitimacy of the procedure, authority, support 7 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  8. • remove all persons from the • physically protect physical space except forensics the objects • do not touch anything ▪ for transport • take photos of the scene ▪ for storage ▪ record (in written) ▪ prepare instructions everything that seems important for transport • take photos and document • label every object how things were connected uniquely • seize devices ▪ the very object • take cables too , if they are special ▪ and its packaging ▪ power supplies • prepare all necessary • take media documentation for • do not forget printed documents takeover of evidence ▪ hand written, reminders etc. ▪ and acquire all signatures 8 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  9. • do not turn off devices which are turned on gasite ▪ du not turn on those which are turned off • communication devices which have wireless communication put in Faraday bags • look around the devices ▪ take all gadgets which could be part of the device • if you have to turn the device off ▪ first take the photo of the screen ▪ make a list of active applications, visited web sites, … ◦ if it can be done safely!!! ▪ capture the RAM ▪ take the battery out from portable devices • when detaching cables ▪ label them, make sketches ▪ and take photos 9 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  10. • storage and protection must be according to law • keep separate inventory of stored materials • copy everything that can be copied ▪ analysis should not be done on original evidence material • access to stored evidence material must be under strict surveillance ▪ this pertains to investigator’s notes and reports ▪ keep the access log to stored material • take special care about parts of devices that can be detached ▪ each part should be separately labeled and logged 10 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  11. • acquire the order for analysis ▪ what are we looking for? ▪ which questions do we need to answer? • perform the forensic analysis ▪ but on copies of data • keep precise log ▪ what was investigated ▪ why ▪ who performed investigation ▪ how , with what ▪ what did they find ◦ data ◦ conclusions • prepare data for report 11 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  12. • question or hypothesis • the object (which material ) will be analyzed • which method • Investigation • which tools • Expert • Date • when (from – to) • Place • results • ID of analysis • …. • conclusion/finding • next step - proposal 12 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  13. • who (all) will receive reports & what are their questions • separate report for different recipients ▪ based on gathered documentation and ▪ results of analyses • Important! Forensic expert is not the judge. Does not define the responsibility. ▪ but merely states facts & offers expert interpretation ▪ in ideal case, the forensic expert merely answers the questions • take care about the level of confidentiality ▪ mark confidentiality in appropriate manner • get ready for oral presentation of findings and or ▪ questions ▪ counter-arguments Keep detailed log about given answers 13 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  14. • Case description • Broader assignment ▪ order/warrant • Expert opinion ▪ answer to question #1 ▪ answer to question # 2 ▪ … ▪ answer to question # N • the report is result of your entire work • Argumentation • others do not seee te rest ▪ by each question ▪ short • any other expert should understand it • Findings od analyses • and reach same conclusions ▪ results ▪ by each question/analysis • Forensic team ▪ their competences • Methods od work • Addenda 14 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

  15. • when you are sure there will be no more investigation ▪ return all evidence material ▪ archive all documentation ◦ lists ◦ minutes ◦ logs ◦ reports ▪ in special cases – destroy all work materials ◦ and have the proof you did it 15 21.12.2018. 2015- 2017 (c) P.Pale: Računalna forenzika - Procedures

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT

To Reconstruct or Not to Reconstruct: That is the Question Nicolas GUILLIOT nicolas.guilliot@utoronto.ca http://nicolas.guilliot.chez-alice.fr University of Toronto August 12, 2008 Overview The Starting Point: to develop and compare two

336 views • 15 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics & Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics What is The Cloud? A computing storage system that provides on-demand network access for

613 views • 25 slides
SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving as few evidence as possible Anti-Forensics techniques help to make forensics investigations difficult Anti-Forensics can be a never

657 views • 38 slides
Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0 30 Days 31 60 Days 61 90 Days 90+ Infinity & Beyond Avoiding Really Bad News! <Your Company Name Here> Data

675 views • 42 slides
IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

NIST IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National Institute of Standards and Technology (NIST) US Department of Commerce NIST Integrated, hybrid networks of cyber and engineered physical

361 views • 25 slides
Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn 2011 Week 4 Prof Hans Georg Schaathun Security Standards Autumn 2011 Week 4 1 / 1 Evolution of Standards Outline Prof Hans Georg

521 views • 36 slides
Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn?

Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn?

Systems Security Final Class! (SysSec) Systems Security - Spring 2020 So what did I learn? Experiences Learned concepts covered in class in a hands-on virtual environment Extra competition to gain additional insight Lockdown v8!

496 views • 13 slides
Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020

Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020

Remote Forensic Investigations (In the Context of COVID-19) Xavier Mertens | PTS20 | July 2020 Whos Talking? Xavier Mertens (@xme) 3rd time speaker @ PTS Freelance based in Belgium Blueteamer SANS ISC Senior Handler

427 views • 32 slides
The Return of Diplomatics As A Forensic Discipline Luciana Duranti Director, InterPARES &

The Return of Diplomatics As A Forensic Discipline Luciana Duranti Director, InterPARES &

The Return of Diplomatics As A Forensic Discipline Luciana Duranti Director, InterPARES & DRF Projects Naples, 1 October 2011 The Use of Diplomatics Diplomatics came about as a methodology for establishing the authenticity of records

643 views • 32 slides
When We Need Audit Logs Computer forensics in courts Recovering from an attack

When We Need Audit Logs Computer forensics in courts Recovering from an attack

Systematic and Practical Methods for Computer Attack Analysis and Forensics Dr. Sean Peisert UC Davis Computer Science Dept. NSF I/UCRC Meeting ~ Davis, CA June 17, 2008 1 When We Need Audit Logs Computer forensics in courts

524 views • 11 slides
Transferring Digital Records to the Archives with ANTS Gregory Wiedeman University Archivist

Transferring Digital Records to the Archives with ANTS Gregory Wiedeman University Archivist

Transferring Digital Records to the Archives with ANTS Gregory Wiedeman University Archivist University at Albany, SUNY ANTS: Archives Network Transfer System Python desktop tool Windows only right now Runs checksums and gathers

606 views • 12 slides

More recommend