forensics - hcon groups · groups.hcon.in/uploads/1/8/1/9/1819392/cyber_forensic… · 2014-10-28
TRANSCRIPT
FORENSICS
Let's do some Autopsy!!
Savan Patel aka Achilli3st aka X
AUTOPSY
REALLY?
BUT CLOSE…
NOT LITERALLY!
AGENDA
▪ What is forensics
▪ Why forensics
▪ Anti-Forensics
▪ How To Become A Forensics Expert
▪ Some terms
▪ Computer Forensics
▪ Memory analysis
▪ Volatile/non-volatile
▪ Encryption/steganography
▪ Network Analysis
WHAT IS FORENSICS?
▪ Forensics is related to courts and trials: it answers questions for the legal system
▪ Computer forensics helps answer whether a digital device was part of a cyber crime or the victim of one
▪ The purpose is to find evidence that can prove in court what was done on the system
▪ Five Aspects:
▪ IF ▪ WHO ▪ WHAT ▪ HOW ▪ WHEN ▪ WHY
WHY FORENSICS?
Fraud
Drug trafficking
Child pornography
Espionage
Copyright infringement
CYBER-ATTACKS
Discover what was lost
Recover deleted data
Discover entry point
ANTI-FORENSICS
▪ A set of techniques used as countermeasures to forensic analysis
▪ Ex. Full-Disk Encryption
▪ TrueCrypt on Linux, Windows and OSX
▪ FileVault 2 on OSX
▪ BitLocker on Windows
▪ File Erasers
▪ AbsoluteShield File Shredder
▪ Heidi Eraser
▪ Permanent Eraser
HOW TO BE A FORENSICS EXPERT?
TOO DAMN EASY!!
JUST LEARN:
Operating Systems
File Systems
Disk Partitioning
Networking
Memory Management
And Of Course A little of these…..
STEPS FOR INVESTIGATING COMPUTER CRIME
Collect evidence and present it in court
Search and seize the equipment
Conduct a preliminary assessment to search for evidence
Find and interpret the clues left behind
Determine if an incident had occurred
COMPUTER FORENSICS
▪ Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
▪ The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
Computer Forensics:
Memory Analysis
Network Data Analysis
Document or File Analysis
OS Analysis
Mobile Analysis
Database Analysis
WHAT YOU NEED?
Hardware:
Removable HD enclosures or connectors with different plugs
Write blockers
External disks
Software:
Multiple operating systems
Linux: extensive native file system support
VMs running various Windows versions (XP, Vista, 7, 8)
Forensics toolkits, e.g. SleuthKit http://www.sleuthkit.org
WinHex
Internet Evidence Finder
MEMORY ANALYSIS
Non-Volatile Memory
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks
Volatile Memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes
DATA ‘SPOILS’ EASILY
▪ It’s extremely important to understand this
▪ Trying to obtain the data may alter it
▪ Simply doing nothing is also not good
▪ A running system continuously evolves
▪ The Heisenberg Uncertainty Principle of data gathering and system analysis
▪ As you capture data in one part of the computer you are changing data in another
▪ Use write blockers
ORDER OF VOLATILITY
Data type                                   Lifetime
Registers, peripheral memory, caches, etc.  nanoseconds
Main memory                                 nanoseconds
Network state                               milliseconds
Running processes                           seconds
Disk                                        minutes
Floppies, backup media, etc.                years
CD-ROMs, printouts, etc.                    tens of years
VOLATILE MEMORY
▪ RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
▪ Tools to be used:
▪ Belkasoft Live RAM Capturer
▪ Memory DD
▪ MANDIANT Memoryze
NON-VOLATILE MEMORY
▪ Data is stored permanently on the disk.
▪ Shift + Delete will NOT remove it
▪ If data is deleted there ARE tools to recover it.
▪ It all depends on the type of file system being used: NTFS, FAT, ext, HFS…
DISK IMAGING
▪ dd
▪ dd if=/dev/sda1 of=/mnt/sdb1/root.raw (the evidence disk sdb1 mounted at /mnt/sdb1; the output must be a file on a mounted filesystem, not a path under the /dev node)
▪ dcfldd
▪ dcfldd if=/dev/sda1 hash=md5 of=/mnt/sdb1/root.raw (hashes the data as it is copied)
▪ ProDiscover
▪ EnCase
▪ FTK
▪ Sleuth Kit (Autopsy)
▪ WinHex
HASHING
▪ After a clone or an image is made it is very important to make a hash of it.
▪ After the complete analysis of the disk or image we calculate the hash again.
▪ This is important because we need to prove in court that the evidence has not been tampered with.
▪ Currently Indian courts accept SHA-256
▪ Tools for calculating hashes: WinHex, Sleuth Kit, EnCase.
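As an added example (not from the slides), the dd/dcfldd idea and the acquire-then-verify hash check in Python: a constructed in-memory "device" with one unreadable sector stands in for /dev/sda1, the imager zero-fills that sector while hashing, and the image is re-verified after analysis.

```python
import hashlib
import io
SECTOR = 512  # assumed sector size of the constructed "device" below

class FlakyDevice(io.BytesIO):  # constructed stand-in for /dev/sda1; listed sectors raise IOError
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad:
            raise IOError("read error at sector %d" % (self.tell() // SECTOR))
        return super().read(size)

def image_device(dev, out, sector=SECTOR):
    """Image dev into out while hashing (what dcfldd hash=sha256 does). An unreadable
    sector is written as zeros and logged, like dd conv=noerror,sync, keeping offsets."""
    h, bad, offset = hashlib.sha256(), [], 0
    while True:
        dev.seek(offset)
        try:
            chunk = dev.read(sector)
            if not chunk:
                break  # clean end of device
        except IOError:
            bad.append(offset // sector)
            chunk = b""  # becomes a full sector of zeros below
        chunk = chunk.ljust(sector, b"\x00")
        h.update(chunk)
        out.write(chunk)
        offset += sector
    return h.hexdigest(), bad

def verify_image(img, acquisition_sha256):
    """Re-hash the image after analysis; a mismatch means the evidence changed."""
    h = hashlib.sha256()
    img.seek(0)
    for chunk in iter(lambda: img.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest() == acquisition_sha256

def demo():
    """Constructed 4-sector device with sector 1 unreadable; not a real disk."""
    dev = FlakyDevice(b"A" * 512 + b"B" * 512 + b"C" * 512 + b"D" * 100, bad_sectors=[1])
    img = io.BytesIO()
    digest, bad = image_device(dev, img)
    ok_before = verify_image(img, digest)
    img.getbuffer()[0] = 0x58  # simulate an image altered during analysis (first byte -> "X")
    return digest, bad, len(img.getvalue()), ok_before, verify_image(img, digest)
```

The returned tuple gives the acquisition hash, the list of bad sectors, the padded image size, and the verify result before and after the alteration.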
RECONSTRUCTING THE FILE SYSTEM
▪ Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
▪ This makes the entire task of analysis easier.
MAKING THINGS EASIER
▪ With tools like Live View it is even possible to recreate the entire scenario, i.e. the actual operating system, on a virtual machine.
▪ Live View is only compatible up to XP.
▪ The tools to really look at for this are:
▪ Mount Image Pro and Virtual Forensic Computing
HIDDEN DATA
▪ Slack Space
▪ ADS streams
▪ Steganography
▪ Hidden Partitions
▪ Unallocated space
▪ Modified file extensions
▪ Metadata
FILE CARVING
EXTRACTING HIDDEN DATA
▪ While imaging or cloning a disk an exact copy is made and hence the hidden data remains as it is.
▪ There is no specific tool for the extraction of hidden data and hence we need to perform manual analysis on the image or the disk using hex editors
▪ Eg: WinHex
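Added example, not from the slides: a minimal header/footer carver for JPEG and PNG run over a constructed blob standing in for unallocated space, plus the magic-byte check that catches a modified file extension (file names and bytes are made up).

```python
SIGNATURES = {  # header, footer, bytes after the footer that still belong to the file
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),  # the IEND chunk ends with a 4-byte CRC
}

def carve(blob):
    """Scan raw bytes (unallocated space or slack from an image) for files by signature.
    Caveat: a JPEG with an embedded EXIF thumbnail contains an inner FFD9, so this
    naive footer match can cut such a file short; real carvers parse the structure."""
    found = []
    for kind, (head, tail, extra) in SIGNATURES.items():
        start = 0
        while True:
            s = blob.find(head, start)
            if s < 0:
                break
            e = blob.find(tail, s + len(head))
            if e < 0:
                break  # header without footer: truncated or overwritten file
            end = e + len(tail) + extra
            found.append((kind, s, blob[s:end]))
            start = end
    return sorted(found, key=lambda f: f[1])  # by offset in the blob

def sniff_type(data):
    """Identify content by magic bytes; renaming the extension does not change these."""
    for kind, (head, _, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return None

def extension_mismatch(name, data):
    """True when the magic bytes say one type and the file name claims another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    real = sniff_type(data)
    return real is not None and ext != real

def demo():
    """Constructed blob: zero filler around a minimal fake JPEG and a minimal fake PNG."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 25 + b"IEND" + b"\xaeB`\x82"
    blob = b"\x00" * 40 + jpg + b"\x00" * 17 + png + b"\x00" * 30
    carved = [(kind, off, len(data)) for kind, off, data in carve(blob)]
    return carved, extension_mismatch("notes.txt", png)
```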
ANALYZING ENCRYPTED MATERIAL
▪ While performing analysis on disks and images there is a very good chance that we come across encrypted data.
▪ This creates a problem for a forensic analyst.
▪ Even though there are tools and techniques to break encryption, we sometimes fail to do so.
PASSWORD CRACKING TECHNIQUES
▪ A series of attacks are carried out to break encryption:
▪ Brute Force Attack
▪ Dictionary Attack
▪ Known Plaintext Attack
▪ Rainbow Table Attack
▪ Tools: A variety of stand-alone as well as online tools are available that help with cracking encrypted files.
▪ AZPR
▪ AOPR
▪ Decryptum (online)
▪ Passware Kit
HIGH-END ENCRYPTION
▪ If we come across files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
▪ In such cases the farthest we can go is to look for the keys on the machine.
▪ From a culprit's point of view steganography is something that stands beyond cryptography.
▪ This is because detecting steganography manually is a big challenge for any individual.
▪ And with not enough tools on the market to detect steganography, it makes the job even more tiresome.
▪ Different tools use different algorithms for hiding data, and one can easily develop a steganography algorithm; it is not a big task. That makes detection difficult.
DEALING WITH STEGANOGRAPHY
Confidential information
THE OOPS MOMENT!!
▪ Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
▪ StegDetect
▪ StegSecret
WHAT IS NETWORK FORENSICS?
▪ Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
▪ Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
WHY NETWORK FORENSICS?
▪ Why does network forensics play an important role?
▪ Network forensics can reveal whether the network or the machine from which the crime was committed was compromised or not, which can turn out to be really handy in some cases.
TOOLS
▪ tcpdump
▪ Wireshark
▪ NetworkMiner
▪ Snort
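Added example, not from the slides: the per-flow summary an analyst would pull from a capture with tcpdump or Wireshark, implemented as a small pcap reader run over a constructed capture (all addresses, ports and frames are made up; the second flow is the kind of unusual destination port an investigator would flag for closer review).

```python
import socket
import struct
from collections import Counter

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian pcap (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, enough for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4

def tcp_flows(pcap):
    """Walk the pcap records and sum captured bytes per (src, dst, dport) TCP flow,
    the same first view an analyst gets from tcpdump or Wireshark's conversations."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    counts, off = Counter(), 24  # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        counts[(src, dst, dport)] += incl
    return dict(counts)

def demo():
    """Constructed capture: one HTTPS session plus a second session to an unusual port."""
    pcap = build_pcap([
        (1, tcp_frame("10.0.0.5", "192.0.2.10", 49152, 443, b"hello")),
        (2, tcp_frame("10.0.0.5", "192.0.2.10", 49152, 443, b"x" * 100)),
        (3, tcp_frame("10.0.0.5", "198.51.100.7", 49153, 4444, b"beacon")),
    ])
    return tcp_flows(pcap)
```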
THANK YOU
Happy Hacking!!!