Date posted: 17-Dec-2014
Category: Technology
Uploaded by: avinash-singh
Live and Non-live Forensics
Applied Cyber Forensics
By: Catalyst
Digital Evidence
• Searching
• Collecting
• Preserving
• Examining
Live Forensics
What is live forensics? Why do we need live forensics?
• Evidence may exist only in RAM (main memory) and is lost when the machine is powered off.
• A file on an encrypted volume is accessible in unencrypted form while the suspect is using it.
• The paging file could be lost (it may be cleared or overwritten at shutdown).
Conducting a Live Forensic Examination
Three steps:
1. Retrieval of volatile data
2. Forensic imaging of a live system
3. Evidence retrieval using portable tools
Retrieval of Volatile Data
Volatile Evidence Retrieval Tool [vertool.exe]
• Portable (run from a USB drive).
• Creates a folder named Reports.
• Reports contains 12 text files:
• Arp.txt
• Boot_configuration.txt
• Driver_list.txt
• Event_triggers.txt
• Exe_ports.txt
• File_associations.txt
• Gp_settings.txt
• Mac.txt
• network_config.txt
• Process_list.txt
• Stats.txt
• System_info.txt
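A collector in the spirit of vertool.exe, added here as an example; it is not vertool.exe and not the slide author's code. The table mapping ten of the twelve report names to Windows commands is an assumption about what such a tool runs, ordered so that the most volatile data (ARP cache, open ports, processes) is captured first, and every report is hashed into a SHA-256 manifest so the output can be authenticated later:

```python
"""Volatile-data collector (added example, not vertool.exe).

Runs a table of read-only commands, writes each output to <outdir>/<name>.txt
and records a SHA-256 manifest so the reports can be verified later.
"""
import hashlib
import json
import platform
import subprocess
import sys
import time
from pathlib import Path

# Assumed command table: report names from the slide -> Windows commands.
# Most volatile first: the ARP cache and open ports change by the second.
WINDOWS_COMMANDS = {
    "Arp": ["arp", "-a"],
    "Exe_ports": ["netstat", "-ano"],
    "Process_list": ["tasklist", "/v"],
    "network_config": ["ipconfig", "/all"],
    "Mac": ["getmac", "/v"],
    "Stats": ["netstat", "-s"],
    "Driver_list": ["driverquery", "/v"],
    "Boot_configuration": ["bcdedit", "/enum"],
    "Gp_settings": ["gpresult", "/r"],
    "System_info": ["systeminfo"],
}


def run_capture(cmd, timeout=60):
    """Run one command and return its combined stdout/stderr as bytes.
    A missing tool or a hang is recorded in the report instead of aborting
    the whole collection, so the remaining volatile data is still captured."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        return proc.stdout + proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"[collector error: {exc}]".encode()


def collect(commands, outdir="Reports"):
    """Run every command, write <outdir>/<name>.txt, return the manifest."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"host": platform.node(), "started": time.time(), "reports": {}}
    for name, cmd in commands.items():
        data = run_capture(cmd)
        (out / f"{name}.txt").write_bytes(data)
        manifest["reports"][name] = {
            "command": " ".join(cmd),
            "sha256": hashlib.sha256(data).hexdigest(),
            "bytes": len(data),
            "collected_at": time.time(),
        }
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir="Reports"):
    """Re-hash each report against the manifest; return names that changed."""
    out = Path(outdir)
    manifest = json.loads((out / "manifest.json").read_text())
    mismatched = []
    for name, meta in manifest["reports"].items():
        digest = hashlib.sha256((out / f"{name}.txt").read_bytes()).hexdigest()
        if digest != meta["sha256"]:
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    if platform.system() != "Windows":
        sys.exit("the default command table targets Windows; pass your own table to collect()")
    m = collect(WINDOWS_COMMANDS)
    print(f"{len(m['reports'])} reports written; mismatches after re-check: {verify()}")
```

Run it from the USB drive as the slide suggests, and keep the manifest with the reports: the `collected_at` timestamps document the order of acquisition, and `verify()` shows whether any report was altered after collection.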
Forensic Imaging of a Live System
WinHex is used.
It copies sectors from a disk into an uncompressed, unsplit, raw, header-less image file (a dd-style image).
To copy main memory, the ManTech Physical Memory Dump Utility (mdd) is used.
Caveat: on a running system the disk changes underneath the copy, so record the start and end times of the acquisition and hash the image immediately afterwards.
Evidence Retrieval Using Portable Tools
Tools run from CD-ROM or USB for quick evidence analysis.
AdapterWatch shows: IP addresses, hardware (MAC) address, WINS servers, DNS servers, MTU value, number of bytes received or sent, current transfer speed, TCP/UDP/ICMP statistics.
Other portable tools:
• CurrPorts, CurrProcess
• Clipboardic, InsideClipboard
• MyUninstaller
• MyLastSearch, NetResView
• MacMatch, MacAddressView
• OpenedFilesView, RecentFilesView
Other Live Forensic Tools
Browser forensic tools: ChromeCacheView, ChromePass, IECacheView, IEHistoryView, IECookiesView, IE PassView, MozillaCacheView, MozillaHistoryView, MozillaCookiesView, FavoritesView
Data recovery software: FDRS [Free Data Recovery Software], DiskDigger
Password recovery tools: WirelessKeyView, Dialupass, MessenPass, Network Password Recovery, VNCPassView, Mail PassView, Encryption Analyzer
Caveat: every tool run on the live machine changes it (prefetch entries, registry keys, page-file contents), so run them from read-only media, log the order and time of each run, and hash their output files.
Non-Live Forensics
What is non-live forensics? Examination of a powered-off system, working only on a forensic image of its storage.
WinHex is mainly used.
Cloning and imaging is done sector by sector, including slack space.
The image created by WinHex should be mathematically authenticated using a suitable hash function [MD5, SHA-256]. MD5 is no longer collision resistant, so record SHA-256 (and MD5 too only where lab procedure requires it); any later copy of the image must reproduce the same value.
We can also split and concatenate the image for ease of storage; the reassembled image must hash to the same value as the original.
Analyzing for Digital Forensics
The first step is to boot a working copy of the evidence image, never the original.
Live View: the investigator should first attempt to "boot" the image in a virtual machine environment using it.
X-Ways Forensics
• It can automatically create reports.
• Case files use the .xfc extension.
Modus Operandi
1. The disk drive of a computer is imaged.
2. The hash value of this image is computed.
3. This image is split into parts so that they can be stored on CDs for easy archival.
4. The parts are later concatenated for analysis. The hash value of the concatenated parts is also computed and must match the value from step 2.
5. The image is then analyzed to recover exe files.
6. Search for the suspected file.
7. The free (unallocated) space is gathered.
8. The slack space is gathered.
9. The text in the slack space is recovered.
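The hash, split, concatenate and re-hash procedure from the Non-Live Forensics slide and the Modus Operandi above, carried through on a raw header-less image, as an added example (not WinHex or X-Ways code, and not the slide author's). It covers steps 2 to 5 and 8 to 9; the image itself, the sector and cluster sizes and the fake PE inside it are constructed test data, and steps 6 and 7 (searching for a particular file, gathering free space) are left to the analyst:

```python
"""Non-live analysis pipeline (added example, not WinHex or X-Ways code).

Operates on a raw, header-less image file. The image built below is
constructed test data; SECTOR and CLUSTER are assumed geometry.
"""
import hashlib
import re
from pathlib import Path

SECTOR = 512
CLUSTER = 4 * SECTOR  # assumed cluster size, needed to locate slack space


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-GB images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def split_image(path, part_size):
    """Step 3: write <image>.001, .002, ...; return [(part_path, sha256)]."""
    parts = []
    with open(path, "rb") as f:
        for n, data in enumerate(iter(lambda: f.read(part_size), b""), start=1):
            part = Path(f"{path}.{n:03d}")
            part.write_bytes(data)
            parts.append((part, hashlib.sha256(data).hexdigest()))
    return parts


def concatenate(parts, out_path):
    """Step 4: rebuild the image from its parts, in order; return its sha256.
    Each part is checked against its own recorded hash before it is appended."""
    h = hashlib.sha256()
    with open(out_path, "wb") as out:
        for part, expected in parts:
            data = Path(part).read_bytes()
            if hashlib.sha256(data).hexdigest() != expected:
                raise ValueError(f"part {part} does not match its recorded hash")
            out.write(data)
            h.update(data)
    return h.hexdigest()


def carve_exe_offsets(image):
    """Step 5: offsets of candidate PE files. A bare 'MZ' is not enough: the
    e_lfanew field at +0x3C must point at a 'PE\\0\\0' signature."""
    found = []
    for off in range(0, len(image) - 0x40, SECTOR):
        if image[off:off + 2] != b"MZ":
            continue
        pe = off + int.from_bytes(image[off + 0x3C:off + 0x40], "little")
        if image[pe:pe + 4] == b"PE\x00\x00":
            found.append(off)
    return found


def slack_text(image, file_offset, file_size, min_len=4):
    """Steps 8-9: the bytes between logical EOF and the end of the file's last
    cluster, then the printable ASCII runs that earlier data left there."""
    logical_end = file_offset + file_size
    clusters = -(-file_size // CLUSTER)  # ceiling division
    slack = image[logical_end:file_offset + clusters * CLUSTER]
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, slack)]


def build_test_image():
    """Constructed 32 KiB image: a fake PE at sector 2, a stray 'MZ' at
    sector 5, and a short text file whose last cluster still holds old data."""
    img = bytearray(16 * CLUSTER)
    pe_off = 2 * SECTOR
    img[pe_off:pe_off + 2] = b"MZ"
    img[pe_off + 0x3C:pe_off + 0x40] = (0x80).to_bytes(4, "little")
    img[pe_off + 0x80:pe_off + 0x84] = b"PE\x00\x00"
    img[5 * SECTOR:5 * SECTOR + 2] = b"MZ"  # no PE header: must be rejected
    txt_off, body = 8 * CLUSTER, b"quarterly report v2\n"
    img[txt_off:txt_off + len(body)] = body
    old = b"\x00\x00old draft: transfer to offshore acct\x00\x00"
    img[txt_off + len(body):txt_off + len(body) + len(old)] = old
    return bytes(img), pe_off, txt_off, len(body)


def run_pipeline(workdir, part_size=5 * CLUSTER):
    """Run the procedure on the constructed image; return what each step produced."""
    work = Path(workdir)
    image, pe_off, txt_off, txt_len = build_test_image()
    img_path = work / "evidence.dd"
    img_path.write_bytes(image)                        # step 1 (stand-in for acquisition)
    original = sha256_file(img_path)                   # step 2
    parts = split_image(img_path, part_size)           # step 3
    rebuilt = concatenate(parts, work / "rebuilt.dd")  # step 4
    if rebuilt != original:
        raise ValueError("reassembled image does not match the original hash")
    data = (work / "rebuilt.dd").read_bytes()
    return {
        "image_sha256": original,
        "parts": [p.name for p, _ in parts],
        "rebuilt_sha256": rebuilt,
        "exe_offsets": carve_exe_offsets(data),             # step 5
        "slack_text": slack_text(data, txt_off, txt_len),   # steps 8-9
    }


if __name__ == "__main__":
    import tempfile
    print(run_pipeline(tempfile.mkdtemp()))
```

Two points the slide's steps leave implicit: per-part hashes let you tell which CD went bad when the concatenated image fails to match, and an `MZ` at a sector boundary is only a candidate until its `e_lfanew` pointer lands on a real `PE\0\0` header, which is why the stray signature at sector 5 is not reported.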
Analyzing Active Data
Active data: data that is open and directly visible through the file system (allocated files, running programs).
Active data can be password protected or encrypted.
Methods for password recovery: dictionary attack, brute force attack.
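The two recovery methods side by side, as an added example (not the slide author's code and not any of the listed tools). The target is a salted SHA-256 of the password, an assumed scheme chosen only so the example runs stand-alone; real document and archive formats use their own key derivation, which is what `hash_password()` would be replaced with. The dictionary attack runs first because a few thousand guesses with mangling rules are cheaper than an exhaustive search over a keyspace that grows as charset size to the power of length:

```python
"""Dictionary and brute-force password recovery (added example)."""
import hashlib
import itertools
import string

SALT = b"constructed-salt"  # assumption: demo scheme, not a real file format


def hash_password(pw):
    """Assumed hash of the protected data's password; swap in the real KDF."""
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


def mangle(word):
    """Cheap rules that catch the most common human variations of a word."""
    return [word, word.capitalize(), word + "1", word + "123", word + "!"]


def dictionary_attack(target, wordlist):
    """Try every wordlist entry and its mangled forms; return the password or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate) == target:
                return candidate
    return None


def brute_force(target, charset, max_len):
    """Exhaust every string over charset up to max_len; return (password, tries)."""
    tries = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tries += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target:
                return candidate, tries
    return None, tries


def keyspace(charset_size, max_len):
    """Number of candidates brute force must cover in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def recover(target, wordlist, charset, max_len):
    """Dictionary first, brute force only if that fails; return (password, method)."""
    pw = dictionary_attack(target, wordlist)
    if pw is not None:
        return pw, "dictionary"
    pw, _ = brute_force(target, charset, max_len)
    return (pw, "brute-force") if pw is not None else (None, "not found")


# Constructed wordlist and targets for the demo.
WORDLIST = ["password", "letmein", "welcome", "dragon"]
CHARSET = string.ascii_lowercase + string.digits

if __name__ == "__main__":
    print(recover(hash_password("welcome1"), WORDLIST, CHARSET, 3))
    print(recover(hash_password("ab7"), WORDLIST, CHARSET, 3))
    print("worst case for 3 chars over 36 symbols:", keyspace(len(CHARSET), 3))
```

The `keyspace()` figure is what decides whether brute force is realistic at all: 36 symbols and length 3 is under fifty thousand hashes, but the same charset at length 8 is over 2.8 trillion, and a real key derivation function makes each of those guesses thousands of times slower than a bare SHA-256.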
Latent Data
• deleted files
• memory dumps
• slack space
• swap files
• temporary files
• printer spool files
• metadata
Thank you