Digital Forensics I (part 4)
4 Dec 2012
Repetition (recap)
- Forensics Science: Legal and scientific.
- Digital evidence: digital data that can refute or support a hypothesis on an incident.
- Evidence dynamics: what operations can change data (read, write, modify, metadata)
- Evidence integrity
- Chain of custody
- Forensics soundness: Using methods and tools of best practice and legal requirements. A practical term.
- Internet investigations: Detecting crimes, how to secure integrity, tracing/attribution, passive vs active methods.
- Examine collected data: Hashing, undelete, decrypt, unzip, known good/bad files.
- Cyber crime: 4 types (child pornography, fraud, hacking/violating network security and piracy): Criminal law, prosecution law, co-operation.
- Order of volatility
- Media analysis: seized evidence, abstraction levels, anomaly detection, "archaeology vs geology". RAID, different media, file systems, HPA, LBA vs CHS, blocks and clusters (on Windows, Mac and Linux). File tables.
- Live forensics: OoV, store evidence remotely, "trusted" tools (kernel, library and binaries). Get running processes, network connections, keys.
- Memory analysis
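The recap points on evidence integrity, chain of custody and known good/bad files fit together in one small routine. The code below is an added example, not from the lecture or any named tool: the evidence bytes and the reference hash sets are constructed inline (real sets would come from a reference library such as NSRL), and the item id and handler names are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence"; in a case this would be a disk image or exported file.
EVIDENCE = b"constructed sample evidence image bytes\n"

# Constructed hash sets standing in for known-good (OS/application files) and
# known-bad (malware) reference sets.
KNOWN_GOOD = {hashlib.sha256(b"constructed known-good file").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad file").hexdigest()}


def sha256_hex(data: bytes) -> str:
    """Digest used as the integrity fingerprint of an evidence item."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(item_id: str, action: str, handler: str, data: bytes) -> dict:
    """One chain-of-custody record: who did what to which item, when, plus the
    digest that lets a later examiner check the item is unchanged."""
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_hex(data),
    }


def verify_integrity(log: list, data: bytes) -> bool:
    """Evidence is intact only if every logged digest matches the current one."""
    current = sha256_hex(data)
    return all(entry["sha256"] == current for entry in log)


def classify(data: bytes) -> str:
    """Known good/bad lookup: drop reference files, flag known malware, keep the rest."""
    h = sha256_hex(data)
    if h in KNOWN_BAD:
        return "known-bad"
    if h in KNOWN_GOOD:
        return "known-good"
    return "unknown"


if __name__ == "__main__":
    log = [custody_entry("E-001", "acquired", "examiner-A", EVIDENCE),
           custody_entry("E-001", "handed over", "examiner-B", EVIDENCE)]
    print(json.dumps(log, indent=2))
    print("integrity ok:", verify_integrity(log, EVIDENCE))
    print("classification:", classify(EVIDENCE))
```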
Future work
- ISO/IEC credible digital evidence (ISO 27037)
- Handling big data
- Internet and network forensics
- Embedded systems acquisition and analysis
- Using the "cloud" in terms of finding evidence and to process evidence. Using the latest technology.
Presentation of 7 groups
- "Trojan did it" defense: Tree cases where this defense has been used, find malware, disprove malware, prove user did it.
- Mobile forensics (ours): iOS versus Android, boot level access, protection bypassing and initial analysis (undelete of files)
- Windows 8 forensics: IE10, mail, messenger, people, skype. Registry and changing of file names.
- Social networks visualization(?): Relations and information flow between nodes, cyber forensics timeline, CFTL vs FTK, A device only has a snapshot of the activity. Timelines concluded to be very important in future forensics work.
- MoonSols: Windows memory dump. Difficult to calculate actual footprint.
- Splunk: Post mortem analysis. Import logs and csv files in this web interface, fast search and easy scripting. Easy to find data across many sources.
- Supertimeline with infographics: Comparison of software that generates timelines from disk images, and how a common standard is missing for import into this kind of software. More reliable if automated tools can do the job now performed by a human (extracting interesting findings).