Digital Forensics on today s digital world

Transcription

1 Digital Forensics on today s digital world D a v i d M a r q u e s E - m a i l : D M a r q u e D R C. p t Morada: Rua Alexandre Herculano, Edifício Central Park, 1 - Piso 7, Linda-a-Velha Coordenadas GPS: 38o 43' 02.17'' N, 09o 14' 16.50'' O Telefone: Telefone: (+351) Serviço de urgência: (+351) Fax: (+351)

2 Agenda Digital Forensics Definitions History Portuguese Law Branches & Methodologies Tools & Training Future? 6-Apr-16 2

3 Definition Digital Forensics (Computer Forensics) Definition(Wikipédia): Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data..: 3 :. 6-Apr-16 3

4 Definition Digital Forensics (Computer Forensics) Applications: Support or refute a hypothesis before criminal or civil court. Internal corporate investigations or intrusion investigation.: 4 :. 6-Apr-16 4

5 History Forensics Derived from the Latin forum and the requirement to present both sides of a case before the judges (or jury) appointed by the praetor. 6-Apr-16 5

6 History 1248 A Chinese treatise describes features allowing to destinguish between drowning and strangulation drawing on medical knowledge 1609 F. Demelle (France) publishes a treatise on systematic document examination 1686 M. Malpighi (Italy) noted fingerprint characteristics 6-Apr-16 6

7 History 1810 First documented case of document analysis based on ink dyes M. Orfile (Spain) publishes a toxicology guide 1823 J. Purkinje (Poland) publishes first systematic classification of fingerprints 1835 H. Goddard (UK) uses bullet comparison to identify a murder weapon based on irregularities in a bullet mould 6-Apr-16 7

8 History 1870 Albert Bertillon First technician at La Surete Nacionale (Paris) Recorded criminals by photographs and body measurements Took photographs of victims, measured footprints, stains and tool marks Said that no two human bodies were exactly alike 6-Apr-16 8

9 History 1910 Edmond Locard Founded first Forensic Crime Laboratory in Lyon Locard s Exchange Principle: Every contact between individuals & objects results in a transfer of material between them 6-Apr

10 History 1970s First cases of crimes envolving computer systems. On the first documented cases using magnetic media and computers as evidence, they attempted to transfer the document analogy to the digital representations. The US FBI Laboratory started a formal programme to examine computer based evidence (CART Computer Analysis and Response Team) 6-Apr-16 10

11 History 1989 Aids Diskette Case diskettes (supposed to contain medical research) contained a trojan used for blackmail, where shipped to medical clinics in 30 countries Evidence was collected, and shipped to New Scotland Yard (using Interpol HQ (Lyon)) Jim Bates, a programmer was asked to write a imaging tool (DIBS Data Image Backup System) 6-Apr-16 11

12 n Types of Law Portuguese Law Civil Law Criminal Law Commercial Law Copyright Intellectual Property Right 6-Apr-16 12

13 n Types of Law Portuguese Law Civil Law: Each one of the parties can present evidence Criminal Law: State has to investigate and present the evidence (Ministério Público) 6-Apr-16 13

14 Portuguese Law 6-Apr-16 14

15 Portuguese Law Jurisprudence: Previous decisions of courts on certain interpretations of laws. 6-Apr-16 15

16 Legal Mindset Legal (Circumstances) vs Technical (0 or 1) 6-Apr-16 16

17 Legal Judge It will not decide if IP is good or not to prove an identity It will not decide if a port scan can leak information He will decide if any law has been violated He will decide if someone is responsible for the action he s accused 6-Apr-16 17

18 - Computer - Mobile - Network - Software - Video - Audio - Etc. Branches (Areas) 6-Apr-16 18

19 Perspectives What is your perspective of Digital Forensics? Depends on which side you are! 6-Apr-16 19

20 Legal and General 6-Apr-16 20

21 Technical 6-Apr-16 21

22 Digital Forensics 6-Apr-16 22

23 Why?.: 23 :. 6-Apr-16 23

24 Why?.: 24 :. 6-Apr-16 24

25 Why? Exponential growth in security incidents and cybercrime. 6-Apr-16 25

26 Why? Digital evidence can be unique and determinant for the resolution of a dispute. Unique use of digital evidence without compromising the integrity of it. 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

27 Digital Evidence 6-Apr-16 27

28 Digital Evidence 6-Apr-16 28

29 Digital Evidence Physical Logical Logs Backups 6-Apr-16 29

30 Digital Evidence Hashing 6-Apr-16 30

31 Digital Evidence Hashing Text: A1 MD5: 96a3be3cf272e017046d1b2674a52bd3 SHA-1: ddfe163345d338193ac2bdc183f8e9dcff904b43 Text: A2 MD5: a2ef406e2c2351e0b9e80029c909242d SHA-1: bcac9d1d8eab3713ae489224d0130c9468e7a0e3 6-Apr-16 31

32 Methodology 6-Apr-16 32

33 Tools Open Source Helix DEFT Sleuth Kit Autopsy Tons of others 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

34 Tools Closed Source Encase FTK X-Ways Paraben s Some others 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

35 Tools Closed Source (Mobile) XRY Cellebrite UFED Oxygen Forensics Some others 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

36 Tools Open Source vs Closed Source Cost Command Line vs GUI Support quality and model Training plans Documentation (Manuals, etc ) Source code is available Acceptance in courts 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

37 Training Product Specific vs General 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

38 Training Product Specific Encase FTK Paraben Cellebrite Other 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

39 Training General SANS (FOR408; FOR508; FOR526; FOR610) EC Council (CHFI; CIH) (ISC) 2 (CCFP Certified Cyber Forensics Professional) 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

40 Future Cloud Storage Legal SSD Encryption Anti-Forensics Standards and Procedures Accreditation 6-Apr David Marques Todos David os Marques direitos 2012 reservados. Todos os direitos reservados.

41 Q & A Thanks! David Marques dmarques@drc.pt 6-Apr-16 41