
4n6 guide

Digital Forensics Life Cycle

Evidence Acquisition



Forensically sound disk images are files containing the structure and contents of a disk storage device or a volume from sources such as solid state disks, optical disc or USB flash drive. A court admissible forensic physical disk image is a sector-by-sector copy of a medium where a digital fingerprint (aka “hash value”) was calculated during the acquisition process, and the imaging process did not alter the source medium. With the hash value in hand, copies of the images can be provided for litigation purposes and the integrity can be verified by rerunning the digital fingerprint and comparing hash values.
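The hash-during-acquisition workflow described above, as an added example that is not part of the original page: the source is read sector by sector and hashed as it is copied, the digest is recorded, and a later re-hash of any copy either matches (integrity intact) or fails (the copy was altered). The "medium" is a constructed in-memory byte string, and the 512-byte sector size is an assumption; on real hardware a write blocker provides the read-only guarantee that `io.BytesIO` reads give here.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def acquire_image(source, dest, sector_size=SECTOR_SIZE, algorithm="sha256"):
    """Copy `source` to `dest` one sector at a time, hashing every byte as it
    is read. Returns (hex digest, number of sectors copied). The source is
    only ever read, which is the 'did not alter the source medium' property;
    on physical media a hardware write blocker enforces it."""
    h = hashlib.new(algorithm)
    sectors = 0
    while True:
        chunk = source.read(sector_size)
        if not chunk:
            break
        h.update(chunk)
        dest.write(chunk)
        sectors += 1
    return h.hexdigest(), sectors


def verify_image(image, expected_digest, sector_size=SECTOR_SIZE, algorithm="sha256"):
    """Re-hash an image copy and compare it with the digest recorded at
    acquisition. True only if every byte is identical to what was acquired."""
    h = hashlib.new(algorithm)
    while True:
        chunk = image.read(sector_size)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest() == expected_digest


def demo():
    # Constructed 8-sector "medium": a boot-sector-like header, some file
    # content, then zero padding like the unused tail of a disk.
    payload = b"MBR" + b"\x00" * (SECTOR_SIZE - 3) + b"file contents" * 100
    source_bytes = payload + b"\x00" * (8 * SECTOR_SIZE - len(payload))

    # Acquisition: the source is only read; the image copy is written.
    source = io.BytesIO(source_bytes)
    image = io.BytesIO()
    digest, sectors = acquire_image(source, image)

    # Verification of an untouched copy reproduces the acquisition hash.
    ok_pristine = verify_image(io.BytesIO(image.getvalue()), digest)

    # Flipping a single bit in one sector of a working copy breaks the match,
    # which is how an altered copy handed over for litigation would be caught.
    tampered = bytearray(image.getvalue())
    tampered[3 * SECTOR_SIZE + 7] ^= 0x01
    ok_tampered = verify_image(io.BytesIO(bytes(tampered)), digest)

    # The source itself is byte-for-byte unchanged by the acquisition.
    source_untouched = source.getvalue() == source_bytes
    return {"digest": digest, "sectors": sectors, "pristine_ok": ok_pristine,
            "tampered_ok": ok_tampered, "source_untouched": source_untouched}


if __name__ == "__main__":
    print(demo())
```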

Evidence Analysis



This function involves the interpretation of the collected information in order to find artifacts supporting the case particulars. The analysis may be centered on file and application access times; identification of destroyed documents, and misappropriation of intellectual property such as document copying to USB devices, e-mail accounts or Cloud storage.

Documentation & Reporting



Defensible documentation demands disciplined event recording at the outset and generally begins with a chain of custody form. Documentation continues on throughout the life cycle of the engagement to log details regarding the evidence acquisition and analysis phases. Comprehensive case reports will encompass a scope, executive summary, chain of custody information, evidence acquisition details, detailed findings and supporting exhibits.

Source: http://www.4n6hub.com/cyber-forensics/

Applying Forensic Science to Computers:



Figure 1: Computer system hacking. Computer forensics has been essential in convicting many well known criminals, including terrorists, sexual predators, and murderers. Courtesy of Wikimedia.
Computer forensics integrates the fields of computer science and law to investigate crime. For digital evidence to be legally admissible in court, investigators must follow proper legal procedures when recovering and analyzing data from computer systems. Unfortunately, laws written before the era of computer forensics are often outdated and cannot adequately assess the techniques used in a computer system search. The inability of the law to keep pace with technological advancements may ultimately limit the use of computer forensics evidence in court. Privacy advocates are growing especially concerned that computer searches may be a breach of a suspect’s human rights. Furthermore, as methods for encryption and anonymity grow more advanced, technology may be abused by helping criminals hide their actions. Ultimately, the role of technology in computer forensics may not reach its full potential due to legal boundaries and potential malicious intentions.
Computer forensics has been indispensable in the conviction of many well-known criminals, including terrorists, sexual predators, and murderers. Terrorist organizations may use the Internet to recruit members, and sexual predators may use social networking sites to stalk potential victims. However, most criminals fail to cover their tracks when using technology to implement their crimes. They fail to realize that computer files and data remain on their hard drive even when deleted, allowing investigators to track their criminal activity. Even if criminals delete their incriminating files, the data remains in a binary format due to “data remanence” or the residual representation of data (1). File deletion merely renames the file and hides it from the user; the original file can still be recovered (2).
Eventually, data may be overwritten and lost due to the volatile nature of memory, a storage area for used data. A random access memory chip (RAM) retrieves data from memory to help programs to run more efficiently. However, each time a computer is switched on, the RAM loses some of its stored data. Therefore, RAM is referred to as volatile memory, while data preserved in a hard drive is known as persistent memory. The RAM is constantly swapping seldom used data to the hard drive to open up space in memory for newer data. Over time, though, the contents in the swap file may also be overwritten. Thus, investigators may lose more evidence the longer they wait since computer data does not persist indefinitely. Fortunately, computer scientists have engineered equipment that can copy the computer’s contents without turning on the machine. The contents can then be safely used by lawyers and detectives for analysis (2).
Global Position System (GPS) software embedded in smartphones and satellite navigation (satnav) systems can also aid prosecutors by tracking the whereabouts of a suspect. Since companies that develop software for computer forensics also develop products for satellite navigators, they are well-equipped with the tools and technology necessary for acquiring GPS evidence.
However, the evidence that can be recovered from GPS software is limited to only a list of addresses. Current GPS software does not record the time when the address was archived, whether the address was inputted by a person or automatically recorded, or whether the owner’s intent for entering the address was associated with the crime. Despite these limitations, GPS evidence has still been crucial to the success of many prosecutions. In one famous example, four armed suspects accused of robbing a bank in the United Kingdom were convicted because each suspect owned a vehicle whose satnav held incriminating evidence, including the bank’s address and the addresses of the other three suspects. The Scottish National High-Tech Crime Unit searched a suspect’s TomTom, a GPS device, to obtain thousands of addresses that the vehicle passed by. Many of the addresses turned out to be the scenes of criminal offenses (3). In 2011, U.S. forces successfully found the Pakistani compound where Osama bin Laden was killed by tracking satellite phone calls made by his bodyguard (4).
While GPS evidence on its own may not be enough to establish a motive, GPS evidence can still provide invaluable leads or confirm a hunch. For example, contact lists, language preferences, and settings all may be used to establish a suspect’s identity or identify accomplices. Evidence from GPS software and mobile devices can be a valuable supplement to other forms of evidence (3).
Some criminals have grown more cautious by hiding incriminating data through encryption techniques. However, according to Andy Spruill, senior director of risk management for Guidance Software, most criminals “don’t have the knowledge or patience to implement [encryption software] on a continued-use basis.” The minority of criminals who do encrypt their files may only use partial encryption. If only a few files on a hard drive are encrypted, investigators can analyze unencrypted copies found elsewhere on the device to find the information they are seeking. Furthermore, since most computer users tend to reuse passwords, investigators can locate passwords in more easily decipherable formats to gain access to protected files. Computer data are also oftentimes redundant – Microsoft Word makes copies each time a document is modified so that deleting the document may not permanently remove it from the hard drive. With so many forms of back-up, it is difficult for criminals to completely delete incriminating computer evidence (5).
While investigators can exploit computer system glitches to obtain evidence, technological limitations can often compromise a computer search. A common protocol for handling a mobile device found at a crime scene is to turn the power off. Investigators want to preserve the battery and prevent an outside source from using the remote wipe feature on the phone’s contents. When the phone is turned off, the phone cannot receive text messages and other data that may overwrite the evidence currently stored in the device. However, turning off the device has its own consequences, potentially causing data to be lost and downloaded files to be corrupted (1).
To solve such problems, computer engineers have developed technology for shielding a device from connecting to a cellular carrier’s network. Computer forensic scientists no longer need to turn off the device to isolate it. For example, radio frequency (RF) shielded test enclosure boxes help keep signals from entering or leaving the device. A Faraday bag, used in conjunction with conductive mesh, can also isolate a mobile device. Using these techniques, investigators can safely transport mobile devices to the lab while the device is turned on (1).
However, GPS software and Faraday bags are not foolproof. A cell phone isolated in a Faraday bag may adamantly search for a signal, depleting the phone’s battery power. When searching for a network, cell phones are also losing data (1).

Figure 2: Radio frequency bag with iPhone inside for reducing data loss. These bags keep radio signals from entering or leaving the device. Courtesy of Wikimedia.
According to Professor David Last of University of Bangor, Wales, errors in locating signals may range up to 300 meters when obstructions are present. While “95 percent of [GPS] measurements fall within 5 metres of the true position” in clear and open areas, large geographical barriers and skyscrapers may severely block and reflect satellite signals. Interference from solar weather may also disrupt signals. Criminals even purposely use jammers to disrupt tracking systems. Investigators must carefully audit communications channels and monitoring systems used in tracking systems. In doing so, they can better avoid skepticism from the jury by being able to give a clearer and more precise estimate of the amount of error afflicting GPS measurements. Otherwise, the defense can suppress the GPS evidence if the measurements are significantly faulty and unreliable (3).
While the Fourth and Fifth Amendments were written long before the era of computers, both concepts still apply to the practice of computer forensics. The amendments serve to protect basic human rights by preventing unreasonable search and seizure and self-incrimination. In the case of United States v. Finley, the defendant claimed that “a cell phone was analogous to a closed container,” suggesting that investigators should exercise the same restraint and caution in searching cell phones as they would in a bag or a private home. Generally, investigators must first obtain a search warrant, which is typically given by the court in order to obtain and preserve evidence that can be easily destroyed (1). However, exceptions to the rule have been observed in United States v. Ortiz; investigators legally retrieved telephone numbers of “finite memory” from a suspect’s pager without a warrant because the contents of the pager can be easily altered when incoming messages overwrite currently stored data. Searches without a warrant “incident to arrest” are permissible because they help to prevent fragile data of evidentiary value from being lost (6). They consist mostly of scanning the device’s contents using the keyboard and menu options. More advanced searches incident to arrest may include the use of a mobile lab, which allows for the immediate download of cellular phone data (7). However, according to United States v. Curry, searches “incident to arrest” can only be conducted “substantially contemporaneous with the arrest” (1). If investigators want to conduct further post-arrest forensic analysis, proper legal authorization must first be obtained (7).
Proper legal procedures are often vague and burdensome for investigators, especially since laws may vary from state to state. Some states may have a stricter policy regarding warrantless searches. In United States v. Park, the court ruled that since cell phones can hold a greater quantity of data than pagers, their contents are less likely to be lost; a warrantless cell phone search is thus unnecessary and unjustified. Similarly, in United States v. Wall, the court decided that “searching through information stored on a cell phone is analogous to a search of a sealed letter” (6). Even if investigators manage to obtain a search warrant, the evidence they find may still be suppressed if their forensic procedures fail to follow legal procedures. For example, looking through unopened mail and unread texts or not carefully documenting the chain of custody may constitute an improper search (1). With so many boundaries and inconsistencies in the legal system, it is often difficult for investigators to successfully perform their jobs.
Different state and national legal systems plague computer forensics as well. When an Estonian was charged with computer crimes in 2007, Russia refused to provide legal cooperation because it had not criminalized computer crimes yet. Russia received severe Distributed Denial of Service attacks for its lack of cooperation (8).
In addition to a faulty legal system, the accessibility of advanced technology may be afflicting computer forensics. The North Atlantic Treaty Organization (NATO) defines cyber terrorism as “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or to intimidate a society into an ideological goal” (8). As computer systems grow more powerful, criminals may also abuse computer systems to commit crimes such as software theft, terrorism, and sexual harassment (9). For example, stalkers can abuse the Tor Project, an anonymizing tool for victims of cybercrimes to safely report abuses, to instead hide their identities when they commit crimes of harassment. The technology is too advanced for the digital trail of cybercrimes to be tracked. As encryption programs grow stronger and more popular, forensic investigators may no longer be able to decode the hidden digital evidence.
Conclusion
For computer forensics to progress, the law must keep pace with technological advancements. Clear and consistent legal procedures regarding computer system searches must be developed so that police and investigators can be properly trained. An International Code of Ethics for Cyber Crime and Cyber Terrorism should also be established to develop protocols for “obtaining and preserving evidence, maintaining the chain of custody of that evidence across borders,” and “clear[ing] up any difference in language issues.” Following these measures may be the first steps to resolving the technological and legal limitations afflicting computer forensics. Interpol, the International Criminal Police Organization, has developed a Computer Crime Manual with “training courses” and “a rapid information exchange system” that serves as a foundation for international cooperation (8). Lastly, the criminal abuse of technology can be limited by equipping the police department with state-of-the-art training and equipment for forensic analysis. Only then is the world safely prepared to face the future of technology. As one author predicts, “the next world war will be fought with bits and bytes, not bullets and bombs” (8).


FOR500: Windows Forensic Analysis focuses on building in-depth digital forensics knowledge of Microsoft Windows operating systems. You can't protect what you don't know about, and understanding forensic capabilities and artifacts is a core component of information security. You will learn how to recover, analyze, and authenticate forensic data on Windows systems, track particular user activity on your network, and organize findings for use in incident response, internal investigations, and civil/criminal litigation. You will be able to use your new skills to validate security tools, enhance vulnerability assessments, identify insider threats, track hackers, and improve security policies. Whether you know it or not, Windows is silently recording an unbelievable amount of data about you and your users. FOR500 teaches you how to mine this mountain of data.
Proper analysis requires real data for students to examine. The completely updated FOR500 course trains digital forensic analysts through a series of new hands-on laboratory exercises that incorporate evidence found on the latest Microsoft technologies (Windows 7, Windows 8/8.1, Windows 10, Office and Office365, cloud storage, SharePoint, Exchange, Outlook). Students leave the course armed with the latest tools and techniques and prepared to investigate even the most complicated systems they might encounter. Nothing is left out - attendees learn to analyze everything from legacy Windows 7 systems to just-discovered Windows 10 artifacts.
FOR500: Windows Forensic Analysis will teach you to:
  • Conduct in-depth forensic analysis of Windows operating systems and media exploitation focusing on Windows 7, Windows 8/8.1, Windows 10, and Windows Server 2008/2012/2016
  • Identify artifact and evidence locations to answer critical questions, including application execution, file access, data theft, external device usage, cloud services, geolocation, file download, anti-forensics, and detailed system usage
  • Focus your capabilities on analysis instead of on how to use a particular tool
  • Extract critical answers and build an in-house forensic capability via a variety of free, open-source, and commercial tools provided within the SANS Windows SIFT Workstation
FOR500 is continually updated. The course uses an intellectual property theft and corporate espionage case that took over six months to create. You work in the real world, so your training should include real-world practice data. Our instructor development team used incidents from their own investigations and experiences to create an incredibly rich and detailed scenario designed to immerse students in an actual investigation. The case demonstrates the latest artifacts and technologies an investigator might encounter while analyzing Windows systems. The detailed workbook shows step-by-step the tools and techniques that each investigator should employ to solve a forensic case.
Windows Forensics Course Topics:
  • Windows Operating Systems Focus (Win7, Win8/8.1, Windows 10, Server 2008/2012/2016)
  • Windows File Systems (NTFS, FAT, exFAT)
  • Advanced Evidence Acquisition Tools and Techniques
  • Registry Forensics
  • Shell Item Forensics
    • Shortcut Files (LNK) - Evidence of File Opening
    • Shellbags - Evidence of Folder Opening
    • JumpLists - Evidence of File Opening/Program Exec
  • Windows Artifact Analysis
    • Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
    • E-Mail Forensics (Host, Server, Web)
    • Microsoft Office Document Analysis
    • Windows Recycle Bin Analysis
    • File and Picture Metadata Tracking and Examination
    • Prefetch Analysis
  • Event Log File Analysis
  • Firefox, Chrome, and Internet Explorer Browser Forensics
  • Deleted Registry Key and File Recovery
  • String Searching and File Carving
  • Examination of Cases Involving Windows 7, Windows 8/8.1, and Windows 10
  • Media Analysis and Exploitation involving:
    • Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
    • Identifying if and how the suspect downloaded a specific file to the PC
    • Determining the exact time and number of times a suspect executed a program
    • Showing when any file was first and last opened by a suspect
    • Determining if a suspect had knowledge of a specific file
    • Showing the exact physical location of the system
    • Tracking and analysis of external and USB devices
    • Showing how the suspect logged on to the machine via the console, RDP, or network
    • Recovering and examining browser artifacts, even those used in a private browsing mode
    • Discovering utilization of anti-forensics, including file wiping, time manipulation, and program removal
  • The Course Is Fully Updated to Include Latest Windows 7, 8, 8.1, 10 and Server 2008/2012/2016 Techniques.

FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics and Analysis
Overview
Our journey continues with the Windows Registry, where the digital forensic investigator will learn how to discover critical user and system information pertinent to almost any investigation. Each examiner will learn how to navigate and examine the Registry to obtain user profile data and system data. The course teaches forensic investigators how to prove that a specific user performed keyword searches, ran specific programs, opened and saved files, perused folders, and used removable devices.
Throughout the section, investigators will use their skills in a real hands-on case, exploring the evidence and analyzing evidence.
Exercises
  • Profile a computer system using evidence found in the Registry
  • Profile a user's activities using evidence found in the Registry
  • Examine which programs a user recently executed by examining the UserAssist key in the registry
  • Determine which files a user recently opened via the RecentDocs keys in the registry
  • Examine recently opened Office 365 files and determine first/last open times
  • Find folders recently accessed by a user via the Open/Save keys in the registry
CPE/CMU Credits: 6
Topics
  • Registry Forensics In-Depth
    • Registry Core
      • Hives, Keys, and Values
      • Registry Last Write Time
      • MRU Lists
      • Deleted Registry Key Recovery
    • Profile Users and Groups
      • Discover Usernames and the SID Mapped to Them
      • Last Login
      • Last Failed Login
      • Login Count
      • Password Policy
    • Core System Information
      • Identify Current Control Set
      • System Name and Version
      • Timezone
      • Local IP Address Information
      • Wireless/Wired/3G Networks
      • Geolocation of PC Network History
      • Network Shares and Offline Caching
      • Last Shutdown Time
    • User Forensic Data
      • Evidence of Program Execution
      • Evidence of File Downloads
      • Evidence of File and Folder Access (Shellbag)
      • Office and Office 365 File History Analysis
      • Windows 7, Windows 8 - Windows 10 Search History
      • Typed Paths and Directories
      • Recent Documents (RecentDocs)
      • Open-> Save/Run Dialog Boxes Evidence
      • Application Execution History via UserAssist Keys
    • Tools Used
      • Registry Explorer
      • TZWorks' CAFAE and YARU (Yet Another Registry Utility)



               
