FORENSICSLets do some Autopsy!!

Savan Patel aka Achilli3st aka X

AUTOPSY

REALLY ?

BUT CLOSE…

NOT LITERALLY!

AGENDA▪ What is forensics

▪ Why to forensics

▪ Anti-Forensics

▪ How To Become Forensics Expert

▪ Some terms

▪ Computer Forensics▪ Memory analysis

▪ Volatile/non-volatile

▪ Encryption/stegnography

▪ N/w Analysis

ABOUT ME

Savan Patel

savan.p.755@gmail.com Follow me at @achilli3st

WHAT IS FORENSICS?▪ Forensic is Related to Court and Trials or To Answer Questions

Related to Legal System

▪ Computer Forensics Helps answering If a Digital Device is part of cyber crime or victim of cybercrime

▪ Purpose is to find evidence which can prove things done on the system in court of case

▪ Five Aspects:

▪ IF ▪ WHO ▪ WHAT ▪ HOW ▪ WHEN ▪ WHY

WHY FORENSICS?

Fraud

Drug traffick

ing

Child pornogr

aphy

Espionage

Copyright infringem

ent

Discover what was lost

Recover Deleted Data

Discover entry pointCYBER - ATTACKS

ANTI-FORENSICS▪ A set of techniques used as countermeasures to forensic analysis

▪ Ex. Full-Disk Encryption

▪ Truecrypt on Linux, Windows and OSX

▪ Filevault 2 on OSX

▪ BitLocker Windows

▪ File Eraser

▪ AbsoluteShield File Shredder ▪ Heidi Eraser

▪ Permanent Eraser

HOW TO BE FORENSICS EXPERT?

HOW TO BE FORENSICS EXPERT?

TOO DAMN EASY!!

JUST LEARN:

Operating Systems

File SystemDisk

Partitioning Networking

Memory Management

JUST LEARN:

Operating Systems

File SystemDisk

PartitioningNetworking

Memory Management

And Of Course A little of these…..

STEPS FOR INVESTIGATING COMPUTER CRIME

Collect evidence and present in the

court

Search and seize the

equipment

Conduct preliminary

assessment to search for evidence

Find and interpret the

clues left behind

Determine if an incident

had occurred

COMPUTER FORENSICS▪ Branch of digital forensic science

pertaining to legal evidence found in computers and digital storage media.

▪ The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.

Computer ForensicsMemory

Analysis

Network Data Analysis

Document or file analysis

OS Analysis

Mobile Analysis

Database Analysis

WHAT YOU NEED?

HardwareRemovable HD enclosures or connectors with different plugsWrite blockers

External disks

Software Multiple operating systems Linux: extensive native file system support

VMs running various Windows versions (XP, Vista, 7, 8)

Forensics toolkits

E.g., SleuthKit http://www.sleuthkit.org

Winhex

Internet Evidence Finder

MEMORY ANALYSIS

Non-Volatile Memory• Stored Data Does not gets erased when

powered off• Ex. Hdd, SDD,CD,DVD, USB Sticks

Volatile Memory• requires power to maintain the stored • Ex. Ram, pagefiles, Swap, caches,

processes

DATA ‘SPOILS’ EASILY▪ It’s extremely important to understand this

▪ Trying to obtain the data may alter them

▪ Simply doing nothing is also not good▪ A running system continuously evolves

▪ The Heisenberg Uncertainty Principle of data gathering and system analysis

▪ As you capture data in one part of the computer you are changing data in another▪ use write blockers

ORDER OF VOLATILITYData type LifetimeRegisters, peripheral memory, caches, etc. nanoseconds

Main Memory nanoseconds Network state milliseconds Running processes seconds Disk minutes Floppies, backup media, etc. years CD-ROMs, printouts, etc. tens of years

VOLATILE MEMORY▪ RAM contains the most recent data such as processes, Open Files, Network Information, recent

chat conversations, social network communications, currently open Web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.

▪ Tools to be used:-▪ Belkasoft Live RAM Capturer

▪ Memory DD

▪ MANDIANT Memoryze

NON-VOLATILE MEMORY▪ Data is stored permanently on the disk.

▪ Shift + Delete will NOT remove it

▪ If data is deleted there ARE tools to recover it.

▪ It all based on type of file format being used▪ NTFS, FAT, ext, HFS….

DISK IMAGING▪ dd

▪ dd if = /dev/sda1 of /dev/sdb1/root.raw

▪ dcfldd▪ Dcfldd if = /dev/sda1 hash=md5 of /dev/sdb1/root.raw

▪ ProDiscover

▪ EnCase

▪ FTk

▪ Seluth kit(autopsy)

▪ Winhex

HASHING▪ After a clone or an image is made it is very important to make a hash of it.

▪ After the complete analysis of the disk or an image we again calculate the hash.

▪ This is important because we need to prove in the court that the evidence has not been tampered.

▪ Currently Indian courts accept SHA-256

▪ Tools for calculating hashes: Winhex, Sleuthkit, ENCase.

RECONSTRUCTING THE FILE SYSTEM▪ The tools like Winhex, Sleuth Kit, ENcase etc allow you to rebuilt the file system so that you could

take a look at the files as they were on the machine.

▪ This makes the entire task of analysis easier.

MAKING THINGS EASIER▪ With tools like Live View it is even possible

to recreate the entire scenario like the actual operating system on a Virtual Machine.

▪ Live view is only compatible until XP.

▪ The tools to really looked upon for this are:

▪ Mount Image Pro and Virtual Forensic Computing

▪ Slack Space

▪ ADS streams

▪ Stenography

▪ Hidden Partitions

▪ Unallocated space

▪ Modified file extensions

▪ META DATA

HIDDEN DATA

FILE CARVING

EXTRACTING HIDDEN DATA▪ While Imaging or cloning a disk the

exact copy is made and hence the hidden data remains as it is.

▪ There is no specific tool for the extraction of the hidden data and hence we need to perform manual analysis on the image or the disk using hex editors

▪ Eg: Winhex

ANALYZING ENCRYPTED MATERIAL▪ While performing analysis on disks and images there are very good chances that we come across

encrypted data.

▪ This creates a problem for an forensic analyst.

▪ Even though there are tools and techniques to break encryptions we sometimes fail to do so.

PASSWORD CRACKING TECHNIQUES▪ A series of attacks are carried out to break encryptions:

▪ Brute Force Attack

▪ Dictionary Attack

▪ Known Plain Text Attack

▪ Rainbow Table Attack

▪ Tools: A variety of stand-alone as well as online tools are available which helps us cracking the encrypted files.

▪ AZPR

▪ AOPR

▪ Decryptum(Online)

▪ Passware kit

HIGH-END ENCRYPTIONS▪ If we come across any type of encryption files or data that have

been encrypted with tools like PGP, True Crypt etc., It becomes really difficult from the forensics point of view to get through.

▪ In such cases the farthest we can do is look for the keys on the machine.

▪ From a culprits point of view steganography is something that would stand beyond cryptography.

▪ This is because detecting steganography manually is a big challenge to any individual.

▪ And with not enough tools to detect steganography in the market it makes the job even more tiresome.

▪ Different tools use different algorithms for hiding data and one can easily develop a steganography algorithm. Not a big task to achieve. That makes it difficult in detection

DEALING WITH STEGANOGRAPHY

Confidential information

THE OOPS MOMENT!!▪ Speaking of the tools used for steganalysis, these tools may sometimes

give you false positives as well. ▪ StegDetect

▪ StegSecret

WHAT IS NETWORK FORENSICS?▪ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of

computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.

▪ Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.

▪ Why Network Forensics plays an important role?

▪ Network Forensics can reveal if the network or a machine from which the crime has occurred was compromised or not. Which can turn out to be really handy in some cases.

WHY NETWORK FORENSICS?

TOOLS▪ Tcp Dump

▪ Wireshark

▪ Network minner

▪ Snortc

THANK YOU

Happy Hacking!!!