Ediscovery and Digital Forensics in Litigation
Presentation by: Marc Yu, Chief Forensic Examiner

You can also follow along at:

Ediscovery is exciting!
• High demand and high growth area - this is a science-based field
→ Even attorneys are giving up their law practices to start a career in electronic discovery

• Many recent changes in government make the ediscovery process more efficient, such as the Electronically Stored Information (ESI) discovery conference:

Data, Data Everywhere!
• 95% of all documents are created and stored digitally, whether as spreadsheets, word-processor documents, email, text messages, photos, and so on

• All civil court documents now must be served by e-mail under the Administrative Policies and Procedures for Electronic Filing in the Civil Divisions of the Alabama Unified Judicial System, as of October 1, 2012 for state courts*

Types of Data
• Two kinds of memory can be captured for analysis and examination:
Persistent memory
→ Includes electromechanical SATA/PATA/IDE hard drives (both internal and external), Secure Digital cards (cameras and phones), USB flash drives, Solid State Drives (no moving parts), internal flash memory (such as that in cell phones)

Volatile memory
→ Stored in live RAM (DIMM and SIMM chips)
– Can extract keys for encrypted data and passwords for files

This includes phones!
• Logical data can be extracted and analyzed by software-only solutions, such as Katana or Oxygen Forensics
• Physical data must be extracted and analyzed by a hardware+software combination, such as Cellebrite or XRY
• All regular cell phones and smartphones are included, such as: Android, iPhones

This even includes GPS devices!
• It can be as simple as connecting the GPS via USB to a computer and copying out some files
→ The extracted data can be loaded into Google Earth to track the routes used and even create animated tracks

• Information about GPS systems:

• Commercial software options: Blackthorn2, Cellebrite

Acquisition
• Hardware: Write blockers for SATA, PATA/IDE, & USB devices
→ Tableau and Wiebetech

• Commercial Software: EnCase, Forensic Tool Kit (FTK), X-Ways / WinHex

• Open Source Software:
→ dd, dcfldd, dd_rescue (Linux command line tools)
→ Guymager imager (in the DEFT & Paladin suites)

Creating a Forensic Image
• A forensic image is a bit-for-bit exact copy of electronically stored information (ESI) from: hard drives, RAM chips, USB flash drives, Secure Digital cards, GPS devices, smartphones, NAND, etc.
→ ESI from some devices, both older and newer, cannot be forensically imaged due to lack of software, hardware, and/or encryption keys

• This forensic image is created on a sterilized piece of media, such as an external hard drive
• A forensic image is validated using hash values (MD5)

• Creating a forensic image in this manner is the most defensible method of collecting ESI
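The acquire-and-validate procedure this slide describes, as an added example that is not part of the presentation: a POSIX shell script that images a constructed sample "device" file with dd (one of the open-source tools named on the Acquisition slide) and then validates the copy by comparing MD5 hashes of source and image, as the slide states. The file names, the random sample data, the sector size and the altered-copy check are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not from the presentation. Images a source with dd and
# validates the image with MD5 hashes (the algorithm the slide names).
# File names and the constructed sample "device" below are assumptions.

# MD5 of a file: GNU md5sum where present, BSD md5 otherwise.
hash_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Constructed "device": 8 sectors (4096 bytes) of random data standing in
# for a drive. Real devices are a whole number of sectors, which is why
# bs=512 below leaves the image exactly the same size as the source.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
}

# Acquisition: bit-for-bit copy with dd. conv=noerror keeps reading past a
# bad sector and conv=sync pads that sector with zeros, so every later byte
# keeps its original offset in the image. bs must equal the sector size.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Validation: hash source and image independently (dcfldd can hash the
# source while imaging). Returns 0 only when the two hashes match; both
# values belong on the chain of custody form kept with the image.
verify_image() {
    src_hash=$(hash_md5 "$1")
    img_hash=$(hash_md5 "$2")
    printf 'source md5: %s\nimage  md5: %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
make_sample_source "$work/evidence.bin"
acquire_image "$work/evidence.bin" "$work/evidence.dd"
if verify_image "$work/evidence.bin" "$work/evidence.dd"; then
    echo "image validated: hashes match"
fi
# A copy with 16 bytes overwritten fails validation, so any later change
# to the image (or the original) is detectable from the recorded hash.
cp "$work/evidence.dd" "$work/altered.dd"
dd if=/dev/zero of="$work/altered.dd" bs=1 seek=100 count=16 conv=notrunc 2>/dev/null
if ! verify_image "$work/evidence.bin" "$work/altered.dd"; then
    echo "altered copy rejected: hashes differ"
fi
rm -rf "$work"
```

Run it as a plain `sh` script; in practice the source is a block device behind a write blocker and the image lands on sterilized media, and the two hash values printed by `verify_image` are what gets recorded on the chain of custody form.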

Chain of Custody Forms
• This is a chronological documentation form that must be kept with the digital evidence or the media containing the forensic image created from the digital evidence
• There are several samples available on the Internet
→ Should always be used if there is any chance the findings from media will be used in a criminal case

Anti-encryption Tools
• Software:
→ Passware & Elcomsoft (COTS dictionary/brute force)
→ Ophcrack (open source rainbow tables)
→ John the Ripper (open source dictionary/brute force)

• Hardware:
→ Password accelerators (TACC1441)
→ Graphics cards (NVIDIA CUDA, OpenCL), Cubix

• Software as a Service: Amazon Elastic Compute Cloud

Automated Forensic Analysis
• Commercial Software: EnCase, Forensic Tool Kit (FTK), X-Ways / WinHex