PPT Slides - The Oliver Group

Data Acquisition & Forensics
DAF 101
The Oliver Group
October 2012
Agenda
• About The Oliver Group
• The Data Acquisition Process
• Data Recovery
• Forensic Analysis
• The Cloud and Social Media
• Summary
• Q&A
Please email any questions, requests or information to DAF101@theolivergroup.com before, during or after the
presentation.
Company Overview and Highlights
The Oliver Group provides focused expertise in helping clients navigate
through the early stages of the electronic discovery process.
For more than a decade, we have provided expert services in support
of many high profile litigation and compliance related matters. Our
clients include leading litigation support providers, law firms
and corporations. With facilities in Connecticut (US) and London (UK),
we offer the following services on a global basis:
Data Acquisition & Forensics Agenda
• Data Acquisition
– Philosophy On-Site
– The Interview Process
– Scoping Process
– Identifying Sources
– On-Site or in conjunction with Remote Collections
– Compliance with local/state/federal law (Safe Harbor certified)
• Tools, Data Recovery
– Where does evidence reside?
– Options
• Forensic Analysis
– Tools
– Options
• Cloud and Social Media
• Q&A
TOG Data Acquisition & Forensics
Data Acquisition & Forensics
– Performed globally in a forensic and defensible manner.
– Typically this means deploying a team of experts on-site at the client’s facility to collect data deemed discoverable.
– Over the years we have performed some of the largest and most complex data acquisitions involving 100s of custodians in multiple locations.
Philosophy On-site
– Adhere to strict chain of custody
– Minimally disruptive to the end user
– Acquisition Documentation
  • Drives, folders and files that have been acquired
  • The date, time, and location of the collection
  • Full path names
  • Where data has been transferred from & to
  • Quantity of data
  • Notes about the collection
Data Acquisition - Scoping
• Preliminary Questions:
  – Where does data reside?
  – Number of custodians?
  – Timeframe(s)?
  – Policies?
  – Imaging v. copying?
• IT Questionnaires
• Scoping Calls with TOG Subject Matter Experts
• Custodian Interview and Scheduling
• Collection Options
  – On-site
  – Remote
  – Supervisory
  – Combination
Data Acquisition – Identifying Sources
• Custodian PCs/Macs/Laptops
  – Office – Home – Mobile
• Server data collection
  – Email Servers
  – Network drives – home shares, departmental shares, project folders
  – Other – proprietary systems, SharePoint, tracking systems, etc.
• Tablets/Smart Phones/Cell Phones
  – Physical and Logical images
• Other Data Sources
  – Backup tapes
  – Anything with a hard drive
  – Flash/thumb drives
  – CD/DVD
Data Acquisition - The Basics
• Forensic Capture
  – Utilize tools that maintain metadata
  – Consider scope and size of matter
• Forensic imaging
  – Bit level copy
  – Never have to go back to the custodian’s PC
  – Logical, Deleted, Fragment Data
  – 2 copies: Preservation & Working
  – Required for forensic analysis
• Chain of custody
  – Detailed documentation
  – Custodian interviews
  – IT interviews
• Preservation
  – Critical for data under a legal/preservation hold that is at risk of spoliation or deletion
Data Acquisition Terminology
EVIDENCE DRIVE - Simply, the destination media, usually an internal or external hard drive that
will contain a “forensic copy” of the suspect’s media. This drive will be used to process data based
on the specifics of the case.
SUSPECT DRIVE - The “original” source media or the custodian’s media.
BIOS - Basic Input / Output System (Date / Time) – Forensic engineers always QC the BIOS before
capture to ensure that it is set to the real date and time, and to rule out time zone issues.
HASH VALUE - A signature generator is used to verify data integrity by generating a 32-bit (CRC)
signature and one of the following: a 128-bit (MD5), 160-bit (SHA-1) or 256-bit (SHA-2) signature, the
“fingerprint” of the seized and copied data.
FORENSIC IMAGE - A single container file with the complete contents and structure representing a
data storage medium or device, such as a hard drive. A disk image file is usually created by making
a sector-by-sector copy of the source media, ignoring its file system, and thereby perfectly replicating
the structure and contents of a storage device.
PRESERVATION - According to the EDRM, ensuring that ESI is protected against inappropriate
alteration or destruction.
IMAGE EXTRACTION - The process by which files are retrieved/extracted from a forensic image
and copied to the desired location whilst maintaining original metadata. Image extraction puts all logical
and fully recoverable deleted files into a format where they can be accessed, viewed, and processed
without the use of forensic analysis software (FTK, EnCase, etc.).
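Worked example added to this deck (not The Oliver Group's code or tooling): a sector-by-sector image of a constructed "suspect drive" is hashed with MD5, SHA-1 and SHA-256 as the HASH VALUE entry describes, written out as the two copies the Basics slide calls for (preservation and working), re-read and verified against the source digests, and recorded with the acquisition documentation fields listed on the Philosophy On-site slide. The drive contents, drive label, location, file names and notes are placeholders, and the CRC-32 value the slide also mentions is omitted.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from io import BytesIO

SECTOR = 512  # copy granularity; the copy never interprets the file system


def hash_stream(stream, algos=("md5", "sha1", "sha256")):
    """Hash a seekable stream sector by sector; returns {algo: hexdigest}."""
    hashes = {a: hashlib.new(a) for a in algos}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        for h in hashes.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def image_to(source, dest_path):
    """Sector-by-sector copy of `source` into dest_path; returns bytes written."""
    source.seek(0)
    written = 0
    with open(dest_path, "wb") as out:
        for chunk in iter(lambda: source.read(SECTOR), b""):
            out.write(chunk)
            written += len(chunk)
    return written


def verify_copy(path, expected):
    """Re-read the written image and compare every digest with the source's."""
    with open(path, "rb") as f:
        return hash_stream(f) == expected


def acquire(source, source_label, evidence_dir, location, notes=""):
    """Write preservation and working copies and return the acquisition record.

    The record carries the fields the Philosophy On-site slide lists: what was
    acquired, date/time/location, full paths, transferred from/to, quantity, notes.
    """
    source_hashes = hash_stream(source)
    copies = {}
    for role in ("preservation", "working"):
        dest = os.path.join(evidence_dir, f"{role}.dd")
        size = image_to(source, dest)
        copies[role] = {
            "path": os.path.abspath(dest),
            "bytes": size,
            "verified": verify_copy(dest, source_hashes),
        }
    return {
        "acquired": source_label,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "location": location,
        "transferred_from": source_label,
        "transferred_to": [c["path"] for c in copies.values()],
        "quantity_bytes": copies["preservation"]["bytes"],
        "hashes": source_hashes,  # MD5, SHA-1 and SHA-256 of the source
        "copies": copies,
        "all_verified": all(c["verified"] for c in copies.values()),
        "notes": notes,
    }


def demo():
    """Constructed 'suspect drive' of 4,500 bytes (deliberately not sector
    aligned so the final short read is exercised); label and location are
    placeholders, not real case data."""
    suspect = BytesIO(b"CUSTODIAN-DATA-" * 300)
    with tempfile.TemporaryDirectory() as evidence_dir:
        return acquire(suspect, "SUSPECT-DRIVE-DEMO-SN", evidence_dir,
                       "Client site, conference room B (placeholder)",
                       notes="Demo acquisition; BIOS clock checked before capture")


if __name__ == "__main__":
    record = demo()
    print("verified:", record["all_verified"], "sha256:", record["hashes"]["sha256"])
```

The working copy is what gets processed; the preservation copy is never opened again unless the working copy is questioned, which is why both are verified against the source digests at acquisition time rather than against each other later.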
Data Acquisition Tools
• EnCase Forensic/FTK/Etc.
– Both working and preservation copies created
– Software based solutions
– PC is used as “medium” for data transfer
• Image MASSter Solo & Logicube Talon
– Captures working and preservation copies simultaneously
– Hardware based solutions
– Creates DD or E01 images – can be extracted/read by
forensic software tools
• Forensic Write-Block hardware
– Write protects suspect drive/original source data
• Dozens of other utilities – Media/Matter dependent
Data Recovery
Where does evidence reside?
• The logical file system
• The event logs
• The Windows Registry
• Application logs not managed by the Windows Event Log Service
• The swap files, which harbor information that was recently located in RAM
• Special application-level files, such as Internet
• Prefetch files
• Unallocated space, slack space
Data Recovery
Where else does evidence reside?
• Temporary files created by many applications
• The Recycle Bin (a hidden, logical file structure where recently deleted items can be found)
• The Printer Spool
• Sent or received email, such as the .PST files for Outlook Mail
• Slack space, where you can obtain fragments of previously deleted files that cannot be recovered whole
• Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters.
Data Recovery Options
• Active Files
  – Commonly referred to as Active/Logical Files (files not deleted)
• Deleted Files
  – Never over-written – seen in the file system as unallocated space, seen in forensic tools as deleted
  – Can either be “restored” to original location OR delivered separately from the logical files
• Deleted & Partially Overwritten files
  – Rarely delivered to client – may be a small piece or a large portion of a file
  – Findings are reported
  – Requires forensic analysis to recover
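Added example, not from the slides: a small signature carver run over a constructed block of unallocated space. It separates the "deleted, never overwritten" case above (header and footer both present) from the "deleted and partially overwritten" case (footer gone because a newer file's header now sits inside the old one), and a second helper isolates file slack, the bytes between a file's logical end and the end of its last cluster. The three signatures, the cluster size and the sample bytes are assumptions; production tools such as EnCase and FTK use far larger signature libraries and validate internal structure rather than trusting magic bytes alone.

```python
# Demo signature table: (header, footer) pairs keyed by file type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def _next_header(buf, start):
    """Offset of the nearest header of any type at or after `start`, else len(buf)."""
    found = [p for p in (buf.find(h, start) for h, _ in SIGNATURES.values()) if p != -1]
    return min(found) if found else len(buf)


def carve(buf, max_len=1 << 20):
    """Carve files out of raw unallocated space.

    A hit is 'intact' when its footer appears before the next header of any
    type; otherwise the remainder was overwritten (or never written) and the
    hit is reported as 'partial', ending where the next header begins.
    """
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = buf.find(head)
        while pos != -1:
            body = pos + len(head)
            end = buf.find(tail, body, pos + max_len)
            boundary = _next_header(buf, body)
            if end != -1 and end < boundary:
                length, status, resume = end + len(tail) - pos, "intact", end + len(tail)
            else:
                length, status, resume = boundary - pos, "partial", boundary
            hits.append({"type": kind, "offset": pos, "length": length,
                         "status": status, "data": buf[pos:pos + length]})
            pos = buf.find(head, resume)
    return sorted(hits, key=lambda h: h["offset"])


def file_slack(allocated, logical_size, cluster_size=4096):
    """Slack space: bytes between a file's logical end and the end of its last
    cluster. They still hold whatever the cluster's previous occupant left."""
    last_cluster_end = -(-logical_size // cluster_size) * cluster_size
    return allocated[logical_size:last_cluster_end]


def demo_unallocated():
    """Constructed unallocated region (not real evidence): an intact JPEG, then
    a PDF whose tail was overwritten by a later, intact PNG, with zero filler."""
    return (b"\x00" * 100
            + b"\xff\xd8\xff\xe0" + b"J" * 50 + b"\xff\xd9"           # intact JPEG, 56 bytes
            + b"\x00" * 30
            + b"%PDF-1.4\n" + b"P" * 40                               # PDF with no %%EOF
            + b"\x89PNG\r\n\x1a\n" + b"N" * 60 + b"IEND\xaeB`\x82"    # intact PNG, 76 bytes
            + b"\x00" * 20)


def demo():
    """(type, offset, length, status) for every carved hit, in disk order."""
    return [(h["type"], h["offset"], h["length"], h["status"])
            for h in carve(demo_unallocated())]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The partial PDF is exactly what the slide means by "may be a small piece or a large portion of a file": the carver can report its existence and hand over what survives, but the hit is a finding to document rather than a file to deliver.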
Data Recovery/Forensic Analysis Tools
• Most common tools utilized – industry standard
• Guidance Software’s EnCase Forensic
– Acquisition
– Data Recovery
– Data Carving
– Data Culling / Methods to filter results - Searches “on the fly”
or “on-demand”
– Analysis
• AccessData’s FTK
– Acquisition
– Data Recovery
– Data Carving
– Data Culling / Methods to filter results - Data is indexed prior
to searching
– Analysis
Similar capabilities – it is really the consultant’s choice to determine which tools
work best for the job at hand.
Forensic Analysis Options
• Examine
  – Deleted Files
  – E-Mail
  – Internet Access / History
  – Search Terms
  – Search HASH Values
  – Header analysis
  – Specific software – i.e. Wiping programs
• Custodian behavior & trends
• Reporting
  – Chain of custody
  – Methodology
  – Findings
  – File Listings – USB attachments – etc.
• Affidavits/Testimony
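Added example (not the deck's own tooling) of three of the examination steps listed above, run over a constructed in-memory file set: search-term hits, matching each file's SHA-256 against a set of known hash values, and header analysis that compares the declared extension with the file's leading bytes. The magic-byte table, extension map, file names and contents are demo assumptions.

```python
import hashlib
import re

# Demo magic-byte table and the content type each extension is expected to carry.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
}
EXT_TYPES = {"jpg": "jpg", "jpeg": "jpg", "pdf": "pdf", "png": "png",
             "docx": "zip/office", "xlsx": "zip/office", "txt": "text"}


def detect_type(data):
    """Header analysis: classify by leading bytes, never by file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "text" if data[:256].isascii() else "unknown"


def triage(files, known_hashes, terms):
    """Examine an in-memory file set.

    files: {path: bytes}; known_hashes: SHA-256 hex digests being searched for;
    terms: search terms matched case-insensitively in the decoded content.
    Each report entry records the digest, whether it is a known hash, the
    declared vs. detected type, and the hit count per search term.
    """
    report = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        digest = hashlib.sha256(data).hexdigest()
        detected = detect_type(data)
        expected = EXT_TYPES.get(ext)
        text = data.decode("utf-8", errors="ignore")
        report.append({
            "path": path,
            "sha256": digest,
            "known_hash": digest in known_hashes,
            "declared": ext,
            "detected": detected,
            "type_mismatch": expected is not None and detected != expected,
            "term_hits": {t: len(re.findall(re.escape(t), text, re.IGNORECASE))
                          for t in terms},
        })
    return report


def demo():
    """Constructed file set (not real evidence). 'readme.txt' carries JPEG
    bytes under a .txt name, and 'contract.pdf' is placed in the known-hash set."""
    files = {
        "reports/q3.txt": b"Quarterly report. Project Falcon budget approved.",
        "photos/vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes/readme.txt": b"\xff\xd8\xff\xe0" + b"image stored under a text name",
        "docs/contract.pdf": b"%PDF-1.4\nProject Falcon services agreement\n%%EOF",
    }
    known = {hashlib.sha256(files["docs/contract.pdf"]).hexdigest()}
    return triage(files, known, ["project falcon", "budget"])


if __name__ == "__main__":
    for entry in demo():
        flags = []
        if entry["known_hash"]:
            flags.append("KNOWN-HASH")
        if entry["type_mismatch"]:
            flags.append(f"MISMATCH {entry['declared']}!={entry['detected']}")
        print(entry["path"], entry["term_hits"], " ".join(flags))
```

Hash matching is exact, so one changed byte defeats it; that is why it is paired with term searching and header analysis, each of which catches what the others miss. A mismatch between declared and detected type is not proof of anything by itself, only an item to examine and report.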
Cell phones/Blackberries/iPhones/PDAs/Tablets
• Dozens of Manufacturers:
  – Acer
  – Alcatel
  – Apple
  – ASUS
  – Audiovox
  – BenQ Siemens
  – Blackberry
  – Dell
  – Garmin
  – HP
  – HTC
  – Hyundai
  – i-mate
  – Kyocera
  – LG
  – Macintosh
  – MIO
  – Motorola
  – NEC
  – Nokia
  – O2
  – Orange
  – Palm
  – Panasonic
  – Pantech
  – Philips
  – POZ
  – Qtek
  – Sagem
  – Samsung
  – Sanyo
  – Sharp
  – Siemens
  – Sony Clie
  – Sony Ericsson
  – Telit
  – T-Mobile
  – Toshiba
  – UBiQUiO
  – VK Mobile
• Thousands of Models
Cell phones/Blackberries/iPhones/PDAs/Tablets
• Acquisition Options
  – Logical acquisition (full files)
  – Physical acquisition (bit by bit)
    • Can perform forensic analysis and image extraction
  – Both (custom – hybrid)
  – Neither
• Data Options
  – Simply, everything you can view when the antenna/signal is off
    • Call Logs
    • Text Messages
    • Emails
    • Pictures
    • Contacts
    • Memos/Notes
    • Other (Office files, application files, etc.)
• Manufacturer/Model dependent
  – Dependent on the Operating System of the device
  – Some devices have their own tools for logical collection
  – Some providers lock down items such as text messages
  – Passwords/Encryption
Cloud and Social Media Based Collections
The Oliver Group has extensive experience acquiring data
from internet based applications such as:
In Summary
• Need qualified EXPERTS
• Administrative Collection Process JUST AS IMPORTANT as Technical
• Testify to end-to-end process
• Established, Defensible and Generally Accepted
• Objective View Point (Supervisory or Deployed Team)
Q&A
Dean M. Felicetti
Partner
Corporate Headquarters
595 Greenhaven Road
Pawcatuck, CT 06379 US
European Office
London, United Kingdom
P: 860.599.9760 | F: 860.599.9768
info@the-olivergroup.com | www.the-olivergroup.com