Tutorial - The International Conference on Digital Security and
KUDO - POST MORTEM FORENSIC ANALYSIS WITH FLOSS TOOLS - 2.0
Brushing bits, data mining, seeking evidence and artifacts. Course duration: 2 hours
Abstract: Computers are increasingly used for illicit activities. In this scenario, responding to security incidents requires Computer Forensics best practices, even when no formal criminal investigation takes place. This course is about post mortem forensics of media, especially hard disks. Several tests and evaluations can be performed at each layer of abstraction in order to recover data of sufficient quality to identify evidence. This evidence may be a block of data or even a file related to the security incident under investigation; it will henceforth be treated as an artifact. Performing a forensic analysis demands both a methodology and appropriate tools. The Five Layers Analysis Methodology proposes a treatment at each layer of abstraction, allowing the identification of every item of data that may be relevant to the analysis of the incident. To meet the need for appropriate tools, FOSS tools are an interesting alternative, since the number of projects developed by this community for computer forensics is significant and of sufficient quality to allow all the forensic computational processes to be carried out.
Synopsis: This proposal is a hands-on Post Mortem Forensic analysis with specific forensic FLOSS tools. The analysis of media such as hard disks, pen drives and other devices like digital cameras is very important for Computer Forensic expertise: besides the possibility of identifying important information, cross-referencing it with information raised during Live Forensics and Network Forensics is also necessary.
This tutorial aims to give an overview of the whole Post Mortem Analysis process using FOSS (Free and Open Source Software) tools.
Keywords: forensic, postmortem, file carving, malware, linux, windows
Prerequisites: It is strongly recommended that each participant already has knowledge of Security Systems and Operating System concepts, TCP/IP and Linux prior to taking this tutorial.
This talk gives a short introduction to digital forensics and an overview of currently available FOSS forensics tools. The main focus is on Linux/Unix based post-mortem disk forensic tools such as The Sleuth Kit, foremost, etc. Various forensic methods are explained using these tools.
Main topics will be:
- Post Mortem Forensic process concepts;
- Advanced Investigative Strategy;
- Evidence Acquisition/Analysis/Preservation;
- Computer Forensics Methodology;
- Live Forensic versus Post Mortem;
- Kinds of Image File;
- Tools for conversion of Images (E01, Raw, AFF);
- Five Layers Analysis concepts;
- Physical Layer;
- Evidence Integrity;
- Device info to Chain of Custody;
- Data Layer;
- Data mining and/or retrieval of partition info;
- Slackspace info from partition;
- File System Layer;
- File System Essentials;
- Linux/Unix File System Examination;
- Disk layout and partition tables' analysis;
- Deleted partition recovery tools;
- File system analysis and recovery of unallocated blocks and deleted files;
- Metadata Layer;
- Data mining and/or retrieval of metadata info;
- Linux Internal File Metadata;
- File System Timeline Analysis for event reconstruction;
- Super Timeline;
- Other kinds of Timeline info;
- Files Layer;
- Data mining and/or retrieval of slackspace info from files;
- Data mining and/or retrieval of file info;
- File Sorting - searching and filtering databases;
- File Carving - Essential techniques and tools;
- Data mining and/or retrieval of files from unallocated areas;
- Methodology and tools for Image mounting for analysis;
- Hash Comparisons using NSRL;
- Artifacts Identification;
- Artifacts Dynamic Analysis;
- Automated GUI Based Forensic Toolkits;
- Concepts about carving techniques (introduction, OS and application);
- Concepts about carving techniques for unstructured data files.
Who Should Attend?
- Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skillset to include data breach investigations, intrusion cases, and tech-savvy cases;
- Computing students with an interest in learning the methodology of a digital investigation and how to acquire, analyze and preserve evidence using forensic techniques;
- Security professionals working in Incident Response and Security;
- Incident response team members who are responding to complex security incidents/intrusions and need to utilize computer forensics to help solve their cases;
- Computer Security professionals who aim to serve in and/or create a CSIRT (Computer Security Incident Response Team), since knowledge of Computer Forensics is fundamental in a CSIRT;
- Computer Forensic professionals who want to solidify and expand their understanding of file system forensics and incident response related topics;
- Information security professionals with some background in hacker exploits, penetration testing, and incident response;
- Information security managers who would like to master digital forensics in order to understand information security implications and potential litigation related issues, or to manage investigative teams;
- Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case, or who investigates individuals who are considered technically savvy.
CLASS REQUIREMENTS for Tutorial:
Hardware Requirement:
* A working laptop (no Netbooks)
* Intel Core 2 Duo x86/x64 hardware (or superior) required
* 4GB RAM required, at a minimum, 8GB preferred
* Wireless network card
* 40 GB free Hard disk space
* Working USB port (should not be DLP disabled!)
Minimum Software to install:
* Linux / Windows / Mac OS X desktop operating systems
* VirtualBox MANDATORY
* Administrator / root access MANDATORY
About the presenter:
Sandro Melo is currently working at Bandtec College, and also with Advanced Training and Pentest; he responds to Security Incidents, works in Computer Forensics, and is a student/candidate in the Doctoral Program in TIDD/PUC-SP. He was born in the beautiful city of Rio de Janeiro, Brazil. He moved to Sao Paulo, where he began his professional career in System Security. Since 1996 he has worked mainly with Linux/FreeBSD and FLOSS (Free/libre and Open Source Software) as a Network Administrator, and he is often a guest professor at many universities all over Brazil. He is a Fedora Project Linux Ambassador and an LPI and BSDA proctor.
He takes great pride in everything he does, especially his work in Forensics. He has years of hands-on experience with many of the core technologies and has written many books and articles on security and forensics. When not working or writing, he can be found experimenting with the latest Open Source solutions and installing new versions of Unix-like Operating Systems such as Linux, FreeBSD or Mac OS X.