Midterms - Cyberforensics.pdf

Full Transcript


Prof. Mark Joseph J. Solidarios

DIGITAL FORENSICS
The art of recovering and analyzing contents found on digital devices such as desktops, notebooks, tablets, smartphones, etc.

CYBER FORENSICS
Specializes in the detection of cybercrimes, exclusively gathering and solving clues and threats in cyberspace. 1984 marks the beginning of computer forensics.

CYBER CRIME: Detection and Prevention
TWO FORMS
1. COMPUTER-BASED CRIME
This is criminal activity that is conducted purely on computers, for example cyber-bullying or spam. As well as crimes newly defined by the computing age, it also includes traditional crime conducted purely on computers (for example, child pornography, misuse of AI technology, and training data that are illegal).
2. COMPUTER-FACILITATED CRIME
Crime conducted in the "real world" but facilitated by the use of computers. A classic example of this sort of crime is fraud: computers are commonly used to communicate with other fraudsters, to record or plan activities, or to create fraudulent documents.

FORENSICS EVOLUTION
1835: Scotland Yard's Henry Goddard became the first person to use physical analysis to connect a bullet to the murder weapon.
1836: Scottish chemist James Marsh developed a chemical test to detect arsenic, which was used during a murder trial.
1892: Sir Francis Galton established the first system for classifying fingerprints.
1930: Scientist Karl Landsteiner won the Nobel Prize for classifying human blood into its various groups.
1984 (beginning of computer forensics): The FBI Magnetic Media Program, later renamed the Computer Analysis and Response Team (CART), was created; it is believed to be the beginning of computer forensics.
1988 (IACIS formed): The International Association of Computer Investigative Specialists (IACIS), an international non-profit corporation composed of volunteer computer forensic professionals dedicated to training and certifying practitioners in the field of forensic computer science, was formed.
1995 (IOCE formed): The International Organization on Computer Evidence (IOCE) was formed.
1997: The G8 nations declared that "Law enforcement personnel must be trained and equipped to address high-tech crimes".
1998 (first INTERPOL Forensic Science Symposium): The G8 appointed the IOCE to create international principles, guidelines and procedures relating to digital evidence. The first INTERPOL Forensic Science Symposium was held.
2000 (first FBI Regional Computer Forensic Laboratory): The first FBI Regional Computer Forensic Laboratory was established.

CYBERFORENSICS - STAGES (AAEP)
ACQUIRE: Identifying and preserving
ANALYZE: Technical analysis
EVALUATE: What the lawyers do
PRESENT: Present digital evidence in a manner that is legally acceptable in any legal proceedings.

OSSTMM
The Open-Source Security Testing Methodology Manual (OSSTMM) is peer-reviewed and maintained by the Institute for Security and Open Methodologies (ISECOM). It has been primarily developed as a security auditing methodology assessing against regulatory and industry requirements.
It is a complete methodology for penetration and security testing, security analysis and the measurement of operational security, towards building the best possible security defenses for your organization.

CYBERFORENSICS - USAGE
- Intellectual property theft
- Industrial espionage (identifying the spy)
- Employment disputes
- Fraud investigations
- Forgeries
- Bankruptcy investigations
- Inappropriate email and internet use in the workplace
- Regulatory compliance

AUTOPSY
An open-source forensics platform used by professionals in law enforcement, national security, litigation support, and corporate investigation (runs on Linux, Windows and Mac).

FILE CARVING
Recovering hard drive data or deleted files, using TestDisk.

PS. The presentation is made with HTML 5.
G8 means the Group of Eight Industrialized Nations: Canada, France, Germany, Italy, Japan, Russia, the USA and the UK.

LEARNING PYTHON FOR CYBERFORENSICS

WHAT IS PYTHON?
A programming language with strong similarities to Perl, but with powerful typing and object-oriented features; commonly used for producing HTML content on websites. Great for text files. Useful built-in types (lists, dictionaries). Clean syntax, powerful extensions.

WHY PYTHON?
- Popular for machine learning
- Productivity and readable code: "Life's better without braces" - Bruce Eckel
- Natural Language Toolkit
- Ease of use; interpreter

AI PROCESSING: SYMBOLIC
Python's built-in datatypes for strings, lists, and more; Java or C++ require the use of special classes for this.

AI PROCESSING: STATISTICAL
Python has strong numeric processing capabilities (matrix operations etc.), suitable for probability and machine learning code.

THE BASICS
WHITESPACE is meaningful in Python, especially indentation and placement of newlines. Use a newline to end a line of code (not a semicolon like in C++ or Java). Use \ when you must go to the next line prematurely. No braces { } mark blocks of code in Python; use consistent indentation instead. The first line with a new indentation is considered outside of the block.
Often a colon appears at the start of a new block. (We'll see this later for function and class definitions.)

COMMENTS
Start comments with #; the rest of the line is ignored. You can include a "documentation string" as the first line of any new function or class that you define. The development environment, debugger, and other tools use it: it's good style to include one.

PYTHON AND TYPES
Python determines the data types in a program automatically ("dynamic typing"). But Python is not casual about types: it enforces them after it figures them out ("strong typing"). So, for example, you can't just append an integer to a string; you must first convert the integer to a string itself.

NAMING RULES
Names are case sensitive and cannot start with a number. They can contain letters, numbers, and underscores. Examples: bob, Bob, _bob, bob_2, BoB (2_bob is not allowed, since it starts with a number).

INTERACTIVE SHELL
Great for learning the language, for experimenting with the library, and for testing your own modules. Two variations: IDLE (GUI) and python (command line).

USING PYTHON AS A CALCULATOR
Instant calculator! The interpreter acts as a simple calculator: you can type an expression at it and it will write the value. Expression syntax is straightforward: the operators +, -, * and / work just like in most other languages.

LISTS
Python knows a number of compound data types, used to group together other values. The most versatile is the list, which can be written as a list of comma-separated values (items) between square brackets.

PYTHON CHALLENGES FOR CYBERFORENSICS
TASK AUTOMATION
Using Python, file analysis, comparison, creation and other tasks related to cyberforensics can be automated.
SCRIPT FILES
Cyberforensic personnel can write scripts which accept arguments and execute tasks.
ARGUMENT PARSING
Task automation starts with user-friendly command-line interfaces.
This can be done using the argparse module in Python.

THE ARGPARSE ARGUMENTS
The ArgumentParser.add_argument() method attaches individual argument specifications to the parser. It supports positional arguments, options that accept values, and on/off flags.

FORENSIC CARVING
File carving is like piecing together a puzzle by recognizing and collecting specific patterns in a vast sea of data. It's a valuable technique for situations where traditional recovery methods fall short.

MAGICRESCUE
Scans a block device for file types it knows how to recover and calls an external program to extract them. It looks for "magic bytes" (file patterns) in file contents, so it can be used as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it. It uses files called "recipes"; these files have strings and commands to identify and extract data from devices or forensic images.

SCALPEL
A fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. It is a complete rewrite of the Foremost 0.69 file carver and is useful for both digital forensics investigations and file recovery.

SCROUNGE-NTFS
A data recovery program for NTFS filesystems. It reads each block of the hard disk and tries to rebuild the original filesystem tree into a directory.

FORENSIC IMAGING
The process of making an exact copy of digital storage media for the purpose of preserving its contents and structure for later analysis.

GUYMAGER
The forensic imager contained in this package, guymager, was designed to support different image file formats, to be most user-friendly and to run really fast.
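An added example (not the slides' code and not Scalpel's) that ties the argument-parsing section to the carving section above: a small Python header/footer carver driven by argparse with one positional argument, one option that takes a value and one on/off flag. The signature table, the sample image and the output naming are constructed for illustration.

```python
"""Header/footer carver with an argparse CLI (added example, not Scalpel's code)."""
import argparse
from pathlib import Path

# Constructed signature table (like a Scalpel config): type -> (header, footer, max size)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1_000_000),
    "pdf": (b"%PDF-", b"%%EOF", 5_000_000),
}

def carve(data):
    """Return (type, offset, bytes) for each header whose footer lies within max size.
    Like Scalpel, this pattern-matches raw bytes only, so it also finds deleted files."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            window = data[pos:pos + max_size]
            end = window.find(footer, len(header))
            if end == -1:                       # truncated file: skip this header
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, window[:end]))
            pos = data.find(header, pos + end)  # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])

def build_parser():
    """One positional argument, one option that takes a value, one on/off flag."""
    parser = argparse.ArgumentParser(description="carve files out of a raw image")
    parser.add_argument("image", help="raw disk image (e.g. a dd dump)")
    parser.add_argument("-o", "--outdir", default="carved", help="where to write hits")
    parser.add_argument("-v", "--verbose", action="store_true", help="print each hit")
    return parser

# Constructed sample image: zero filler, a JPEG-like blob, filler, a PDF-like blob.
SAMPLE_IMAGE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIFdata\xff\xd9"
                + b"\x00" * 8 + b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF" + b"\x00" * 4)

def main(argv=None):
    args = build_parser().parse_args(argv)
    outdir = Path(args.outdir)
    outdir.mkdir(exist_ok=True)
    for kind, offset, blob in carve(Path(args.image).read_bytes()):
        (outdir / f"{offset:08x}.{kind}").write_bytes(blob)   # name hits by offset
        if args.verbose:
            print(f"{kind} at offset {offset}: {len(blob)} bytes")

if __name__ == "__main__":
    main()
```

Running it as `python carve.py image.dd -o recovered -v` writes each hit to a file named after its byte offset; on SAMPLE_IMAGE the carver returns the JPEG-like blob at offset 16 and the PDF-like blob at offset 38.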
It has a high-speed multi-threaded engine using parallel compression for best performance on multi-processor and hyper-threading machines.

PDF FORENSICS
Aimed at analyzing PDF documents and extracting deep information which is typically not visible to common users.

PDFID
This tool is not a PDF parser, but will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain, for example, JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.

PDF-PARSER
This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.

SLEUTH KIT
A library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.

AUTOPSY FORENSIC BROWSER
A graphical interface to the command-line digital forensic analysis tools in the Sleuth Kit. Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for analysis of Windows and UNIX file systems.
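An added example of the PDFiD idea described above (not PDFiD's own code): a keyword scanner that counts name tokens such as /JavaScript and /OpenAction without parsing the document, and undoes the #xx hex escaping of names that PDFiD's "name obfuscation" handling refers to. The keyword list, the regular expressions and the sample PDF bytes are constructed for illustration.

```python
"""Keyword scanner in the spirit of PDFiD (added example, not PDFiD's own code).
It never parses or renders the PDF; it only counts name tokens, after undoing
the #xx hex escaping that can be used to disguise a name such as /JavaScript."""
import re

# Names a PDFiD-style scan reports; an on-open action plus a script is the classic pair.
KEYWORDS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"]

# A PDF name token: '/' then regular characters, where '#xx' is a hex-escaped byte.
NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%{}#]|#[0-9A-Fa-f]{2})+")
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(token):
    """Undo name obfuscation: b'/J#61vaScript' -> b'/JavaScript'."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), token)

def scan(pdf_bytes):
    """Return {keyword: count} plus 'obfuscated', the number of names using #xx escapes."""
    counts = {kw: 0 for kw in KEYWORDS}
    counts["obfuscated"] = 0
    for match in NAME_RE.finditer(pdf_bytes):
        raw = match.group(0)
        name = normalize_name(raw)
        if name != raw:
            counts["obfuscated"] += 1
        key = name.decode("latin-1")
        if key in counts:
            counts[key] += 1
    return counts

def is_suspicious(counts):
    """Flag scripts, automatic actions or any obfuscated name; a plain document has none."""
    active = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")
    return counts["obfuscated"] > 0 or any(counts[k] for k in active)

# Constructed sample: a catalog whose OpenAction points at a hex-escaped JavaScript action.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /J#61vaScript /JS (script body omitted) >>\nendobj\n"
              b"%%EOF\n")

if __name__ == "__main__":
    for key, value in scan(SAMPLE_PDF).items():
        print(f"{key:14} {value}")
    print("suspicious:", is_suspicious(scan(SAMPLE_PDF)))
```

Because the scan is a plain byte-pattern search, it also sees keywords inside strings and uncompressed streams; like PDFiD, it is a triage signal to decide which files deserve a real parse with pdf-parser, not a verdict on its own.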
