Cyber Security Fundamentals (M): Digital Forensics
Glasgow, 21st March 2022.
, School of Computing Science, University of Glasgow, Scotland.
Structure of Lectures
Sections that will be covered:
Cyber security basic background, a look into networking,
cyber attacks and defence,
web application vulnerabilities, trends in cyber,
penetration testing and digital forensics. Guest lectures to be confirmed.
CSF 2022 Digital Forensics
Lecturers instructions
When you see the red sign in a slide it means that you must not use anything described in the specific slide without the necessary authorisation. The lecturer of this course will not be responsible for any misuse.
When you see the green sign in a slide it means that you can use anything described in the specific slide on your own.
Do not use any NO NO tools..
Types of Digital Forensics
Digital forensics is the procedure of acquiring and processing data found in digital devices. In its early years the term was used as a synonym for computer forensics, but there are now different categories depending on the type of digital evidence and the procedures involved.
Computer forensics is the procedure of acquiring a snapshot of the internal state of a computer system (cloning the hard drive or memory) and then analysing the acquired copy.
Network forensics focuses on the communication side of a device: it captures traffic as data for further analysis and helps in intrusion detection.
Mobile forensics covers the practices employed to recover data from a mobile device. Forensic data analysis is another branch, focused on the analysis of structured data relevant to financial crimes. Most of the time these practices are used in digital crime investigations and the goal is a successful prosecution.
Step 3 Gain Access
Is Computer Forensics important?
Computer Forensics Steps
Upon arriving at a crime scene a forensic investigator should be cautious. The investigator must search the crime scene extensively, label and formally register all the hardware equipment found, and place it safely in antistatic bags. If a desktop is discovered powered off, the hard drive must be removed and placed in a safe box. If a desktop is powered on, the investigator needs to decide whether he/she will proceed with a live forensics procedure.
All these steps will be analysed in the following slides.
Taking pictures and screenshots as supporting evidence is essential in the investigation.
Step 1: Seizure (1/3)
Step 1: Seizure (2/3)
Step 1: Seizure (3/3)
Recording the time from the BIOS is important: if the clock is set wrongly, some evidence may point us in the wrong direction. A registry table example is given on the top right-hand side of the slide.
Why should we register every single cable? Because it makes it easier to spot if something is missing from the crime scene, and to prove whether equipment such as a camera was connected to a suspect's machine.
Step 2: Acquisition
After the seizure the forensic investigator takes the hard drive or laptop and generates a clone copy of its content. A hash value is generated for this clone and kept safely; in this way the forensic examiner can show that no changes were made to the copy while analysing the data, and the hash can be presented in court as proof. It is good practice to work on a second copy, so that if anything goes wrong he/she does not have to redo this step.
An example of a command-line approach for making a forensic copy is shown on the slide. FTK Imager can also be used to acquire a forensic image.
It is out of our scope to explain all the different image formats that exist; the raw format is a bit-by-bit copy of the suspect drive, often accompanied by metadata.
Write blockers ensure that nothing can be written to the suspect drive, which eliminates the possibility of contaminating the evidence.
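The acquisition step described above (raw bit-by-bit copy, acquisition hash kept for court, hash re-checked before analysis as the "first thing" in the analysis slides) can be walked through in code. The block below is an added example and is not the lecture's own command-line tool or any FTK Imager code; the function and file names are mine, the "suspect drive" is a constructed file, and the 4 KiB chunk size is an assumption standing in for a sector-sized read. It mirrors the behaviour of `dd conv=noerror,sync`: an unreadable chunk is replaced by zeros so offsets in the image still line up with the original.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # copy granularity; assumption, stands in for a sector-sized read


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def make_raw_image(source: str, image: str) -> dict:
    """Write a raw (bit-for-bit) image of `source` to `image`.

    Like `dd conv=noerror,sync`, a chunk that cannot be read is replaced by
    zeros of the same size so the image keeps the geometry of the original.
    The returned hash covers exactly the bytes that were written, which is
    what the investigator records as the acquisition hash.
    """
    acquired = hashlib.sha256()
    written = 0
    unreadable = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                data = src.read(CHUNK)
            except OSError:
                # Unreadable region (a bad sector on a real drive): zero-fill,
                # count it, and continue past it.
                data = b"\x00" * CHUNK
                unreadable += 1
                src.seek(written + CHUNK)
            if not data:
                break
            acquired.update(data)
            dst.write(data)
            written += len(data)
    return {"bytes": written, "unreadable_chunks": unreadable,
            "acquisition_sha256": acquired.hexdigest()}


def verify_image(image: str, recorded_hash: str) -> bool:
    """Re-hash the working copy and compare with the recorded hash. Run this
    before analysis and again afterwards to show the copy was not altered."""
    return sha256_of_file(image) == recorded_hash


def demo() -> dict:
    """Image a constructed 'suspect drive' (a plain file), verify the copy,
    then show that changing a single byte makes verification fail."""
    workdir = tempfile.mkdtemp()
    suspect = os.path.join(workdir, "suspect_drive.bin")   # constructed input
    image = os.path.join(workdir, "suspect_drive.raw")
    with open(suspect, "wb") as f:
        f.write(bytes(range(256)) * 40 + b"tail")          # 10244 bytes
    result = make_raw_image(suspect, image)
    ok_before = verify_image(image, result["acquisition_sha256"])
    matches_source = result["acquisition_sha256"] == sha256_of_file(suspect)
    with open(image, "r+b") as f:                          # simulate tampering
        f.seek(0)
        f.write(b"\xff")
    ok_after = verify_image(image, result["acquisition_sha256"])
    return {"bytes": result["bytes"], "matches_source": matches_source,
            "verifies_before": ok_before, "verifies_after_tamper": ok_after}


if __name__ == "__main__":
    print(demo())
```

In practice the source would be a block device behind a write blocker, and the hash of the source device and of the image would both be recorded; here the source hash is recomputed independently (`matches_source`) to show the two agree. The last step is the check the analysis slides ask for before any examination: if the working copy's hash no longer matches, the copy must not be used.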
Step 3: Analysis Physical Searching (1/3)
Creating a case using Autopsy.
The first thing to do is a hash check.
String commands, indexing, grep search via index, foremost and file carving.
Use of foremost to extract all the recoverable files.
Use of metacam to examine the files in the jpeg directory.
Step 3: Analysis Physical Searching (2/3)
Step 3: Analysis Physical Searching (3/3)
In the analysis step the forensic investigator searches for evidence in the acquired copy. Multiple searching techniques can be employed, each yielding different types of information. Lists of users, emails, documents and pictures are some of the items that can be fully recovered and examined.
Always make a hash comparison to ensure your copy has not been compromised in any way. A good tool for loading an image and moving on to the analysis is Autopsy.
Different commands can be used when searching for evidence in a forensic copy. Keyword searching resembles a web search: depending on the type of investigation, different words are good candidates. It is something like a dictionary attack, but the purpose is not password cracking.
The grep command is used to find the specific strings or files you want to extract. Foremost is one of the most useful tools, as it can extract all the recoverable data from our copy and separate it into folders by file type: one for .doc, one for .pdf, and so on. metacam is used specifically on the .jpeg directory; as you dig deeper you may also find information about the camera used to take the photos.
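Keyword searching and foremost-style file carving both work on the raw bytes of the image rather than on the file system, which is why they also recover material from unallocated space. The block below is an added example, not code from the lecture or from foremost, grep or Autopsy; all names are mine and the "image" is a constructed byte string with two complete JPEG-like blobs, a truncated one, and some text. It shows the header/footer carving idea foremost uses for JPEG (pair each start-of-image marker with the next end-of-image marker within a size limit) and a case-insensitive keyword search that reports offsets and surrounding bytes.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (file header)
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker (file footer)


def keyword_search(image: bytes, keywords, context: int = 16):
    """Case-insensitive keyword search over the whole image, unallocated
    space included, since it works on raw bytes rather than on files.
    Returns (keyword, offset, surrounding bytes) sorted by offset."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            lo = max(0, m.start() - context)
            hi = min(len(image), m.end() + context)
            hits.append((kw, m.start(), image[lo:hi]))
    return sorted(hits, key=lambda h: h[1])


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Header/footer carving in the style of foremost: each SOI is paired
    with the first EOI that follows within max_size bytes. A header with no
    footer (truncated or overwritten file) is reported separately rather
    than carved. Returns (carved, unterminated)."""
    carved, unterminated = [], []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            unterminated.append(start)
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        carved.append((start, image[start:end]))
        pos = end  # skip past this file so an embedded thumbnail is not re-carved
    return carved, unterminated


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image: zeroed (unallocated) space,
    two complete JPEG-like blobs, a truncated one, and some text."""
    photo_a = JPEG_SOI + b"\xe0JFIF" + b"A" * 40 + JPEG_EOI   # 50 bytes
    photo_b = JPEG_SOI + b"\xe1Exif" + b"B" * 20 + JPEG_EOI   # 30 bytes
    truncated = JPEG_SOI + b"\xe0" + b"C" * 10                 # header, no footer
    return (b"\x00" * 64
            + b"Meeting with Alice at the Warehouse\n"
            + photo_a
            + b"\x00" * 32
            + b"invoice 4471 paid"
            + photo_b
            + b"\x00" * 16
            + truncated
            + b"\x00" * 8)


def demo() -> dict:
    """Carve the constructed image and search it for two keywords."""
    image = build_sample_image()
    carved, unterminated = carve_jpegs(image)
    hits = keyword_search(image, ["warehouse", "invoice"])
    return {
        "carved": [(off, len(data)) for off, data in carved],
        "all_well_formed": all(d.startswith(JPEG_SOI) and d.endswith(JPEG_EOI)
                               for _, d in carved),
        "unterminated": unterminated,
        "hits": [(kw, off) for kw, off, _ in hits],
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the example makes visible: a header without a footer is reported but not carved (a real carver may still dump up to `max_size` bytes for it), and because the scan resumes after each carved file, a thumbnail embedded inside a JPEG's EXIF block is not carved twice. Real foremost additionally uses the `-t`/config file to choose which types to carve; the logic above is only the JPEG case.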
Step 3: Analysis Whitelist Production
Depending on the suspect's operating system (in this case Windows XP) you will have to build a known-good hash list (whitelist) and then compare it with the list of hashes that you can extract from your forensic copy.
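The whitelist comparison above reduces to: hash every file in the forensic copy, and set aside everything whose hash appears in the known-good list. The block below is an added example and not the lecture's tooling; the file names, contents and the whitelist are all constructed, and the whitelist format (`<sha256>  <name>`, as produced by sha256sum) is an assumption. It deliberately matches on hash alone, so a known file that was renamed is not flagged while a system binary with a familiar name but altered content is.

```python
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map every file under `root` (path relative to root, '/' separators)
    to its SHA-256: the list one would extract from the forensic copy."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = digest
    return hashes


def load_whitelist(text: str) -> set:
    """Parse lines of '<sha256>  <name>' into a set of hashes. Only the hash
    is kept: known-good matching is by content, not by file name."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hashes.add(line.split()[0].lower())
    return hashes


def unknown_files(tree_hashes: dict, whitelist: set) -> list:
    """Files whose hash is not in the whitelist: the ones worth examining."""
    return sorted(path for path, h in tree_hashes.items() if h not in whitelist)


def demo() -> list:
    """Constructed mini 'forensic copy': one unchanged OS file, one modified
    OS file, a renamed copy of a known file and a user document."""
    known_notepad = b"MZ...notepad (constructed)"
    known_calc = b"MZ...calc (constructed)"
    root = tempfile.mkdtemp()
    files = {
        "Windows/notepad.exe": known_notepad,             # unchanged, known
        "Windows/calc.exe": known_calc + b"\x90\x90",     # modified: not in list
        "Users/bob/tool.bin": known_notepad,              # renamed known file
        "Users/bob/notes.txt": b"meet at the warehouse",  # user data, unknown
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    whitelist_text = "\n".join([
        "# constructed known-good list for the suspect's OS build",
        sha256_bytes(known_notepad) + "  notepad.exe",
        sha256_bytes(known_calc) + "  calc.exe",
    ])
    return unknown_files(hash_tree(root), load_whitelist(whitelist_text))


if __name__ == "__main__":
    print(demo())
```

For a real Windows XP image the known-good list would come from a reference set for that exact build and patch level; a whitelist from the wrong build flags every patched system file as unknown and buries the interesting ones.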
Step 3: Analysis Registry Examination (1/2)
Step 3: Analysis Registry Examination (2/2)
You have to examine all the registry files in order to identify all the users and applications that were part of the system. Regviewer is a tool that helps you examine registry files and presents the data in a structured manner.
Step 3: Analysis Browser Analysis (1/2)
Step 3: Analysis Browser Analysis (2/2)
Notice that the suspect installed a Windows update and accessed some photos saved on their device.
Step 3: Analysis & Reconstruction (1/2)
Step 3: Analysis & Reconstruction (2/2)
Identifying the current user at a given time is really important, as this can be used as evidence, so establishing a timeline is one of the most crucial parts of the investigation.
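Reconstruction as described above means merging timestamped artefacts from several sources (logon events, browser history, file system times) into one ordered timeline and then asking who was logged on when a given artefact was created. The block below is an added example, not the lecture's own material; every event is constructed, and the two clock problems it corrects are assumptions for illustration: the browser history was exported in a +01:00 zone, and the suspect PC's clock (used by the security log and file system) was found 120 seconds fast at seizure, which is exactly why the seizure slides ask for the BIOS time to be recorded.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three sources, as each source recorded them.
# Nothing here comes from a real case.
RAW_EVENTS = [
    ("security_log", "2022-03-21T08:58:00+00:00", "alice", "logon"),
    ("browser",      "2022-03-21T10:10:00+01:00", "alice", "visited photo-sharing site"),
    ("filesystem",   "2022-03-21T09:15:00+00:00", None,    "Pictures/IMG_0001.jpg accessed"),
    ("security_log", "2022-03-21T09:30:00+00:00", "alice", "logoff"),
    ("security_log", "2022-03-21T09:31:00+00:00", "bob",   "logon"),
    ("filesystem",   "2022-03-21T09:40:00+00:00", None,    "Documents/report.doc modified"),
    ("security_log", "2022-03-21T10:00:00+00:00", "bob",   "logoff"),
]

# Assumed correction: the PC clock was 120 s fast, so subtract 120 s from every
# timestamp stamped by that clock. The browser export used a separate clock.
CLOCK_SKEW = {"security_log": timedelta(seconds=120),
              "filesystem": timedelta(seconds=120)}


def build_timeline(raw_events, skew):
    """Normalise every timestamp to UTC, apply the per-source clock
    correction, and return the events sorted by corrected time."""
    timeline = []
    for source, stamp, user, what in raw_events:
        t = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        t -= skew.get(source, timedelta(0))
        timeline.append((t, source, user, what))
    timeline.sort(key=lambda e: e[0])
    return timeline


def user_logged_on_at(timeline, when: datetime):
    """Replay logon/logoff events up to `when` (inclusive) and return the
    user logged on at that instant, or None if nobody was."""
    current = None
    for t, source, user, what in timeline:
        if t > when:
            break
        if source == "security_log" and what == "logon":
            current = user
        elif source == "security_log" and what == "logoff" and user == current:
            current = None
    return current


def attribute_events(timeline):
    """Attach the logged-on user to events that carry no user of their own
    (file system times, for instance)."""
    return [(t.isoformat(), source, user or user_logged_on_at(timeline, t), what)
            for t, source, user, what in timeline]


def demo() -> dict:
    timeline = build_timeline(RAW_EVENTS, CLOCK_SKEW)

    def at(hhmmss):
        return datetime.fromisoformat("2022-03-21T" + hhmmss + "+00:00")

    return {
        "order": [what for _, _, _, what in timeline],
        "user_at_091500": user_logged_on_at(timeline, at("09:15:00")),
        "user_at_092830": user_logged_on_at(timeline, at("09:28:30")),
        "user_at_094000": user_logged_on_at(timeline, at("09:40:00")),
        "user_at_103000": user_logged_on_at(timeline, at("10:30:00")),
        "report_user": next(u for _, _, u, w in attribute_events(timeline)
                            if w.startswith("Documents/")),
    }


if __name__ == "__main__":
    for row in attribute_events(build_timeline(RAW_EVENTS, CLOCK_SKEW)):
        print(*row)
```

The skew correction is not cosmetic: with the 120 s correction ignored, the query at 09:28:30 UTC would attribute that instant to alice (her uncorrected logoff is at 09:30), whereas on the corrected timeline nobody is logged on between her logoff at 09:28 and bob's logon at 09:29. Likewise the browser visit lands at 09:10 UTC only after the +01:00 offset is applied, which is what places it inside alice's session.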
Step 4: Report
Once the analysis is complete the forensic investigator needs to prepare a report with all the findings and be prepared to testify in court if needed. The report should be extensive, containing a register of the evidence, and not biased by any personal opinion.
The report should follow a specific structure, and all evidence should be referenced and presented without any personal opinion emerging.
Interesting hot topics
Any questions?