Cyber Forensics
Overview
• Introduction
• What happens when a file is deleted
• Typical Cyber Forensic Investigations
• Who uses Computer Forensics
• Important things to remember
• Options to avoid
• Computer Forensic software
• EnCase Forensic
• Conclusion
What is Cyber Forensics / Computer
Forensics?
• Collection, preservation, analysis and
presentation of computer-related
evidence
• Determining the past actions that have
taken place on a computer system
using computer forensic techniques
What is the Purpose of Computer
Forensics?
• Classic Forensics
• Computer forensics uses technology to
search for digital evidence of a crime
• Attempts to retrieve information even if it
has been altered or erased so it can be used
in the pursuit of an attacker or a criminal
• Incident Response
▫ Live System Analysis
• Computer Forensics
▫ Post-Mortem Analysis
What Happens when a File is Deleted?
• Windows Operating System
▫ File Allocation Table (FAT)
▫ Master File Table (MFT)
• FAT/MFT tells the computer where the file begins
and ends
• Deleted pointers to the file
▫ FAT/MFT space occupied by the file is marked
as available
• The actual data that was contained in the file is not
deleted
▫ Unallocated space
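The deletion behaviour described on this slide, as an added example that is not part of the original slides: a toy FAT-style volume in which deleting a file only flags the directory entry and releases its allocation chain, so the bytes stay in unallocated space until a later write reuses those clusters. The cluster size, cluster count, file names and contents are all constructed for the example.

```python
# Added example, not from the slides: a toy FAT-style volume showing what
# "deleting" does. Constants, layout, file names and contents are constructed.
from dataclasses import dataclass, field
from typing import List

CLUSTER_SIZE = 8         # bytes per cluster (constructed; real FAT uses 512 B to 32 KiB)
NUM_CLUSTERS = 16
FREE = 0                 # allocation-table value for an available cluster
END_OF_CHAIN = -1        # allocation-table value for the last cluster of a file


@dataclass
class DirEntry:
    name: str
    first_cluster: int     # the "pointer" the FAT/MFT keeps for the file
    size: int
    deleted: bool = False  # a deleted entry is flagged, but its fields stay readable


@dataclass
class ToyVolume:
    fat: List[int] = field(default_factory=lambda: [FREE] * NUM_CLUSTERS)
    data: bytearray = field(default_factory=lambda: bytearray(CLUSTER_SIZE * NUM_CLUSTERS))
    directory: List[DirEntry] = field(default_factory=list)

    def free_clusters(self) -> List[int]:
        # cluster 0 is reserved, as on a real FAT volume
        return [i for i, v in enumerate(self.fat) if v == FREE and i != 0]

    def write_file(self, name: str, content: bytes) -> DirEntry:
        needed = max(1, -(-len(content) // CLUSTER_SIZE))   # ceiling division
        chain = self.free_clusters()[:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < needed else END_OF_CHAIN
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        entry = DirEntry(name, chain[0], len(content))
        self.directory.append(entry)
        return entry

    def read_file(self, entry: DirEntry) -> bytes:
        """Normal OS read: follow the allocation chain from the directory entry."""
        if entry.deleted:
            raise FileNotFoundError(entry.name)   # the OS no longer sees the file
        out, c = bytearray(), entry.first_cluster
        while c not in (END_OF_CHAIN, FREE):      # stop at end of chain or a broken chain
            out += self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
            c = self.fat[c]
        return bytes(out[:entry.size])

    def delete_file(self, entry: DirEntry) -> None:
        """What the OS does on delete: flag the entry and release its chain.
        self.data is never touched, so the bytes remain in unallocated space."""
        c = entry.first_cluster
        while c not in (END_OF_CHAIN, FREE):
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        entry.deleted = True

    def unallocated_space(self) -> bytes:
        """Every cluster the allocation table currently calls free."""
        return b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in self.free_clusters())

    def recover_deleted(self, entry: DirEntry) -> bytes:
        """Forensic recovery: the deleted entry still records the first cluster and
        the size, so read that many bytes assuming the clusters were contiguous.
        Anything overwritten since the deletion comes back wrong."""
        start = entry.first_cluster * CLUSTER_SIZE
        return bytes(self.data[start:start + entry.size])
```

Writing a new file after the deletion reuses the lowest free clusters, which is exactly why the later slide warns that rebooting or otherwise writing to the media overwrites unallocated space and destroys what could have been recovered.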
Typical Investigations
• Theft of Company Secrets (client, customer or
employee lists)
• Employee Sabotage
• Credit Card Fraud
• Financial Crimes
• Embezzlement (money or information)
• Economic Crimes
• Harassment
• Child Pornography
• Major Crimes
• Identity Theft
Media Devices that hold Potential Data
• Computers and laptops
• iPads
• iPods
• Smartphones and most other cell phones
• MP3 music players
• Hard Drives
• Digital Cameras
• USB Memory Devices
• PDAs (Personal Digital Assistants)
• Backup Tapes
• CD-ROMs & DVDs
Computer Forensic Capabilities
• Recover deleted files
• Find out what external devices have been attached
and what users accessed them
• Determine what programs ran
• Recover webpages
• Recover emails and users who read them
• Recover chat logs
• Determine file servers used
• Discover document’s hidden history
• Recover phone records and SMS text messages from
mobile devices
• Find malware and data collected
Who uses Computer Forensics?
• Law Enforcement
• Private Computer Forensic Organizations
• Military
• University Programs
• Computer Security and IT Professionals
Law Enforcement
• Local, State and Federal levels
• Several detectives at local levels
▫ Inadequate funding
• State Police
• FBI’s Computer Analysis and Response Team
(CART)
• Regional Computer Forensics Laboratories
(RCFLs)
▫ Philadelphia
• Primarily use EnCase
Military
• Test, identify, and gather evidence in the field
▫ Specialized training in imaging and identifying
multiple sources of electronic evidence
• Analyze the evidence for rapid intelligence
gathering and responding to security breach
incidents
▫ Desktop and server forensic techniques
Important Factors
• Legal procedures
▫ Not compromising evidence
• Treat every piece of evidence as if it will be used in
court
• Documentation*
• Chain of Custody
• Write Blockers
• Imaging
▫ Bit by bit copy of a piece of electronic media (Hard
drive)
What Should be Avoided During an
Investigation?
• Changing data
▫ Changing time or date stamps
▫ Changing files
• Overwriting unallocated disk space
▫ This can happen when rebooting
• Verify Hash values from images
Computer Forensic Tools
• Parse through the created image
▫ Built in system parser
• Rebuilds both active and deleted files
• Open source
• Commercial sources
Common Computer Forensic Software
• ArcSight Logger
• Netwitness Investigator
• Quest Change Auditor
• Cellebrite
• Physical Analyzer
• Lantern
• Access Data’s Forensic Toolkit (FTK)
• EnCase Cybersecurity
• EnCase eDiscovery
• EnCase Portable
• EnCase Forensic*
EnCase Forensic
• Acquisition
• Reporting
• EnScript:
▫ Scripting facility
▫ Various API's for interacting with evidence
• Collect, Analyze and examine data
▫ Deleted files
▫ Unallocated space
▫ File slack
• Duplicates of original data (Imaging)
▫ Accuracy can be verified by hash and Cyclic
Redundancy Check values
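Imaging and hash verification, as described under "Important Factors" (bit-by-bit copy, chain of custody, verifying hash values from images) and on this slide (accuracy verified by hash and CRC values), as an added example that is not part of the original slides and is not EnCase code: a constructed in-memory "device" is copied byte for byte, SHA-256 and CRC32 are recorded from the source stream, the image is re-hashed later and compared, and a small chain-of-custody log checks that every handler attested the same hash. The device contents, examiner names and custody actions are constructed.

```python
# Added example, not from the slides or from EnCase: acquiring a bit-by-bit image
# of a constructed "device" and verifying it with the hash and CRC values an
# examiner records. Device contents and custody entries are constructed.
import hashlib
import io
import zlib
from typing import Dict, List, Tuple

CHUNK = 4096  # read size; any size works, the digests cover the whole stream


def acquire_image(device: io.BufferedIOBase, image: io.BufferedIOBase) -> Dict[str, object]:
    """Copy every byte from the source to the image, hashing as we go.
    The digests are computed over what was read from the source, so they
    describe the original media at acquisition time."""
    sha, crc, total = hashlib.sha256(), 0, 0
    while True:
        block = device.read(CHUNK)
        if not block:
            break
        image.write(block)
        sha.update(block)
        crc = zlib.crc32(block, crc)   # incremental CRC32, same result as one call
        total += len(block)
    return {"sha256": sha.hexdigest(), "crc32": f"{crc:08x}", "bytes": total}


def acquire_bytes(device: bytes) -> Tuple[Dict[str, object], bytes]:
    """Convenience wrapper: image an in-memory device, return (record, image bytes)."""
    image = io.BytesIO()
    record = acquire_image(io.BytesIO(device), image)
    return record, image.getvalue()


def hash_image(image_bytes: bytes) -> Dict[str, object]:
    """Re-hash an image read back later (before analysis, or again in court)."""
    return {"sha256": hashlib.sha256(image_bytes).hexdigest(),
            "crc32": f"{zlib.crc32(image_bytes):08x}",
            "bytes": len(image_bytes)}


def verify_image(acquisition: Dict[str, object], image_bytes: bytes) -> bool:
    """True only if the image still matches the values recorded at acquisition."""
    return hash_image(image_bytes) == acquisition


def custody_entry(log: List[Dict[str, str]], who: str, action: str, sha256: str) -> None:
    """Append one chain-of-custody record; every transfer restates the hash."""
    log.append({"who": who, "action": action, "sha256": sha256})


def custody_consistent(log: List[Dict[str, str]]) -> bool:
    """Every handler must have attested the same hash; a change breaks the chain."""
    return len({e["sha256"] for e in log}) == 1
```

A single flipped bit anywhere in the image changes both digests, which is what makes the recorded values usable evidence that the copy analysed is the copy that was acquired; a real acquisition would be done through a write blocker so the source itself cannot change while it is read.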
EnCase Forensic
• Many operating systems
▫ Windows
▫ Linux
▫ Apple iOS
▫ Sun/Oracle Solaris
• Supported smartphones
• Recommended to run on the Windows 7 (64-bit)
operating system
EnCase Forensic: File Signatures (screenshot)
EnCase Gallery (screenshot)
EnCase Document View (screenshot)
Perform a Search
• Raw Search
▫ A search based on keywords that search the entire
drive for a match
▫ Slow process on larger drives
• Indexed Search
▫ A search that requires the drive to be indexed
▫ Indexing can take a long time
▫ Searches are instantaneous
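The two search strategies contrasted on this slide, as an added example that is not part of the original slides and is not EnCase code: raw_search scans every byte of the image for each query, while build_index makes one slow pass that tokenises the image so that indexed_search answers each query with a dictionary lookup. The image bytes are constructed and include a fragment of a "deleted" memo sitting among null bytes, which both strategies find because both cover the whole image.

```python
# Added example, not from the slides or from EnCase: raw (scan every byte per
# query) versus indexed (tokenise once, look up instantly) keyword search over a
# constructed disk image.
import re
from collections import defaultdict
from typing import Dict, List

# Constructed image: allocated text, slack/null bytes and a deleted-memo fragment.
IMAGE = (b"\x00" * 16
         + b"Invoice 4471 payable to Globex Corp\x00"
         + b"\x00" * 8
         + b"DELETED MEMO: meet at 9pm, bring the client list\x00"
         + b"\xff" * 4
         + b"mailto:alice@example.test\x00")

# Tokens the indexer recognises: runs of 3+ word-like bytes (constructed rule).
TOKEN = re.compile(rb"[A-Za-z0-9_.@-]{3,}")


def raw_search(image: bytes, keyword: bytes) -> List[int]:
    """Case-insensitive scan of the whole image; cost grows with image size
    on every query, which is why it is slow on large drives."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(image)]


def build_index(image: bytes) -> Dict[bytes, List[int]]:
    """One full pass over the image: map each lowercased token to the offsets
    where it occurs. This is the long step; afterwards lookups are instant."""
    index = defaultdict(list)
    for m in TOKEN.finditer(image):
        index[m.group().lower()].append(m.start())
    return dict(index)


def indexed_search(index: Dict[bytes, List[int]], keyword: bytes) -> List[int]:
    """Dictionary lookup; only whole tokens present at indexing time are found."""
    return index.get(keyword.lower(), [])
```

The caveat the index buys its speed with: a query for a substring that is not a whole token (b"lob" inside "Globex") is found by the raw scan and missed by the indexed lookup, so an examiner who needs partial matches or byte patterns still falls back to a raw search.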
Bookmark Specific Evidence
• Bookmark Findings
▫ Raw Text Bookmarks
▫ Data Structure Bookmarks
▫ Notable File Bookmarks
▫ Multiple Notable File Bookmarks
▫ Note Bookmarks
▫ Table Bookmarks
▫ Transcript Bookmarks
Indexed Search (screenshot)
Bookmark Screen (screenshot)
Deleted Files (screenshot)
Conclusion
• Computer Forensics helps determine the WHO,
WHAT, WHEN, and WHERE related to a
computer-based crime or violation.
• Who uses Computer Forensics
• Situations to use Computer Forensics
• Computer Forensic Software
• Dos and Don'ts of practicing Computer Forensics
• How to get involved in Computer Forensics
Questions?