Home >Documents >Digital Forensics Worry about data loss

Digital Forensics Worry about data loss

Date post:25-Feb-2016
View:23 times
Download:0 times
Share this document with a friend
OWASP AppSec Washington DC 2009. Digital Forensics Worry about data loss. Motashim Al Razi OWASP member [email protected] What is Digital Forensics?. Branch of forensic science – uses scientific method - PowerPoint PPT Presentation

Presentation Title

OWASP AppSecWashington DC 2009Digital ForensicsWorry about data lossMotashim Al Razi

OWASP member

[email protected]

The OWASP Foundationhttp://www.owasp.orgCopyright The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.2What is Digital Forensics? Branch of forensic science uses scientific methodThe preservation, recovery, analysis and reporting of digital artifacts including information stored on: Computer/laptop systems (hard drives)Storage media (USBs, CDs, DVDs, cameras, etc.)Mobile phonesElectronic documentsTypically used reactively, move toward proactiveReactive: court cases, incident responseProactive: mobile app security audits, continuous forensic monitoringStorage DevicesThere are 3 main types of storage devices used today:Hard-disk drive (HDD) Contains a spinning magnetic drive used to store non-volatile data.Solid-state drive (SSD) Contains internal microchips for the purpose of storing non-volatile data.NAND Flash memoryTypically found in smart phones, USB thumb drivers and other portable devicesNot removable like typical HDD or SSDVery unique characteristics from standard HDD (limited writes/erase)In constant state of change (FTL)

3Acquisition strategiesForensics Analysts can acquire/receive data 3 different waysBackup Files- Backup files are provided from the custodian. This could include backup software from corporations, PST file, iTunes backup, etc.Logical Acquisition A copy of the file system is created (i.e. tar.gz of / or recursive copy that preserves date/time) Physical AcquisitionCreates an exact digital replica of the storage mediumCan recover deleted dataThis process requires specialized analysis tools and techniques Drive management firmware may still affect acquisition (FTL, bad blocks, etc.)4Image VerificationHash value A calculated hex signature based on a set of data.A hash value can be used to verify forensic image integrity. One slight change in source will cause avalanche effect in hash valueIn order to prove that two data sets are identical, their hash values must match.In some instances, hash values are not stable (NAND Flash) so a hash of the data as its extracted is taken but wont necessarily match if source is imaged again. Common hash techniquesmad5 (128-bit value)Sha256 (256-bit value)md5 of Andrew Hoog = 9bdbad9aecd74fce6e6bb48ee18100b856


How to acquire a forensic imageIf possible, connect drive to a physical write blocker This prevents any writes to the driveThere are software techniques but not as effectiveGenerally, impossible with NAND Flash devices Forensically acquire device with softwareOpen source: dd, dcfldd and dc3ddFree: FTK imager and many othersCommercial: FTK, EnCase, etc.Perform verification of source and image with hash signature and record in Chain of Custody.8

Digital evidenceWhat Constitutes Digital Evidence?Any information being subject to human intervention or not, that can be extracted from a computer.Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.Computer Forensics ExamplesRecovering thousands of deleted emailsPerforming investigation post employment terminationRecovering evidence post formatting hard drive Performing investigation after multiple users had taken over the system

9Reasons For EvidenceWide range of computer crimes and misusesNon-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: Theft of trade secretsFraudExtortionIndustrial espionagePosition of pornographySPAM investigationsVirus/Trojan distributionHomicide investigationsIntellectual property breachesUnauthorized use of personal informationForgeryPerjury

10Reasons For Evidence (cont)Computer related crime and violations include a range of activities including:Business Environment: Theft of or destruction of intellectual propertyUnauthorized activityTracking internet browsing habitsReconstructing EventsInferring intentionsSelling company bandwidthWrongful dismissal claimsSexual harassmentSoftware Piracy

11Who Uses Computer Forensics?Criminal ProsecutorsRely on evidence obtained from a computer to prosecute suspects and use as evidenceCivil LitigationsPersonal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination casesInsurance Companies and Banking sectorEvidence discovered on computer can be used to mollify costs (fraud, workers compensation, arson, etc)When an entity is compromised and CHD has been stolen then the entity must be investigated by an authorized forensic company. (Commonly referred to as a QIRA or QFI)Private CorporationsObtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement casesLaw Enforcement OfficialsRely on computer forensics to backup search warrants and post-seizure handlingIndividual/Private CitizensObtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

12How do computer forensics relate to Law enforcement?13Case StudyBanking Industry Executive Level Financial FraudCase Study Digital ForensicsCase Type Internal Corporate FraudEnvironment Complex Multi-Location Network andDesktop computer forensicsIndustry Banking

14Scenario:A large accounting firm was hired to audit certain activitiesrelated to loans to individuals on the Board of Directors of amedium size, publicly traded bank (the Bank). During the Audit, the auditors needed to examineseveral computer systems used by certain Bank employees as well as by certain Board Members.digital forensic examiners were immediately dispatched and sent in to arrange for the forensicanalysis of the computer systems and to search for corroborating evidence in support of the auditteams suspicions and findings. The systems analysts forensically analyzed included laptopcomputers issued to managers in the loan origination department, desktop systems used bymanagers and board members. Email (Exchange) servers as well as Voicemail Systems were examined

15Existing law for digital forensics in BangladeshThere is a specific version in ICT act-2006.8th chapter, part-2No. 68: Cyber tribunal Implementation, criminal investigation, trial, Appeal etc.Part-3, No. 82: Cyber Appeal tribunal.

16International GuidelineNational Institute of Science and Technology NISTAssociation of Chief Police Officers ACPO (UK)It is a major part of IS auditing. 17Summary & Conclusion

Popular Tags:

Click here to load reader

Embed Size (px)