Module 3
Securing a Digital Incident or Crime Scene
When investigating a digital incident or crime scene, securing
the environment is critical to preserving evidence, maintaining
its integrity, and ensuring proper chain of custody. Below are the
key steps and best practices to follow:
1. Initial Assessment
Identify the Incident: Understand the nature of the digital crime or incident. Is it a
data breach, unauthorized access, malware attack, or insider threat?
Preserve Volatile Data: Certain data (like information in RAM, network traffic, or
running processes) can be lost quickly. Use specialized tools to capture this
information before shutting down systems.
Document the Scene: Take detailed notes, photographs, and screenshots of what
you observe in real-time. Record system states, open programs, and logged-in users.
2. Isolate the Affected Systems
Prevent Further Damage: Disconnect affected systems from the network to
prevent data exfiltration, remote access, or malware spreading. However, avoid
turning off devices unless absolutely necessary, as valuable evidence may be lost.
Secure Physical Access: Ensure that only authorized personnel can access the
crime scene. Lock down rooms, servers, or computers involved in the incident.
3. Maintain Chain of Custody
Document Everything: Every interaction with the digital evidence must be thoroughly
documented, including who accessed the systems, what actions were taken, and when.
Use Tamper-Evident Methods: Seal and tag storage media (e.g., hard drives, USBs) and log their
transfers to maintain the integrity of the evidence.
Custody Logs: Keep a log of who has handled the evidence from the time of discovery to its
presentation in court, ensuring that it has been properly secured and is unaltered.
4. Preserve Evidence
Forensic Imaging: Create exact, bit-for-bit copies (forensic images) of storage devices and do all
analysis on the copies, keeping the original evidence intact.
Use write-blocking devices so that nothing, not even the operating system mounting the drive, can
change the original media.
Verify the integrity of forensic images using cryptographic hashes (e.g., SHA-256; older tools may
also report MD5 or SHA-1): the hash of the image must equal the hash of the source.
Data Types: Preserve all types of evidence, including logs, emails, IP addresses, user credentials,
encrypted files, network traffic, and system configuration data.
Document Metadata: Record timestamps, file permissions, owners, and access details at the time of
collection, so that later questions about tampering or deletion can be answered from the record.
5. Protecting Network Evidence
Network Logs: Capture network logs (e.g., firewall, router, VPN) as soon as possible to
understand traffic patterns and potential external connections during the incident.
Traffic Analysis: Use packet sniffers or intrusion detection systems (IDS) to capture and
analyze live network traffic for suspicious behavior, such as exfiltration attempts or
malware communication.
6. Securing Cloud-Based Evidence
Collaborate with Cloud Providers: Work with cloud service providers to capture logs,
access records, and other cloud-based evidence. Understand that cloud data can be
volatile and may require legal action (e.g., subpoenas) for retrieval.
Audit Logs: Retrieve audit logs from the cloud environment showing user activities,
such as logins, file access, or modifications.
Snapshots and Backups: Secure cloud snapshots and backups as potential sources of
evidence.
7. Ensure Legal Compliance
Privacy Laws: Ensure compliance with local laws and regulations, such as GDPR, HIPAA,
or CCPA, when handling digital evidence containing personal information.
Warrants and Permissions: Obtain proper legal authorization (e.g., search warrants) when
accessing sensitive or personal data. Unauthorized access could lead to evidence being
inadmissible in court.
Third-Party Involvement: If third parties, such as contractors or employees of service
providers, are involved, their actions should also be documented and justified.
8. Collaboration with Law Enforcement and Forensics Experts
Involve Forensic Experts: Digital forensics experts should be called in to handle evidence
properly, analyze systems, and produce reports that will hold up in court.
Coordinate with Law Enforcement: If the incident is a criminal matter, law enforcement
agencies need to be contacted. Ensure smooth coordination by following proper procedures
and maintaining a clear chain of custody.
9. Post-Incident Analysis and Reporting
Post-Incident Documentation: After securing evidence, provide a thorough report that includes:
Timeline of the incident.
Methods used to secure and collect evidence.
Analysis of the compromised systems and suspected causes.
Lessons Learned: Document and communicate the findings to improve the organization's security
posture and reduce the likelihood of future incidents.
Forensic Tools Used: Clearly document the forensic tools (e.g., EnCase, FTK, Wireshark) used
during the investigation to establish the authenticity of the findings.
10. Final Considerations
Avoid Contamination: Be cautious when interacting with digital evidence. Any alterations can
compromise its admissibility in court.
Use Authorized Tools: Only use certified forensic tools that are accepted by courts and industry
standards to collect and analyze data.
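Steps 1 and 2 above call for capturing volatile data and documenting the system state before anything is shut down. The script below is an added example written for this page, not part of the slides or of any named forensic tool: it runs a short list of live-response commands in order of volatility (clock and uptime first, then logged-in users, processes, sockets, ARP cache, routes, mounts), writes each output to its own file, hashes every file the moment it is written, and leaves a manifest that can be re-checked later with sha256sum -c. The command list, output names and directory layout are illustrative assumptions; a command that is not installed on the host is recorded as missing rather than skipped silently.

```shell
#!/bin/sh
# Added example for this page (not from the slides): a minimal live-response collector.
# It captures volatile state in order of volatility, hashes each output as it is written,
# and leaves a manifest for later verification. The command list and file names are
# illustrative assumptions; adjust them for the host being examined.

# collect_volatile OUTDIR: run each collection command, save its output under OUTDIR,
# and append "digest  filename" for every output file to OUTDIR/manifest.sha256.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    # Most volatile first. Each entry is "output-name|command".
    steps='
00_clock|date -u +%Y-%m-%dT%H:%M:%SZ
01_uptime|uptime
02_logged_in_users|who
03_processes|ps -ef
04_sockets|ss -tunap
05_arp_cache|ip neigh
06_routes|ip route
07_mounts|mount
08_system|uname -a'
    printf '%s\n' "$steps" | while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            # Word-splitting $cmd into program and arguments is intended here.
            # Keep going on failure: a command that errors out is still evidence.
            $cmd > "$out/$name.txt" 2>&1 || true
        else
            printf 'tool not available on this host: %s\n' "$tool" > "$out/$name.txt"
        fi
        # Hash immediately, with a relative name, so the manifest works with sha256sum -c.
        ( cd "$out" && sha256sum "$name.txt" ) >> "$out/manifest.sha256"
    done
}

# verify_collection OUTDIR: re-hash every collected file against the manifest.
# Returns 0 if nothing changed since collection, non-zero otherwise.
verify_collection() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}

# Demo run against the current host; output goes to a temporary directory.
DEMO=$(mktemp -d)
collect_volatile "$DEMO/live"
cat "$DEMO/live/manifest.sha256"
verify_collection "$DEMO/live" && echo "collection verified against manifest"
rm -rf "$DEMO"
```

Run it as root on the affected host with a known-good copy of the tools, point OUTDIR at external storage rather than the evidence disk, and copy the manifest lines into the custody log; a later verify_collection on the analysis workstation shows whether any output file was touched in transit. Running the collector itself changes the host (new processes, file reads, updated access times), so note the time it was run and the tool versions, as step 9 asks, instead of pretending the capture was free of side effects.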
Module 3 continuation of computer forensic
Obtaining digital hash
Obtaining a digital hash is an essential step in digital forensics, because it is what lets you prove the
integrity and authenticity of digital evidence. A digital hash is a fixed-length value computed by a
cryptographic hash function over a file, a drive, or any set of data; changing even one bit of the input
produces a completely different value. It therefore serves as a "digital fingerprint": anyone who re-hashes
the data later and gets the same value has shown that the data has not been altered. Here's how to obtain one:
Steps for Obtaining a Digital Hash
1. Select a Hashing Algorithm
The choice of the hashing algorithm is crucial. Common algorithms include:
MD5 (Message Digest Algorithm 5): Produces a 128-bit hash value. It is fast, but collisions (two different
inputs with the same hash) can be produced at will, so it no longer proves that two files are identical
against an adversary who can choose the inputs.
SHA-1 (Secure Hash Algorithm 1): Generates a 160-bit hash. Stronger than MD5, but a practical collision was
demonstrated in 2017 (the SHAttered attack), so it is deprecated for new use.
SHA-256: Part of the SHA-2 family, it generates a 256-bit hash value with no practical attacks known, making
it the recommended choice for forensic purposes.
A collision attack needs the attacker to craft both inputs in advance, so an MD5 or SHA-1 value still shows
that an image matches the drive it was taken from; what it cannot rule out is a substituted file prepared to
share the hash. Record SHA-256 alongside any MD5 or SHA-1 value a legacy tool produces.
2. Prepare the Environment
Ensure that your forensic workstation or tool is ready for hashing. When obtaining a hash from a
physical storage device (like a hard drive), it's critical to attach it through a write-blocker: a
workstation that is allowed to write will mount the drive, update journals and timestamps, and
change the very data you are about to hash.
Isolation: Make sure the evidence is disconnected from networks or external influences to avoid
unintentional modifications.
3. Select the Appropriate Tool
You can use various tools to generate a hash:
Forensic Tools:
FTK Imager: A powerful tool for creating forensic images and generating hashes.
EnCase: A well-known commercial tool used for forensic imaging and analysis.
Autopsy: An open-source digital forensics tool that supports hashing and other analysis
features.
Command-Line Utilities:
Linux/Unix: Use md5sum, sha1sum, or sha256sum to generate the hash of a file or device.
Windows: Use certutil or PowerShell cmdlets such as Get-FileHash.
4. Obtain the Hash
Hashing a File:
Using FTK Imager:
1. Open FTK Imager and load the file or drive to be hashed.
2. Right-click on the file or drive and choose "Create Disk Image."
3. FTK Imager calculates the hash values as the image is written (MD5 and SHA-1 are calculated by default).
4. Document the hash values it reports.
Using Command Line:
Open a terminal and run the command for the algorithm you selected:
For MD5:
md5sum /path/to/file
For SHA-1:
sha1sum /path/to/file
For SHA-256:
sha256sum /path/to/file
Each prints the hex digest followed by the file name.
Hashing a Hard Drive:
Using FTK Imager:
1. Select the entire physical drive or a partition as the source.
2. Choose "Create Image" and specify the destination where the image should be saved.
3. FTK Imager calculates the hash of the whole source and displays the values (MD5, SHA-1, or SHA-256).
Using Command Line:
On Linux, hash the whole block device:
sha256sum /dev/sdX
Replace /dev/sdX with the device identifier of the evidence drive. This reads every sector, so it needs
root, takes as long as reading the full disk, and must be done with the drive behind a write-blocker (or
otherwise set read-only) and never while it is mounted: a mounted or in-use drive keeps changing, so its
hash could not be reproduced later.
5. Document the Hash
Record Hash Values: Make sure to write down the hash values generated by the tool, including the
algorithm used (MD5, SHA-1, or SHA-256).
Additional Information:
File or drive name.
Date and time the hash was created.
Tool or software used to generate the hash.
Operating system and version used in the process.
6. Verify the Hash
Verification: After copying or imaging the file or drive, generate a new hash of the copied data and
compare it to the hash recorded for the original. Re-hash the original as well, so that a change made
during acquisition shows up.
Consistency Check: If the two hash values match, the copy is bit-for-bit identical to the original. If
they differ, something changed or was misread (a write to the original, a tampered image, a read error
during imaging that the tool padded over); stop, record the discrepancy, and re-acquire.
7. Store the Hash Securely
Store the hash values in a secure place, such as a digital evidence log or chain-of-
custody document. This ensures that the integrity of the data can be verified at any
point in the investigation.
8. Using Hashes in Legal and Investigative Contexts
Present the hash as part of the forensic report, demonstrating that the evidence has
remained unchanged since it was collected.
Hash values can also be used to identify duplicate files, to filter known-good or known-bad files by
comparing against published hash sets (such as the NIST NSRL reference set or a malware hash feed),
and to verify file integrity across different systems.
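Section 4 (Preserve Evidence) and steps 2 to 7 of "Obtaining a Digital Hash" describe one procedure: hash the original, image it, hash the image, compare, and write everything into the custody record. The script below is an added example for this page, not code from the slides or from FTK Imager, EnCase or Autopsy; it carries that procedure through with sha256sum and dd on a constructed sample file that stands in for /dev/sdX. The function names, the tab-separated custody-log format and the EXAMINER variable are assumptions made for the example; the SHA-256 digests and the sha256sum -c verification are the real thing.

```shell
#!/bin/sh
# Added example for this page (not from the slides or from any named tool): the
# hash -> image -> hash -> compare -> log workflow, run on a constructed sample file.
# In a real acquisition SRC is the evidence device attached through a write-blocker
# (for example /dev/sdX) and this runs on the forensic workstation.

# sha256_of PATH: print only the hex digest of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# acquire_image SRC IMG: bit-for-bit copy of SRC into IMG. bs=4M is for throughput
# only; without conv=sync the image has exactly SRC's size, so the digests must match.
acquire_image() {
    dd if="$1" of="$2" bs=4M 2>/dev/null
}

# record_custody LOG ITEM DIGEST NOTE: append one chain-of-custody line with the
# fields step 5 asks for: UTC time, item, algorithm, digest, tool/note, OS, examiner.
record_custody() {
    printf '%s\t%s\tSHA-256\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$(uname -sr)" \
        "${EXAMINER:-$(id -un)}" >> "$1"
}

# write_hash_file IMG: store the digest beside the image in sha256sum's own format,
# so anyone can re-check the image later with `sha256sum -c IMG.sha256`.
write_hash_file() {
    sha256sum "$1" > "$1.sha256"
}

# check_hash_file IMG: re-hash IMG against IMG.sha256. Returns 0 only if unchanged.
check_hash_file() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# acquire_and_verify SRC IMG LOG: hash the original, image it, hash the image,
# log both digests, write the sidecar, and compare.
# Returns 0 on a match, 1 on a mismatch, 2 if the copy itself failed.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    pre=$(sha256_of "$src")
    record_custody "$log" "$src" "$pre" "sha256sum of original before imaging"
    acquire_image "$src" "$img" || return 2
    post=$(sha256_of "$img")
    record_custody "$log" "$img" "$post" "sha256sum of image after dd"
    write_hash_file "$img"
    [ "$pre" = "$post" ] || return 1
}

# Demo on a constructed sample; nothing below touches a real device.
WORK=$(mktemp -d)
printf 'constructed sample standing in for the contents of /dev/sdX\n' > "$WORK/evidence.bin"

if acquire_and_verify "$WORK/evidence.bin" "$WORK/evidence.dd" "$WORK/custody.log"; then
    echo "image verified, SHA-256 $(sha256_of "$WORK/evidence.dd")"
fi
check_hash_file "$WORK/evidence.dd" && echo "sidecar check: OK"

# Append one byte to the image: the sidecar check must now fail.
printf 'x' >> "$WORK/evidence.dd"
check_hash_file "$WORK/evidence.dd" || echo "sidecar check: FAILED after tampering"

cat "$WORK/custody.log"
rm -rf "$WORK"
```

Two caveats a practitioner runs into with this workflow. First, hashing a whole drive with sha256sum /dev/sdX reads every sector, so it needs root and takes as long as the imaging itself; do it with the drive behind the write-blocker and never while it is mounted. Second, if the drive has bad sectors and you image it with dd conv=noerror,sync to get past them, the image is padded with zeros where reads failed (and, with a large bs, at the end of the device), so its hash will not equal the source hash by design; in that case record the image's own hash, the tool's error output, and the reason, rather than forcing a comparison that cannot succeed.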
