Cyber Forensics

advertisement
CYBER FORENSICS - AGENDA
• Dealing with electronic evidence – Non
or Cyber Experts
• Forensic Imaging / Forensic Application
/ Tools
• Current Challenges we experience in the
Cyber Sphere
DEALING WITH ELECTRONIC EVIDENCE - ONSITE
Obtain the necessary Authorization in writing / Consent
Obtain an high level background of the entire IT infrastructure from your
client
• Server/s might be offsite
• Local Mail Server (make use of SP) / File Server/ Financial systems /
Backup Solution etc.
• Cloud Computing (dropbox, i-cloud etc)
• Encryption of data (e.g. local computers)
• Printer Audit trail enabled (record all printed document)
• Firewall Server
• CCTV Footage / Access Control
• PABX system
• Mobile devices / GPS devices
DEALING WITH ELECTRONIC EVIDENCE - ONSITE


Perform a thorough search at the premises / office for any types of electronic media
• Take the necessary pictures / screenshots / notes / floor plan of all media
identified
• Obtain the necessary password / pin codes of mobile devices, I-pad’s tablets /
Webmail etc.
When desktop computer is on, take pictures of all open applications then pull the plug!!
(If user is present, ask the client to save all open docs before you pull the plug);

For Laptops, perform the same procedure as with desktops then, ask user / IT
administrator to shut down the computer and record the shutdown date / time.

For servers call the experts!!!

Secure all evidence in evidence bags / or material available on site
• Ensure to record both signatories of the sealed evidence bag of the media
seized including case no, name of computer user and date/time.


Issue a Chain of evidence receipt of all item/s seized / removed from the premises
Lockup in safe location for imaging purposes
FORENSIC IMAGING – APPLICATIONS / TOOLS
Definition of a forensic Image

A Forensic Image is a forensically sound and complete copy of a hard drive or other digital media,
generally intended for use as evidence. Copies include unallocated space, slack space, and boot
record

Each image consist of an unique “electronic fingerprint” called the MD5 Hash value which gets
created during the imaging process. This ensure file integrity, also proves no data manipulation took
place.

Ensure verification process were completed (hash values must match)

Record hash value onsite and ask someone to witness the hash value

Types of imaging
•
Physical Imaging – Entire Hard Disk Drive (HDD/ Memstick / Mobile Phone)
•
Logical Imaging – Partial file and folder imaging (used on Anton Pillar Orders) Emails / DB’s etc
•
Live Ram acquisition with Belkasoft Live Ram analysis / Encase
•
Discover Running malware/Viruses
•
Obtaining various password/ Gmail/cloud computing/ decryption keys
•
Communication via webmail and recent internet Web browsing;
•
Live server imaging (especially when PC is encrypted and no password is available) or the
server cant’s be switched off .
VARIOUS TYPES OF MEDIA FOR IMAGING
FORENSIC TOOLS / APPLICATIONS
For Forensic Imaging
•
Encase Forensics (Physical/ Logical / Live Ram)
•
FTK Imager (Physical/ Logical / Live Ram)
•
Password Recovery Kit
•
Belkasoft
•
Netanalysis
MOBILE FORENSIC DEVICES/ TOOLS
Mobile Forensics
•
Cellebright
•
Paraben
•
Blacklight (Apple / MAC)
•
Encase
•
Mobile Edit Forensics
E-DISCOVERY TOOL – INTELLA
HTTPS://WWW.VOUND-SOFTWARE.COM
CURRENT CHALLENGES IN THE CYBER SPHERE
Local PC / Media Encryption / Cell-phone Encryption
• Forgot to obtain Password / Pin / Patterns for cell phones
Bypassing pin blocked or pattern block mobile phones
 Possible but limited
 Use J-Tag Method
 Use chip-off method
Chip-off forensics is an advanced digital data extraction and analysis technique which
involves physically removing flash memory chip(s) from a subject device and then acquiring
the raw data using specialized equipment.
Virtual Servers Environment
 More and more client are using Virtual servers to save hardware cost and backup
solutions
 Cloud computing / I-pad / Table information
 Webmail communication
 Gmail investigation
 Yahoo investigation
 Anti-Forenscis
Questions
Email Address:
Jaco@Shieldtechnology.co.za
Contact Details: 0827732542
Download