CYBER FORENSIC
K. B. Jena, Asstt. Director & Scientist 'C', CFSL, Kolkata
DOCUMENT FORENSIC TO DIGITAL DOCUMENT FORENSIC
- Presence of scanned and printed documents during examination of forensic documents.
- Examination of computers containing the digital copy was thought to be a way to fix responsibility.
- *The first case of computer forensics was taken up in the year
TYPE OF CASES EXAMINED - INITIAL YEARS 2004-07
- Reproduction of currency notes
- Reproduction of cheques
- Driving licence
- Certificate
- Password cracking
- *4-5 cases a year
TYPE OF CASES EXAMINED AROUND 2008-10
- Theft of designs and customer lists by partners/employees while leaving the company, then offering lower prices to the old company's existing customers.
- Threatening.
- Customers duped by a travel agency for a foreign tour.
- Flight/rail tickets purchased online using other people's credit card details.
- *20-25 cases a year
CHANGE IN NATURE OF CASES IN 2011-2013
- Cases related to fake accounts on social sites (Orkut, Facebook, Skype, Twitter)
- Terrorist communications via the internet
- Computers used for transactions of fictitious companies, online/offline
- Data of national interest leaked via the internet
- Online circulation of defamatory material
- Mobile communication by SMS/MMS/voice recording/still and video recording
- *150 cases per year
- Elaborate planning, more details and diverse tools required for examination.
- *210 cases received
- Mobile used as the communication device for all social network activities.
- Laptops replaced desktops; laptop size grew smaller.
- Requests for CCTV footage increased.
- New applications/apps on mobile for social networking (WhatsApp, Viber, Line).
- Apps for financial transactions/banking/billing.
- Server examination requirements.
SEIZURE OF DIGITAL EVIDENCE
- Why they are called best practices.
- Practices differ (depends on working environment).
- Need to adopt a guideline: stringent or diverse.
- Need to document.
CHAIN OF CUSTODY OF COMPUTER EVIDENCE
- Physical (serial no., IMEI)
- Digital (hash value)
SCENE OF CRIME
- When desktop computer is off?
- When desktop computer is on?
- Any hard disk inside?
- When laptop computer is on?
- When laptop computer is off?
- Whether the accused should be allowed to back up data?
HOW DAMAGING FOR INVESTIGATION
- Read labels (OS, hard disk capacity, repairs in between)
SEIZURE OF MOBILE / SIM / MEMORY CARD
- One SIM vs dual SIM
- Remove battery
- Flight mode / block SIM
- SIM lost
- Memory card
- Pattern lock / password on screen
- Memory card locked
- Seize power cable / connectors
CCTV SEIZURE
- Time/date check before switching off.
- Check capacity of the hard disk inside.
- DVR box is required along with power cord.
- Backed-up footage acquired at the crime scene.
NETWORKED COMPUTER
- Delegate experts to acquire data.
- Advice of the network administrator / service provider needed.
- Powering on at the original site is required.
ONLY HARD DISK / WHOLE COMPUTER
- Only the hard disk if the data is questioned.
- The desktop/laptop concerned if the functions of the computer are questioned / special.
TOOLS REQUIRED FOR PREVIEW/DUPLICATION
- Write blockers
- Identification of different OS
- New hard disk / properly wiped hard disk
- Validation of hardware/software
- Hash value
CLONING VS BIT STREAM IMAGE
- Cloning for reboot
- Bit stream image for restore
- Hash value
WHAT MAY ESCAPE DURING PURVIEW
- Slack space
- Web mail
- Internet activity
- Hidden files
- Files not supported by software
- Host protected area
- Device configuration overlay
- Backups of devices (compressed files, image of CD/DVD, backup of mobile, backup of chat history)
DIFFERENT APPROACH
- Registry forensics
- Browser forensics
- System restore point forensics
- Virtual machine forensics
- Cloud forensics
- Network forensics
MATERIAL FOR SEARCH
- Text search
- Image search
- Video search
- Email search
EXAMINATION
- Internet artifacts
- Archived / webmail
- Unallocated clusters
- File slack
DATA HIDING
- Password
- Encryption
- Changing extension
- Delete partition
- Reinstall OS
- Text as image
- Synchronise / back up / create system restore / removable drive
EXHIBITS
- CPU
- Hard disk
- CD/DVD/floppy
- Pen drive / external hard disk
- Mobile phone / SIM card / memory card
- Digital video recorder
- Still/video camera / memory card
- Spy cam
ANALYSIS EXPECTED
- Incriminating video/image/audio
- Text documents / financial details / programs related to creating vouchers / editing video/audio/image files
- Emails collected by client (MS Outlook), webmail
- Files downloaded/uploaded from the internet
- Cookies
- Webmail
- Internet history
- Social network artifacts
- Chat history
- Files from private network (Bluetooth, WiFi)
DIFFERENCE BETWEEN DATA EXTRACTION AND COMPUTER FORENSIC
- It must be proved that the chain of custody is properly followed.
- Nothing has been deleted, added or changed during examination.
- The process of such assurance starts from the crime scene.
- Best practices for seizure of digital evidence.
- Hash value.
NON FORENSIC PRACTICES
- Opening the original media through the operating system:
  - changes date of access
  - removes temporary files
  - changes logs
  - changes many files related to the operation of the computer
  - unallocated space cannot be accessed
ON THE SCENE COLLECTION
- Finding out internet tracks on scene.
- Searching/viewing files.
- Backing up data.
UNCOMMON CASES
- Pictures in Excel sheet
- Image of handwritten notes as messages
- Formatted hard disk
- Voice recording as suicide note
MOBILE PHONE EXAMINATION
- SIM
- Internal memory
- Memory card
DATA IN SIM
- Location
- ICCID (Integrated Circuit Card Identifier)
- IMSI (International Mobile Subscriber Identity)
- Service provider
- Contacts
- SMS
- Last call details
INTERNAL MOBILE MEMORY
- IMEI
- Contacts
- SMS
- Mobile settings
- To-do list
- Notes / chat / social network site details
- Internet history
MEMORY CARD
- Image / video / audio
- Archived data / SMS backup / WhatsApp
- Internet data
- History of use in other devices
- Deleted data
CHALLENGES
- Password protection
- Lost SIM
- Not supported by tools
- Problem in switching on the mobile (broken / blast cases)
CCTV CASES
- Proprietary operating system requires its own hardware for examination.
- Inherent clock settings cannot be cross-checked.
- Deleted files cannot be recovered.
REQUIREMENTS WHILE SUBMITTING CASE
- Proper format
- Proper sealing and labelling of exhibits
- Signature and seal of authority
- Attested copy of FIR
- Requirement of hard disk
PROPER DESCRIPTION OF EXHIBITS IN FORWARDING LETTER
- CPU / laptop
- Hard disk
- Mobile phone
- CCTV
QUERY
- Format of query
- Supporting material
WHEN QUERY IS EMAIL RELATED
- Information: what belongs to whom
- Address
- Subject line
- Contents
- Printout / soft copy with full header
WHEN QUERY IS SOCIAL NETWORK SITE RELATED
- Related address
- Profile name
- Screenshot of alleged page
- Alleged image / video
- Chat room
- Chat history
QUERY REGARDING ACTIVITY OF A COMPANY
- Documents related to the alleged activities.
WHEN QUERY IS IMAGE / VIDEO RELATED
- Copy of the alleged image / video.
WHEN QUERIES DO NOT SERVE THE PURPOSE
- Missing name of the company.
- Asking random system-related queries.
- "All emails / credit cards / IP addresses", "all users".
- Missing internet history and keywords.
JUDICIOUS DISTRIBUTION / SEIZURE OF EXHIBITS
- Camera with DVR
- Monitor with CPU
- Modem with laptop
- Detached hard disks of server
- Bundling 10 branches of a company in one big case
REQUIREMENT OF HARD DISK COPY
- Clone / mirror image.
- What are the chances of missing evidence when the investigating agency decides to look at the evidence themselves?
MULTIPLE QUERIES
- What is the IP address used in this computer?
- What is the MAC address used in this computer?
- What are the programs installed in this computer?
- Who are the users of this computer?
- Whether this computer was used for .
- Which modem was used for connecting to the internet?
TRANSLATE TO A SINGLE QUERY
- Whether the mails at Annexure A were sent/received from this computer.
MULTIPLE QUERIES
- What are the accounting packages installed?
- How many xls files are there?
- How many Word files are there?
- What is the operating system of the computer?
- Are there any password-protected or encrypted files?
- What are the different types of data available in the system?
- Are there any deleted files?
TRANSLATE TO A SINGLE QUERY
- Please provide all the data related to the company and any document similar to the documents at Annexure A, B, C.
WRITING A FILE: What areas change when a FILE is written?
(Diagram: MBR | Boot Record (BR) | Reserved Area | FAT1 | FAT2 | Root Directory | data area, clusters 2-13.)
- A directory entry is created in the root directory: an unused directory entry now holds Filename, Start Cluster and Size of FILE.
- The FATs are updated: in both FAT1 and FAT2 the entry for cluster 2 (the file's start cluster) is marked E (end of chain); clusters 3-13 stay unallocated.
- The FILE contents are written to the data area, starting at cluster 2.
DELETING A FILE: What areas change when a FILE is deleted?
(Diagram: MBR | Boot Record (BR) | Reserved Area | FAT1 | FAT2 | Root Directory | data area, clusters 2-13.)
- The first character of the directory entry is changed to the deleted marker (byte 0xE5 in FAT), so the entry FILE now reads ILE; its Start Cluster (2) and Size (1024) are left intact.
- The FAT entries are zeroed: the cluster 2 entry in FAT1 and FAT2 is cleared, so the cluster appears free.
- The data area is not changed! The file contents remain in cluster 2 until overwritten, which is why deleted data can be recovered.
REFORMATTING: What areas change when a partition is reformatted?
(Diagram: MBR | Boot Record (BR) | Reserved Area | FAT1 | FAT2 | Root Directory | data area, clusters 2-13.)
Three areas change when a partition is reformatted:
- The root directory entries are zeroed (Filename, Start Cluster, Size of every entry become unused directory entries).
- The FAT entries are zeroed (clusters 2-13 in FAT1 and FAT2 are all marked free).
- The Boot Record is written.
The data area is not changed: the contents of the clusters survive the reformat.
SLACK SPACE: What are the two types of slack?
(Diagram: Cluster 2 holding File, followed by RAM Slack and then Residual Slack up to the end of the cluster.)
- RAM slack is the area from the end of the file to the end of that sector. It comes from RAM (the padding written with the last sector).
- Residual data slack is the area from the end of the RAM slack to the end of the cluster: whatever was on the media before.
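The write/delete behaviour and the slack layout from the slides above, worked through on a constructed in-memory FAT-style volume. This is an added example, not part of the original deck; the sector size, sectors per cluster, end-of-chain value and the old-data pattern in the data area are assumptions, and the recovery step assumes the deleted file occupied contiguous clusters.

```python
# Added example (not from the slides): a minimal FAT-style volume in memory showing
# which areas change on write and delete, and where RAM slack and residual slack lie.
SECTOR = 512            # bytes per sector (assumed)
SPC = 4                 # sectors per cluster (assumed)
CLUSTER = SECTOR * SPC  # 2048 bytes per cluster
EOC = 0xFFF             # end-of-chain marker, the "E" in the slide's FAT table
DELETED = 0xE5          # byte that replaces the first character of a deleted entry

def ceil_to(n, unit):
    """Round n up to the next multiple of unit."""
    return -(-n // unit) * unit

class Volume:
    def __init__(self, clusters=14):
        self.fat1 = [0] * clusters
        self.fat2 = [0] * clusters
        self.root = {}   # name -> (first_char, start_cluster, size)
        # Data area pre-filled with old, unrelated bytes (constructed) so residual slack is visible.
        self.data = bytearray(b"OLD-DATA" * (clusters * CLUSTER // 8))

    def write_file(self, name, content, start=2):
        """Directory entry created, both FATs updated, contents written to the data area."""
        chain = list(range(start, start + -(-len(content) // CLUSTER)))
        for i, c in enumerate(chain):            # link clusters; last one gets E
            self.fat1[c] = self.fat2[c] = chain[i + 1] if i + 1 < len(chain) else EOC
        off = start * CLUSTER
        self.data[off:off + len(content)] = content
        self.root[name] = (name[0], start, len(content))

    def delete_file(self, name):
        """Only the first directory byte and the FAT entries change; the data area is untouched."""
        _, start, size = self.root[name]
        c = start
        while c != EOC:                           # walk and zero the chain in both FATs
            nxt = self.fat1[c]
            self.fat1[c] = self.fat2[c] = 0
            c = nxt
        self.root[name] = (DELETED, start, size)

    def recover(self, name):
        """Carve a deleted file back from the surviving start cluster and size (contiguous assumed)."""
        first, start, size = self.root[name]
        if first != DELETED:
            raise ValueError("entry is not marked deleted")
        off = start * CLUSTER
        return bytes(self.data[off:off + size])

def slack(size, start=2):
    """Byte ranges of (RAM slack, residual slack) for a file of `size` bytes starting at `start`."""
    end = start * CLUSTER + size
    sector_end, cluster_end = ceil_to(end, SECTOR), ceil_to(end, CLUSTER)
    return (end, sector_end), (sector_end, cluster_end)
```

After `delete_file`, the FAT shows the cluster as free and the name begins with 0xE5, yet `recover` returns the original bytes, and the residual slack range still holds the pre-existing media contents.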
THANK YOU.