CYB

ER FORENSIC

S

PR

ES

EN

TE

R:

J AC

O V

EN

TE

R

CYBER FORENSICS - AGENDA• Dealing with electronic evidence –

Non or Cyber Experts• Forensic Imaging / Forensic

Application / Tools• Current Challenges we

experience in the Cyber Sphere

DEALING WITH ELECTRONIC EVIDENCE - ONSITE

Obtain the necessary Authorization in writing / ConsentObtain an high level background of the entire IT infrastructure

from your client • Server/s might be offsite • Local Mail Server (make use of SP) / File Server/ Financial

systems / Backup Solution etc.• Cloud Computing (dropbox, i-cloud etc)• Encryption of data (e.g. local computers)• Printer Audit trail enabled (record all printed document)• Firewall Server• CCTV Footage / Access Control• PABX system• Mobile devices / GPS devices

DEALING WITH ELECTRONIC EVIDENCE - ONSITE

Perform a thorough search at the premises / office for any types of electronic media• Take the necessary pictures / screenshots / notes / floor plan of all media

identified • Obtain the necessary password / pin codes of mobile devices, I-pad’s tablets /

Webmail etc. When desktop computer is on, take pictures of all open applications then pull the

plug!! (If user is present, ask the client to save all open docs before you pull the plug);

For Laptops, perform the same procedure as with desktops then, ask user / IT administrator to shut down the computer and record the shutdown date / time.

For servers call the experts!!!

Secure all evidence in evidence bags / or material available on site• Ensure to record both signatories of the sealed evidence bag of the media

seized including case no, name of computer user and date/time.

Issue a Chain of evidence receipt of all item/s seized / removed from the premises Lockup in safe location for imaging purposes

FORENSIC IMAGING – APPLICATIONS / TOOLSDefinition of a forensic Image

A Forensic Image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and boot record

Each image consist of an unique “electronic fingerprint” called the MD5 Hash value which gets created during the imaging process. This ensure file integrity, also proves no data manipulation took place.

Ensure verification process were completed (hash values must match)

Record hash value onsite and ask someone to witness the hash value

Types of imaging• Physical Imaging – Entire Hard Disk Drive (HDD/ Memstick / Mobile Phone)• Logical Imaging – Partial file and folder imaging (used on Anton Pillar Orders) Emails /

DB’s etc• Live Ram acquisition with Belkasoft Live Ram analysis / Encase

• Discover Running malware/Viruses• Obtaining various password/ Gmail/cloud computing/ decryption keys• Communication via webmail and recent internet Web browsing;

• Live server imaging (especially when PC is encrypted and no password is available) or the server cant’s be switched off .

VARIOUS TYPES OF MEDIA FOR IMAGING

FORENSIC TOOLS / APPLICATIONS

For Forensic Imaging

• Encase Forensics (Physical/ Logical / Live Ram)

• FTK Imager (Physical/ Logical / Live Ram)

• Password Recovery Kit

• Belkasoft

• Netanalysis

MOBILE FORENSIC DEVICES/ TOOLS

Mobile Forensics

• Cellebright

• Paraben

• Blacklight (Apple / MAC)

• Encase

• Mobile Edit Forensics

E-DISCOVERY TOOL – INTELLA

HTTPS://WWW.VOUND-SOFTWARE.COM

CURRENT CHALLENGES IN THE CYBER SPHERELocal PC / Media Encryption / Cell-phone Encryption• Forgot to obtain Password / Pin / Patterns for cell phonesBypassing pin blocked or pattern block mobile phones Possible but limited Use J-Tag Method Use chip-off methodChip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a subject device and then acquiring the raw data using specialized equipment.

Virtual Servers Environment More and more client are using Virtual servers to save hardware cost and backup

solutions Cloud computing / I-pad / Table information Webmail communication

Gmail investigation Yahoo investigation

Anti-Forenscis

CYB

ER FORENSIC

S

PR

ES

EN

TE

R:

J AC

O V

EN

TE

R

Questions

Email Address: Jaco@Shieldtechnology.co.zaContact Details: 0827732542