31 July 2020 1 Jayaram P CDAC 31 July 2020 2 Plan Cyber Crime Cyber Forensics Steps Live Forensics 31 July 2020 3 31 July 2020 4 31 July 2020 5 31 July 2020 6 31 July 2020 7 ID: 933265
Download Presentation The PPT/PDF document "Cyber forensics principles" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Cyber forensics principles
31 July 2020
1
Jayaram
P
CDAC
Slide231 July 20202Plan
Cyber Crime
Cyber Forensics StepsLive Forensics
Slide331 July 20203
Slide431 July 20204
Slide531 July 20205
Slide631 July 20206
Slide731 July 20207
Slide831 July 20208
Slide931 July 20209
Slide1031 July 202010
Slide1131 July 202011
Slide1231 July 202012
Slide1331 July 202013
Slide1431 July 202014
Slide1531 July 202015
Slide1631 July 202016
Slide1731 July 202017
Slide1831 July 202018
Slide1931 July 202019
Slide2031 July 202020
Slide2131 July 202021
Slide2231 July 202022
Slide2331 July 202023
Slide2431 July 202024
Slide2531 July 202025
Slide2631 July 202026
Slide2731 July 202027
Slide2831 July 202028
Slide2931 July 202029
Slide3031 July 202030
Slide3131 July 202031
Slide3231 July 202032
Live Forensics
Slide3331 July 202033
Need access to the system
Minimize impact on system.
Some tools leave footprint and hence proper audit/notes to be made.
Timely evidence acquisition and analysis.
Live Forensics - Challenges
Slide3431 July 202034
Retrieval of volatile data
Forensic imaging of live s
ystem
Analysis of evidence collected
Conducting Live
Forensics
Slide3531 July 202035
Want to catch them “in the act”
See how things change (web pages, file access times, registry, memory, etc.)
Want to understand:
How they got in
What they compromised
Where they are
Who they are
Scenario : Ongoing Crime
Slide3631 July 202036
System time
Logged-on
user(s)
Open
files
Network
information
Network
connections
Process
information
Process-to-port
mapping
Process memory
Network status
Clipboard contents
Service/driver information
Command history
Mapped drives
Shares
Live Data
Slide3731 July 202037
Event
logs
Registry
Disks
Non-volatile Data
Slide3831 July 202038
Memory Acquisition
Dump file
Dump File Analysis
Perform Ram Dump to a file
[Using
Tools like
DumpIt
,
mdd
etc]
Dump file
Analyzed using tools
(
eg.Volatility
,
Win-
LiFT
)
Report Generation
Memory Analysis
Slide3931 July 202039
Live Forensics Tools
Slide4031 July 202040
C-DAC’s Win-
LiFT
COFEE(Computer
Online Forensic Evidence Extractor
)
EnCase
Portable
Slide4131 July 202041
https://cyberforensics.in/
Slide4231 July 202042
Investigator’s Machine
Investigator’s Machine
Suspect’s Machine
Slide4331 July 202043
Slide4431 July 202044
Slide4531 July 202045
Slide4631 July 202046
Slide4731 July 202047
Live Forensic Tools - COFEE
Slide4831 July 202048
Computer Online Forensics Evidence Extractor
Easy to use
Capture important "live" computer evidence
Special forensics expertise not needed.
Slide4931 July 202049
Computer Online Forensics Evidence Extractor
Slide5031 July 202050
Easy to Use
Forensically Sound
Ultra-Portable
Stealth
Live Forensic Tools - Encase Portable
Slide5131 July 202051Forensic Tools in
Kali Linux
Slide5231 July 202052More than
200 penetration testing tools are packaged in Kali Linux.More than 20
tools for forensics packaged inside Kali Linux.
Binwalk
tool
:
searches a specified binary image for executable code and files.
Bulk extractor tool:
E
xtracts
credit card numbers, URL links, email
addresses etc..
Works
on compressed data and incomplete or damaged data
.
HashDeep
tool:
For hashing
of
files.
Magic rescue tool:
Performs
scanning operations on a blocked device
.
Recovers
files deleted or
from corrupted
partition
.
Guymager
tool:
Used
to acquire media for forensic imagery
Slide5331 July 202053Pdfid
tool:
Scans pdf files for specific keywords.
7.
Pdf
-parser
tool
:
8.
Peepdf
tool
:
9.
Autopsy tool:
An autopsy is all in one forensic utility for fast data recovery and hash filtering
.
This tool carves deleted files and media from unallocated
space.
10.
img_cat
tool
:
Slide5431 July 202054
Thank
You
jayaram@cdac.in