Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
jcb@bambenekconsulting.com
Agenda
- Types of “actionable” computer crime
- Incident response vs computer forensics
- Laws related to computer crime or forensics
- Obstacles to computer crime prosecution
- 2 key elements of digital evidence
- Data acquisition
- Forensics: Network, Memory, Hard Drive, Logs
- Courtroom Usage
Types of “actionable” computer crime
- Identity Theft
- Electronic Fraud (ACH or Credit Card)
- Trade Secret / IP Theft
- Spamming
- Website Defacement / Denial of Service
- Unauthorized Access / Misuse of Access
- Cyberbullying / Unauthorized Sexting / Etc.
- Child Pornography
- National Security Issues
Incident Response vs. Forensics
- Incident response = “Something bad happened, fix it”
- Forensics = Acquisition of evidence for potential litigation
  - Can include e-Discovery
- Organizations should have prepared in advance for this decision
  - Some incidents are not worth pursuing in criminal or civil court
  - Forensics is much more time-consuming and expensive
- In both cases the questions are how someone “got in” and what they did once there
  - May not be concerned with attribution
When to do forensics?
- When it’s a criminal matter…
- When a civil case will likely be prosecuted…
- When insurance requires it…
- As litigation prevention…
- When there is a large $ loss involved…
Laws related to computer crime and/or forensics
- Wire fraud (18 USC § 1343)
- Computer Fraud and Abuse Act (18 USC § 1030)
- Electronic Communications Privacy Act (18 USC § 2510)
- Stored Communications Act (18 USC § 2701)
- Digital Millennium Copyright Act (17 USC § 512 et al) **
Obstacles to Computer Crime Prosecution
- Ownership of Hardware
  - Big issue with Cloud Computing
- Ownership of Data
- Physical Access to Data
- Expectation of Privacy
  - Not supposed to monitor users if they reasonably believe their actions are private
- Chain of Custody / Evidence Preservation
  - Hard to have a case if chain of custody is broken or evidence has been corrupted
- International Law
2 Key Elements of Digital Evidence
- Chain of Custody
  - Similar to “physical” evidence
  - If chain is broken, could end your case
- Integrity of Evidence
  - Digital evidence is much more volatile
  - Often examining copies… are they “real”?
  - Suspect could destroy evidence if they are on to you
Chain of Custody
- Physical possession of data is standard chain of custody
- How do you prove chain of custody on electronic information?
- Prevention of evidence contamination
  - Analyze only digital copies
  - Use “write-blockers” for physical drives
  - Difficult for “live system” analysis
  - Keeping notes for all tasks performed on “live system”
Integrity of Evidence
- Prevention of evidence contamination
  - Analyze only copies
  - Use “write-blockers” for physical drives
  - Difficult for “live system” analysis
  - Keeping notes for all tasks performed on “live system”
- Use cryptographic “hashing” to prove evidence isn’t contaminated
Cryptographic hashing
- Hashing uses a one-way cryptographic algorithm to generate a fixed-length, pseudo-random string of text that represents a unique file (or hard drive)
- Small changes cause large changes in the hash
- Example: “Illinois State Bar Association.” vs “Illinois State Bar Association!”
  - MD5: acaf1670a9acc228a40f02fe034aea6e vs cb0149671f638b3b7d3e0abd4e40f010
  - SHA1: ee9e70de1206ff87cc2d87d7d660c5cc0ac299cf vs 66d00acfc4ee228443317f1cf19cfb3d69b3ef13
- Hash Collisions
  - Use multiple algorithms to avoid doubt
Data Acquisition
- In all cases, physical access is required by someone
- In the “old days” we’d rip the power out of the computer and take the system.
- Evidence collection now proceeds from most “volatile” to least “volatile”:
  - Network traffic
  - Memory
  - Hard drives
  - System logs (assuming configured right)
- May capture volatile data multiple times
Network Forensics
- In essence, the same as wiretapping a phone call, except with data
- Most network switches allow for capturing live traffic from a machine
- What are you looking for:
  - Who is talking to this machine
  - Who is this machine talking to
  - When is it happening
  - What is being communicated
  - Encryption?
Network Forensics example
Memory Forensics
- Must be done on a “live” machine; memory disappears without power
  - Hibernation / Sleep mode in laptops
- Contains:
  - All running programs (even those deleted from the disk)
  - Any encryption keys in use (makes for easy decrypting)
  - In some cases, passwords
- Memory is constantly changing
  - Evidence “changes” over time; may have to work with multiple memory files
Hard Drive Forensics
- Can be done on a “live system” or a system that is off
  - On a “live system” data is constantly changing, which can be problematic
- Involves a bit-copy of a drive into a “virtual drive” file for examination
  - Hashes taken before and after to ensure no data is contaminated
  - Drive left in a safe; all analysis done on the “virtual drive” copies
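As an added example (not from the slides), here is a Python sketch of the before-and-after hashing described on this slide and on the Cryptographic hashing slide: the image is hashed with several algorithms in one pass at acquisition, the working copy is re-verified before analysis, and a single flipped bit in a copy shows up in every digest. The 4 MiB “drive” is constructed in memory; the two strings are the slide’s own example.

```python
import hashlib
import io

# Several algorithms are run side by side, as the slides recommend, so a
# collision in any one of them cannot be used to cast doubt on the image.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_evidence(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read a stream once (an image file, a raw device, or a BytesIO for
    testing) and return {algorithm: hex digest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (strings from the slide, tests)."""
    return hash_evidence(io.BytesIO(data), algorithms)


def verify_image(expected, stream):
    """Re-hash a working copy and compare with the acquisition-time digests.
    Returns (ok, sorted list of algorithms whose digest no longer matches)."""
    actual = hash_evidence(stream, algorithms=tuple(expected))
    mismatched = sorted(name for name in expected if expected[name] != actual[name])
    return (not mismatched, mismatched)


def hex_digit_differences(a, b):
    """Number of hex positions at which two equal-length digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must be of equal length")
    return sum(1 for x, y in zip(a, b) if x != y)


def avalanche_report(text_a, text_b, algorithms=ALGORITHMS):
    """Hash two strings and report, per algorithm, how many hex digits differ.
    Demonstrates the 'small change, large change in the hash' point."""
    ha = hash_bytes(text_a.encode("utf-8"), algorithms)
    hb = hash_bytes(text_b.encode("utf-8"), algorithms)
    return {name: hex_digit_differences(ha[name], hb[name]) for name in algorithms}


def acquisition_demo():
    """Constructed walk-through: hash a fake drive at acquisition, verify an
    untouched copy, then show that a single flipped bit in a copy is caught."""
    drive = bytearray(4 << 20)            # constructed 4 MiB 'drive', all zeros
    drive[1234:1238] = b"MBR!"            # a little non-zero content
    before = hash_evidence(io.BytesIO(drive))
    clean_ok, _ = verify_image(before, io.BytesIO(drive))

    tampered = bytearray(drive)
    tampered[4096] ^= 0x01                # one bit changed in the copy
    tampered_ok, bad = verify_image(before, io.BytesIO(tampered))
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "mismatched": bad}


if __name__ == "__main__":
    print(acquisition_demo())
    # The slide's own pair of strings: one punctuation mark apart.
    print(avalanche_report("Illinois State Bar Association.",
                           "Illinois State Bar Association!"))
```

Record the acquisition-time digests in the chain-of-custody notes; the verification step is what lets an examiner testify that the copy analysed is the drive that was seized.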
Hard Drive Forensics
- Hard drives are collections of ones and zeroes, even when mostly empty
- File tables connect files to the actual “addresses” on the drive where the data that comprises the file is stored, and hold attributes of the file (like MAC times).
- When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files.
- Government standards require multiple “wipes” of a drive to confirm deletion
- Data may also hide in “slack space”
Hard Drive Forensics
- So you have a drive image, now what?
- Index drive for evidence.
  - Search for all deleted files
  - Search for all files added, deleted or modified at a certain time
  - Search files for specific strings
  - Search for files of a specific type
- Examine key system files (configuration files, startup scripts, system registry)
- Depends heavily on the nature of the incident
- Iterative process that is more art than science
Hard Drive Forensics
- MAC times stand for “modified”, “accessed”, “created”, and may also include a deletion time.
- All files have MAC times associated with them (even deleted ones).
- These times can help provide a search pattern for the files “important” to an incident (i.e. if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that same time).
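The “3pm on Jan 11th” search from this slide, written out as an added Python example (not part of the deck): file-table records are flattened into a chronological timeline of every modified/accessed/created/deleted stamp, and the rows within a window around the incident are pulled out, deleted files included. The records are constructed stand-ins for what a forensic tool would read from the image.

```python
from datetime import datetime, timedelta

# Constructed file-table records standing in for what a forensic tool reads
# from a drive image. Times are local to the machine under examination.
SAMPLE_RECORDS = [
    {"path": r"C:\Users\jdoe\Documents\budget.xlsx",
     "modified": datetime(2011, 1, 11, 14, 58), "accessed": datetime(2011, 1, 11, 15, 1),
     "created": datetime(2010, 12, 2, 9, 30), "deleted": None},
    {"path": r"C:\Windows\Temp\setup_tmp.exe",
     "modified": datetime(2011, 1, 11, 15, 2), "accessed": datetime(2011, 1, 11, 15, 2),
     "created": datetime(2011, 1, 11, 15, 2), "deleted": datetime(2011, 1, 11, 15, 9)},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\~WRL0001.tmp",
     "modified": datetime(2011, 1, 11, 15, 12), "accessed": datetime(2011, 1, 11, 15, 12),
     "created": datetime(2011, 1, 11, 15, 12), "deleted": datetime(2011, 1, 11, 15, 12)},
    {"path": r"C:\Program Files\Office\winword.exe",
     "modified": datetime(2009, 7, 14, 0, 0), "accessed": datetime(2011, 1, 11, 15, 1),
     "created": datetime(2009, 7, 14, 0, 0), "deleted": None},
    {"path": r"C:\Users\jdoe\Pictures\holiday.jpg",
     "modified": datetime(2010, 8, 3, 18, 45), "accessed": datetime(2010, 8, 3, 18, 45),
     "created": datetime(2010, 8, 3, 18, 45), "deleted": None},
]

# Modified, accessed, created, plus the deletion time the slide mentions.
TIME_FIELDS = ("modified", "accessed", "created", "deleted")


def build_timeline(records):
    """Flatten each record into one (time, event, path, is_deleted_file) row
    per non-empty stamp and sort the rows chronologically."""
    rows = []
    for rec in records:
        for field in TIME_FIELDS:
            stamp = rec.get(field)
            if stamp is not None:
                rows.append((stamp, field, rec["path"], rec.get("deleted") is not None))
    rows.sort()
    return rows


def events_near(records, incident_time, window=timedelta(minutes=15)):
    """Timeline rows whose stamp falls within +/- window of the incident."""
    lo, hi = incident_time - window, incident_time + window
    return [row for row in build_timeline(records) if lo <= row[0] <= hi]


def files_near(records, incident_time, window=timedelta(minutes=15)):
    """Distinct paths touched in the window, each with the stamps (in time
    order) that placed it there. Deleted files are still reported."""
    hits = {}
    for stamp, field, path, _deleted in events_near(records, incident_time, window):
        hits.setdefault(path, []).append(field)
    return hits


def demo_incident():
    """The slide's scenario: something happened at 3pm on Jan 11th."""
    return files_near(SAMPLE_RECORDS, datetime(2011, 1, 11, 15, 0))


if __name__ == "__main__":
    incident = datetime(2011, 1, 11, 15, 0)
    for stamp, field, path, deleted in events_near(SAMPLE_RECORDS, incident):
        flag = "  (deleted file)" if deleted else ""
        print(f"{stamp:%Y-%m-%d %H:%M}  {field:<8} {path}{flag}")
```

On a real image the same timeline is built from the file system's own metadata; the point of the window search is that it narrows thousands of files to the handful worth reading first.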
Windows Registry
- Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command).
  - Most recently used programs
  - Most recently entered commands
  - Most recently viewed documents
  - Typed URLs in IE
  - Unique hardware addresses for USB keys accessed on the system
- This can be used to create a “timeline” of activity on the machine
Log Forensics
- Over 90% of all computer crime incidents were recorded in system logs
- Servers associated with a subject computer may have valuable information
  - E-mail logs can show all mail sent from a target computer
  - DHCP / DNS logs may show when the machine was on and who it was communicating with
  - If configured, can show who accessed a machine even if the machine has had its own logs wiped
  - Web server logs can show attacks in progress and how servers were exploited
Log Forensics
- E-mails all come with headers that give a wealth of information to identify the sender.
- Can show:
  - IP address of sender
  - All mail servers the message passed through
  - Potentially the true username of the sender
  - When the message was really sent
  - A unique message ID which can be used to track the message in mail server logs
E-mail Headers Example
Return-path: dbernardi@frontier.com
Envelope-to: jcb@bambenekconsulting.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228]) by chicago.bambenekconsulting.com with esmtp (Exim 4.69)
    (envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01 for jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAB1/OU4yLK7Y/2dsb2JhbAA/Aw6CP5cljW6COAEFCCACAz4ODQMCDQoBNwIXPgEBBAEdyQ2DPoMEBIdam05V
X-IronPort-AV: E=Sophos;i="4.67,311,1309737600"; d="xml'?rels'?docx'72,48?scan'72,48,208,217,72,48";a="146462351"
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244]) by out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216]) by relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095; Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
To: "'Stephanie Beine'" <sbeine@genetictechnologies.com>, "'Rich Kaplan'" <kapla111@umn.edu>, <experts@forensicDJS.com>, <jharman@genetictechnologies.com>, <jcb@bambenekconsulting.com>
Cc: "'Jeremy Karlin'" <jkarlin@alcornkarlin.com>, "'Stephen M Komie'" <stephen_m_komie@komie-and-associates.com>, "'John J. Rekowski'" <jjrekowski@co.madison.il.us>, <rja@dupageco.org>, "'Tiffany Bordenkircher'" <tbordenkircher@isba.org>, <jheaton@isba.org>
References: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
In-Reply-To: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
Subject: nov 18,2011 ISBA seminar
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005D_01CC51D5.BB658BE0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcwOY1oNT74/g+iGTFi9Z6maxNsonhDmfBEw
Content-Language: en-us
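As an added example, not part of the slides: Python that walks the Received: chain of the header dump above, earliest hop first, pulls the connecting IP of each hop, the Message-ID for correlation with mail-server logs, and compares the sender-asserted Date: with the first server's stamp. The header sample is constructed from the three hops, Date and Message-ID shown on the slide, with the address lines shortened.

```python
import re
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed sample: the Received hops, Date and Message-ID follow the slide's
# header dump; recipient lines are shortened and the body is omitted.
SAMPLE_HEADERS = """\
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228])
\tby chicago.bambenekconsulting.com with esmtp (Exim 4.69)
\t(envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01
\tfor jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244])
\tby out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216])
\tby relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095;
\tWed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
To: <jcb@bambenekconsulting.com>
Subject: nov 18,2011 ISBA seminar
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>

(body omitted)
"""

# "from <helo name> (<peer info>) by <receiving server> ..."
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_stamp(received_text):
    """The receiving server's timestamp follows the last ';' in a Received header."""
    tail = received_text.rsplit(";", 1)[-1]
    tail = re.sub(r"\([^)]*\)", "", tail).strip()   # drop comments such as (UTC)
    try:
        return parsedate_to_datetime(tail)
    except (TypeError, ValueError):
        return None


def received_chain(raw_message):
    """Return one dict per hop, ordered from the originating host to the final
    server. Each Received header was added by the server named after 'by', so
    only that server's view of the connecting IP is in its own control."""
    msg = Parser().parsestr(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())                 # unfold continuation lines
        m = HOP_RE.match(text)
        peer = (m.group("peer") or "") if m else ""
        ip = IP_RE.search(peer or text)
        hops.append({
            "from": m.group("helo") if m else None,     # name the sender claimed
            "ip": ip.group(1) if ip else None,          # address the server saw
            "by": m.group("by") if m else None,
            "time": parse_stamp(text),
        })
    hops.reverse()                                      # headers are newest-first
    return hops


def originating_ip(raw_message):
    """IP recorded by the first server that accepted the message."""
    hops = received_chain(raw_message)
    return hops[0]["ip"] if hops else None


def transit_seconds(raw_message):
    """Seconds between consecutive server stamps; useful when lining the hops
    up against each mail server's own logs."""
    times = [h["time"] for h in received_chain(raw_message)]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def sender_clock_offset_seconds(raw_message):
    """Date: is written by the sender's client; the first Received: stamp is the
    first server's clock. A large gap suggests a mis-set or forged Date."""
    msg = Parser().parsestr(raw_message)
    first_hop = received_chain(raw_message)[0]["time"]
    return (first_hop - parsedate_to_datetime(msg["Date"])).total_seconds()


def message_id(raw_message):
    return Parser().parsestr(raw_message)["Message-ID"]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop['time']:%Y-%m-%d %H:%M:%S %z}  {hop['ip']:<16} {hop['from']} -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
    print("Message-ID:", message_id(SAMPLE_HEADERS))
```

Only the Received line added by a server you trust (here the recipient's own) is beyond the sender's control; everything below it in the chain could have been written by the sending side, which is why the slide's point about corroborating with mail-server logs matters.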
File Metadata
- Many file types include metadata in them to indicate the creating user, when modified, etc.
- Metadata can be examined even on machines you don’t control
- Cell phones can be notorious about including metadata with image files.
  - This may even include GPS coordinates of where a picture was taken.
- Office documents (especially with track changes) can show every person who touched a file
  - In some cases, can include content that has been “redacted” when viewed normally.
File Metadata example
Other data sources
- Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files and location data
- Tablets and iPads
- Online social network content (in particular, media)
- Blog comments, forum posts
- Webmail accounts
- Google
Courtroom Usage
- How to make the technically complex very simple
- Preserve chain of custody and evidence of integrity!
- Forensic report
  - Usually very long, includes boilerplate examples
  - Executive summary to make it accessible
- Either dissuade cross-examination or poke holes in the other side’s case
Questions?
John Bambenek
jcb@bambenekconsulting.com
http://www.bambenekconsulting.com
312 – 725 – HACK (4225)

Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Recently uploaded

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 

Recently uploaded (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 

Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011

8. 2 Key Elements of Digital Evidence
 Chain of Custody
   Similar to “physical” evidence
   If chain is broken, could end your case
 Integrity of Evidence
   Digital evidence is much more volatile
   Often examining copies… are they “real”?
   Suspect could destroy evidence if they are on to you
9. Chain of Custody
 Physical possession of data is standard chain of custody
 How do you prove chain of custody on electronic information?
   Record who acquired each item, when, from where, and its hash at every handoff
 Prevention of evidence contamination
   Analyze only digital copies
   Use “write-blockers” for physical drives
   Difficult for “live system” analysis
   Keep notes for all tasks performed on a “live system”
10. Integrity of Evidence
 Prevention of evidence contamination
   Analyze only copies
   Use “write-blockers” for physical drives
   Difficult for “live system” analysis
   Keep notes for all tasks performed on a “live system”
 Use cryptographic “hashing” to prove evidence isn’t contaminated
11. Cryptographic hashing
 A cryptographic hash function (not encryption: there is no key and no way back) maps a file, or a whole drive image, to a short fixed-length digest that serves as its fingerprint
 Small changes cause large changes in the hash
 Example: “Illinois State Bar Association.” vs “Illinois State Bar Association!”
   MD5: acaf1670a9acc228a40f02fe034aea6e vs cb0149671f638b3b7d3e0abd4e40f010
   SHA-1: ee9e70de1206ff87cc2d87d7d660c5cc0ac299cf vs 66d00acfc4ee228443317f1cf19cfb3d69b3ef13
 Hash Collisions
   Use multiple algorithms to avoid doubt
   MD5 collisions have been practical since 2004 and a SHA-1 collision was demonstrated in 2017, so record a SHA-256 digest alongside any MD5 or SHA-1 value
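The avalanche effect the slide illustrates, plus the check that actually matters in the lab: re-hashing an evidence copy against the digests recorded at acquisition. This is an added example, not code from the deck; the evidence file is a constructed random blob written to a temporary directory, and the one-byte edit stands in for accidental contamination.

```python
"""Hash-based integrity check for evidence files (added example, not from the deck)."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Hex digests of `data` under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of equal length (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a multi-gigabyte drive image never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path: str, recorded: dict) -> bool:
    """True only if every recorded digest still matches; one mismatch fails the whole check."""
    current = hash_file(path)
    return all(current[name] == value for name, value in recorded.items())


def demo() -> dict:
    """Constructed walk-through: the two slide strings, then an evidence file that gets touched."""
    a = "Illinois State Bar Association.".encode()
    b = "Illinois State Bar Association!".encode()
    flipped = {name: bits_changed(digests(a)[name], digests(b)[name]) for name in ALGORITHMS}

    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "disk.img")
        with open(evidence, "wb") as fh:
            fh.write(os.urandom(4096) * 4)      # constructed stand-in for a drive image
        recorded = hash_file(evidence)          # digests noted at acquisition time
        intact = verify_file(evidence, recorded)
        with open(evidence, "r+b") as fh:       # a single byte changes...
            fh.seek(1234)
            original = fh.read(1)
            fh.seek(1234)
            fh.write(b"\x00" if original != b"\x00" else b"\x01")
        tampered_ok = verify_file(evidence, recorded)   # ...and the check must fail
    return {"bits_flipped": flipped, "intact": intact, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

Keep the recorded digests with the chain-of-custody log, not only inside the image file's own metadata; a digest stored beside the thing it protects proves nothing if both can be edited together.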
12. Data Acquisition
 In all cases, physical access is required by someone
 In the “old days” we’d rip power out of the computer and take the system
   Pulling the plug destroys memory contents, including any full-disk-encryption keys in use, which is why volatile data is collected first today
 Evidence collection now proceeds from most “volatile” to least “volatile” (the order of volatility described in RFC 3227)
   Network traffic
   Memory
   Hard drives
   System logs (assuming configured right)
 May capture volatile data multiple times
13. Network Forensics
 In essence, the same as wiretapping a phone call except with data
 Most network switches allow for capturing live traffic from a machine (a mirror/SPAN port, or a tap placed inline)
 What are you looking for:
   Who is talking to this machine
   Who is this machine talking to
   When is it happening
   What is being communicated
   Encryption?
 A live capture is an interception: the wiretap and ECPA consent rules apply to it just as they do to a phone line
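The four questions on the slide (who talks to the subject, whom it talks to, when, and how much) answered from a capture file, as an added example that is not code from the deck. It reads the classic libpcap file format that tcpdump -w writes, handles only Ethernet/IPv4 with TCP or UDP (which is what a SPAN-port capture of a workstation mostly is), and builds its own small capture in memory; the hosts, ports and traffic in it are constructed, not real.

```python
"""Minimal libpcap reader that summarises flows touching one host (added example)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_packet(ts: float, src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct one Ethernet/IPv4/TCP-or-UDP record for the sample capture (test data, not real traffic)."""
    if proto == 6:       # TCP: 20-byte header, data offset 5, ACK flag
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    else:                # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip + l4 + payload
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(records: list) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


def parse_pcap(data: bytes):
    """Yield (timestamp, src, dst, proto, sport, dport, payload_len) for each IPv4 TCP/UDP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng and nanosecond variants not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (ARP, IPv6, ...)
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 8:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
        yield sec + usec / 1_000_000, src, dst, proto, sport, dport, max(len(l4) - hdr, 0)


def conversations(pcap: bytes, subject: str) -> dict:
    """Per peer and service port: direction, first/last time, packet and payload-byte counts."""
    summary = defaultdict(lambda: {"first": None, "last": None, "packets": 0, "bytes": 0})
    for ts, src, dst, proto, sport, dport, plen in parse_pcap(pcap):
        name = "tcp" if proto == 6 else "udp"
        if subject == src:
            key = ("out", dst, name, dport)       # service the subject contacted
        elif subject == dst:
            key = ("in", src, name, sport)        # service the peer spoke from
        else:
            continue
        entry = summary[key]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["packets"] += 1
        entry["bytes"] += plen
    return dict(summary)


# Constructed sample: a workstation fetches one page, then sends two odd UDP/53 datagrams to an outside host.
SAMPLE_PCAP = build_pcap([
    build_packet(1700000000.0, "10.0.0.5", "10.0.0.80", 6, 51000, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_packet(1700000000.2, "10.0.0.80", "10.0.0.5", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 500),
    build_packet(1700000060.0, "10.0.0.5", "198.51.100.7", 17, 40000, 53, b"A" * 200),
    build_packet(1700000120.0, "10.0.0.5", "198.51.100.7", 17, 40001, 53, b"A" * 200),
    build_packet(1700000120.5, "10.0.0.9", "10.0.0.99", 6, 1234, 22, b""),   # unrelated host, ignored
])

if __name__ == "__main__":
    for key, stats in sorted(conversations(SAMPLE_PCAP, "10.0.0.5").items()):
        print(key, stats)
```

The payload bytes are never interpreted here; the summary is the "who, whom, when, how much" layer. Whether the 200-byte datagrams to port 53 are DNS at all is the "what is being communicated" question, and it needs the payload, which encryption (or a protocol misusing port 53) may deny you.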
15. Memory Forensics
 Must be done on a “live” machine; memory disappears without power
   Hibernation / Sleep mode in laptops writes memory to disk (hiberfil.sys on Windows), so an image of a powered-off laptop may still hold it
 Contains:
   All running programs (even those deleted from the disk)
   Any encryption keys in use (makes for easy decrypting)
   In some cases, passwords
 Memory is constantly changing
   Evidence “changes” over time; may have to work with multiple memory files
 The acquisition tool itself runs in memory and overwrites some of it, so record the tool, its version and the time of every capture
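What the slide's "programs, keys, passwords" look like when pulled out of a raw capture, and how two captures taken minutes apart differ. This is an added example, not code from the deck. It extracts printable runs in both ASCII and the UTF-16LE that Windows uses for most of its own strings (plain ASCII string scanning misses the latter), sorts them into the slide's buckets, and diffs two captures. The two "memory images" are constructed byte strings, not real dumps.

```python
"""String extraction and triage over raw memory captures (added example, not from the deck)."""
import re

CRED_RE = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+")
KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
FILE_RE = re.compile(r"(?i)\b[a-z0-9_.-]+\.(?:exe|dll|docx|pdf)\b")


def extract_strings(image: bytes, min_len: int = 6) -> set:
    """Every run of at least min_len printable characters, as ASCII or as UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(image)}
    found |= {m.group().decode("utf-16le") for m in utf16_re.finditer(image)}
    return found


def triage(strings: set) -> dict:
    """Bucket strings the way the slide lists them: credentials, key material, program/document names."""
    hits = {"credentials": [], "keys": [], "files": []}
    for s in sorted(strings):
        if CRED_RE.search(s):
            hits["credentials"].append(s)
        if KEY_RE.search(s):
            hits["keys"].append(s)
        hits["files"].extend(m.group() for m in FILE_RE.finditer(s))
    return hits


def diff_captures(before: bytes, after: bytes, min_len: int = 6) -> tuple:
    """(appeared, disappeared): what a second capture adds to, and loses from, the first."""
    a, b = extract_strings(before, min_len), extract_strings(after, min_len)
    return sorted(b - a), sorted(a - b)


def _u16(text: str) -> bytes:
    return text.encode("utf-16le")


# Constructed captures. In the first a password still sits in an editor buffer; by the
# second it is gone, a private key has been loaded and a wiping tool has been started.
CAPTURE_1 = (b"\x00" * 32 + b"notepad.exe\x00" + b"\x7f\x01\x02" + _u16("C:\\Users\\bob\\draft.docx")
             + b"\x00\x00" + b"\xff" * 16 + b"password=hunter2\x00" + b"\x00" * 16)
CAPTURE_2 = (b"\x00" * 32 + b"notepad.exe\x00" + b"\x7f\x01\x02" + _u16("C:\\Users\\bob\\draft.docx")
             + b"\x00\x00" + b"\xff" * 16 + b"\x00" * 17 + b"-----BEGIN RSA PRIVATE KEY-----\x00\x00"
             + _u16("sdelete.exe") + b"\x00")

if __name__ == "__main__":
    print(triage(extract_strings(CAPTURE_2)))
    print(diff_captures(CAPTURE_1, CAPTURE_2))
```

On a real image the string pass is the cheap first look; recovering process lists and binary key material (an AES key schedule is not a printable string) needs a structure-aware tool such as Volatility, and the diff between captures is exactly why the slide says to keep every memory file rather than only the last one.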
16. Hard Drive Forensics
 Can be done on a “live system” or a system that is off
 On a “live system” data is constantly changing, which can be problematic
 Involves a bit-copy of a drive into a “virtual drive” file (an image) for examination
 Hashes taken before and after to ensure no data is contaminated: hash the source drive and the image, the two must match, and the image is re-hashed after every analysis session
 Drive left in a safe; all analysis done on copies of the “virtual drive”
17. Hard Drive Forensics
 Hard drives are collections of ones and zeroes, even when mostly empty
 File tables connect files to the actual “addresses” on the drive where the data that comprises the file is stored, along with the attributes of the file (like MAC times)
 When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files
   On an SSD the drive’s own TRIM/garbage collection may zero unlinked blocks on its own, so recovery there is far less reliable than from a spinning disk
 Government standards require multiple “wipes” of a drive to confirm deletion
 Data may also hide in “slack space” (the unused tail of a file’s last cluster, which still holds whatever occupied that cluster before)
18. Hard Drive Forensics
 So you have a drive image, now what?
 Index the drive for evidence
   Search for all deleted files
   Search for all files added, deleted or modified at a certain time
   Search files for specific strings
   Search for files of a specific type (by content signature, not just extension; renaming a file is the simplest way to hide it)
   Examine key system files (configuration files, startup scripts, system registry)
 Depends heavily on the nature of the incident
 Iterative process that is more art than science
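Slides 16 through 18 as one runnable walk-through: image and hash a disk, then find what the file table no longer lists. This is an added example, not code from the deck. The "filesystem" is a toy invented for illustration (a table of name, start cluster and size over 512-byte clusters, first-fit allocation), not FAT or NTFS, but the two effects it shows are real: delete() only unlinks the entry, so carve() still finds the photo by its JPEG header and footer, and when a new small file reuses a freed cluster the old file's tail survives in that file's slack space.

```python
"""Toy disk: unlinked data, signature carving and slack space (added example, not from the deck)."""
import hashlib

CLUSTER = 512
SIGNATURES = {                      # header, footer
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


class ToyDisk:
    def __init__(self, clusters: int):
        self.image = bytearray(clusters * CLUSTER)   # zero-filled: "mostly empty"
        self.used = [False] * clusters
        self.table = []                              # [{"name", "start", "size"}]

    @staticmethod
    def _clusters(size: int) -> int:
        return max(1, -(-size // CLUSTER))           # ceiling division

    def _first_fit(self, needed: int) -> int:
        run = 0
        for i, busy in enumerate(self.used):
            run = 0 if busy else run + 1
            if run == needed:
                return i - needed + 1
        raise OSError("disk full")

    def write(self, name: str, data: bytes) -> None:
        start = self._first_fit(self._clusters(len(data)))
        self.image[start * CLUSTER:start * CLUSTER + len(data)] = data
        for c in range(start, start + self._clusters(len(data))):
            self.used[c] = True
        self.table.append({"name": name, "start": start, "size": len(data)})

    def delete(self, name: str) -> None:
        """Unlink only: the clusters return to the free pool, their bytes are untouched."""
        entry = next(e for e in self.table if e["name"] == name)
        for c in range(entry["start"], entry["start"] + self._clusters(entry["size"])):
            self.used[c] = False
        self.table.remove(entry)

    def slack(self, name: str) -> bytes:
        """Bytes between a file's logical end and the end of its last cluster."""
        e = next(e for e in self.table if e["name"] == name)
        end = e["start"] * CLUSTER + e["size"]
        return bytes(self.image[end:-(-end // CLUSTER) * CLUSTER])


def acquire(disk: ToyDisk) -> tuple:
    """Bit-for-bit copy plus the digest recorded at acquisition; analysis runs on the copy."""
    image = bytes(disk.image)
    return image, hashlib.sha256(image).hexdigest()


def carve(image: bytes) -> list:
    """Recover files by header/footer signature, ignoring the file table entirely."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head))
            if end == -1:
                break
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return found


def demo() -> dict:
    disk = ToyDisk(clusters=8)
    memo = b"%PDF-1.4 constructed memo about the 3pm transfer %%EOF"
    photo = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-photo-bytes" * 20 + b"\xff\xd9"
    disk.write("memo.pdf", memo)                       # cluster 0
    disk.write("photo.jpg", photo)                     # clusters 1-2
    disk.delete("memo.pdf")                            # suspect "deletes" both files...
    disk.delete("photo.jpg")
    disk.write("note.txt", b"nothing to see here")     # ...and a new small file lands on cluster 0
    image, recorded = acquire(disk)
    carved = carve(image)
    return {
        "listed": [e["name"] for e in disk.table],
        "carved": [(kind, offset) for kind, offset, _ in carved],
        "photo_recovered": any(data == photo for _, _, data in carved),
        "memo_tail_in_slack": b"%%EOF" in disk.slack("note.txt"),
        "image_verified": hashlib.sha256(image).hexdigest() == recorded,
    }


if __name__ == "__main__":
    print(demo())
```

The memo's header was overwritten by the new file, so the signature carver cannot recover it as a whole, yet its tail is still readable in note.txt's slack: partial overwrite is the normal case, and a string search over unallocated and slack space finds what a file-level search cannot.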
19. Hard Drive Forensics
 MAC times stand for “modified”, “accessed”, “created” and may also include a deletion time
 All files have MAC times associated with them (even deleted ones)
 These times can help provide a search pattern for “important” files to an incident (i.e. if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that same time)
 Caveats: timestamps are easy to forge (“timestomping”), clocks drift, and time zones differ between machines, so normalise everything to UTC and corroborate against logs; Windows since Vista does not update last-access times by default, so a stale access time proves little
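The search pattern the slide describes, run as code: build a timeline from every file's MAC times and pull the entries within a window around the incident. This is an added example, not code from the deck. The files and their modified/accessed times are constructed in a temporary directory with os.utime; the change time (st_ctime) cannot be set from user space, which is why it will read as "now" here and why examiners weight it when the other two look tampered with.

```python
"""MAC-time timeline around an incident time (added example, not from the deck)."""
import os
import tempfile
from datetime import datetime, timedelta, timezone


def timeline(root: str) -> list:
    """One row per (timestamp, kind, path), sorted; kinds: m modified, a accessed, c changed/created."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                rows.append((datetime.fromtimestamp(ts, timezone.utc), kind, rel))
    return sorted(rows)


def around(rows: list, when: datetime, window: timedelta) -> list:
    """Rows whose timestamp lies within +/- window of the incident time."""
    return [r for r in rows if abs(r[0] - when) <= window]


def demo() -> dict:
    incident = datetime(2011, 1, 11, 15, 0, tzinfo=timezone.utc)   # "3pm on Jan 11th" from the slide
    plan = {                                                        # constructed files and their times
        "docs/budget.xlsx": incident - timedelta(days=30),
        "tmp/dump.rar": incident + timedelta(minutes=4),
        "windows/evil.exe": incident - timedelta(minutes=2),
        "windows/notepad.exe": incident - timedelta(days=400),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, ts in plan.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (ts.timestamp(), ts.timestamp()))        # set atime and mtime
        rows = timeline(root)
        hits = around(rows, incident, timedelta(minutes=10))
    return {"total": len(rows), "near_incident": sorted({path for _, _, path in hits})}


if __name__ == "__main__":
    r = demo()
    print(r["total"], "rows;", "near incident:", r["near_incident"])
```

In practice the timeline is built from the image's file-system metadata (for NTFS, both the $STANDARD_INFORMATION and the harder-to-forge $FILE_NAME timestamps), not from a mounted copy, but the filtering step is the same.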
20. Windows Registry
 Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command)
   Most recently used programs
   Most recently entered commands (the RunMRU key)
   Most recently viewed documents (the RecentDocs key)
   Typed URLs in IE (the TypedURLs key)
   Unique hardware identifiers for USB keys accessed on the system (the USBSTOR key under SYSTEM\CurrentControlSet\Enum)
 This can be used to create a “timeline” of activity on the machine, since every registry key carries a last-write timestamp
 Opening the registry live in RegEdit touches the machine; for evidence, export the hive files (NTUSER.DAT, SYSTEM, SOFTWARE, SAM) from the image and parse those offline
21. Log Forensics
 Over 90% of all computer crime incidents were recorded in system logs
 Servers associated with a subject computer may have valuable information
   E-mail logs can show all mail sent from a target computer
   DHCP / DNS logs may show when the machine was on and who it was communicating with
   If configured, can show who accessed a machine even if the machine has had its own logs wiped
   Web server logs can show attacks in progress and how servers were exploited
 Check retention before relying on any of these: DHCP leases, DNS and proxy logs are often rotated within days, so send preservation requests early
22. Log Forensics
 E-mails all come with headers that give a wealth of information to identify the sender
 Can show:
   IP address of the sender
   All mail servers the message passed through
   Potentially the true username of the sender
   When the message was really sent
   A unique Message-ID which can be used to track the message in mail server logs
 Only the Received: line added by your own server is known good; each earlier line was added by the previous relay, and a sender can forge everything below the first hop they did not control
23. E-mail Headers Example
Return-path: dbernardi@frontier.com
Envelope-to: jcb@bambenekconsulting.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228]) by chicago.bambenekconsulting.com with esmtp (Exim 4.69) (envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01 for jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAB1/OU4yLK7Y/2dsb2JhbAA/Aw6CP5cljW6COAEFCCACAz4ODQMCDQoBNwIXPgEBBAEdyQ2DPoMEBIdam05V
X-IronPort-AV: E=Sophos;i="4.67,311,1309737600"; d="xml'?rels'?docx'72,48?scan'72,48,208,217,72,48";a="146462351"
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244]) by out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216]) by relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095; Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
To: "'Stephanie Beine'" <sbeine@genetictechnologies.com>, "'Rich Kaplan'" <kapla111@umn.edu>, <experts@forensicDJS.com>, <jharman@genetictechnologies.com>, <jcb@bambenekconsulting.com>
Cc: "'Jeremy Karlin'" <jkarlin@alcornkarlin.com>, "'Stephen M Komie'" <stephen_m_komie@komie-and-associates.com>, "'John J. Rekowski'" <jjrekowski@co.madison.il.us>, <rja@dupageco.org>, "'Tiffany Bordenkircher'" <tbordenkircher@isba.org>, <jheaton@isba.org>
References: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
In-Reply-To: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
Subject: nov 18,2011 ISBA seminar
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005D_01CC51D5.BB658BE0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcwOY1oNT74/g+iGTFi9Z6maxNsonhDmfBEw
Content-Language: en-us
Reading the Received: lines from the bottom up: the message entered Frontier’s relay01 from a host calling itself BernardiHome at 50.44.174.216 using ESMTPA, meaning the sender authenticated to that relay with an account, so the provider’s logs can tie that IP and time to a subscriber; it then passed through out01 and arrived at the recipient’s Exim server four seconds after the first hop
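The bottom-up reading of the Received: chain as code, as an added example that is not from the deck. The header below is constructed after the shape of the one on the slide, with example.com hosts, documentation IP ranges and made-up queue IDs, so none of its values are real; the parsing uses only the standard library's email module. The trust rule in origin() is the one practitioners apply: the lines your own servers added are reliable, and the first hop below them is as far back as you can vouch for without the next provider's logs.

```python
"""Received: chain parser for e-mail headers (added example, not from the deck)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_HEADER = """\
Return-path: <sender@mail.example.com>
Envelope-to: victim@example.org
Received: from out01.mail.example.com ([198.51.100.28]) by mx.example.org with esmtp (Exim 4.69) (envelope-from <sender@mail.example.com>) id 1Example-000001-AA for victim@example.org; Wed, 03 Aug 2011 12:06:16 -0500
Received: from relay01.mail.example.com ([198.51.100.44]) by out01.mail.example.com with ESMTP; 03 Aug 2011 17:06:14 +0000
Received: from SenderHome (unknown [203.0.113.216]) by relay01.mail.example.com (Postfix) with ESMTPA id 0123456789AB; Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "Sender" <sender@mail.example.com>
To: <victim@example.org>
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@example.com>
Subject: constructed example

(body omitted)
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<detail>[^)]*)\))?\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw: str) -> list:
    """Hops in transit order (origin first). Each relay prepends its own line, so the header is read bottom-up."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        line = " ".join(line.split())                 # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("detail") or "")
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": m.group("with").upper(),
            "authenticated": m.group("with").upper() == "ESMTPA",   # SMTP AUTH was used (RFC 3848)
            "time": parsedate_to_datetime(line.rsplit(";", 1)[1].strip()),
        })
    return hops


def origin(raw: str, trusted_suffix: str) -> dict:
    """Walk back from your own server; stop at the first line not written by a host you control."""
    hops = received_chain(raw)
    vouched = None
    for hop in reversed(hops):
        if not hop["by"].lower().endswith(trusted_suffix.lower()):
            break
        vouched = hop
    return {
        "vouched_host": vouched["from"] if vouched else None,
        "vouched_ip": vouched["ip"] if vouched else None,
        "claimed_origin_host": hops[0]["from"] if hops else None,
        "claimed_origin_ip": hops[0]["ip"] if hops else None,
        "claimed_origin_authenticated": hops[0]["authenticated"] if hops else None,
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds() if hops else None,
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADER):
        print(hop["time"].isoformat(), hop["from"], hop["ip"], "->", hop["by"], hop["with"])
    print(origin(SAMPLE_HEADER, "example.org"))
```

The "claimed" origin is what the provider's relay wrote down; to turn it into an identity you subpoena that provider for the authenticated session matching the IP, timestamp and queue ID, which is why the slide pairs headers with mail server logs.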
24. File Metadata
 Many file types include metadata in them to indicate the creating user, when modified, etc.
 Metadata can be examined even on machines you don’t control
 Cell phones can be notorious about including metadata (EXIF) with image files
   This may even include GPS coordinates of where a picture was taken
 Office documents (especially with track changes) can show every person who touched a file
   In some cases, can include content that has been “redacted” when viewed normally
 Metadata is user-controlled data: it can be stripped or edited, so treat it as a lead to corroborate, not as proof on its own
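The Office-document case from the slide, as an added example that is not code from the deck: a .docx is a zip archive whose docProps/core.xml carries the author, last editor and revision, and whose word/document.xml keeps tracked changes, including deleted text that a normal view no longer shows. The document below is constructed in memory with just those two parts (a real file has several more), and the names and text in it are invented. The EXIF case for photos works the same way on the JPEG's APP1 segment and is not shown.

```python
"""Metadata and tracked-change recovery from a .docx (added example, not from the deck)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>A. Author</dc:creator>
  <cp:lastModifiedBy>B. Reviewer</cp:lastModifiedBy>
  <dcterms:created>2011-01-11T14:52:00Z</dcterms:created>
  <dcterms:modified>2011-01-11T15:03:00Z</dcterms:modified>
  <cp:revision>7</cp:revision>
</cp:coreProperties>""".format(**NS)

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{w}"><w:body>
  <w:p><w:r><w:t>Payment authorised by </w:t></w:r>
    <w:del w:id="1" w:author="B. Reviewer" w:date="2011-01-11T15:02:00Z"><w:r><w:delText>J. Smith (acct 4471)</w:delText></w:r></w:del>
    <w:ins w:id="2" w:author="B. Reviewer" w:date="2011-01-11T15:02:30Z"><w:r><w:t>the finance team</w:t></w:r></w:ins>
  </w:p>
  <w:p><w:ins w:id="3" w:author="C. Counsel" w:date="2011-01-11T15:03:00Z"><w:r><w:t>Approved.</w:t></w:r></w:ins></w:p>
</w:body></w:document>""".format(**NS)


def build_docx() -> bytes:
    """Constructed two-part .docx; enough for the metadata and change-tracking parts used below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def inspect_docx(blob: bytes) -> dict:
    """Core properties, every tracked-change author, the visible text, and the text that was deleted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        doc = ET.fromstring(zf.read("word/document.xml"))
    props = {tag: (core.findtext(tag, namespaces=NS) or "")
             for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified", "cp:revision")}
    authors = sorted({el.get(W + "author") for el in doc.iter() if el.tag in (W + "ins", W + "del")})
    paragraphs = ["".join(t.text or "" for t in p.iter(W + "t")) for p in doc.iter(W + "p")]
    deleted = [d.text or "" for d in doc.iter(W + "delText")]
    return {"properties": props, "change_authors": authors, "paragraphs": paragraphs, "deleted_text": deleted}


if __name__ == "__main__":
    for key, value in inspect_docx(build_docx()).items():
        print(key, value)
```

The visible text says "the finance team"; the delText element still says who was named before the reviewer changed it, which is the "redacted" content the slide warns about. Accepting all changes and saving a fresh copy is what removes it, and a producing party that did not do so has handed over its edit history.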
26. Other data sources
 Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files and location data
 Tablets and iPads
 Online social network content (in particular, media)
 Blog comments, forum posts
 Webmail accounts
 Google
 Content held by a third party (webmail, social networks, search history) is reached through the provider under the Stored Communications Act, not by imaging, and providers purge quickly, so send preservation requests first
27. Courtroom Usage
 How to make the technically complex very simple
 Preserve chain of custody and evidence of integrity!
 Forensic report
   Usually very long, includes boilerplate examples
   Executive summary to make it accessible
 Either dissuade cross-examination or poke holes in the other side