Let's do some Autopsy!!

Digital Forensics

Description: Memory Forensics, Network Analysis


Page 1: Digital Forensics

Page 2

AUTOPSY

REALLY?

Page 3

Page 4

BUT CLOSE…

Page 5

Page 6

• What is forensics
• Why forensics
• Anti-forensics
• How to become a forensics expert
• Some terms
• Computer forensics
• Memory analysis
• Volatile/non-volatile
• Encryption/steganography
• Network analysis
• Hands-on challenges

Page 7

Vikas Jain

[email protected] | Follow me at @ervikey

Page 8

• Forensics is related to courts and trials, i.e. to answering questions related to the legal system.
• Computer forensics helps answer whether a digital device is part of a cyber crime or the victim of a cyber crime.
• The purpose is to find evidence which can prove, in a court case, what was done on the system.
• Five aspects:
  • IF
  • WHO
  • WHAT
  • WHEN
  • WHY

Page 9

• Fraud
• Drug trafficking
• Child pornography
• Espionage
• Copyright infringement

CYBER-ATTACKS:
• Discover what was lost
• Recover deleted data
• Discover entry point

Page 10

• A set of techniques used as countermeasures to forensic analysis
• Ex. Full-disk encryption
  • TrueCrypt on Linux, Windows and OSX
  • FileVault 2 on OSX
  • BitLocker on Windows
• File erasers
  • AbsoluteShield File Shredder
  • Heidi Eraser
  • Permanent Eraser

Page 11

Page 12

TOO DAMN EASY!!

Page 13

• Operating Systems
• File System
• Disk Partitioning
• Networking
• Memory Management

Page 14

And of course a little of these…

Page 15

• Collect evidence and present in the court
• Search and seize the equipment
• Conduct preliminary assessment to search for evidence
• Find and interpret the clues left behind
• Determine if an incident had occurred

Page 16

• Acquisition
• e-discovery
• Chain of custody
• Expert witness
• First responder

Page 17

• Branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.
• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.

Computer Forensics:
• Memory Analysis
• Network Data Analysis
• Document or file analysis
• OS Analysis
• Mobile Analysis
• Database Analysis

Page 18

Hardware:
• Removable HD enclosures or connectors with different plugs
• Write blockers
• A DVD burner
• External disks
• USB2, FireWire, SATA and e-SATA controllers, if possible

Software:
• Multiple operating systems
  • Linux: extensive native file system support
  • VMs running various Windows versions (XP, Vista, 7, 8)
• Forensics toolkits
  • E.g., SleuthKit http://www.sleuthkit.org
  • WinHex
  • Internet Evidence Finder

Page 19

Non-Volatile Memory
• Stored data does not get erased when powered off
• Ex. HDD, SSD, CD, DVD, USB sticks

Volatile Memory
• Requires power to maintain the stored data
• Ex. RAM, pagefiles, swap, caches, processes

Page 20

• It's extremely important to understand this
• Trying to obtain the data may alter it
• Simply doing nothing is also not good
  • A running system continuously evolves
• The Heisenberg Uncertainty Principle of data gathering and system analysis
• As you capture data in one part of the computer you are changing data in another
  • Use write blockers

Page 21

Data type                                   Lifetime
Registers, peripheral memory, caches, etc.  nanoseconds
Main memory                                 nanoseconds
Network state                               milliseconds
Running processes                           seconds
Disk                                        minutes
Floppies, backup media, etc.                years
CD-ROMs, printouts, etc.                    tens of years

Page 22

• RAM contains the most recent data such as processes, open files, network information, recent chat conversations, social network communications, currently open web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.
• Tools to be used:
  • Belkasoft Live RAM Capturer
  • Memory DD
  • MANDIANT Memoryze

Page 23

• Data is stored permanently on the disk.
• Shift + Delete will NOT remove it.
• If data is deleted, there ARE tools to recover it.
• It is all based on the type of file system being used:
  • NTFS, FAT, ext, HFS…

Page 24

• dd
    dd if=/dev/sda1 of=/dev/sdb1/root.raw
• dcfldd
    dcfldd if=/dev/sda1 hash=md5 of=/dev/sdb1/root.raw
  (the of= destination must be a file on a mounted evidence drive; a bare block device node such as /dev/sdb1 cannot hold a file)
• ProDiscover
• EnCase
• FTK
• Sleuth Kit (Autopsy)
• WinHex

Page 25

• After a clone or an image is made, it is very important to make a hash of it.
• After the complete analysis of the disk or image, we calculate the hash again.
• This is important because we need to prove in court that the evidence has not been tampered with.
• Currently Indian courts accept SHA-256.
• Tools for calculating hashes: WinHex, Sleuthkit, EnCase.
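The dd acquisition on the previous slide together with the before/after hashing described here, as an added example that is not part of the deck: a constructed 1 MiB file stands in for /dev/sda1, the SHA-256 digest (the one the slide says courts accept) is recorded at acquisition time and re-checked after analysis. It assumes GNU coreutils (dd, sha256sum) on a Linux host.

```shell
#!/bin/sh
# Added example (not from the slides): acquire an image with dd, record its
# SHA-256 at acquisition time, and re-verify after analysis. A constructed
# 1 MiB file stands in for /dev/sda1 so this runs without a real device.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sda1.bin"        # stand-in for the evidence partition
IMG="$WORK/root.raw"        # the forensic image

# constructed "evidence": zeros with a recognisable marker at offset 4096
dd if=/dev/zero of="$SRC" bs=1024 count=1024 2>/dev/null
printf 'constructed-evidence-marker' | dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null

# acquire: bit-for-bit copy, then hash the image and store the digest next
# to it (dcfldd can do both in one step with its hash= and hashlog= options)
acquire() {
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
  sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# verify: recompute the digest after analysis and compare with the recorded one
verify() {
  recorded=$(cat "$1.sha256")
  current=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$recorded" = "$current" ]; then echo OK; else echo TAMPERED; fi
}

# the source must hash identically to the image, proving a faithful copy
source_matches_image() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$2.sha256")" ] && echo yes || echo no
}

acquire "$SRC" "$IMG"
echo "acquisition hash:      $(cat "$IMG.sha256")"
echo "source matches image:  $(source_matches_image "$SRC" "$IMG")"
echo "verify after analysis: $(verify "$IMG")"
```

Any change to the image after acquisition, even a single byte, makes verify report TAMPERED, which is exactly the property the chain-of-custody hash is meant to give you.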

Page 26

• Tools like WinHex, Sleuth Kit, EnCase etc. allow you to rebuild the file system so that you can look at the files as they were on the machine.
• This makes the entire task of analysis easier.

Page 27

• With tools like Live View it is even possible to recreate the entire scenario, i.e. the actual operating system, on a virtual machine.
• Live View is only compatible up to Windows XP.
• The tools really worth looking at for this are:
  • Mount Image Pro and Virtual Forensic Computing

Page 28

• Slack space
• Alternate Data Streams (ADS)
• Steganography
• Hidden partitions
• Unallocated space
• Modified file extensions
• Metadata
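One way an examiner spots the "modified file extensions" item above, as an added example that is not part of the deck: compare a file's leading magic bytes with what its extension claims. The signature table is a small constructed subset (PNG, JPEG, PDF, ZIP); in practice the file command or a full magic database covers far more, and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the slides): detect renamed files by comparing the
# leading magic bytes with the extension. The signature table is a small
# constructed subset; real examiners use `file` or a full magic database.
set -eu

# print the file type implied by the first bytes, or "unknown"
magic_type() {
  sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
  case "$sig" in
    89504e470d0a1a0a*) echo png ;;
    ffd8ff*)           echo jpg ;;
    25504446*)         echo pdf ;;
    504b0304*)         echo zip ;;   # docx/xlsx/jar share this container
    *)                 echo unknown ;;
  esac
}

# print the lower-cased extension ("jpeg" normalised to "jpg"), or "none"
ext_of() {
  name=${1##*/}
  case "$name" in
    *.*) e=$(echo "${name##*.}" | tr 'A-Z' 'a-z') ;;
    *)   e=none ;;
  esac
  case "$e" in jpeg) e=jpg ;; esac
  echo "$e"
}

# MATCH when extension and magic agree, MISMATCH when a known magic
# contradicts the extension, UNKNOWN when the signature is not in the table
check_ext() {
  m=$(magic_type "$1"); e=$(ext_of "$1")
  if [ "$m" = unknown ]; then echo UNKNOWN
  elif [ "$m" = "$e" ]; then echo MATCH
  else echo MISMATCH; fi
}

# constructed samples: a PNG header saved under a .txt name, a real PDF header,
# and a plain text file whose signature is not in the table
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '\211PNG\r\n\032\n' > "$WORK/notes.txt"
printf '%%PDF-1.4\n' > "$WORK/report.pdf"
printf 'plain text\n' > "$WORK/readme.txt"

for f in "$WORK"/*; do echo "$f: $(check_ext "$f")"; done
```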

Page 29

Page 30

• While imaging or cloning a disk an exact copy is made, and hence the hidden data remains as it is.
• There is no specific tool for the extraction of the hidden data, and hence we need to perform manual analysis on the image or the disk using hex editors.
• Eg: WinHex

Page 31

• While performing analysis on disks and images there is a very good chance that we come across encrypted data.
• This creates a problem for a forensic analyst.
• Even though there are tools and techniques to break encryption, we sometimes fail to do so.

Page 32

• A series of attacks are carried out to break encryption:
  • Brute force attack
  • Dictionary attack
  • Known plaintext attack
  • Rainbow table attack
• Tools: a variety of stand-alone as well as online tools are available which help us crack encrypted files.
  • AZPR
  • AOPR
  • Decryptum (online)
  • Passware Kit

Page 33

• If we come across any type of encrypted files or data that have been encrypted with tools like PGP, TrueCrypt etc., it becomes really difficult from the forensics point of view to get through.
• In such cases the farthest we can go is to look for the keys on the machine.

Page 34

• From a culprit's point of view, steganography is something that goes beyond cryptography.
• This is because detecting steganography manually is a big challenge for any individual.
• And with not enough steganography-detection tools on the market, the job becomes even more tiresome.
• Different tools use different algorithms for hiding data, and one can easily develop a new steganography algorithm; it is not a big task. That makes detection difficult.

[Image: "Confidential information"]

Page 35

• Speaking of the tools used for steganalysis, these tools may sometimes give you false positives as well.
  • StegDetect
  • StegSecret

Page 36

• Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
• Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information.
• Why does network forensics play an important role?
• Network forensics can reveal whether the network, or the machine from which the crime was committed, was itself compromised, which can turn out to be really handy in some cases.

Page 37

• tcpdump
• Wireshark
• NetworkMiner
• Snort

Page 38

Activity:
• Find as much information as you can…

Page 39

Happy Hacking!!!