TOTAL POLICING

Computer Forensics

Securing and Analysing Digital Information

Aims

• What is a computer?
• Where is the evidence?
• Why is digital forensics important?
• Seizing evidence
• Encryption
• Hidden files and folders
• Live acquisitions
• Dead box acquisitions
• Forensic image, processing analysis and results
• Forensic tools – how they work
• File structure, metadata, exif data
• Bookmarks and reports
• Lab costs

What is a computer?

• Desktops
• Laptops
• Tablets
• Phones
• Storage

Where is the evidence?

• Properties
• People
• Companies
• Internet
• Cloud
• International jurisdictions
• Corporate networks

Why is digital forensics important?

What can we recover?

• Word
• Excel
• PowerPoint
• Adobe PDF
• Email
• Pictures
• Internet
• Contacts
• Calendar
• Location data
• Time and date
• Illegal content
• Associates

Seizing evidence

• Switched on? Call an expert!
• Switched off? Bag it!

Encryption

• Where is the password?
• Encryption may prevent data recovery
• Specialist techniques and training are required
• If the computer is switched on, call an expert
• Specialist software and hardware are required
• This is why live acquisition is important!

Freedom of Information Act

Protective Marking Publication Scheme Y/N:

Title:

Summary:

Branch / OCU:

Date created: Review date: Version:

Author:


Keyspace Demonstration

Hidden Files and Folders

• Hidden files are difficult to find
• Specialist software is required
• What software is being used?
• If the computer is switched on, call an expert
• This is why live acquisition is important!


Hidden Picture Demonstration

Live Acquisition

Why not turn it off and bag it?

• Triage the evidence
• Allows us to recover volatile data: RAM (Random Access Memory)

RAM can contain:

• Recent activity
• Passwords
• Programs
• Decryption
• Hidden files

How? Specialist forensic tools

Live Acquisition: Specialist Forensic Tools


EnCase Portable Demonstration

Deadbox Acquisition

Switched off? Bag it! What do we do with it? Create a forensic image.

How?

• Remove the hard drive and image it using forensic imagers
• What if you can't remove the hard drive? Image using forensic software; the computer may have a special boot mode

Deadbox Acquisition: Forensic Imagers

• Provide a bridge between the source media and the destination media
• Provide write protection for the evidence


Memory Card Acquisition Demonstration

Forensic Image

What is a forensic image?

• A protected data container
• Given a unique identifier (hash)
• The hash is important for exhibit continuity

Image file types: .E01, .L01, .Lx01, .Ex01, .AD1

Consists of:

• File name
• Text file
• Case info
• Notes
• Data blocks
• Hash
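As an added example (not from the slides and not any forensic tool vendor's code), the following Python shows the role the hash plays in exhibit continuity: the image is hashed chunk by chunk at acquisition, and the same digests are recomputed later to confirm the exhibit is unchanged. The image bytes, the algorithm list and the byte position that gets flipped are all constructed for the demonstration.

```python
# Added example (not from the slides or any forensic tool): computing and
# re-verifying the acquisition hash that gives a forensic image its identity.
# The image bytes below are constructed here and are not real evidence.
import hashlib
import hmac
from typing import Dict, Iterable

CHUNK_SIZE = 64 * 1024  # hash in 64 KiB pieces so a multi-terabyte image never sits in RAM

# Constructed stand-in for an acquired disk image: a few "sectors" of filler.
CONSTRUCTED_IMAGE = (b"\x00" * 510 + b"\x55\xaa") * 8 + bytes(range(256))


def hash_image(data: bytes, algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Return the hex digest of the whole image for each algorithm, computed chunk by chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk = data[offset:offset + CHUNK_SIZE]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Recompute each digest recorded at acquisition and report whether it still matches.

    Any change to the image, even a single bit, makes at least one entry False; that is the
    property the examiner relies on to show the exhibit is the same as when it was acquired.
    """
    current = hash_image(data, tuple(recorded))
    return {name: hmac.compare_digest(current[name], recorded[name]) for name in recorded}


def continuity_demo():
    """Hash the constructed image, then verify an untouched copy and a copy with one bit flipped."""
    acquisition_hashes = hash_image(CONSTRUCTED_IMAGE)
    untouched = verify_image(CONSTRUCTED_IMAGE, acquisition_hashes)
    tampered = bytearray(CONSTRUCTED_IMAGE)
    tampered[700] ^= 0x01          # simulate an accidental write to the working copy
    altered = verify_image(bytes(tampered), acquisition_hashes)
    return acquisition_hashes, untouched, altered


if __name__ == "__main__":
    hashes, ok, bad = continuity_demo()
    for name, digest in hashes.items():
        print(f"{name}: {digest}")
    print("untouched copy verifies:", all(ok.values()))
    print("altered copy verifies:", all(bad.values()))
```

Hashing in chunks matters because real images are far larger than memory; recording more than one algorithm means a collision in one of them does not undermine the continuity record.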

Processing, Analysis and Results: Forensic Tools

• EnCase Examiner
• Forensic Tool Kit (FTK)
• Internet Evidence Finder (IEF)

Forensic Tools – How they work: Examining file structures

All file types have a formal data structure:

• Headers
• Footers
• Information inside the file
• File identifiers
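The header and footer check the slide refers to, written out as an added Python example (not code from the slides, EnCase or FTK): each file is identified by the bytes it starts and ends with, and that result is compared with the extension in its name. The signature table, the expected-extension map and the sample "files" are constructed for the demonstration.

```python
# Added example (not from the slides or from EnCase/FTK): identifying a file by its header
# and footer bytes instead of trusting its name, the signature check forensic tools run over
# every file. The sample "files" are constructed byte strings, not real evidence.
from typing import Dict, List, Optional, Tuple

# (type name, header bytes, footer bytes or None when the format has no fixed trailer)
SIGNATURES: List[Tuple[str, bytes, Optional[bytes]]] = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x00;"),
    ("pdf", b"%PDF-", b"%%EOF"),
    ("zip", b"PK\x03\x04", None),   # also the container for DOCX/XLSX/PPTX
]

# File extensions an examiner would expect to see on each content type.
EXPECTED_EXTENSIONS: Dict[str, set] = {
    "jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the signature whose header (and footer, when one is defined) matches, else None."""
    for name, header, footer in SIGNATURES:
        if not data.startswith(header):
            continue
        # Tolerate a little slack after the footer, as carved or padded files often have.
        if footer is None or footer in data[-(len(footer) + 16):]:
            return name
    return None


def check_extension(filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """Identify the content and report whether the filename's extension agrees with it.

    (None, False) means no known signature; ("jpeg", False) is the classic mismatch of a
    picture renamed to look like something else, which the tools flag for review.
    """
    kind = identify(data)
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind, kind is not None and extension in EXPECTED_EXTENSIONS[kind]


# Constructed samples carrying only the magic values; contents are otherwise filler.
SAMPLES: Dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9",
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9",    # a JPEG renamed as text
    "report.pdf": b"%PDF-1.7\n" + b"x" * 30 + b"\n%%EOF\n",
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "readme.md": b"# plain text, no signature",
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[Optional[str], bool]]:
    """Run the signature/extension check over every sample."""
    return {name: check_extension(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, matches) in scan().items():
        print(f"{name:14} content={kind or 'unknown':8} extension agrees={matches}")
```

The signature table here is deliberately short; production tools carry hundreds of entries and also use the footer to find where a carved file ends in unallocated space.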

Forensic Tools – How they work: Examining the Master File Table

A record of all the files stored on a drive:

• Size
• File name
• File type
• Location
• Created
• Accessed
• Modified
• Deleted


FTK Memory Card Demonstration

Metadata and Exif Data

Information within a picture file. What do we get?

• Times and dates
• Author
• GPS location
• Camera make and model
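To show where the items on this slide actually live inside a picture file, here is an added Python example (not from the slides and not a library's code) that walks a JPEG's segments, finds the APP1/Exif block and reads the make, model, date, author and GPS tags from its TIFF directories. The JPEG it reads is constructed in-memory by the same block, so every tag value (camera name, date, coordinates) is invented sample data.

```python
# Added example (not from the slides or any forensic tool): a minimal Exif reader that
# walks a JPEG's segments, finds the APP1/Exif TIFF block and reads IFD0 plus the GPS IFD.
# The JPEG it reads is constructed in-memory below; the tag values are invented sample data.
import struct
from typing import Dict, List, Tuple

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x013B: "Artist",
             0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
             0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
GPS_IFD_POINTER = 0x8825
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def _read_ifd(tiff: bytes, offset: int, endian: str) -> Dict[int, object]:
    """Parse one IFD: 2-byte entry count, then 12-byte entries (tag, type, count, value/offset)."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    tags: Dict[int, object] = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                       # small values are stored inline in the entry
            raw = tiff[entry + 8:entry + 8 + size]
        else:                               # otherwise the entry holds an offset from the TIFF header
            data_offset = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
            raw = tiff[data_offset:data_offset + size]
        if typ == 2:
            tags[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            tags[tag] = [struct.unpack(endian + "II", raw[j:j + 8]) for j in range(0, size, 8)]
        elif typ == 4:
            tags[tag] = struct.unpack(endian + "I", raw)[0]
        else:
            tags[tag] = raw
    return tags


def extract_exif(jpeg: bytes) -> Dict[str, object]:
    """Return named Exif tags from IFD0 and the GPS IFD, or {} when the JPEG carries no Exif."""
    if not jpeg.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):      # start of scan / end of image: no more metadata
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        pos += 2 + length                   # segment length includes its own two length bytes
    if tiff is None:
        return {}
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    result = {TAG_NAMES.get(t, hex(t)): v for t, v in ifd0.items() if t != GPS_IFD_POINTER}
    if GPS_IFD_POINTER in ifd0:
        gps = _read_ifd(tiff, ifd0[GPS_IFD_POINTER], endian)
        result.update({TAG_NAMES.get(t, hex(t)): v for t, v in gps.items()})
    return result


def to_decimal_degrees(dms: List[Tuple[int, int]], ref: str) -> float:
    """Convert the Exif degrees/minutes/seconds rationals to signed decimal degrees."""
    degrees, minutes, seconds = [num / den for num, den in dms]
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def _build_ifd(entries: List[Tuple[int, int, int, bytes]], ifd_offset: int) -> bytes:
    """Lay out an IFD at ifd_offset (big-endian), appending out-of-line values after the table."""
    table, data = struct.pack(">H", len(entries)), b""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack(">I", data_start + len(data))
            data += payload
        table += struct.pack(">HHI", tag, typ, count) + value
    return table + struct.pack(">I", 0) + data  # zero = no next IFD


def build_constructed_jpeg() -> bytes:
    """Build a tiny JPEG (SOI, APP1/Exif, EOI) with constructed camera, author, date and GPS tags."""
    def ascii_tag(s: str): b = s.encode() + b"\0"; return 2, len(b), b
    def rationals(vals): return 5, len(vals), b"".join(struct.pack(">II", n, d) for n, d in vals)
    ifd0 = [(0x010F,) + ascii_tag("ConstructedCam"), (0x0110,) + ascii_tag("Model-X"),
            (0x0132,) + ascii_tag("2024:05:01 10:30:00"), (0x013B,) + ascii_tag("Example Author")]
    gps = [(0x0001,) + ascii_tag("N"), (0x0002,) + rationals([(51, 1), (30, 1), (0, 1)]),
           (0x0003,) + ascii_tag("W"), (0x0004,) + rationals([(0, 1), (7, 1), (30, 1)])]
    pointer = lambda off: (GPS_IFD_POINTER, 4, 1, struct.pack(">I", off))
    gps_offset = 8 + len(_build_ifd(ifd0 + [pointer(0)], 8))   # GPS IFD follows IFD0 and its data
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + _build_ifd(ifd0 + [pointer(gps_offset)], 8) \
        + _build_ifd(gps, gps_offset)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `extract_exif(build_constructed_jpeg())` returns the make, model, date, artist and GPS entries; `to_decimal_degrees` turns the degrees/minutes/seconds rationals into the signed decimal coordinates a mapping tool accepts. The reader ignores tag types it does not know and returns nothing at all for a JPEG without an APP1 segment, which is the common case for pictures that have passed through a messaging app that strips metadata.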


Exif Data Demonstration

Processing, Analysis and Results: Bookmarks and Reports

• Highlight files
• Add comments
• Attach files
• Export to reports

Lab Costs

In-house:

• Staff
• Equipment
• Training

Versus:

• Contractors

Summary

• What is a computer?
• Where is the evidence?
• Why is digital forensics important?
• Seizing evidence
• Encryption
• Hidden files and folders
• Live acquisitions
• Dead box acquisitions
• Forensic image, processing analysis and results
• Forensic tools – how they work
• File structure, metadata, exif data
• Bookmarks and reports
• Lab costs
