csi georgia introduction to computer forensics l.
Skip this Video
Loading SlideShow in 5 Seconds..
CSI Georgia: Introduction to Computer Forensics PowerPoint Presentation
Download Presentation
CSI Georgia: Introduction to Computer Forensics

Loading in 2 Seconds...

play fullscreen
1 / 54

CSI Georgia: Introduction to Computer Forensics - PowerPoint PPT Presentation

  • Uploaded on

CSI Georgia: Introduction to Computer Forensics Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ brent@speakwisdom.com KSU ETTC http://edtech.kennesaw.edu Objectives Gain Basic Knowledge What is Computer Forensics? What are Concepts? What are Procedures? What Not to do?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'CSI Georgia: Introduction to Computer Forensics' - Gabriel

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
csi georgia introduction to computer forensics

CSI Georgia: Introduction toComputer Forensics

Brent Williams





  • Gain Basic Knowledge
    • What is Computer Forensics?
    • What are Concepts?
    • What are Procedures?
    • What Not to do?
  • Learn Some Basic Techniques
  • Raise Level of Awareness
  • This workshop is not dispensing legal advice
  • Use what you hear, read, and do in this class at your risk
  • Consider this class a starting point
  • There is much more to learn about computer forensics
be a professional
Be a Professional
  • Cell Phones and Pagers on Silent
  • Take Notes – Treat this like a College Level Course
  • Ask Questions – Take full advantage of this opportunity
  • Help your neighbor
  • High Technology Crime Investigation Association
    • www.htcia.org
  • Atlanta HTCIA
    • www.atlhtcia.org
  • Southeast Cybercrime Summit
    • March 19-23, 2007
    • www.southeastcybercrimesummit.com
places products
Places & Products
  • Access Data (FTK)
    • www.accessdata.com
  • X-Ways Forensics (winhex)
    • www.x-ways.com
  • ProDiscover
    • www.techpathways.com
  • Helix
    • www.e-fense.com
  • Certified Computer Examiner
    • http://www.certified-computer-examiner.com/index.html
  • More
  • Books
the need for computer forensics
The Need for Computer Forensics
  • High-Tech Crimes are Increasing
  • Computer Forensics Has Come Into Its Time
  • Computer Crimes Happen in All Environments
    • Business
    • Home
    • Schools
  • Pornography
    • Child Pornography
  • Emails
  • Instant Messages
  • Web-sites (MySpace)
  • Bullying
  • Emotionally Troubled
flash memory
Flash Memory

What role will it play in your school?

pda s and cell phones
PDA’s and Cell Phones
  • Palm
    • Fading?
    • Lots of aps and storage (flash)
    • Infrared and BlueTooth beaming
  • Windows Mobile
    • Catching on
    • Lots of storage (flash)
    • Familiar interface
    • Easily networked
  • Feature
    • WiFi, Bluetooth, EVDO (CDMA)
    • VGA display
ideal forensics background
Ideal Forensics Background
  • Legal, Technical and Law Enforcement
  • Missing Skills? Build a Team!
    • Attorney or Legal Advisor
    • Strong “geek”
      • Vast knowledge required
    • School Law Enforcement Person
    • Others?
main forensics emphasis
Main Forensics Emphasis
  • Identify the Evidence
  • Determine how to preserve the evidence
  • Extract, process, and interpret the evidence
  • Ensure that the evidence is acceptable in a court of law
  • Computer evidence is fragile
  • Evidence is easily planted
  • Journaling is critical
  • Must be able to show chain
  • See www.cybercrime.gov
  • Law enforcement works under more restrictive rules
  • More latitude in schools/businesses
  • Follow “Best Practices”
  • You lose control when authorities are brought in
  • Discover child porn? Call police.
what to prosecute
What to Prosecute
  • Decision Factors
    • Amount of Harm Inflicted is decision factor
    • Need to discourage future activity
    • Successful Investigation?
    • Evidence collected correctly
    • Chain preserved
  • Can include electronic data
  • Can include devices
    • Computers
    • CD-ROMs
    • Floppies
    • Cellular Telephones
    • Pagers
    • Digital Cameras
get training
Get Training
  • Multiple levels of expertise
  • Learn basic procedures
  • Gain expertise in technical areas
  • Get certified
  • Get degree
forensics in school systems
Forensics in School Systems
  • Security and Forensics projects don’t generate revenue
    • Or FTEs
  • Hard to get “higher up” to understand need
  • Shoestring budget
  • Money for training
  • Consider forensics/data recovery
end user training
End User Training
  • Users need to be aware
    • School system policies
      • Expectation of privacy
      • Consequences for surfing/storing bad stuff
    • Social Engineering
    • Spyware
    • Laws
    • Requirements to guard information
    • Illegal Activities
a computer forensics technician is a combination of private eye and computer scientist
“A computer Forensics Technician is a combination of private eye and computer scientist.”
know your hardware
Know your hardware
  • Servers
  • Workstations
  • PDAs
  • CD-ROM, CD/DVD, Zip
  • Webcams
  • Modems
  • Key Loggers
  • USB Devices
  • Firewire/Bluetooth
  • Wireless
know your operating system
Know your operating system
  • Windows
    • 9x, 2000, 2003, XP
  • Unix/Linux
  • OS X
  • DOS
know the file system
Know the File System
  • FAT
  • NTFS
  • EXT2/EXT3
auditing and logging in an os
Auditing and Logging in an OS
  • Event viewer
  • Auditing
will this end up in court
Will this End Up in Court
  • Assume your case will!
  • Courts require ample unaltered evidence
  • Evidence must be processed properly
  • Specially trained teams should conduct investigation
types of evidence
Types of Evidence
  • Real Evidence
  • Documentary evidence
  • Testimonial evidence
  • Demonstrative evidence
evidence gathering
Evidence Gathering
  • Photograph scene
  • Record details in notebook
    • PC model and serial
    • Hard-drive model and serial
    • Note conditions around PC
    • Get BIOS date and time
  • Power-off or Shut-down?
  • Remove Hard Drive
    • Image on scene or at lab
evidence gathering29
Evidence Gathering
  • Have secure-erased drives ready
  • Get Suspect Drive Image
    • Attach a write-blocker
    • Get two or more images of the drive
  • Seal original drive
    • Place a copy of the drive back in the PC
  • Original drive should be locked away
preparing an evidence drive
Preparing an Evidence Drive
  • Use USB drive case
preparing an evidence drive31
Preparing an Evidence Drive
  • Use large drives
  • Have several
  • Secure erase all drives
    • Record date, time, and method
  • Store in locked area
  • Software?
    • Winhex (free)
    • www.x-ways.net
lab 1a


Install WinHex

Connect Evidence Drive to Analysis PC

WinHex Pro

Select Physical Media (not Logical Drive)

Edit / Fill Sectors / hex 00

Will take several minutes

(25 min for 40Gb)

image options
Image Options


Image Options

1. Remove HD from Suspect, place as Slave in Analysis PC

IDE or SATA connection

Use Write Blocker, Winhex

2. Remove HD from PC, Attach Write Blocker

Connect to analysis PC, Winhex

3. Boot from CD, Image to USB drive


Certified not to write to suspect drive

sources for write blockers
Sources for Write Blockers
  • www.digitalintelligence.com
  • www.blackbagtech.com
  • www.forensicpc.com
the best approach
The Best Approach
  • Remove Drive, write block, attach to analysis PC
  • Get image
    • Multiple copies
  • Image Type
    • Drive to Drive
    • Drive to Image File (DD)
  • Boot suspect PC with Helix
    • Easiest for laptops
  • Attach USB evidence drive
  • Use AIR or similar tool to image drive
lab 1b image to drive
Lab 1B: Image to Drive

Put WinHex on Analysis PC

Mount HD0 (Drive)

Image to USB Evidence Drive

Boot PC with Helix CD

Open terminal window

Dcfldd if=/dev/hda of=/dev/sda

Speed: 4 min per GB


Boot from Helix CD

(Turn off evidence drive for next step)

lab 1c image to file
Lab 1C: Image to File
  • Use flash key as suspect drive
  • Mount flash key in WinHex
  • Get image (file) and hash
  • Verify hash of image file
what is the hash md5
What is the Hash (MD5)
  • Used to verify that image is accurate
  • MD5 suspect drive or partition
  • MD5 image
  • Should match
  • Record!
  • While booted in Windows
    • Examine Helix
    • Install and use ExifPro
    • Windows Search
    • Show Hidden Files
  • While booted in Helix
    • Find Files
    • Show Images
  • Prodiscover
lab 3a examine image with windows
LAB 3A – Examine Image with Windows
  • MyComputer
  • Search
  • Wrong Extension?
  • Encrypted?
  • Helix Utilities
lab 3b inspect image file
LAB 3B – Inspect Image File
    • Open Image File in WinHex
    • Tools / Disk Tools / File Recover By Type
    • Pick JPG, other?
    • Write results to folder on C:
email outlook express
Email - Outlook Express
  • Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
  • OE Reader (free)
  • Mail stored in .dbx files
lab 4 examine pc with helix
LAB 4 – Examine PC with Helix
  • Examine PC with Helix Windows
    • System Information
      • Drive letter discrepancy?
    • Incident Response
      • Windows Forensics Toolchest
      • Security Reports
      • (others want NetCat)
    • Scan for Images
      • (no path information)
    • Windows Search (for files)
    • Disk Management (for drives, partitions)
lab 5 examine while booted with helix
Lab 5 – Examine while Booted with Helix
  • Look for files
  • Look for images
passwords and encryption
Passwords and Encryption
  • NTPassword
    • http://home.eunet.no/pnordahl/ntpasswd/
  • Password Tools
    • http://www.passwordportal.net/
    • http://www.brothersoft.com/downloads/crack-password.html
    • http://www.elcomsoft.com/index.html
    • http://www.accessdata.com/
lab 6 prodiscover
  • Create Case
    • View Report progress
  • Add Image of C: Partition
    • View Report progress
  • Content View
    • Examine Deleted Files
      • Click check box on interesting file
      • Make comment
    • View Report progress
    • Look in badpics2 folder
      • Gallery view
  • Examine Cluster View
lab 6a prodiscover
  • Content Search
    • Search for pattern
      • Drugs, sex, etc.
    • Click Search Results
      • Note docs and email!
      • Check and interesting file and comment
    • Review Report
    • Search for Files Named…
      • Search for *.jpg
lab 6b prodiscover
  • What about files with wrong ext?
    • Pick Folder on Left Side
    • Tools – Signature Matching
      • Sig file is Headersig.txt
      • Match recursively
      • Highlight and add to report
        • View Report
        • Drill into folder with mismatch – note highlight
  • Export Report
stego keystroke logging
Stego & Keystroke Logging
  • Steganography
  • Keystroke logging
introduction to computer forensics

Introduction to Computer Forensics

Brent Williams

See: http://edtech.kennesaw.edu and


notes for brent
Notes for Brent
  • Prep
    • Have class surf web on laptop to build up temp files
    • DVD
      • Dd file of 4GB image
      • Software is on DVD
    • Install Winhex and Prodiscover
  • Laptop Pairs
    • One suspect, one analysis
  • Actvities
    • Secure Erase USB drive (cancel part way through)
    • MD5 Hash Flash Key
    • Image flash key to File and hash
    • Image Laptop to USB Drive (boot Helix – cancel part way through)
    • Show dd file and get hash
notes for brent54
Notes for Brent
  • Analysis
    • Use Helix on all laptops
    • Use Prodiscover on all laptops
    • Use Steganography tool
    • Use image display tool