Ahmed Abbas Ahmed.abbas1992@hotmail.com Forensic 101
Computer Forensics 101: The Art Of Hunting Tigers.
Session Map • Bio. • About OWASP-Khartoum. • Definition of Forensics. • Forensics In The News. • Incident Response Team (IRT). • Role Of The Investigator. • Skills Needed. • Why Do Companies Have Different Ways To Do Forensics?
Session Map • How To Be A Forensic Expert? • How To Build Your Forensic Lab? • Forensic Steps. • Disk Imaging. • Log File Analysis. • The Dark Side Of This Field.
Bio • I am Ahmed Abbas Mohammed. • Network Student At SUST-CSIT. • I Have Been A Programmer For More Than 4 Years. • I Work As A Forensic Investigator At Digital Trust Company. • I Work At OWASP-Khartoum As A Speaker & Event Organizer. • I Spend All My Time Reading Or Developing Programs.
About OWASP-Khartoum • OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. • OWASP-Khartoum started in 3/2012.
How To Find OWASP Online • Main Page: https://www.owasp.org/index.php/Khartoum • Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-khartoum • LinkedIn Group: https://www.linkedin.com/groups/OWASP-Khartoum-4341719 • Facebook Page: https://www.facebook.com/OWASP.Khartoum/ • SlideShare: http://www.slideshare.net/owaspkhartoum
What is Forensics? • Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
Simply, It Means … • Computer forensic experts have to handle computer devices or storage media, keep them safe, analyze those devices and try to get any information that can help in the case they are working on. • One SO important thing: no personal feelings or opinions. You cannot hide information to protect someone, because you will get … well, you know what I mean.
One Misunderstanding • Some people say that there are hackers that cannot be caught, and this is wrong. • Every hacking attempt has a weak point that can lead the hacker to jail. • And just as there are great hackers … there are great forensic experts.
What is a CIRT? • A CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from. It is usually comprised of members from within the company. They must be people who can drop what they are doing (or re-delegate their duties) and who have the authority to make decisions and take actions.
CIRT Members • Management. • Information Security. • IT . • IT Auditor. • Security. • Human Resource. • Public Relations.
Role Of The Investigator • Impartiality: it is not our job to make decisions about cases; we just present the facts of the case. • Must ensure all evidence is properly acquired, handled and documented. • Do the investigation and analysis of all evidence. • Report all findings and possibly testify in a court of law.
Technical Skills • Basic computer maintenance and networking skills. • Know laws and criminal procedures. • Know network security well. • Know investigation techniques. • Know multiple OSs. • Know the forensic tools very well.
Presentation Skills • Ability to write reports in a clear manner and acceptable format. • Ability to translate highly technical terms into simple non-technical words. • Ability to speak well in a public forum.
Why Do Companies Have Different Ways To Do Forensics? • Because companies have their own security policies. • Companies define what is right and what is wrong to do inside the company, and this is used to check whether an employee's actions violate the rules or not. • There is no privacy inside company buildings.
How To Be A Forensic Expert? You need to take some certificates: • Forensics Certs: Certified Computer Examiner (CCE) • IT Certs: Certified Hacking Forensic Investigator (CHFI) • IT Certs: Certified Forensic Computer Examiner (CFCE)
• IT Certs: GIAC Certified Forensic Analyst and Forensics Examiner • Forensics Certs: Professional Certified Investigator (PCI) • EnCase Certified Examiner • AccessData Certified Examiner • Hard Work. • Passion.
Sites To Learn From .. • ForensicFocus • computer-forensics.sans.org • Google • DefCon
Commercial Tools (with a lot of money) • EnCase. • AccessData Forensic Toolkit (FTK). • DriveSpy. • Paraben.
Free Tools ^_^ • Linux dd. • Autopsy. • The Sleuth Kit. • Helix. • Forensic Incident Response Environment (FIRE). • Knoppix.
Forensic Steps • Obtain authorization to search and seize. • Secure the area, which may be a crime scene. • Document the chain of custody of every item that was seized. • Bag, tag, and safely transport the equipment and e-evidence. • Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
• Keep the original material in a safe, secured location. • Design your review strategy for the e-evidence, including lists of keywords and search terms. • Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy. • Interpret and draw inferences based on facts gathered from the e-evidence. Check your work. • Describe your analysis and findings in an easy-to-understand and clearly written report. • Give testimony under oath in a deposition or courtroom.
Disk Imaging • The operation of making an exact copy of a computer's hard drive. The copy includes all the partition information, boot sectors, the file allocation table, the operating system installation and the application software. Disk images are used to copy a hard drive's contents during an investigation, and to restore a hard drive's contents during disaster recovery or after a hard drive has been erased.
Disk Imaging Tools • dd: a Linux tool. • FTK Imager: a Windows-based tool.
Log File Analysis • A very important part of the investigation; it can reveal attempts to hack devices, access unauthorized data, etc. Logs that can be analyzed: • Windows event log • Security events log • Application events log • Firewall events log.
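The imaging step of the forensic procedure above, and the dd-style copy described under Disk Imaging, as an added example (not code from the original slides): a sector-by-sector copy of a constructed in-memory "device" that, like `dd conv=noerror,sync`, pads unreadable sectors with zeros so offsets stay aligned, then hashes the image for the chain-of-custody record and re-verifies a working copy against that hash before analysis. Everything here (the fake device, the 512-byte sector size, the record fields) is an assumption for illustration.

```python
import hashlib
from datetime import datetime, timezone

BLOCK = 512  # assumed sector size for the constructed device


class DeviceReadError(IOError):
    """Raised by the simulated device when a sector cannot be read."""


def make_fake_device(sectors, bad=()):
    """Constructed stand-in for /dev/sdX: a byte buffer plus a reader that
    fails on the sectors listed in `bad` (hypothetical, for the example)."""
    data = bytes((i % 251) for i in range(sectors * BLOCK))

    def read_sector(n):
        if n in bad:
            raise DeviceReadError(f"sector {n} unreadable")
        return data[n * BLOCK:(n + 1) * BLOCK]

    return data, read_sector, sectors


def image_device(read_sector, sectors):
    """Copy every sector; an unreadable sector is logged and replaced by
    zeros (the dd conv=noerror,sync behaviour) so the image keeps its layout."""
    image = bytearray()
    bad_sectors = []
    for n in range(sectors):
        try:
            image += read_sector(n)
        except DeviceReadError:
            bad_sectors.append(n)
            image += b"\x00" * BLOCK
    return bytes(image), bad_sectors


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def chain_of_custody_entry(evidence_id, examiner, image, bad_sectors):
    """One custody record: who acquired what, when, and the hash to re-verify against."""
    return {"evidence_id": evidence_id, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "image_sha256": sha256(image), "unreadable_sectors": bad_sectors}


def verify_working_copy(working_copy, entry):
    """Before analysis, confirm the working copy still matches the acquisition hash."""
    return sha256(working_copy) == entry["image_sha256"]
```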
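One concrete form of the log analysis mentioned above, as an added example (not from the original slides): parsing a constructed, simplified export of Windows Security events and flagging an account that shows a burst of failed logons (Event ID 4625) followed by a successful logon (4624) from the same source. The log line format, the sample entries, the threshold and the time window are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified Security-log export (not real data).
SAMPLE_LOG = """\
2024-01-15 09:00:01 EventID=4625 Account=alice Source=10.0.0.7
2024-01-15 09:00:03 EventID=4625 Account=alice Source=10.0.0.7
2024-01-15 09:00:04 EventID=4625 Account=alice Source=10.0.0.7
2024-01-15 09:00:06 EventID=4625 Account=alice Source=10.0.0.7
2024-01-15 09:00:07 EventID=4625 Account=alice Source=10.0.0.7
2024-01-15 09:00:09 EventID=4624 Account=alice Source=10.0.0.7
2024-01-15 09:30:00 EventID=4625 Account=bob Source=10.0.0.9
2024-01-15 10:45:00 EventID=4625 Account=bob Source=10.0.0.9
2024-01-15 11:00:00 EventID=4624 Account=bob Source=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Account=(\S+) Source=(\S+)$")


def parse_events(text):
    """Turn each well-formed line into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source) pairs with >= threshold failures inside `window`
    that are then followed by a success from the same source."""
    recent_failures = defaultdict(list)
    findings = []
    for ts, eid, account, source in sorted(events):
        key = (account, source)
        if eid == 4625:
            recent_failures[key].append(ts)
            # keep only failures still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        elif eid == 4624 and len(recent_failures[key]) >= threshold:
            findings.append({"account": account, "source": source,
                             "failures": len(recent_failures[key]),
                             "success_at": ts.isoformat()})
            recent_failures[key].clear()
    return findings
```

Bob's two failures are 75 minutes apart, so they never accumulate inside the window and his later success is not flagged.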
The Dark Side!!! • Doing computer forensics for any amount of time in your life changes you. It damages you. It makes you unfit to be around others in decent company, because you have to mentally screen absolutely everything you say in fear of drawing looks of horror or disgust from the good people around you. For forty hours a week, a computer forensic examiner is exposed to the worst that the world has to offer — child pornography, beheadings, torture, rape — all in high resolution photo or video formats.
Continued …! • In fact, people in the business have found that for general criminal computer forensic examiners (and we’re not talking about intrusion analysts, as exposure to the badness I’ve mentioned is usually infrequent and incidental), there is a two-year time limit before your soul dies. Around that time, every examiner either has built up enough of a callus that he/she can continue forever, or that examiner pushes the chair away from the desk, stands up, and says, “I can’t do this anymore.”
Continued …! • Being exposed to this kind of daily horror changes you. I’m not asking for sympathy; I think paramedics or police officers have it worse. I’m just offering an explanation for why people like me might not say the most appropriate thing, or why our humor tends to run a little darker than that of others, or why our Twitter posts might occasionally make you blush.