Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

forensics-presentation

VIEWS: 73 PAGES: 45

									A talk with … Data Clinic,
            Presented by

      Russ Burrows - Director
 Ian Donovan – Forensic Technician
Section 1: Introduction
  About Data Clinic
  Technological Services
      Data Clinic Services:
• Data Clinic provide various
  technological services to public and
  private sectors, including:

  –   Data Recovery
  –   Advanced Data Recovery
  –   Data Conversion
  –   Data Destruction
  –   Online Data Backup
  –   Forensic Investigations
     Data Recovery (DR)
• Data Recovery typically can be completed
  using
   – Hardware Approach
      • Clean Rooms required
          – Without Clean Room Dust and other small particles
            would damage the platter surface
   – Software Approach
      • Commercial Recovery Software or Forensic
        Software can be used

• Tips for DR
   – Avoid attempting to recover the data yourself,
     unless you are fully aware of the procedures.
   – Avoid using Free software or Executing CheckDisk
     as this may render your data inaccessible.
   – Any noises coming from a Drive normally indicates
     a mechanical fault
  Advanced Data Recovery
          (ADR)
Example: Recovery from a Water / Flood
   damaged drive
Process:
     • Fresh flow water treatment and cleaning
     • Platter dismounting & surface treatment
     • Chemical drying in a controlled sealed environment
       for several days
     • Platter surface re-lubrication
     • Mounting and recalibration
        Data Conversion
• Data Clinic can successfully
  transfer data from outdated
  applications and redundant
  formats onto newer, more
  efficient platforms
                Online Back-Up
• Why Back-Up?
     – 80% of all businesses that
       suffer major data loss
       collapse within a few days

• My University
     – Will not accept late
       admission of course work
       because of „data loss‟ they
       wouldn‟t consider this to be
       a valid excuse!



•   http://www.dataclinic.co.uk/data-backup-strategy-
    article.htm
       Data Destruction
        Method of Data               Can the data be
          Removal                     Retrieved ?
     Deleting                      YES
     Deleting from
                                   YES
     recycle bin
     Format                        YES

     Fdisk                         YES
     Overwrite                     Sometimes
     Shredding                     NO [Example]


•   http://www.dataclinic.co.uk/data-wiping-best-practice.htm
      Section 1 Summary
• The Relationship between DR and Forensics
  is strong, why?

   – An element of Forensics is being able to Recover
     Data. From time to time a Forensic Investigation
     may involve damaged media.

• Back-Up, a source for Evidence?

   – If a „suspect‟ uses an online back-up package, a
     wealth of data may be held elsewhere
Section 2: Forensics
  Definition of Digital Forensics
  Types of Investigations
  Equipment
  Documentation and Summary
  Solutions in Recovering Evidence
 Today‟s discussion
                 DIGITAL FORENSICS

Define Digital Forensics ….



           “Digital forensics is the process of
           investigating equipment - typically a
           computer, laptop, server, or office
           workstation - to determine if the
           equipment has been used for illegal,
           unauthorized, or unusual activities.”

http://www.cybersecurityinstitute.biz/forensics.htm
  Types of Investigations
• Prosecutors use Computer Evidence
  everyday to aid in convicting criminals
  involved in:

  –   Fraud
  –   Murder
  –   Drug Trafficking
  –   Child Pornography
  –   Embezzlement
  –   Terrorism
       Types of Investigations
                  - at Data Clinic -

• Data Clinic tend to get involved with:

   –   33% Conflict of Interest
   –   22% Child Pornography
   –   22% Intellectual Property Theft
   –   11% Misuse of Equipment
   –   11% Domestic

   Statistics are based on the last 12 months
       Conflict of Interest



     Employees               Directors
Mr Jones & Mrs White   Mr Jones & Mrs White




      Work at                Work at
    B Brick LTD             W Brick LTD
      Child Pornography
Not all about Images
  – Categories of Explicit Images
    (COPINE)


                      Transaction Server Logs
                                       – MySQL Logs
                                    – Credit Card Logs



Email Logs, Chat Rooms
  – Dialogues with Minors
  – Is there Intent?
Intellectual Property Theft
Removal of Intellectual Property
   – Transferred to Pen Drive
   – Transferred to DVD or CD




           How do you Prove Data Transfer?
                               – Set up Test Machine
                      – Search for a Path String i.e E:\
                             – Research the Registry
                                  – Explore Page File
    Misuse of Equipment
Personal Internet Browsing
  – Is there a Company Policy in
    place for computer use?
  – Has the policy / contract been
    signed by both parties?




                                 Software Piracy
         – Has unauthorised software been installed?
                Domestic
Normally the Suspect Device:
  – Is a home PC or Laptop
  – PDA or Mobile Phone
  – Not always readily available

                                              Try to:
               – Be Sensitive to the Situation in Hand


The Investigation:
   – Can be frustrating
   – The suspecting partner does not always know
     all of the information – patience is a virtue!
               Equipment
• Software
  –   AccessData Forensic Toolkit
  –   Guidance Software EnCase
  –   Paraben Forensics
  –   Helix
  –   Others including X-Ways Forensics

• Hardware
  –   ImageMASSter Solo III Forensic
  –   Tableau SCSI Write Blocker
  –   RoadMASSter-II
  –   FRED, FREDDIE, FRED-SR, FREDL, FREDM &
      FREDC
            Types of Documentation
    Include Forensic
      Report with or
    without a Witness
     Document                         Document              Initial
                                                                                   Call Log /
Processes – so that
        Statement                      findings            Contact                 E-Mail Log
 a Third Party can
  reach the same
    conclusion                                                           NDA /
               Investigate under Instruction                            Forensic             Non
                                                                        Contract
                                                                                          Disclosure
                                                                                          Agreement
       Record
     Check sums                                                Secure Collection
                       Forensically duplicate
      (MD5 or                                                     or Delivery
                          „suspect‟ media
                                                                   of Items          Consignment
      CRC32)
                                                  Photograph                           Paperwork
                                                   equipment
                                                  & document
                                                                              Chain of
                                                                                     from Shipping
                                                                             Custody – Company
                                                             Record Accurate Settings
                                                                          Fax or E-Mail
                                                                            Equipment
                                                             and Layout of for Signature
         Document Summary
•   Initial Contact
     –   Communication Logs
•   NDA / Forensic Contracts
     –   Non Disclosure Agreements
     –   Signatures
•   Secure Collection & Delivery
     –   Consignment Paper Work
     –   Chain of Custody
     –   Signatures
•   Photograph Equipment & Document
     –   Record Accurate data about each device, including the computer‟s serial
         and model numbers
•   Forensically Duplicate Suspect Media
     –   Keep logs of the duplication process and its associated results
•   Investigate Under Instruction
     –   Maintain comprehensive notes, which will form part of your Forensic
         Report
•   Document Findings
     –   Forensic Report, to include the procedures you undertook.
            Solutions
• If the investigation is not as
  straight forward as expected, you
  may need to source alternative
  solutions i.e.
  – Seek advice from vendors
  – Other professionals within the field
  – Social Networking
       Solutions Contd.
• Imagine you have been instructed to
  recover all Microsoft Word Files on
  a suspect disk, within allocated and
  non allocated areas of the disk. One
  method you may use is:

  – File Header Recovery.
  File Header Recovery
• How?
 – Establish the HEX values for the
   .doc extension
   • D0 CF 11 E0 A1 B1 1A E1
 – Execute a File Recovery by Type
 – Select the Extension
   • Or Customize the File Type
 – Set the Max File Size
 – Set the Output Folder
         Section 2 Summary
•   Remember evidence can be found anywhere including the waste
    paper bin.

•   Microsoft Vista BitLocker

     –   A recent article regarding Microsoft Vista suggests upon seizing the
         suspect equipment to verify you have the USB Key that contains the
         startup key in order to boot the protected OS.

•   Documentation is a key part of Forensics.

     –   Document everything you see, say or do.

•   In addition to your Studies, we hope the demonstration of using X-
    Ways Forensics was useful. Explore FileXT for the HEX values of
    file extensions.

•   Occasionally you may have to work around the ACPO guidelines
    and use your own initiative. As long as you can prove your methods
    and demonstrate the evidence you have acquired, this should be
    valid.
Section 3: Client Perspective
  Involving the Client
  Setting Client Expectations
  Establishing a Protocol
  Applicable Costs
Involving the Client

                                Understand
             Keep them happy   the Need for
                               Investigation




Invite them to your                      Include your client
  premises and                        within the Investigation.
 demonstrate your                    Show them what progress
      progress                        you have made so far.




                 Keep them
                Informed at    Re visit the
                 every step      Need for
                 of the way    Investigation
                                                              Some details
                                                             surrounding the
                                                             case may need
                                                              to be verified
 Setting Client Expectations
• Deadlines need to be noted
• Expectations need to be realistic
• Expect complications, as most
  forensic investigations are not „a
  piece of cake‟.
• Allow time to revisit the „need for
  investigation‟.
 Setting Client Expectations Contd.

It is easy to underestimate the time
it takes to undergo a complete
Forensic Investigation. It may mean
your commitment to the job
exceeds that of your contractual
agreement with your employer.

A happy client is likely to return.
    Establishing a Protocol

                     Submit a report if      Establish
What should she do?
                  necessary                  a protocol


TYPICAL DOMESTIC SCENARIO:

        Is this Ethical – you decide?
A Wife suspects her Husband committing adultery, she notices
                                                    Advise not
access to Hotmail and Yahoo web mail andsuspicion & to raise
        Detail your findings                         he denies using
                                                                arrange
       ensuring you follow
them. Her suspicion the
        established protocol
                                                   mobile phone
                            leads her to check his to covertly duplicate and
discovers text messages of an interesting nature.media  the




                                            Investigate
                      Follow correct
                                           under instruction
                       procedures
                                             & obtain key
                                              words from
                                                client
      Applicable Costs
• Witness Statement
• Investigating Under Instruction
  – Usually charged per hour
• Forensic Imaging
  – Usually two images are created of
    each suspect item
• Consultations
  – Teleconferences or Face to Face
 Applicable Costs Contd.
Typically to Investigate Under
Instruction a client could be
expected to pay between £50 –
£250+ per hour. The range is
discretionary to the case in hand,
i.e. home user or business user.
        Section 3 Summary
•   Your client will normally be more than happy to help, invite
    them to your offices – show them your progress, the
    hospitality will help also.

•   Make sure any Expectations set are realistic and can be
    easily managed

     – Any deadlines you feel you cannot meet, let your client know at
       the earliest opportunity. They are usually working to a time
       schedule set by their legal representative.

•   Forensic Investigations are hugely laborious thus can be
    extremely lucrative

     – One Key prerequisite to become a Forensic Investigator is:
       PATIENCE
Section 4: On the Job
  Managing your Workload
  Tips
  Questions
  Working Under Instruction
Managing Your Workload
• Maintain consistent
  communications with your client.
• Have weekly reviews with your
  team to ensure investigations can
  be prioritised
• Keep comprehensive notes – this
  is absolutely critical.
• Ensure your time can be justified
     Tips for On the Job
• Keep one notepad for each
  investigation
• Keep one box file for each
  investigation
• Manage your electronic evidence on
  secure servers and organise your
  space efficiently.
• Keep copies of signed contracts in
  your Box Files and electronic copies
  on your evidence server.
        Ask Questions
• Don‟t be afraid to ask your client
  questions, i.e. How long have you
  worked here for? What is your job
  title? Why are you involved?

• Get their personal thoughts on the
  matter in hand, it might portray
  more perspective.
Working Under Instruction
• It is a better safeguard for all
  involved to work under instruction
  of a legal representative. Typically
  a solicitor will be appointed by the
  Client.
      Section 4 Summary
• It is absolutely important the work you
  complete is under instruction of a legal
  representative.

• Make a habit of asking questions to all
  involved.

• If you have any tips whilst on your placement,
  share them and make the whole process
  smoother. You will learn more this way and at
  the same time will encourage social
  networking amongst like-minded people.
Section 5:
  Summary of Today‟s Presentation
  Download the Presentation
  Recommended Texts
  Q&A Session
                 Summary
• We are able to conclude that:

   – Documentation is a key principle of Digital
     Forensics
   – Accurate accounts of what you see, say or do is
     absolutely paramount
   – You should always work under the instruction of a
     legal representative
   – You should maintain consistent communications
     with your client
   – From time to time you will have to source solutions

• Also we hope you have gained some insight
  into what Forensics is all about in a working
  environment.
               Thank You.
Thank you for Listening.

You may download this presentation from

  www.dataclinic.co.uk/forensics-presentation.ppt


Email
  ian@dataclinic.co.uk
         Recommended Texts
•   Computer forensics : computer crime scene investigation
     –   by Vacca John R
     –   ISBN/ISSN: 1584503890

•   Computer forensics jumpstart , by Michael Solomon and others
     –   by Solomon Michael G
     –   ISBN/ISSN: 078214375X

•   Incident response , by Kenneth R. van Wyk and Richard Forno
     –   by Van Wyk Kenneth R
     –   ISBN/ISSN: 0596001304

•   Investigative data mining for security and criminal detection ,
    Jesús Mena
     –   by Mena Jesus
     –   ISBN/ISSN: 0750676132

•   Software forensics : collecting evidence from the scene of a
    digital crime
     –   by Slade Robert M
     –   ISBN/ISSN: 00714280460071428046
Questions

								
To top