Forensics Analysis
Forensic Investigations, Discovery, and Analysis 
International Consultants & Investigations offers
Computer Forensics For Investigations supporting
Law Firms, Corporations, Government
Preservation and analysis of electronic
evidence using methods acceptable in courts of law
FORENSIC: Relating to the application of scientific
knowledge to legal problems
SCIENTIFIC METHOD: Principles & procedures for the
systematic pursuit of knowledge involving recognition
& formulation of a problem, collection of data
through observation and experiment, and
formulation & testing of hypotheses
PRESERVATION
Documentation
Chain-of-custody
Acquisition
Goal: Preserve w/o impact
Reality: Understand impact
Write-block when possible
ADVANCED PRESERVATION
Live systems
Networks
The “Cloud”
What about data security?
DATA SECURITY
TrueCrypt
File, device, and boot volume encryption
Lots of flexibility, extremely powerful
Open source
ANALYSIS
Data carving
Internet history
Removable storage activity
Document metadata
Evidence spoliation
Malware identification
SAMPLE TOOLS
EnCase / EnCase Enterprise
Forensic Toolkit (FTK)
ProDiscover IR
X-Ways Forensics
SANS SIFT
Cellebrite
SPY SOFTWARE
Spy software detection
Browse “Program Files”
Antivirus?
Configuration Review
Known Hash Values
Software Remnants (Post-Uninstall!)
Log entry carving
Remote access software used for spying?
Windows Remote Desktop, LogMeIn, VNC,
GoToMyPC, Screen Sharing, Back to My Mac
LOG ME IN REMNANTS
Remnants of spy and remote access software can
be exported from live files and carved from
unallocated space.
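As an added worked example (not code from the presenter or any of the tools listed above), the following Python script shows the three steps the ANALYSIS and SPY SOFTWARE slides describe: hashing the acquired image for the chain-of-custody record, signature carving a file out of unallocated space, checking the carved artifact against a known-hash set, and carving timestamped log entries from raw bytes. The image, the embedded JPEG, the log line and the hash set are all constructed inline for the example; a real case would use an acquired image and a maintained hash set of known remote-access or spy-software binaries.

```python
import hashlib
import re

# Constructed stand-in for a raw image of unallocated space (not a real
# evidence image): zero fill, an embedded JPEG, filler, and a log fragment.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
SAMPLE_LOG = b"2023-01-15 10:42:07 remote session established\r\n"
SAMPLE_IMAGE = b"\x00" * 64 + SAMPLE_JPEG + b"\xab" * 32 + SAMPLE_LOG + b"\x00" * 50

# File signatures as (header, footer); a production carver carries many more.
SIGNATURES = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9")}

# Known-hash set, constructed for the example so that the carved JPEG matches.
# In practice this comes from a maintained hash set of known software.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_JPEG).hexdigest(): "constructed-sample.jpg"}

# Log entries: ISO-style timestamp followed by printable ASCII text.
LOG_PATTERN = re.compile(rb"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [ -~]{1,200}")


def image_sha256(image: bytes) -> str:
    """Hash of the acquired image, recorded in the chain-of-custody log and
    re-checked before and after every analysis pass to prove no impact."""
    return hashlib.sha256(image).hexdigest()


def carve(image: bytes, header: bytes, footer: bytes, max_len: int = 16 * 1024 * 1024):
    """Return (offset, bytes) for every header..footer span in the image.
    A span longer than max_len is treated as a false-positive header."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        end += len(footer)
        if end - start <= max_len:
            found.append((start, image[start:end]))
            pos = end
        else:
            pos = start + len(header)  # skip the false-positive header only
    return found


def match_known(data: bytes):
    """Compare a carved artifact against the known-hash set."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, KNOWN_HASHES.get(digest)


def carve_log_entries(image: bytes):
    """Return (offset, text) for each timestamped log line found anywhere in
    the image, including slack space and unallocated clusters."""
    return [(m.start(), m.group().decode("ascii")) for m in LOG_PATTERN.finditer(image)]


def analyze(image: bytes) -> dict:
    """Run the full pass and return a report dict suitable for a case file."""
    report = {"image_sha256": image_sha256(image), "files": [],
              "log_entries": carve_log_entries(image)}
    for kind, (header, footer) in SIGNATURES.items():
        for offset, data in carve(image, header, footer):
            digest, known_as = match_known(data)
            report["files"].append({"type": kind, "offset": offset, "size": len(data),
                                    "sha256": digest, "known_as": known_as})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_IMAGE), indent=2))
```

Run against a real image, `analyze()` would read the acquisition file in chunks rather than holding it in memory; the offsets it reports are what an examiner cites when showing that an artifact was recovered from unallocated space rather than from a live file.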
GPS
Many GPS devices have readily accessible
storage which can be forensically preserved
Others may require vendor assistance
Live data can be plotted on Google Earth
Deleted data can be plotted as well once it’s
identified and extracted properly
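As an added example (not code from the presenter or from Google Earth), the following Python script shows how recovered GPS records become something that can be plotted: it validates NMEA GPRMC sentences by their checksum, drops records that report no fix or that were corrupted during deletion and recovery, converts the ddmm.mmmm coordinate format to decimal degrees, and writes a KML document that Google Earth opens directly. The sentences are constructed for the example (the first is a widely published GPRMC sample; the rest are built by the script itself, one of them deliberately corrupted).

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"


def with_checksum(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"


# Constructed sample records (not from a real device): one published GPRMC
# example, two built here, a corrupted copy whose checksum no longer matches,
# and a line of junk such as carving from unallocated space often yields.
SAMPLE_RECORDS = [
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    with_checksum("GPRMC,123619,A,4807.500,N,01131.400,E,010.0,090.0,230394,003.1,W"),
    with_checksum("GPRMC,123719,V,4808.000,N,01131.800,E,000.0,000.0,230394,003.1,W"),  # V = no fix
    "$GPRMC,123519,A,4807.039,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",  # corrupted digit
    "not an nmea sentence",
]


@dataclass
class Fix:
    utc: str
    date: str
    lat: float
    lon: float


def _to_decimal(value: str, hemisphere: str) -> float:
    # NMEA encodes degrees and minutes as ddmm.mmmm (lat) / dddmm.mmmm (lon).
    degrees_len = 2 if hemisphere in "NS" else 3
    degrees = int(value[:degrees_len])
    minutes = float(value[degrees_len:])
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in "SW" else decimal


RMC = re.compile(r"^\$(GPRMC,[^*]*)\*([0-9A-Fa-f]{2})$")


def parse_rmc(line: str):
    """Return a Fix for a valid GPRMC sentence, or None if it is malformed,
    fails its checksum, or reports no valid fix (status field 'V')."""
    m = RMC.match(line.strip())
    if not m:
        return None
    body, given = m.group(1), m.group(2).upper()
    if nmea_checksum(body) != given:
        return None
    f = body.split(",")
    if len(f) < 10 or f[2] != "A":
        return None
    return Fix(utc=f[1], date=f[9], lat=_to_decimal(f[3], f[4]), lon=_to_decimal(f[5], f[6]))


def recover_track(records):
    """Keep only records that survive validation, in the order found."""
    return [fx for fx in (parse_rmc(r) for r in records) if fx is not None]


def fixes_to_kml(fixes, name="Recovered track") -> str:
    """Build a KML document with one Placemark per fix plus a connecting path."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = name
    for fx in fixes:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{fx.date} {fx.utc}"
        pt = ET.SubElement(pm, "Point")
        # KML coordinate order is lon,lat,alt
        ET.SubElement(pt, "coordinates").text = f"{fx.lon:.6f},{fx.lat:.6f},0"
    path = ET.SubElement(doc, "Placemark")
    ET.SubElement(path, "name").text = "path"
    ls = ET.SubElement(path, "LineString")
    ET.SubElement(ls, "coordinates").text = " ".join(f"{fx.lon:.6f},{fx.lat:.6f},0" for fx in fixes)
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(fixes_to_kml(recover_track(SAMPLE_RECORDS)))
```

The checksum check is what makes this safe to use on deleted data: a record recovered from a partially overwritten sector can look like a sentence yet carry wrong digits, and a point plotted from it would misrepresent where the device was.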