1 / 10

4. Collecting Evidence Part 2

4. Collecting Evidence Part 2. Topics. Live and Dead Systems Hashing Final Report. Live and Dead Systems. Old School: Pull the Plug. Loses RAM data May render encrypted files unavailable May corrupt data on the disk when power goes off

ahanu
Download Presentation

4. Collecting Evidence Part 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 4. Collecting EvidencePart 2

  2. Topics • Live and Dead Systems • Hashing • Final Report

  3. Live and Dead Systems

  4. Old School: Pull the Plug • Loses RAM data • May render encrypted files unavailable • May corrupt data on the disk when power goes off • May lose some evidence that doesn't get properly written to disk

  5. Now: Live Acquisition • Modern tools being marketed to first responders • Non-technical people • Live acquisition is important if RAM is important • Malware -> RAM is important • Possession of child porn -> RAM unimportant • Examiner needs proper skills and tools

  6. Principles of Live Collection • Least invasive procedure possible • RAM may contain • Running processes • Executed console commands • Passwords in cleartext • Unencrypted data • Instant messages • IP Addresses • Trojans

  7. Conducting and Documenting a Live Collection • Work without interruptions • Every interaction with the computer must be noted • I did this…the computer did that • Make desktop visible by moving the mouse • Or press a key (and record which) • Note date and time • Note icons and taskbar buttons of running programs • Open Task Manager & record processes • Capture RAM with a forensic RAM imager • Perform proper shutdown

  8. Task Manager • Show processes from all users • Record all processes • Perpwill probably claim malware did it later

  9. Hashing Algorithms • Even a single changed bit in the input file completely changes the hash • If the hash of two files match, the files can be regarded as identical • MD5 is most common • SHA-1 is better • In practice, either will do • Hash value must accompany all evidence images • So copies can be verified

  10. Final Report • Consider the audience • Many reports are too technical & confusing • Avoid jargon and code • The report generated by FTK or EnCase should be included, but it's not readable enough alone • Add a detailed narrative of all actions taken by the examiner • Add a summary written in plain English

More Related