digital forensics - bsides lisbon 2013
DESCRIPTION
Digital Forensics on today's digital world.TRANSCRIPT
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.
D a v i d M a rq u e sE - m a i l :
D M a r q u e s @ D R C . p t Morada: Rua Alexandre Herculano, Edifício Central Park, 1 - Piso 7, 2795-242 Linda-a-Velha | Coordenadas GPS: 38o 43' 02.17'' N, 09o 14' 16.50'' O Telefone: 707 200 017 | Telefone: (+351) 214 146 810 | Serviço de urgência: (+351) 964 944 112 | Fax: (+351) 214 146 819 |
Digital Forensics on today’s digital
world
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.2Apr 10, 2023
Agenda | Digital Forensics
Tools & Training
Definitions
History
Portuguese Law
Branches & Methodologies
Future?
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 3
“Digital Forensics” (Computer Forensics)
Definition(Wikipédia): Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
Definition Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.
.: 3 :.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 4
“Digital Forensics” (Computer Forensics)
Applications:• Support or refute a hypothesis before
criminal or civil court.• Internal corporate investigations or
intrusion investigation
Definition Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.
.: 4 :.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 5
History“Forensics”
Derived from the Latin forum and the requirement to present both sides of a case before the judges (or jury) appointed by the praetor.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 6
History• 1248 – A Chinese treatise describes features
allowing to destinguish between drowning and strangulation drawing on medical knowledge
• 1609 – F. Demelle (France) publishes a treatise on systematic document examination
• 1686 – M. Malpighi (Italy) noted fingerprint characteristics
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 7
History
• 1810 – First documented case of document analysis based on ink dyes.
• 1813 – M. Orfile (Spain) publishes a toxicology guide
• 1823 – J. Purkinje (Poland) publishes first systematic classification of fingerprints
• 1835 – H. Goddard (UK) uses bullet comparison to identify a murder weapon based on irregularities in a bullet mould
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 8
History• 1870 – Albert Bertillon– First technician at La Surete Nacionale (Paris)– Recorded criminals by photographs and body
measurements– Took photographs of victims, measured footprints,
stains and tool marks– Said that “no two human bodies were exactly
alike”
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.9
History• 1910 – Edmond Locard–Founded first Forensic Crime
Laboratory in Lyon–Locard’s Exchange Principle: “Every
contact between individuals & objects results in a transfer of material between them”
Apr 10, 2023 9Apr 10, 2023 9
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.10
History• 1970s – First cases of crimes envolving computer
systems.• On the first documented cases using magnetic
media and computers as evidence, they attempted to transfer the “document” analogy to the digital representations.
• The US FBI Laboratory started a formal programme to examine computer based evidence (CART – Computer Analysis and Response Team)
Apr 10, 2023 10Apr 10, 2023 10
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 11
History• 1989 – “Aids Diskette Case”– 20.000 diskettes (supposed to contain medical
research) contained a trojan used for blackmail, where shipped to medical clinics in 30 countries
– Evidence was collected, and shipped to New Scotland Yard (using Interpol HQ (Lyon))
– Jim Bates, a programmer was asked to write a imaging tool (DIBS – Data Image Backup System)
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 12
Portuguese Law• n Types of Law– Civil Law– Criminal Law– Commercial Law– Copyright– Intellectual Property Right
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 13
Portuguese Law• n Types of Law– Civil Law: Each one of the parties can present
evidence– Criminal Law: State has to investigate and present
the evidence (Ministério Público)
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 14
Portuguese Law• Courts– Tribunal de Primeira Instância
(1 for each 7 county)– Tribunal de Segunda Instância
(Tribunal da Relação) (4 in Portugal?)– Tribunal de Terceira Instância
(Supremo Tribunal – 1)
Apr 10, 2023 14Apr 10, 2023 14
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.15
Portuguese Law
• Jurisprudence: Previous decisions of courts on certain interpretations of laws.
Apr 10, 2023 15Apr 10, 2023 15
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.16
Legal
MindsetLegal (Circumstances)
vs Technical (0 or 1)
Apr 10, 2023 16Apr 10, 2023 16
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.17
LegalJudge
• It will not decide if IP is good or not to prove an identity
• It will not decide if a port scan can leak information
• He will decide if any law has been violated• He will decide if someone is responsible for the
action he’s accused
Apr 10, 2023 17Apr 10, 2023 17
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.18
Branches (Areas)- Computer- Mobile- Network- Software- Video- Audio- Etc.
Apr 10, 2023 18Apr 10, 2023 18
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 19
Perspectives
What is your perspective of Digital Forensics?
Depends on which side you are!
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.20
Legal and General
Apr 10, 2023 20Apr 10, 2023 20
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 21
Technical
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 22
Digital Forensics
Apr 10, 2023 22Apr 10, 2023 22
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 23
Why?
Apr 10, 2023 23David Marques 2012 | Todos os direitos reservados.
.: 23 :.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 24
Why?
Apr 10, 2023 24David Marques 2012 | Todos os direitos reservados.
.: 24 :.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 25Apr 10, 2023
Why?
25
Exponential growth in security incidents and cybercrime.
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 26
©David Marques 2012. Todos os direitos reservados.
• Digital evidence can be unique and determinant for the resolution of a dispute.
• Unique use of digital evidence without compromising the integrity of it.
Why?
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 27Apr 10, 2023 27
David Marques 2012 | Todos os direitos reservados.
Digital Evidence
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 28
Digital Evidence
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 29
Digital Evidence
1 2
4 3
Physical Logical
Logs Backups
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 30
Digital Evidence
Hashing
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 31
Digital Evidence
Hashing
Text: A1MD5: 96a3be3cf272e017046d1b2674a52bd3SHA-1: ddfe163345d338193ac2bdc183f8e9dcff904b43
Text: A2MD5: a2ef406e2c2351e0b9e80029c909242dSHA-1: bcac9d1d8eab3713ae489224d0130c9468e7a0e3
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 32Apr 10, 2023 32
David Marques 2012 | Todos os direitos reservados.
MethodologyPre-Analisys
Evidence Collection
Investigation
Reports / Court
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 33
©David Marques 2012. Todos os direitos reservados.
Open Source• Helix• DEFT• Sleuth Kit• Autopsy• Tons of others…
Tools
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 34
©David Marques 2012. Todos os direitos reservados.
Closed Source• Encase• FTK• X-Ways• Paraben’s• Some others…
Tools
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 35
©David Marques 2012. Todos os direitos reservados.
Closed Source (Mobile)
• XRY• Cellebrite UFED• Oxygen Forensics• Some others…
Tools
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 36
©David Marques 2012. Todos os direitos reservados.
Open Source vs Closed Source
• Cost • Command Line vs GUI• Support quality and model• Training plans• Documentation (Manuals, etc…)• Source code is available• Acceptance in courts
Tools
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 37
©David Marques 2012. Todos os direitos reservados.
Product Specific vs General
Training
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 38
©David Marques 2012. Todos os direitos reservados.
Product Specific • Encase• FTK
• Paraben• Cellebrite• Other…
Training
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 39
©David Marques 2012. Todos os direitos reservados.
General• SANS (FOR408; FOR508;
FOR526; FOR610)• EC Council (CHFI; CIH)
• (ISC)2 (CCFP – Certified Cyber Forensics Professional)
Training
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 40
©David Marques 2012. Todos os direitos reservados.
• Cloud Storage• Legal• SSD
• Encryption• Anti-Forensics
• Standards and Procedures• Accreditation
Future
Data Recovery Center Com
pany | All Rights Reserved. Corporate Presentation 2012
David Marques 2012 | Todos os direitos reservados.Apr 10, 2023 41
Q & A
Thanks!
David [email protected]
www.drc.pt
David Marques 2012 | Todos os direitos reservados.