Forensics Types PDF
Uploaded by HotSolarSystem1223
Mohammed Seddik Ben Yahia University - Jijel
Dr. M.LABENI
Summary
This document is a course outline or lecture notes on the various types of computer forensics. It covers an introduction to computer forensics, the different sub-disciplines (computer forensics, network forensics, mobile device forensics), and the artifacts found on a running computer system. It also covers memory forensics and other types such as digital image forensics, video/audio forensics and cloud forensics.
Full Transcript
Legal Informatics and Multimedia Forensic Analysis for Computer Systems

Plan of the course:
1. Introduction
2. Evolution of Computer Forensics
3. Computer Forensics process
4. Types of Computer Forensics
5. Forensics Readiness

Mohammed Seddik Ben Yahia University – Jijel, SE&I Faculty, Computer Science Dep., 2nd year ILM, Dr. M.LABENI

Course 4: Types of Computer Forensics
4.1 Introduction
4.2 Computer Forensics Types
4.3 Running computer system artefacts

4.1 Introduction

Digital forensic technologies and tools are developed to capture digital evidence, investigate digital devices and perform relevant network analysis. As such, the analysis and investigation encompass both the hard and the soft components of digital devices, although the number of proposed processes and models varies. Gathering digital evidence from computers, networks and storage media has become a vital weapon against different types of software and hardware attacks and forbidden threats. Since digital evidence can belong to different electronic devices (HDD, flash sticks, RAM, smartphones, etc.), digital forensic examiners may apply different types of digital forensic methods.

4.2 Computer Forensics Types

Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:

1) Computer Forensics: the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.

2) Network Forensics: the monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, i.e., worm, virus or malware attacks, abnormal network traffic and security breaches.

The standard procedure that is normally used for computer network forensics contains the following guidelines:
a. Install an official image of the OS on the network with all standard applications.
b. Check the vulnerability issues on the system to mitigate the attack quickly or prevent other attacks from taking place on the network.
c. Make a forensic image of the compromised system and store it securely.
d. Make a consistency check to ensure that the forensic image is a copy of the original installation image.

Digital investigators should review the reports published by NIST* to get more information about how to integrate forensic techniques into the network incident resolution process.

Several tasks must be applied to protect networked systems from any security breach. These include:
- Updating all system software, all security patches and antivirus software.
- Applying physical and personnel security measures.
- Making sure all the company's employees are well trained and aware of current security trends.
- Choosing proper security equipment such as Intrusion Prevention Systems (IPSs) and firewalls.
- Applying various penetration tests regularly and coupling them with the implemented risk management plan.
- Ensuring fast mitigation of any system attack that occurs.
- Being aware of all assessment and monitoring procedures for disaster recovery plans.

* The National Institute of Standards and Technology (NIST) continually publishes articles, suggests tools, and creates reports and procedures using the ISO 27002 (Information technology — Security techniques — Code of practice for information security management) criteria for testing and validating forensics software.

With the growth of the Internet, the location of data files became associated with both local networks and the Internet. Therefore, external threats started to increase rapidly and badly. As a solution, Intrusion Detection Sensors (IDS) are very popular security and network analysis tools used for the detection of, and protection against, host and network intrusions.

The following figure illustrates the conventional IDS deployment.

The main functions of an IDS include:
- Detect and protect against host- and network-based intrusions;
- Monitor system and network activities;
- Monitor operating system logs and application programs;
- Alert network administrators to suspicious network activities;
- Provide detailed reports about the network status;
- Evaluate host and network configurations;
- Monitor legitimate system activities;
- Provide a defense-in-depth monitoring system.

3) Mobile Devices Forensics: the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles. Mobile devices contain sensitive information that must be kept protected at all times.

Most mobile models store the following user and application information:
- Incoming, outgoing and missed calls
- Multimedia and Short Message Service (MMS & SMS)
- E-mail and Web services
- Instant messaging (IM)
- Pictures, videos and other files
- Calendars and address books
- GPS data
- Voice recordings and voicemail

Mobile device acquisition procedures are as important as procedures for personal computers, but some new challenges need to be addressed, such as:
- A mobile device may lose its power quickly.
- Cloud services synchronization issues.
- Remote wiping.
- Main memory is volatile.

To determine which acquisition method to use (logical acquisition or physical acquisition), investigators must first know where information is stored in the smartphone. To find the stored information, investigators should check the following locations:
- Internal storage (RAM)
- SIM card storage
- External memory device
- Internet Service Provider (ISP)

Mobile device acquisition procedures can be summarized as follows:
1. Make sure to disconnect the suspected mobile device from the network as soon as possible. This way the mobile device will not be able to synchronize with applications on the user's laptop.
2. Make sure to disconnect any personal computer or laptop that may have Internet access through the mobile device (a mobile device can be used as a hotspot to share Internet access).
3. Collect all these devices to determine whether any location contains transferred or deleted information.
4. Isolate the mobile device from incoming signals with one of the following options:
   - Put the device in airplane mode.
   - Use the Paraben Wireless StrongHold Bag.
   - Turn the device off.

Mobile Phone Basics

Mobile communication systems have evolved from the first generation (1G) to the current fifth generation (5G) and are evolving towards the sixth generation (6G). Nowadays, 4G networks can use the following communication technologies:
- Orthogonal Frequency Division Multiplexing (OFDM)
- Mobile WiMAX (IEEE 802.16)
- Ultra-Mobile Broadband (UMB)
- Multiple Input Multiple Output (MIMO)
- Long Term Evolution (LTE)

Figure: Evolution of cellular mobile standards from 2G to 5G with their main features.

Examples of smartphone forensic tools:
- AccessData FTK Imager: performs a logical acquisition and a low-level analysis for Android OS.
- MacLockPick 3.0: similar to AccessData FTK Imager, but mainly designed for Apple iOS.
- Paraben Software: offers several built-in tools, including device seizure and a SIM card reader.
- BitPim: has some features to view data on many mobile phone models, including LG, Samsung and others.
- Cellebrite UFED Forensic System: retrieves data from smartphones, GPS devices and tablets.
- MOBILedit Forensic: contains a built-in write-blocker.
- SIMcon: recovers files on a GSM/4G SIM or USIM card, including stored numbers and text messages.

4) Memory Forensics or Memory Analysis: the recovery of evidence from the RAM (which contains volatile data) of a running computer, also called live acquisition.
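Step (d) of the network forensics procedure and the live acquisition just defined both rest on the same consistency check: the examiner hashes the image when it is acquired, keeps the digest with the evidence, and recomputes it before analysis. The following Python script is an added example, not part of the course notes; the file names and image contents are constructed for the demonstration, and the sidecar file naming (image plus ".sha256") is an assumption, not a standard.

```python
"""Consistency check of a forensic image by cryptographic hash.

Added example with constructed data; not from the course notes.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so multi-gigabyte images fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_record(image_path, algorithm="sha256"):
    """Acquisition time: compute the digest and store it in a sidecar file
    (assumed naming: <image>.<algorithm>) so the value travels with the evidence."""
    digest = hash_file(image_path, algorithm)
    with open(f"{image_path}.{algorithm}", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def read_hash_record(record_path):
    """Read the digest back from the sidecar file written above."""
    with open(record_path) as f:
        return f.readline().split()[0]


def verify_image(image_path, expected_digest, algorithm="sha256"):
    """Analysis time: recompute the digest and compare it with the recorded one.
    Any mismatch means the copy is not a faithful image of what was acquired."""
    actual = hash_file(image_path, algorithm)
    return hmac.compare_digest(actual, expected_digest)


def demo():
    """Run the record-then-verify workflow on a constructed sample image and
    return the results: the digest, the verdict on the untouched copy, and the
    verdict after a single byte has been altered."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "suspect_disk.dd")
        with open(image, "wb") as f:
            # Constructed image content: a zero-filled header followed by filler.
            f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE " * 512)
        recorded = write_hash_record(image)
        original_ok = verify_image(image, read_hash_record(image + ".sha256"))
        # Simulate one flipped byte (media error or a tampered copy).
        with open(image, "r+b") as f:
            f.seek(4100)
            f.write(b"\xff")
        tampered_ok = verify_image(image, recorded)
    return {"digest": recorded, "original_ok": original_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    result = demo()
    print(f"sha256: {result['digest']}")
    print(f"untouched copy verifies: {result['original_ok']}")
    print(f"altered copy verifies:   {result['tampered_ok']}")
```

In practice the digest is recorded in the chain-of-custody documentation as well as in the sidecar file, and the check is repeated on every working copy before it is analysed.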
Memory dumps allow experts to infer all diagnostic information about an incident, since the dump contains the process responsible for that incident or crash. Thus, memory forensics allows experts or investigators to find buried evidence. RAM artifacts contain all data that is being employed by the computer software or the hardware device. The list of RAM artifacts acquired from a working computer can be very large, depending on the investigated forensic case. The input/output of any computer program travels through memory and will stay in RAM.

The procedure of memory analysis may have to be repeated persistently to narrow down the entries on the suspected-processes list. In fact, the best analysis is the one that correlates data from both the RAM capture and artifacts from the hard drive.

5) Digital Image Forensics: the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.

6) Digital Video/Audio Forensics: the analysis and evaluation of sound and video recordings. The main objective is the establishment of authenticity, i.e., whether a recording is original or has been tampered with maliciously or accidentally.

7) Cloud Forensics: an application within digital forensics which oversees crime committed over the cloud and investigates it.

4.3 Running computer system artefacts

The following section addresses a list of artifacts that can be found on a running computer system, and the importance of their existence to forensic analysis:

1- Previous and present network connections: the information on past and current network connections includes the remote IP address and the port number of each connection. All of this information is critical because:
- It helps find the remote target the malware is connecting to and identifies the destination of a company's exfiltrated data.
- It identifies (via the port number) the type of traffic used by a connection as a communication vector, for instance FTP, HTTP, SMTP or some ambiguous port recognized by the malware.

An example of network connection information obtained with the netstat command:

2- The running processes upon RAM capturing: active programs at the time of RAM capture can provide investigators with key information regarding how the computer was being exploited. Visual examination of the computer's desktop or of the Task Manager (see figure below) provides details of what is running on a system. However, a running process such as a rootkit* will not be revealed by a visual examination.

* A rootkit is defined as a hidden Trojan that enables remote access; it is the keylogger that is transmitting overall user data.

3- User names and passwords: users enter their credentials (user name and password) to access their Internet or Internet Service Provider (ISP) account. Authentication is the process by which users access e-mail accounts, social networks or their home's wireless access point. An investigator can look in the browser and in other memory locations where user credentials are maintained permanently or temporarily. The following tools can be used for password extraction:
- MessenPass
- PasswordFox
- Mail PassView
- Protected Storage PassView
- IE PassView

4- Loaded Dynamically Linked Libraries (DLL): listing a running process's DLLs allows the recognition of a malicious DLL that has added itself to a process. This method is very significant regarding the Zeus botnet.

5- Open registry keys for a process: envision how critical it would be to be able to distinguish the registry keys belonging to a malicious process. By having the capacity to link open registry keys to a certain process, an expert could attach functionality to that process, for example encryption or networking capabilities, or link the security identifier (SID) to the user account that initiated the process.

6- Open files for a process: having the capacity to list open records or files related to a process would uncover any open files currently being used by the identified malicious process. This is useful in distinguishing a resident file that is logging keystrokes, or user names and passwords. It is also essential in recognizing a configuration file used by a malicious process, regardless of whether it is encrypted on disk. This file could then be found in memory and its contents read.

7- Unpacked/decrypted versions of a program: the capability to carve an identified malicious process out of memory is considered one of the most valuable contributions that memory forensics can provide to an analyst. Generally, it is considered a very hard procedure for an analyst to decrypt a malicious file or binary and read its contents when that file is encrypted on the hard drive. However, any file that is read or executed must decrypt itself in order to be able to run. Thus, the malicious file could be identified, carved out of memory, and examined through static analysis or by scanning it with an anti-virus tool.

8- Memory resident malware: this malware is very popular as it only resides in a system's memory, with no footprints on the system's hard drive. Any gathered data could just be stored in memory before being exfiltrated and sent to a remote system.
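To tie artifacts 1, 4 and 8 of section 4.3 together, and to follow the notes' advice that the best analysis correlates the RAM capture with the hard drive, the following Python script is an added example (not from the course notes). It joins each network connection to its owning process and names the traffic type by port, lists DLLs that a known-good baseline does not account for, and flags running processes whose executable is absent from the disk image. The process list, DLL baseline, disk file listing and netstat output are all constructed sample data; the well-known port table is a small subset chosen for the demonstration.

```python
"""Triage of a live-system snapshot against the disk image.

Added example with constructed data; not from the course notes.
"""

# Constructed RAM-capture process list: pid, name, image path, loaded DLLs.
PROCESSES = [
    {"pid": 4, "name": "System", "path": None, "dlls": []},
    {"pid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "dlls": ["ntdll.dll", "kernel32.dll"]},
    {"pid": 1348, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "dlls": ["ntdll.dll", "kernel32.dll", "shell32.dll", "inject.dll"]},
    {"pid": 3020, "name": "updater.exe", "path": r"C:\Users\Public\updater.exe",
     "dlls": ["ntdll.dll", "ws2_32.dll"]},
]

# Constructed file listing exported from the forensic disk image.
DISK_FILES = {r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"}

# Constructed known-good module baseline, keyed by process name
# (in practice taken from a clean reference installation).
BASELINE_DLLS = {
    "svchost.exe": {"ntdll.dll", "kernel32.dll"},
    "explorer.exe": {"ntdll.dll", "kernel32.dll", "shell32.dll"},
}

# Constructed `netstat -ano` style output captured from the same live system.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49812         203.0.113.7:80         ESTABLISHED     1348
  TCP    10.0.0.5:49813         198.51.100.23:25       ESTABLISHED     3020
  TCP    10.0.0.5:49815         192.0.2.44:4444        ESTABLISHED     3020
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       612
  UDP    10.0.0.5:51002         *:*                                    612
"""

# Small subset of well-known ports used to name the traffic type of a connection.
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def classify_port(port):
    """Name the protocol usually carried on `port`, or 'unknown' for an ambiguous one."""
    return WELL_KNOWN_PORTS.get(port, "unknown")


def parse_netstat(text):
    """Parse netstat rows into dicts. UDP rows have no State column, so the
    PID is the fourth field for UDP and the fifth for TCP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 hosts intact
        rows.append({"proto": proto, "local": local, "remote_ip": host,
                     "remote_port": int(port) if port.isdigit() else None,
                     "state": state, "pid": int(pid)})
    return rows


def external_connections(netstat_rows, processes):
    """Artifact 1: join each connection that has a remote peer to its owning
    process and label the traffic type by port."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for row in netstat_rows:
        if row["remote_port"] is None or row["state"] == "LISTENING":
            continue  # no remote peer to report
        owner = by_pid.get(row["pid"], {}).get("name", "<unknown pid>")
        findings.append((row["pid"], owner, row["remote_ip"], row["remote_port"],
                         classify_port(row["remote_port"])))
    return findings


def unexpected_dlls(processes, baseline):
    """Artifact 4: modules loaded in a process that the baseline does not list."""
    result = {}
    for p in processes:
        if p["name"] in baseline:
            extra = set(p["dlls"]) - baseline[p["name"]]
            if extra:
                result[p["pid"]] = extra
    return result


def not_backed_on_disk(processes, disk_files):
    """Artifact 8: PIDs whose executable path is absent from the disk image
    (memory-resident code, or a file removed after launch). The kernel
    pseudo-process has no path and is skipped."""
    return [p["pid"] for p in processes
            if p["path"] is not None and p["path"] not in disk_files]


def triage():
    """Run the three checks over the constructed snapshot and return the report."""
    rows = parse_netstat(NETSTAT_OUTPUT)
    return {"connections": external_connections(rows, PROCESSES),
            "unexpected_dlls": unexpected_dlls(PROCESSES, BASELINE_DLLS),
            "not_on_disk": not_backed_on_disk(PROCESSES, DISK_FILES)}


if __name__ == "__main__":
    report = triage()
    for pid, name, ip, port, service in report["connections"]:
        print(f"pid {pid} ({name}) -> {ip}:{port} [{service}]")
    for pid, extra in report["unexpected_dlls"].items():
        print(f"pid {pid}: DLLs outside baseline: {sorted(extra)}")
    for pid in report["not_on_disk"]:
        print(f"pid {pid}: executable not found on the disk image")
```

On the constructed data the report shows explorer.exe talking HTTP to 203.0.113.7, updater.exe talking SMTP to one host and on an unknown port (4444) to another, explorer.exe carrying a DLL outside its baseline, and updater.exe running from a path that does not exist on the disk image. Each of these is a lead to pursue with the open-file, registry-key and carving techniques described above, not a verdict on its own.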