cyber forensics presenter: jaco venter. cyber forensics - agenda dealing with electronic evidence...
TRANSCRIPT
![Page 1: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/1.jpg)
CYB
ER FORENSIC
S
PR
ES
EN
TE
R:
J AC
O V
EN
TE
R
![Page 2: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/2.jpg)
CYBER FORENSICS - AGENDA• Dealing with electronic evidence –
Non or Cyber Experts• Forensic Imaging / Forensic
Application / Tools• Current Challenges we
experience in the Cyber Sphere
![Page 3: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/3.jpg)
DEALING WITH ELECTRONIC EVIDENCE - ONSITE
Obtain the necessary Authorization in writing / ConsentObtain an high level background of the entire IT infrastructure
from your client • Server/s might be offsite • Local Mail Server (make use of SP) / File Server/ Financial
systems / Backup Solution etc.• Cloud Computing (dropbox, i-cloud etc)• Encryption of data (e.g. local computers)• Printer Audit trail enabled (record all printed document)• Firewall Server• CCTV Footage / Access Control• PABX system• Mobile devices / GPS devices
![Page 4: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/4.jpg)
DEALING WITH ELECTRONIC EVIDENCE - ONSITE
Perform a thorough search at the premises / office for any types of electronic media• Take the necessary pictures / screenshots / notes / floor plan of all media
identified • Obtain the necessary password / pin codes of mobile devices, I-pad’s tablets /
Webmail etc. When desktop computer is on, take pictures of all open applications then pull the
plug!! (If user is present, ask the client to save all open docs before you pull the plug);
For Laptops, perform the same procedure as with desktops then, ask user / IT administrator to shut down the computer and record the shutdown date / time.
For servers call the experts!!!
Secure all evidence in evidence bags / or material available on site• Ensure to record both signatories of the sealed evidence bag of the media
seized including case no, name of computer user and date/time.
Issue a Chain of evidence receipt of all item/s seized / removed from the premises Lockup in safe location for imaging purposes
![Page 5: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/5.jpg)
FORENSIC IMAGING – APPLICATIONS / TOOLSDefinition of a forensic Image
A Forensic Image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and boot record
Each image consist of an unique “electronic fingerprint” called the MD5 Hash value which gets created during the imaging process. This ensure file integrity, also proves no data manipulation took place.
Ensure verification process were completed (hash values must match)
Record hash value onsite and ask someone to witness the hash value
Types of imaging• Physical Imaging – Entire Hard Disk Drive (HDD/ Memstick / Mobile Phone)• Logical Imaging – Partial file and folder imaging (used on Anton Pillar Orders) Emails /
DB’s etc• Live Ram acquisition with Belkasoft Live Ram analysis / Encase
• Discover Running malware/Viruses• Obtaining various password/ Gmail/cloud computing/ decryption keys• Communication via webmail and recent internet Web browsing;
• Live server imaging (especially when PC is encrypted and no password is available) or the server cant’s be switched off .
![Page 6: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/6.jpg)
VARIOUS TYPES OF MEDIA FOR IMAGING
![Page 7: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/7.jpg)
FORENSIC TOOLS / APPLICATIONS
For Forensic Imaging
• Encase Forensics (Physical/ Logical / Live Ram)
• FTK Imager (Physical/ Logical / Live Ram)
• Password Recovery Kit
• Belkasoft
• Netanalysis
![Page 8: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/8.jpg)
MOBILE FORENSIC DEVICES/ TOOLS
Mobile Forensics
• Cellebright
• Paraben
• Blacklight (Apple / MAC)
• Encase
• Mobile Edit Forensics
![Page 9: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/9.jpg)
E-DISCOVERY TOOL – INTELLA
HTTPS://WWW.VOUND-SOFTWARE.COM
![Page 10: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/10.jpg)
CURRENT CHALLENGES IN THE CYBER SPHERELocal PC / Media Encryption / Cell-phone Encryption• Forgot to obtain Password / Pin / Patterns for cell phonesBypassing pin blocked or pattern block mobile phones Possible but limited Use J-Tag Method Use chip-off methodChip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a subject device and then acquiring the raw data using specialized equipment.
Virtual Servers Environment More and more client are using Virtual servers to save hardware cost and backup
solutions Cloud computing / I-pad / Table information Webmail communication
Gmail investigation Yahoo investigation
Anti-Forenscis
![Page 11: CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application](https://reader035.vdocuments.mx/reader035/viewer/2022062304/56649dd45503460f94acbd72/html5/thumbnails/11.jpg)
CYB
ER FORENSIC
S
PR
ES
EN
TE
R:
J AC
O V
EN
TE
R
Questions
Email Address: [email protected] Details: 0827732542