Digital Forensics - Forward Defense

Digital Forensics

Forward Defense’s team is composed of highly skilled experts in training, digital investigations, computer forensics, information security and risk assessments. The frontline team is supported by a staff of leading subject matter experts and a proven team of corporate partners.

Forward Defense’s executives are professionals with extensive background in the government and commercial sectors, including:

We have conducted international cyber forensics engagements in many countries, including:

• Canada
• USA
• Mexico
• Barbados
• Colombia
• Trinidad
• Brazil
• Senegal
• UK
• Switzerland
• Poland
• Germany
• Greece
• Libya
• Kazakhstan
• Turkey
• Jordan
• Egypt
• KSA
• UAE
• Japan
• Bangladesh
• Thailand
• Malaysia
• Indonesia
• Philippines
• Australia


Certifications

Our personnel hold numerous industry certifications, including:

• Certified Information Systems Professional (CISSP)
• Microsoft Certified System Engineer (MCSE)
• IACIS Certified Forensic Computer Examiner (CFCE)
• Guidance Software EnCase Certification (EnCE)

Publications

Our team has authored leading textbooks that are used by security practitioners around the globe.


Partners

Forward Defense has teamed with key partners, and our strong working relationship with these companies helps ensure state-of-the-art training and services.


Digital Forensics Services

We offer forensics and incident response training:

• Windows Computer Forensics
• Unix/Linux Forensics
• Large Device and Server Forensics
• Network Forensics
• Mobile Phone Forensics
• Apple Macintosh Forensics

In addition to training we also offer:

• Forensics Lab Development
• CERT Program Development
• Incident Response
• Direct Forensics Services
• Forensics Readiness Audits
• Security Gap Analysis


Computer Forensics

This is the process of collecting and analyzing digital data in a manner that preserves the original data to the greatest extent possible. It is imperative that the results of this process are reproducible and quantifiable.

• Static Data - Traditional, offline analysis of media
• Memory - Acquisition and analysis of random access memory
• Network - Analysis of remote systems
• Binary - Reverse engineering malware behavior


Static Data Forensics

• Traditional approach: “dead box” analysis
• Utilize write blockers to protect original evidence
• Integrity verified through hash analysis

The process:

• SECURE the media
• PROTECT from alteration
• IMAGE the media
• VERIFY integrity of image
• ANALYZE the image
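As an added example, not Forward Defense's tooling, the IMAGE and VERIFY steps in Python: the source is opened read-only (the software counterpart of a write blocker) and hashed as it is copied, and the image is then checked against both the acquisition hash and a fresh hash of the original. The sample media, its size and the single-byte alteration at the end are constructed for the demonstration.

```python
"""Image media and verify the copy with hashes (the IMAGE and VERIFY steps).
Added illustration, not Forward Defense's tooling; the "media" is a constructed
sample file written to a temporary directory."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large media never sits in RAM

def hash_file(path):
    """SHA-256 of a whole file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_media(source, image):
    """Copy source to image bit for bit, hashing the bytes as they are read.
    The source is opened read-only; a hardware write blocker enforces the same
    rule below the operating system."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return {"bytes": copied, "acquisition_sha256": h.hexdigest()}

def verify_image(source, image, record):
    """VERIFY: the image must match the acquisition hash and a fresh hash of the
    original, showing that neither the copy nor the original has changed."""
    return hash_file(image) == record["acquisition_sha256"] == hash_file(source)

def demo():
    """Acquire a constructed 3 MiB 'drive', verify it, then detect a tampered image."""
    d = tempfile.mkdtemp()
    media, image = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.img")
    with open(media, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # constructed sample media
    record = image_media(media, image)
    ok = verify_image(media, image, record)
    with open(image, "r+b") as f:  # flip one byte of the copy to simulate alteration
        f.seek(CHUNK)
        original = f.read(1)
        f.seek(CHUNK)
        f.write(bytes([original[0] ^ 0xFF]))
    return ok, verify_image(media, image, record), record["bytes"]
```

In practice the acquisition hash is written to the evidence log together with the examiner, time and tool used, so the VERIFY step can be repeated by anyone who later handles the image.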


Memory Forensics

Sophisticated attacks may not write to non-volatile media and therefore it is necessary to seek out information stored in volatile memory.

• Active network connections
• Running processes
• Clipboard data
• Unsaved data
• User IDs and passwords

Investigators must be aware that the act of collecting data from a running system’s memory will itself alter that data, and must weigh the trade-off between preserving data and collecting it.


Network Forensics

In network environments, relevant data may be contained on more than one computer system. To add to this complexity, some critical servers cannot be shut down to be imaged. Therefore digital forensics teams must use log data, connection data, security appliance data and other sources to seek out clues to additional systems of interest.

• Live Acquisition - Acquiring non-volatile data from running systems
• Log Analysis - Using transaction logs to determine systems of interest
• Live Analysis - Performing analysis or scans of systems before imaging
• Traffic Analysis - Forensic analysis of data in motion across the network
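As an added example of the Log Analysis step, not Forward Defense's tooling, a time-aware pivot over constructed firewall-style connection records: starting from one known-compromised host, only allowed outbound connections made after a host was first suspected flag the destination as a further system of interest, so earlier connections, denied connections and inbound traffic are ignored. The record format and addresses are constructed for the demonstration.

```python
"""Pivot through connection logs to find further systems of interest.
Added illustration of the Log Analysis step above, not Forward Defense's
tooling; the records below are constructed and use a key=value format."""
from collections import deque
from datetime import datetime

# constructed sample: firewall-style connection records (unordered on purpose)
SAMPLE_LOG = """\
2024-03-01T09:00:00 action=allow src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp
2024-03-01T09:02:10 action=allow src=10.0.0.9 dst=10.0.0.20 dport=3389 proto=tcp
2024-03-01T09:03:00 action=allow src=10.0.0.21 dst=10.0.0.9 dport=443 proto=tcp
2024-03-01T08:55:00 action=allow src=10.0.0.9 dst=10.0.0.30 dport=22 proto=tcp
2024-03-01T09:10:00 action=deny src=10.0.0.20 dst=10.0.0.40 dport=445 proto=tcp
2024-03-01T09:12:00 action=allow src=10.0.0.20 dst=10.0.0.50 dport=5985 proto=tcp
"""


def parse_line(line):
    """Turn one record into a dict; the leading timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def systems_of_interest(log_text, seed, seed_time, max_hops=3):
    """Time-aware breadth-first pivot from one known-compromised host.
    A host becomes of interest when an already-flagged host made an allowed
    connection to it after that flagged host's own first-suspect time; earlier
    or denied connections cannot have carried activity onward from it.
    Returns {host: (hops_from_seed, first_suspect_time_iso)}."""
    records = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                     key=lambda r: r["ts"])
    flagged = {seed: (0, datetime.fromisoformat(seed_time))}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        hops, since = flagged[host]
        if hops >= max_hops:
            continue
        for r in records:
            if (r["src"] == host and r["action"] == "allow"
                    and r["ts"] >= since and r["dst"] not in flagged):
                flagged[r["dst"]] = (hops + 1, r["ts"])
                queue.append(r["dst"])
    return {h: (n, t.isoformat()) for h, (n, t) in flagged.items()}
```

Each flagged host carries the hop count and the time it first became suspect, which is the list of additional systems to acquire or analyze live and the earliest point in their own logs worth examining.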


Binary Forensics

• Static Analysis of binary files, performed by examining strings, associated libraries or DLLs, and other indicators of behavior

• Dynamic Analysis of binary files, where the executable code is run in a virtual or sandboxed environment to record network and disk activity to determine behavior

• Reverse engineering of the binary through a debugger and similar software tools


Binary Forensics Analysis

• Internet Activity
• Active Files
• Deleted Files
• Accessed Files
• Timelines
• Remote Connections
• Malicious Binaries
• Attack Vectors
• Infection Signatures

Applications

The digital forensics process can be applied to a wide range of problems. Media of all types can be analyzed and the data examined for a variety of applications. These investigations can be split into three sections:

User Investigation

• Employee misconduct investigations
• Criminal investigations
• Mobile phone content
• Computer-based communication

Incident Response

• Determining scope of a compromise
• Developing signatures
• Mitigating damage
• Detecting attack vector

Data Discovery

• Compliance with court orders to produce documents
• Internal security audits and compliance