Dan Marsh

Presentation Transcript


  1. Dan Marsh
     Montana State University, Support Services Supervisor
     dmarsh@montana.edu, 406-994-5093

  2. 4N6 =10

  3. What is Digital Forensics?
     Digital Forensics is the acquisition, scientific examination and analysis of data retrieved from computers or other digital devices (mobile phones, games consoles, memory sticks etc.) in such a way that the information can be used in a court of law.

  4. What is Chain of Custody?
     Chain of Custody: evidence audit trail
     • 04/11/08 – 12:02 Exhibit 34a taken from suspect by officer John
     • 04/11/08 – 13:42 Exhibit 34a passed from officer John to officer Bob
     • 04/11/08 – 13:42 Exhibit 34a passed from officer Bob to officer Joanne

  5. What about in the digital world?
     File System audit log

     Date              User      Task
     04/11/08 – 12:02  John_12   Create
     04/11/08 – 12:07  John_12   Move
     04/11/08 – 12:11  Lucy_99   Read
     04/11/08 – 12:17  Ben_45    Read
     04/11/08 – 12:17  ALI_04    Read
     04/11/08 – 12:17  ALI_04    Move
     04/11/08 – 12:31  System    Backup
     04/11/08 – 12:32  System    Backup
     04/11/08 – 12:17  System    Backup
     04/11/08 – 12:17  System    Backup
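As an added example (not part of the slides), a small Python script that parses the slide-5 audit log and checks the trail the way one would check a custody form: who handled the file, and whether the recorded timestamps ever run backwards. The log text is transcribed from the slide; the mm/dd/yy date reading and the "date – time user task" field layout are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the slide-5 audit table, one entry per line
# (date – time user task). Note the two 12:17 backup rows recorded after 12:32.
AUDIT_LOG = """\
04/11/08 – 12:02 John_12 Create
04/11/08 – 12:07 John_12 Move
04/11/08 – 12:11 Lucy_99 Read
04/11/08 – 12:17 Ben_45 Read
04/11/08 – 12:17 ALI_04 Read
04/11/08 – 12:17 ALI_04 Move
04/11/08 – 12:31 System Backup
04/11/08 – 12:32 System Backup
04/11/08 – 12:17 System Backup
04/11/08 – 12:17 System Backup
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d) – (\d\d:\d\d) (\S+) (\S+)$")


def parse_audit_log(text):
    """Return (timestamp, user, task) tuples in the order the log recorded them."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        date, time, user, task = m.groups()
        # Assumption: US-style mm/dd/yy dates (the slides' author is US-based).
        entries.append((datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M"), user, task))
    return entries


def find_out_of_order(entries):
    """Indices of entries stamped earlier than their predecessor: the log's own
    chain is broken there (clock rollback, reordered rows, or an edited log)."""
    return [i for i in range(1, len(entries)) if entries[i][0] < entries[i - 1][0]]


def handlers(entries):
    """Every account that touched the file, in order of first appearance:
    the digital analogue of the officers listed on the slide-4 custody form."""
    return list(dict.fromkeys(user for _, user, _ in entries))


def timeline(entries):
    """Human-readable audit trail, one line per entry, flagging the breaks."""
    bad = set(find_out_of_order(entries))
    return [f"{ts:%Y-%m-%d %H:%M} {user:<8} {task}{'  <-- out of order' if i in bad else ''}"
            for i, (ts, user, task) in enumerate(entries)]
```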

  6. Forensics
     • Training
     • Triage
     • Capture Volatile Data
     • Drive Image Capture
     • Analysis
     • Reporting
     • Court Presentation

  7. Training
     • SANS – http://www.sans.org/
     • HTCIA – High Technology Crime Investigation Association – http://www.htcia.org/
     • ISSA

  8. Triage
     • Corporate versus Law Enforcement
       – Corporate: detection & prevention
       – Law Enforcement: prosecution
     • Be prepared: have your jump kit ready
     • Incident Response Team
     • Search Warrant – http://www.knock-knock.com/federal_guidelines.htm
     • Protect Chain of Custody
     • Take pictures
     • Take notes

  9. Is it live or dead?
     Live System / Dead System
     • Image Hard Drive
     • RAID
     • SAN
     • NAS
     • USB Devices
     • Cameras
     • Game Consoles
     • Look for passwords
     • Capture volatile data
     • Memory
     • Open Ports
     • Running Processes
     • Attached shares (servers, cloud)
     • Windows OS
     • Linux
     • Macintosh
     • Mobile Devices
     • Phones
     • PDAs
     • GPS

  10. Capture Volatile Data
     • Problems with Live Response
       – Collections are not repeatable
       – Your tools will leave a footprint
       – How well do you know your tools?
       – Will you be able to explain your actions in court?
     • Memory (you can get running processes, active ports, passwords, encrypted drives)
       – Win32/64DD/DumpIt, RedLine/Memoryze, Helix, Fast Dump, WinEn/Winacq, FTK Imager, MacMarshall OSX 10.4-7 PPC G4 or Intel
     • Open Ports
       – ipconfig, netstat, nbtstat, tcpview, portmon, route, arp, net
     • Running Processes
       – pslist, psloggedon, psinfo, tasklist

  11. Drive Image Capture
     • Write Block (software, hardware)
       – IDE, SCSI, SATA, SSD
       – GIF, 2.5”, 3.5”
     • Target Mode (FireWire, Thunderbolt; disabled with OF/EFI password)
     • eSATA, USB3, USB2, FireWire 400-800, Thunderbolt
     • Forensic Image
       – Compare Hash
     • Encryption
       – BitLocker, PGP, TrueCrypt (full disk, volume)
     • Wipe Destination Drive
     • Tools
       – EnCase, LinEn, DD, Win32/64DD, ImageW, FTKImager
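Slides 4 and 11 together describe the acquisition discipline: read-only access to the source, a bit-for-bit image, the hash of source and image compared, and an entry in the custody trail that carries the result. The Python below is an added illustration, not the author's code or any of the listed tools; it uses a temporary file in place of the suspect drive, and the paths, exhibit number and examiner name are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a whole drive never has to fit in memory

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image_path):
    """Stream source to image_path bit for bit, hashing as it goes; the source is opened read-only."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # the image must actually be on the destination media before hashing it
    return h.hexdigest()

def verify_image(source, image_path, acquisition_hash):
    """'Compare Hash': re-read both sides after the copy; all three digests must agree."""
    src_hash, img_hash = sha256_of(source), sha256_of(image_path)
    return src_hash == img_hash == acquisition_hash, src_hash, img_hash

def custody_entry(exhibit, examiner, verified, digest):
    """One audit-trail line in the style of slide 4, carrying the image hash and verdict."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    status = "verified" if verified else "HASH MISMATCH"
    return f"{stamp} Exhibit {exhibit} imaged by {examiner}, SHA-256 {digest} {status}"

def demo():
    """Constructed sample: a 2 MiB file stands in for the drive; image and verify it,
    then corrupt one byte of the image to show the comparison failing."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "suspect_drive.bin"), os.path.join(d, "exhibit_34a.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (2 * CHUNK // 256) + b"odd-length tail")
        digest = acquire_image(source, image)
        ok, _, _ = verify_image(source, image, digest)
        entry = custody_entry("34a", "examiner", ok, digest)
        with open(image, "r+b") as f:  # flip a single byte in the image copy only
            f.seek(CHUNK); byte = f.read(1); f.seek(CHUNK); f.write(bytes([byte[0] ^ 0xFF]))
        tampered_ok, _, _ = verify_image(source, image, digest)
        return ok, tampered_ok, digest, entry
```

On a real acquisition the source would be the block device behind a hardware write blocker and the image would go to a wiped destination drive, as the slide lists.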

  12. Analysis
     • Hardware
     • Tools
       – EnCase (Forensic, Enterprise)
       – FTK 4
       – OS Forensics
       – X-Ways
       – SIFT
     • Anti-Forensics
     • Mobile Forensics
     • Network Forensics

  13. Reporting
     • Clear and easy to understand
     • Detailed
     • Pictures
     • Meta Data

  14. Court Presentation
     • Expert Witness
     • Know your tools
     • Be prepared for the unexpected
     • Good notes

  15. Links

  16. Memory dump and analysis
     • http://www.mandiant.com/resources/download/memoryze – use memorydd.bat to dump RAM
     • http://www.mandiant.com/resources/download/redline/ – use Redline to analyze a raw memory dump file from many sources
     • http://macmarshal.com/ – use MacMarshal to dump and analyze Macintosh memory
     • http://www.hbgary.com/free-tools – use fd.exe to dump memory; small 80K footprint, 32-bit only
     • http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/ – use dumpit.exe to get a memory dump

  17. Web-based analysis sites and software
     • http://anubis.iseclab.org/ – check your executable and .dll files to see if they are suspicious
     • http://wepawet.iseclab.org/ – check your JavaScript, PDF, and Flash files to see if they contain malware
     • http://malwr.com/ – check your executable and .dll files using their hash
     • https://www.virustotal.com/ – enter the hash of a suspect file to see if it has been flagged by 43 different anti-virus and anti-malware tools, or submit a file for inspection
     • http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx – run getsusp.exe on a desktop you think may be compromised; it returns a list of running processes and open ports and flags them if they are suspicious or unknown. It creates a hash of all of the files and you can go directly to VirusTotal by clicking on the link. The password of the created zip file is "infected".

  18. List of forensic applications
     • http://accessdata.com/support/adownloads – FTK for forensic analysis, or FTK Imager for getting a memory or hard drive image
     • http://osforensics.com/download.html – free and pro versions of a less expensive alternative for forensic analysis
     • http://www.x-ways.net/forensics/ – another low-cost alternative for forensic analysis
     • http://www.guidancesoftware.com/ – the premier forensics software (EnCase)
     • http://computer-forensics.sans.org/community/downloads/ – SIFT is a free Ubuntu Linux-based alternative used in SANS training

  19. Must-have tools for volatile data
     • http://live.sysinternals.com/ – live site with the latest tools from Sysinternals, now part of Microsoft
     • http://technet.microsoft.com/en-us/sysinternals/bb545021 – Sysinternals site with the tools in categories and information on each of the tools
     • http://nirsoft.net/ – another must-have set of tools. Try nirlauncher.exe to have ready access to both the Nirsoft and Sysinternals suites of products.

  20. Hard Drive Image tools
     • http://sourceforge.net/projects/windd/ – the Windows version of the venerable Linux dd tool; can be used for both hard drive and memory capture to an image file or another drive
     • http://www.terabyteunlimited.com/image-for-windows.htm – Imagew.exe comes with LANDesk, or you can purchase it directly from the company; a very versatile hard drive imager
     • http://accessdata.force.com/RegisterForDownload?redirectName=000051 – FTK Imager is able to image and view hard drive images; there is also a free version, FTK Imager Lite

  21. Training and professional development
     • http://www.sans.org/
     • http://www.htcia.org/
     • https://www.issa.org/
