Scribd Logo
Upload

Welcome to Scribd!

  • Chapter 9 New

    Uploaded by

    Mr. Omesh Wadhwani
    53 views16 pages
    The document discusses various techniques for analyzing digital evidence, including capturing memory and hard drive images using forensic imaging tools. It also describes analyzing RAM and hard drives using tools like Volatility and WinHex, investigating file systems and artifacts using Autopsy, and tracing emails. The role of the forensic analyst is to acquire evidence, perform analysis following standard procedures, and prepare a report of their examination and conclusions.

    Original Description:

    Original Title

    Chapter_9_new

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses various techniques for analyzing digital evidence, including capturing memory and hard drive images using forensic imaging tools. It also describes analyzing RAM and hard drives using tools like Volatility and WinHex, investigating file systems and artifacts using Autopsy, and tracing emails. The role of the forensic analyst is to acquire evidence, perform analysis following standard procedures, and prepare a report of their examination and conclusions.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    53 views16 pages

    Chapter 9 New

    Uploaded by

    Mr. Omesh Wadhwani
    The document discusses various techniques for analyzing digital evidence, including capturing memory and hard drive images using forensic imaging tools. It also describes analyzing RAM and hard drives using tools like Volatility and WinHex, investigating file systems and artifacts using Autopsy, and tracing emails. The role of the forensic analyst is to acquire evidence, perform analysis following standard procedures, and prepare a report of their examination and conclusions.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 16

    Cyber Forensics

    Dejey| Murugan

    © Oxford University Press 2018. All rights reserved.


    Chapter 9
    Analysis of Digital Evidence

    © Oxford University Press 2018. All rights reserved.


    Outline
    • Introduction to Analysis of Digital Evidence
    • Capturing of Forensic Copy of Memory and Hard
    Drive with Toolkit Forensic Imager
    • RAM Analysis with Volatility
    • Analysing Hard Drive with WinHex
    • Working with Autopsy
    • Email Tracking and Tracing
    • Role of Forensic Analyst in Analysis

    © Oxford University Press 2018. All rights reserved.


    Introduction to Analysis of Digital
    Evidence
    • Analysis of Digital Evidence: Identifying, preserving,
    interpreting, and documenting the evidence
    recovered for presentation in a civil or criminal court.

    © Oxford University Press 2018. All rights reserved.


    Capturing of Forensic Copy of Memory
    and Hard Drive with Toolkit Forensic
    Imager
    • Capturing Main Memory using FTK Imager
    • Capturing Hard Drive
    • Acquiring memory dump
    • Acquiring memdump.mem in D:
    • Acquiring pagefile.sys in D:
    • Acquiring memory in D:
    • Image Summary
    • Acquiring forensic copy of hard drive in E:
    • Image summary shown by FTK Imager as directory listing

    © Oxford University Press 2018. All rights reserved.


    RAM Analysis with Volatility
    • imageinfo
    • pslist
    • pstree
    • malfind
    • malfind plugin
    • cmdscan
    • netscan

    © Oxford University Press 2018. All rights reserved.


    Analysing Hard Drive with
    WinHex
    Acquiring Forensic Copy of Drive
    • Open disk from Tools menu
    • Selecting drive to obtain forensic copy
    • Choosing Create Disk Image from File menu
    • Specifying file format of forensic copy and
    destination
    Computing Hash
    • Selecting Compute Hash
    • Computing hash value for the drive

    © Oxford University Press 2018. All rights reserved.


    Analysing Hard Drive with
    WinHex (Cont…)
    Analysing Hard Disk
    • Selecting Open Disk
    • Choosing drive to be analysed
    Analysing Slack Space and Free Space
    • Selecting the Slack Space location
    • Selecting the Gather Free Space
    File Carving
    • Selecting the Tools menu
    • Choosing Disk Tools and then File Recovery by Type
    from the pop-up menu.
    • Files types that can be carved will be listed.
    © Oxford University Press 2018. All rights reserved.
    Working with Autopsy
    • Adding a data source (image, local disk, logical files)
    • Creating a case
    • Adding a data source
    • Ingest modules
    • Analysis basics
    • Ingest inbox
    • Timeline (beta)
    • Reporting

    © Oxford University Press 2018. All rights reserved.


    Working with Autopsy (Cont…)
    Example Use Cases
    • Web artifacts
    • Known bad hash files
    • Media – images and videos
    Analysis of Deleted Files with Autopsy
    • Creating new case
    • Entering new case information
    • Entering additional information
    • Selecting type of data source to add
    © Oxford University Press 2018. All rights reserved.
    Working with Autopsy (Cont…)
    • Selecting data source
    • Configuring ingest modules
    • Adding data source
    • Display of logical disk in table
    • Status of add data source
    • Listing of deleted files

    © Oxford University Press 2018. All rights reserved.


    Email Tracking and Tracing
    Email Tracking
    • Adding Mail Tracker to Gmail account
    • Composing email for recipient
    • Tracking Status
    • Sent email status
    • Number of times mail read
    Email Tracing
    • Selecting Show Original to acquire email header

    © Oxford University Press 2018. All rights reserved.


    Email Tracking and Tracing
    (Cont…)
    • Email Tracking with emailTracker Pro
    • Clicking the Trace Headers option.
    • The radio button Trace an Email I have Received is chosen.
    • The email header is copy–pasted.
    • Then the Trace button is clicked. The result of Trace
    Header is shown.
    • If the radio button Look Up Network Responsible for an
    Email Address is chosen, an email address is given and the
    resultant network addresses are displayed.

    © Oxford University Press 2018. All rights reserved.


    Email Tracking and Tracing
    (Cont…)
    • Email Tracing with Online EMailTracer
    • Email header of the recipient is copied and pasted.
    • Clicking the Start Tracing button.

    © Oxford University Press 2018. All rights reserved.


    Role of Forensic Analyst in
    Analysis
    Format of requisition sent to forensic lab for analysis

    © Oxford University Press 2018. All rights reserved.


    Role of Forensic Analyst in
    Analysis (Cont…)
    Role of Forensic Analyst
    • Acquire a forensic copy of the suspected storage media.
    • Compute hash.
    • Perform live forensics.
    • Examine slack space/free space.
    • Check for deleted files.
    • Look for artifacts.
    • Trace email.
    • Prepare the report of the forensic examination.
    • Represents opinions.
    • Draws a conclusion of the case.
    © Oxford University Press 2018. All rights reserved.

    You might also like