Lecture 1 - Digital Forensics and Artifacts

CDT507 - Computer Forensics and Cyber Security

DIGITAL FORENSICS AND ARTIFACTS

Joram Kinuthia
University of Nairobi

Lecture 1
Outline
2

• Course resources
• Intro to digital forensics
• Digital forensic analysis goals
• Digital forensic process
• Open source tools
• Artifacts
• Lab work

10 September 2020
Resources
3

• Course books
  • Digital Forensics with Open Source Tools by Cory Altheide & Harlan Carvey
  • Computer Forensics - Investigating Network Intrusions and Cyber Crime - EC-Council
  • Digital Forensics for Network, Internet and Cloud Computing by Lillard, Garrison, Schiller and Steele
  • Syngress Malware Forensics Field Guide for Linux Systems by Malin, Case and Aquilina
• Hands-on course; basic knowledge of Windows and Linux required
• Dual boot laptop – Ubuntu and Windows
• Important online resources
  • http://www.sans.org/score/checklists
  • https://www.owasp.org/
  • https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
  • http://www.ke-cirt.go.ke/
  • http://wiki.sleuthkit.org/
  • http://cak.go.ke

Digital forensics
4

• The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations - Digital Forensics Research Workshop (DFRWS), 2001

• *Often summarized into 3 broad processes: acquisition, analysis, and presentation

Goals of Forensic Analysis
5

• The goal of any given forensic examination is to find facts, and via these facts to recreate the truth of an event.
• The examiner reveals the truth of an event by discovering and exposing the remnants of the event that have been left on the system.
• These remnants are known as artifacts.
• These remnants are sometimes referred to as *evidence
  *Prefer to avoid overusing the term evidence because of its loaded legal connotations. Evidence is something to be used during a legal proceeding, and using the term loosely may get an examiner into trouble.
• Artifacts are traces left behind by activities and events, which can be innocent, or not.

Goals of Forensic Analysis…
6

• The job of the examiner is to determine truth.
• Every examination should begin with a hypothesis. Examples include “this computer was hacked into,” “my spouse has been having an affair,” or “this computer was used to steal the garbage file.”
• The examiner’s task is not to prove these assertions.
• The examiner’s task is to uncover artifacts that indicate whether the hypothesis is valid or not valid.

Goals of Forensic Analysis…
7

• Complexity is introduced by the ease with which items in the digital realm can be manipulated (or fabricated entirely).
• In many investigations, the examiner must determine whether or not the digital evidence is consistent with the processes and systems that were purported to have generated it.
• In some cases, determining the consistency of the digital evidence is the sole purpose of an examination.

The Digital Forensics Process
8

• Acquisition refers to the collection of digital media to be examined.
• Depending on the type of examination, these can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files.
• Media to be examined should be treated delicately.
• At a minimum the acquisition process should consist of creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
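The two minimum requirements on this slide (a verified working copy and a record of every action on the original) can be shown in a few lines of Python. The script below is an added example written for these notes, not code from the course or from any of the listed books; the "media" is a constructed byte string written to a temporary file, the examiner name is a placeholder, and the custody log is a simple JSON-lines file of my own design. The source is hashed before, during and after the copy so that any change to the original while it was being read is detected, the image is hashed once written, and the working copy is made read-only only after all digests agree.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large media never has to fit in memory

# Constructed sample "media": stands in for a drive or file handed to the examiner.
SAMPLE_MEDIA = b"MBR\x00" * 64 + b"user notes: meeting at 10\n" + b"\x00" * 512


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, log_path: str, examiner: str) -> dict:
    """Create a working copy of `source` at `image` and append a custody record.

    The source is opened read-only and hashed before the copy, while it is being
    read, and after the copy; the image is hashed once written. All four digests
    must agree for the acquisition to count as verified.
    """
    source_before = sha256_of_file(source)
    read_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            read_hash.update(block)
            dst.write(block)
            size += len(block)
    source_after = sha256_of_file(source)
    image_hash = sha256_of_file(image)
    verified = source_before == read_hash.hexdigest() == source_after == image_hash
    if verified:
        os.chmod(image, 0o444)  # the working copy becomes read-only once verified
    record = {
        "action": "acquire",
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder identity, supplied by the caller
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "bytes": size,
        "source_sha256": source_before,
        "image_sha256": image_hash,
        "verified": verified,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # one JSON object per line, append-only
    return record


def verify_image(image: str, log_path: str) -> bool:
    """Re-hash the image and compare it with the digest recorded at acquisition."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = next(r["image_sha256"] for r in reversed(records)
                    if r["action"] == "acquire" and r["image"] == os.path.abspath(image))
    return sha256_of_file(image) == expected


def demo() -> dict:
    """Acquire the constructed media, then re-verify the image before and after
    a simulated accidental write to the working copy."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_drive.bin")
        image = os.path.join(work, "suspect_drive.dd")
        log_path = os.path.join(work, "custody.log")
        with open(source, "wb") as f:
            f.write(SAMPLE_MEDIA)
        record = acquire(source, image, log_path, examiner="examiner-01")
        clean = verify_image(image, log_path)
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:  # one byte changed: re-verification must now fail
            f.seek(256)
            f.write(b"X")
        tampered = verify_image(image, log_path)
    return {"record": record, "reverify_clean": clean, "reverify_tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the custody record and the two verification results; the same `verify_image` check is what an examiner would run on the working copy before each analysis session and before handing it to anyone else.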

The Digital Forensics Process…
9

• Analysis refers to the actual media examination — the “identification, analysis, and interpretation”
• Identification consists of locating items present in the media in question and then further reducing this set to artifacts of interest.
• The artifacts are then subjected to appropriate analysis, e.g.
  • file system analysis,
  • file content examination,
  • log analysis,
  • statistical analysis
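The identification step, locating everything on the media and then reducing it to the artifacts of interest, is illustrated by the following added example (written for these notes, not course code). It walks a small constructed "mounted image" built in a temporary directory, drops files whose SHA-256 matches a constructed known-good reference set (standing in for a real hash set such as NSRL), keeps files modified inside a window of interest or carrying a keyword taken from the earlier "garbage file" hypothesis, and orders the survivors into a timeline. The file names, contents and timestamps are all made up for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def walk_media(root: str) -> list:
    """List every regular file under the mounted image with size, mtime and SHA-256."""
    items = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()  # tiny files here; stream for real media
            items.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "sha256": digest,
            })
    return items


def reduce_to_artifacts(items, known_good, window_start, window_end, keywords) -> list:
    """Drop known-good files, keep files modified in the window or named with a
    keyword, note why each survivor was kept, and sort them into a timeline."""
    artifacts = []
    for it in items:
        if it["sha256"] in known_good:
            continue  # matches the reference set: not an artifact of interest
        reasons = []
        if window_start <= it["mtime"] <= window_end:
            reasons.append("modified in window")
        if any(k in it["path"].lower() for k in keywords):
            reasons.append("keyword in name")
        if reasons:
            artifacts.append({**it, "reasons": reasons})
    artifacts.sort(key=lambda a: a["mtime"])
    return artifacts


def _utc(y, m, d, hh=0, mm=0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def demo() -> dict:
    """Build a constructed image of six files and run identification over it."""
    files = {  # relative path -> (content, mtime); all values are made up
        "system/kernel.bin": (b"\x7fELF kernel stub", _utc(2019, 1, 1)),
        "system/libc.so": (b"\x7fELF libc stub", _utc(2020, 9, 10, 9, 0)),
        "home/user/notes.txt": (b"meeting at 10", _utc(2020, 9, 10, 10, 15)),
        "home/user/garbage_file.docx": (b"PK\x03\x04 docx stub", _utc(2020, 8, 1)),
        "home/user/holiday.jpg": (b"\xff\xd8\xff jpeg stub", _utc(2020, 7, 4)),
        "tmp/.cleanup.sh": (b"#!/bin/sh\necho cleanup\n", _utc(2020, 9, 10, 11, 30)),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mtime) in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
            os.utime(path, (mtime.timestamp(), mtime.timestamp()))
        # constructed reference set: the two OS files are "known good", so libc.so is
        # dropped even though its mtime falls inside the window of interest
        known_good = {hashlib.sha256(files[p][0]).hexdigest()
                      for p in ("system/kernel.bin", "system/libc.so")}
        items = walk_media(root)
        artifacts = reduce_to_artifacts(
            items, known_good,
            window_start=_utc(2020, 9, 10, 8, 0), window_end=_utc(2020, 9, 10, 12, 0),
            keywords=["garbage"],
        )
    return {"total": len(items), "artifacts": artifacts}


if __name__ == "__main__":
    result = demo()
    print(f"{result['total']} items found, {len(result['artifacts'])} kept:")
    for a in result["artifacts"]:
        print(a["mtime"].isoformat(), a["path"], ", ".join(a["reasons"]))
```

Of the six items, three survive: the keyword hit from August, then the two files modified in the window, in timeline order. Holiday photos and reference-set matches fall away, which is exactly the reduction the slide describes; the surviving files are then candidates for content examination.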

The Digital Forensics Process…
10

• Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties.
• This consists of
  • generating a report of actions taken by the examiner,
  • artifacts uncovered,
  • and the meaning of those artifacts.
• The presentation phase can also include the examiner defending these findings under challenge.
• NB: findings from the analysis phase can drive additional acquisitions, each of which will generate additional analyses, etc.

Open Source Tools
11

• We will use open source tools in this course
• Generically, “open source” means just that: the source code is open and available for review.
• However, just because you can view the source code doesn’t mean you have a license to do anything else with it.
• To do:
  • Read about the Open Source Initiative and their definition of open source
  • Write short notes on different types of open source licences, e.g. GPL, BSD
  • Benefits of open source tools
  • Social media – dark web, Twitter, Tor etc. Discover!
• To be considered open source, a piece of software must be freely redistributable, must provide access to the source code, must allow the end user to modify the source code at will, and must not restrict the end use of the software.

Artifacts
12

• Windows systems and artifacts
• Linux systems and artifacts
• Internet artifacts (web browsers and mail)
• *Mac OS X systems and artifacts

*Not covered in this course

Lab work
13

• Install Ubuntu Desktop on your laptops
  • At least 10 GB of hard disk; swap should be 2x the size of RAM, e.g. at least 4 GB
  • Should be a dual boot machine to allow labs on both Windows and Linux
  • Alternative is to run Oracle VM VirtualBox and run Linux as a VM
• Log into the dark web!
