Security of Information Systems – Lecture 7: Digital Forensics and Incident Response, Evidence

Hello students, welcome to lecture 7 of Security of Information Systems. Today's topic is digital forensics and incident response. Let's start: digital forensics and incident response. Okay, so the outline is: incident response, digital forensics, finding evidence, and the demos. Let's see the demos, okay. Who does this? Digital forensics is often part of an incident responder's job, DFIR. So what is DFIR? Let's check it out. Okay, as you can see, it is digital forensics and incident response. DFIR, digital forensics and incident response, is an important... Yes, sorry about the pause, so I will read it again: digital forensics and incident response is an important part of business and law enforcement operations. Let's continue. So who does this? Law enforcement and CERTs, government, industry-specific and company-specific CIRTs (let's check the CIRTs, okay), and system admins, consultants and others; this may change according to the country, of course. So, incident response: incident management, incident response policy, and incident response team. So there is a policy and there is a team whenever an incident happens. So, incident response policy: responsibilities. Who makes the decisions? Asset priority: which systems can be taken offline? Which systems can absolutely not be taken offline? Outside experts and agencies: who you gonna call? At what point is law enforcement involved? Okay, these are all the questions that come to your mind when an IT-related incident happens. Okay, incident response policy: as an employee, if I discover an incident, what do I do? The policy must include information on...
Okay, so the policy must include information about the chain of escalation. So whom you report to, and who and how that person reports further up; that will basically be the chain of escalation. How to prevent further damage: this is also really important, what to do when you discover the incident. How to preserve evidence until the response team can take over: this is also a very important issue. Many names and definitions; the same principles apply to all of them. Yes, so these are the names and definitions of the response team. Let's open them to see. Okay, CERT is maybe the most common one, as you can see, Computer Emergency Response Team, and such; permanent, virtual and hybrid teams. Let's see them. So these are the response teams, probably.

Red team, blue team: derived from military war games, a simulated attack using security specialists; the incident response team defends the system from the attack. Incident response procedures: detect, respond and recover. So basically you have to detect it first, give an appropriate response, and then recover from the damage. So it is like this. Hygiene: I detect hygiene issues and operator activity that does not follow best practices (inventory, telemetry, detection and reach). Malicious or adversarial: I detect intrusions at multiple points along the kill chain (traits, behaviors, hunt). During incident response: I operate at the same tempo as the adversary to protect my business assets (tracking and acting). Okay. So these are the incident response procedures. Before the attack happens you have to take your countermeasures; that is the important thing. So you have to have some kind of detection system to detect the incidents and attacks. To do that, know your assets; if you don't know your assets, you cannot defend them. Triage: weed out false positives. This is important; there can always be false positives. Categorize events: type of incident, source, growth and damage potential. So you have to categorize the events and take actions according to the category of the event. Collect data, mitigate damage and isolate systems: this is the response, and the earlier part is detection. Continuing with response: analyze and track the adversary. So the adversary is your attacker. What is the root cause of the incident?
Who, how, when, why, and is law enforcement necessary at that point? When you are getting attacked, and after you respond to the attack, it is time to recover: fix the problem. Let's say you have an exploit in your system which lets attackers modify your database without permission. You have to patch it; okay, patch the exploit. Then improve your incident response based on what happened so far and how you responded to it. And disclosure is the close of the incident, or... disclosure is probably the explanation or publication of the incident or something? I don't know what it means in this context. So let's continue with digital forensics. So this was all related to incident response. Maybe we can find another source to get a better idea; I'll also read from here as well. Having multiple sources is useful.

Which I think is a better source; the author is a chief customer architect. I am reading this article: Incident response steps: six steps for responding to security incidents. When a security incident occurs, every second matters. Malware infections rapidly spread, ransomware can cause catastrophic damage, and compromised accounts can be used for privilege escalation, leading attackers to more sensitive assets. Whatever the size of your organization, you should have a trained incident response team tasked with taking immediate action when incidents happen. Read on to learn a six-step process that can help your incident responders take action faster and more effectively when the alarm goes off. Okay, so in this article we are going to learn about this. Let's see each of them. What is incident response? Incident response (IR) is a structured methodology for handling security incidents, breaches, and cyber threats. A well-defined incident response plan (IRP) allows you to effectively identify, minimize the damage, and reduce the cost of a cyber attack while finding and fixing the cause to prevent future attacks. So it's a structured methodology; this is important. During a cyber security incident, security teams face many unknowns in a frenzy of activity. In such a hectic environment, they may fail to follow proper incident response procedures to effectively limit the damage. This is important, because a security incident can be a high-pressure situation, and your IR team must immediately focus on the critical tasks at hand. Clear thinking and swiftly taking pre-planned incident response steps during a security incident can prevent many unnecessary business impacts and reputational damage. Okay, this is the important part; let's read that part again: clear thinking and swiftly taking pre-planned incident response steps during a security incident can prevent many unnecessary business impacts and reputational damage. You can help your team perform a complete, rapid and effective response to a cyber
security incident by having a comprehensive incident response plan in place. In addition, completing an incident response plan checklist and developing and deploying an IR policy can help before you have fully developed your IR plan. Why should you immediately report a cyber security incident? When a cyber security incident is confirmed by security analysts, it is important to inform relevant parties as soon as possible. Privacy laws such as GDPR and California's CCPA require public notification, and in some cases personal notification to data subjects, in the event of a data breach. Depending on the severity of the breach, legal, press and executive management should be involved; in many cases other departments such as customer service, finance or IT need to take immediate action. Your incident response plan should clearly state, depending on the type and severity of the breach, who should be informed. The plan should include full contact details and how to communicate with each relevant party, to save time in the aftermath of an attack. Okay, of course this depends on the location where you live. In other words, in many countries there are, let's say, cyber security related enforcement agencies, so letting them know, or informing them in time, could be useful for you and prevent further attacks. What are the six steps of incident response? The first priority when implementing incident response cybersecurity is to prepare in advance

by putting a concrete IR plan in place. Your incident response methodology should be battle-tested before a significant attack or data breach occurs. It should address the following response phases as defined by the NIST Computer Security Incident Handling Guide, SP 800-61. Important, let's read this part again: your incident response methodology should be battle-tested before a significant attack or data breach occurs. Battle-tested, that's it. That is why there are white-hat hackers who try to find the exploits in the systems and let the companies know, to fix them before a real attack happens. Preparation: planning in advance how to handle and prevent security incidents. As you just saw, these are the six steps of incident response. Detection and analysis: encompasses everything from monitoring potential attack vectors to looking for signs of an incident, to prioritization. Containment, eradication and recovery: developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery. Post-incident activity: reviewing lessons learned and having a plan for evidence retention. So this is preparation; detection and analysis; containment, eradication and recovery. You see, this is a loop, and therefore whenever a detection happens you do containment and eradication, then continue to recovery again, and then post-incident activity, which lets us improve our preparation for the next possible attack. So this figure is from NIST: recommended phases for responding to a cyber security incident. I think they have also given a link to NIST; yes, so this is the NIST one, which is the Computer Security Incident Handling Guide by the US Department of Commerce, as you can see. I think, yes, computer security, okay, this is 2012 based; yes, Department of Commerce. Okay, it would probably be useful for you to read this, but I can't read it at the moment. Okay, building on the outlined NIST phases, here are specific incident response steps to take once a
critical security event has been detected. So these are the steps that we have to take when the incident is detected. Assemble your team: this is step 1. It's critical to have the right people with the right skills, along with associated tribal knowledge. Appoint a team leader who will have overall responsibility for responding to the incident. This person should have a direct line of communication with management so that important decisions, such as taking key systems offline if necessary, can be made quickly. In smaller organizations, or where a threat isn't severe, your SOC team or managed security consultants may be sufficient to handle an incident, but for more serious incidents you should include other relevant areas of the company, such as corporate communications and human resources. If you have built a security incident response team (CSIRT), now is the time to activate your team, bringing in the entire range of pre-designated technical and non-technical specialists. If a breach could result in litigation or requires public notification and remediation, you should notify your legal department immediately. Okay, so step 2: detect and ascertain the source. The IR team you've assembled should first work to identify the cause of the breach and then ensure that it's contained. Security teams will become aware that an incident is occurring or has occurred from a very wide variety of indicators, including... so these are the

indicators: users, system administrators, network administrators, security staff and others from within your organization reporting signs of a security incident; SIEMs or other security products generating alerts based on analysis of log data; file integrity checking software using hashing algorithms to detect when important files have been altered; anti-malware programs; logs, including audit-related data, which should be systematically reviewed to look at anomalous and suspicious activity with users, external storage, real-time memory, network devices, operating systems, cloud services, applications. Okay, step 3: contain and recover. A security incident is analogous to a forest fire. Once you've detected an incident and its source, you need to contain the damage. This may involve disabling network access for computers known to be infected by viruses or other malware so they can be quarantined, and installing security patches to resolve malware issues or network vulnerabilities. You may also need to reset passwords for users with accounts that were breached, or block accounts of insiders that may have caused the incident. Additionally, your team should back up all affected systems to preserve their current state for later forensics. You are used to it; that is a key point, reset passwords for users. I think there are already many cases for this. Let's say... okay, I think there is a news item here about eBay, written in 2014: eBay makes users change their passwords after hack. So you can find many news items related to hacking and password resets. Online marketplace eBay is forcing users to change their passwords after a cyber attack compromised its systems. The US firm said a database had been hacked between late February and early March and had contained encrypted passwords and other non-financial data. The company added that it had no evidence of there being unauthorized activity on its members' accounts; however, it said that changing the passwords was best practice and would help enhance security for eBay
users. The California-based company has 128 million active users and accounted for 212 billion dollars (126 billion pounds) worth of commerce on its various marketplaces and other services in 2013. It said it would be contacting users to alert them of the issue via email, its website, adverts and social media. A spokesman added that the firm's engineers were in the process of rolling out a feature that would oblige members to choose new passwords when they next logged in, which should be live in each of the countries eBay operated in by the end of the day. This is the usual practice that is followed by websites: when you log in, they will force you to change your password if they believe that your password has been exposed. Okay? All right, and this is also important: you should take a backup for later forensics. Next, move to any needed service restoration, which includes two critical steps: perform system and network validation and testing to certify all systems as operational; recertify any component that was compromised as both operational and secure. Ensure your long-term containment strategy includes not only returning all systems to production to allow for standard business operation, but also locking down or purging user accounts and back doors that enabled the intrusion. So, step 4: assess the damage and severity.

Until the smoke clears, it can be difficult to grasp the severity of an incident and the extent of damage it has caused. For example, did it result from an external attack on servers that could shut down critical business components such as an e-commerce or reservation system? Or, for example, did a web application layer intrusion perform a SQL injection attack to execute malicious SQL statements on a web application's database, or potentially use a web server as a pathway to steal data from or control critical systems? If critical systems are involved, escalate the incident and activate your CSIRT or response team immediately. In general, look at the cause of the incident; in cases where there was a successful external attacker or malicious insider, consider the event as more severe and respond accordingly. At the right time, review the pros and cons of launching a full-fledged cyber attribution investigation. Step 5: begin the notification process. A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual. Privacy laws such as GDPR and California's CCPA require public notification in the event of such a data breach. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data. See the blog post on how to create a breach notification letter in advance of a security incident. Step 6: start now to prevent the same type of incident in the future. Once a security incident has been stabilized, examine lessons learned to prevent recurrences of similar incidents. This might include patching server vulnerabilities, training employees on how to avoid phishing scams, or rolling out technologies to better monitor insider threats. Fixing security flaws or vulnerabilities found during your post-incident activities is a given. Also review lessons learned from the incident and implement
appropriate changes to your security policies, with training for staff and employees. For example, if the attack resulted from an unwitting employee opening an Excel file as an email attachment, implement a company-wide policy and training on how to recognize and respond to a phishing email. Lastly, update your security incident response plan to reflect all of these preventative measures. Every organization will have different incident response steps based on their unique IT environment and business needs. Study industry guides such as those published by NIST to ensure your IR planning includes all the necessary incident response steps to protect your organization when a cyber security incident occurs. Conclusion: an incident response methodology enables organizations to define response countermeasures in advance. There is a wide range of approaches to IR; the majority of security professionals agree with the six incident response steps recommended by NIST, including preparation, detection and analysis, containment, eradication, recovery and post-incident audits. When it comes to preparation, many organizations leverage a combination of assessment checklists, detailed incident response plans, summarized and actionable incident response playbooks, as well as policies that can automate some of the processes. While well-planned, an incident response methodology should remain flexible, allowing for continuous improvement. Okay, so what did we learn? We have learned what incident response is, and why you should immediately report a cyber security incident.
What are the six steps of incident response: preparation, detection and analysis, containment, eradication and recovery, post-incident activity. And the steps that we are going to take: assembling our team when we detect that an incident has occurred, ascertaining the source of the incident, containing and recovering from the incident, assessing the damage and severity, beginning the notification process, and after that, starting now to prevent the same type of incident in the future. So these are the steps, and if you want to learn more, I think there are some resources

here. Okay, so we have seen incident management and incident response, and now it's time for digital forensics. All right, so digital forensics in court: the Dennis Lynn Rader, BTK Killer, case; metadata in a Word file led to his arrest after 30 years. Okay, let's get some information related to this case here. Dennis Lynn Rader (born March 9, 1945) is an American serial killer known as BTK, an abbreviation he gave himself for "bind, torture, kill", or the BTK Strangler. Between 1974 and 1991, Rader killed 10 people in Wichita and Park City, Kansas, and sent taunting letters to police and newspapers describing the details of his crimes. After a decade-long hiatus, Rader resumed sending letters in 2004, leading to his 2005 arrest and subsequent guilty plea. He is serving ten consecutive life sentences at El Dorado Correctional Facility in Prospect Township, Butler County, Kansas. Okay, so maybe we can find the information we want here; I think it's here. Let's read it from here. In January 2005, Rader attempted to leave a cereal box in the bed of a pickup truck at a Home Depot in Wichita, but the box was discarded by the truck's owner. It was later retrieved from the trash after Rader asked what had become of it in a later message. Surveillance tape of the parking lot from that date revealed a distant figure driving a black Jeep Cherokee leaving the box in the pickup. In February 2005, more postcards were sent to KAKE, and another cereal box left at a rural location was found to contain another bound doll, all apparently meant to symbolize the murder of 11-year-old Josephine Otero. In his letters to police, Rader asked if his writings, if put on a floppy disk, could be traced or not. The police answered his question in a newspaper ad posted in the Wichita Eagle, saying it would be safe to use the disk. On February 16, 2005, Rader sent a purple 1.44-megabyte Memorex floppy disk to Fox TV affiliate KSAS-TV in Wichita. Also enclosed were a letter, a gold-colored necklace with a large medallion,
and a photocopy of the cover of Rules of Prey, a 1989 novel about a serial killer. Police found metadata embedded in a deleted Microsoft Word document that was, unknown to Rader, still stored on the floppy disk. The metadata contained the words "Christ Lutheran Church", and the document was marked as last modified by "Dennis". An internet search determined that a Dennis Rader was president of the church council. When investigators drove by Rader's house, a black Jeep Cherokee, the type of vehicle seen in the Home Depot surveillance footage, was parked outside. This was strong circumstantial evidence against Rader, but they needed more direct evidence to detain him. Police obtained a warrant to test a pap smear taken from Rader's daughter at the Kansas State University medical clinic. DNA tests showed a familial match between the pap smear and the sample from Wegerle's fingernails. This indicated that the killer was closely related to Rader's daughter and, combined with the other evidence, was enough for police to arrest Rader. Okay, you can see how metadata, how digital forensics, led to the arrest of a serial killer who killed 10 people. Okay.

We'll see: Grenier Lusha, search of laptop led to discovery of bomb-making equipment. These are all cases; for example, we can also get an idea of this from Wikipedia, I think. Okay, anyway. Suicide of wife ruled murder after incriminating Google searches discovered four years later. Well, this is an interesting case. Yes, perhaps. Okay, let's see. Matt Baker has always claimed that his wife committed suicide, just as he told the 911 operator a little after midnight on April 8, 2006. (This looks like it is from a book.) On April 7, 2006, Kari Baker, an elementary school teacher, was found dead in her bathroom in the family's bedroom in Hewitt, near Waco, Texas, in what her husband Matt told authorities was a suicide. At the time of her death, Baker, a 38-year-old pastor and father of two young daughters, had been having an affair with the music minister's daughter. The book explores Baker's double life, examines the physical evidence against him, and includes 80 interviews with police, attorneys from both sides, family, friends, church and community members. Baker was convicted of murder and in January 2010 was given a 65-year sentence for killing his wife and covering up her murder. The author interviewed Baker in state prison after his conviction and sentencing. Upon the book's release, Casey appeared on Fox San Antonio's Daytime at 9:00 show, telling the host Matt Baker almost got away with killing his wife. Baker had left a typed, unsigned suicide note, and police originally believed it had been written by the wife, who was thought to have died from an overdose of sleeping pills. The death was ruled a suicide and an autopsy was not ordered by the justice of the peace. The case remained a suicide until local authorities reopened the investigation after the victim's family hired an attorney and private investigators. Then police began piecing together the clues; using the evidence gathered, a Texas Ranger encouraged police to file charges against Baker. The case
might never have gone to trial if Baker's mistress hadn't told a McLennan County grand jury that Baker had confessed to her that he'd staged the suicide and murdered his wife. Baker was indicted for murder in March 2009.

Okay, I couldn't find the information related to this one. Okay, let's look at this case; maybe this is the one. Definitely one... not the first case. Oh, here. On the morning of October 13, 1996, Lopatka informed her husband she was going to Georgia to meet acquaintances. She also left him a note that she would not be returning home, and requested him not to track down Glass. The note also read that "if my body is never retrieved, don't worry, know that I'm at peace". That morning Lopatka drove her blue Honda Civic to Baltimore's Pennsylvania Station, a 45-minute drive, and had arrived on an Amtrak train at Charlotte, North Carolina, by 8:45 p.m. Glass drove with Lopatka in his pickup truck to his rural Lenoir, North Carolina, mobile home, 80 miles from Charlotte. Lopatka's husband Victor found the note his wife left for him and notified the police, who found six weeks of email conversations between Lopatka and Glass. In her email correspondence with Glass, Lopatka had explicitly asked Glass to torture her to death. Glass, interviewed later during his imprisonment, admitted to fulfilling Lopatka's torture fantasy, but also said that the death was an accident; as he recalled, "I don't know how much I pulled the rope. I never wanted to kill her, but she ended up dead." This was supported by the autopsy performed by Dr. John Butts, the chief state medical examiner of North Carolina, who stated that Lopatka was accidentally strangled to death three days after her arrival in North Carolina. However, the police disagreed; their search warrant affidavits described the death as murder and said that the emails proved it. North Carolina police staked out Glass's home for several days but did not see Lopatka. On October 25, 1996, Judge Beverly T. Beal issued a search warrant on the home, and inside the house investigators discovered items belonging to Lopatka. In addition, they also found drug and bondage equipment, child pornography magazines, a .357 Magnum pistol and several computer
discs, as well as trash and toys outside the trailer. A police officer then noticed a mound of soil 75 feet away from the home, before finding some body parts buried two and a half feet below. Glass was arrested at work following this discovery, charged with first-degree murder, and held without bond in the Caldwell County Jail. Glass was also hit with additional state and federal charges for the possession of child pornography. County investigator D. A. Brown said that Lopatka's body might never have been found had it been buried in the woods behind Glass's house. Okay, you see the emails have been very important in this case. The Lopatka case was reportedly the first where a murder suspect was put in custody by the police department mainly due to evidence from emails. You see, from emails he was put into custody. And let's see the other paragraph: a majority of the media coverage of Lopatka's killing mainly put their focus on the dangerous consequences of internet meetings. Okay, so you get the idea. So all these terms are the same: digital forensics, computer forensics, network forensics, electronic data discovery, cyber forensics, forensic computing. Okay, all of these may mean the same thing. However, there is a big difference in the handling of the evidence between law enforcement and corporate incidents; so law enforcement and corporate incidents are handled differently. Okay. What is digital evidence?

Any digital data that contains reliable information that supports or refutes a hypothesis about an incident. Forensic investigation process: identification, preservation, collection, examination, analysis and presentation. So at the crime scene: document the crime scene; document who has access to the crime scene; document any contamination; photograph everything, especially the screen; locate the media; follow cables. All digital devices may contain digital evidence. If the computer is running, dump the RAM, because there may be very useful information in the RAM at that moment which will be lost when the computer is powered off. Okay. So, basic scientific principles: best evidence, minimal intrusion, minimal force, minimal interruption, transparency, chain of custody, primary submission, impartiality, and documentation. So the evidence location may be network analysis, media analysis, software analysis and hardware analysis. So when dealing with evidence: return or seize; original, clone, image, targeted copy, extensive copy. Admissible evidence: how was it gathered? Who was it treated by? How was it treated? Who handled it? How reliable is it? Is the chain of custody complete? So okay, let's continue. Evidence categories: conclusive evidence, that is fact-based evidence, "this is it"; secondary evidence, "this is how it looks"; direct evidence, "this is what I saw"; corroborative evidence, "okay, that happened because of this"; circumstantial evidence, "that could have happened because of this"; opinion evidence, "I am an expert, this is what happened"; hearsay evidence, "I heard this about that". Digital evidence is considered hearsay unless an expert vouches for it. Okay?
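The "original, clone, image" and chain-of-custody points above, as an added Python example that is not part of the lecture or its slides: it makes a bit-for-bit image of a constructed in-memory "drive", records MD5/SHA-1/SHA-256 digests in a custody log at acquisition, and re-verifies the image later, so that a single altered byte shows up as a failed verification with the examiner and time recorded. The file names, the examiner labels and the log layout are illustrative assumptions; a real acquisition reads the device behind a hardware write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive; a real source would be a block device
# (e.g. /dev/sdb) read through a hardware write blocker. 4096 deterministic bytes.
SAMPLE_DRIVE = bytes(range(256)) * 16
# MD5 and SHA-1 are what most tools still record; SHA-256 is added because the
# older two are collision-prone and a court may ask for a stronger digest.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digests of an in-memory buffer, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Streaming digests of a file, so multi-gigabyte images never sit in RAM."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _log(log, examiner, action, item, hashes, ok=True):
    """Append one chain-of-custody entry: who did what, to which exhibit, when."""
    log.append({"when": datetime.now(timezone.utc).isoformat(), "who": examiner,
                "action": action, "item": item, "hashes": hashes, "ok": ok})


def acquire(source_path, image_path, examiner, log):
    """Bit-for-bit copy of the source (sector level, no filesystem interpretation),
    then hash both sides; an image that does not match the source is not evidence."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    src_hashes, img_hashes = hash_file(source_path), hash_file(image_path)
    if src_hashes != img_hashes:
        raise RuntimeError("image does not match source; acquisition failed")
    _log(log, examiner, "acquired", os.path.basename(image_path), img_hashes)
    return img_hashes


def verify(image_path, examiner, log):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    recorded = next(e["hashes"] for e in log if e["action"] == "acquired")
    current = hash_file(image_path)
    ok = current == recorded
    _log(log, examiner, "verified", os.path.basename(image_path), current, ok)
    return ok


def custody_demo():
    """Acquire, verify, flip one byte in the working copy, verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.raw")   # assumed name
    image = os.path.join(workdir, "suspect_drive.dd")     # assumed name
    log = []
    with open(source, "wb") as f:
        f.write(SAMPLE_DRIVE)
    acquire(source, image, "examiner-1", log)
    before = verify(image, "examiner-1", log)
    # Simulate the image being mounted read-write by mistake: one byte changes.
    with open(image, "r+b") as f:
        f.seek(512)
        original = f.read(1)
        f.seek(512)
        f.write(bytes([original[0] ^ 0x01]))
    after = verify(image, "examiner-2", log)
    return {"verify_before": before, "verify_after_tamper": after,
            "log_entries": len(log), "log": log}


if __name__ == "__main__":
    result = custody_demo()
    for entry in result["log"]:
        print(entry["when"], entry["who"], entry["action"], entry["item"],
              "OK" if entry["ok"] else "HASH MISMATCH", entry["hashes"]["sha256"][:16])
```

The verification step deliberately compares all three digests at once: agreement on MD5 alone would not satisfy the "how reliable is it?" question from the slide, because MD5 collisions are practical, while the custody log answers "who handled it?" for every touch of the exhibit.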
So maybe we can find a better article about this; you see, there are a lot of resources. Okay, let's read from Wikipedia, which is generally very useful. The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting. Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings. Personnel: the stages of the digital forensics process require different specialist training and knowledge. There are two rough levels of personnel. Digital forensic technician: technicians gather or process evidence at crime scenes. These technicians are trained on the correct handling of technology, for example how to preserve the evidence. Technicians may be required to carry out live analysis of evidence; various tools to simplify this procedure have been produced, most notably Microsoft COFEE.

Digital evidence examiners: examiners specialize in one area of digital evidence, either at a broad level (i.e. computer or network forensics, etc.) or as a sub-specialist (i.e. image analysis). Process models: there have been many attempts to develop a process model, but so far none have been universally accepted. Part of the reason for this may be due to the fact that many of the process models were designed for a specific environment, such as law enforcement, and they therefore could not be readily applied in other environments such as incident response. This is a list of the main models since 2001 in chronological order; you may read this if you want. Let's continue. So seizure is really important. Seizure: prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material; in criminal matters, law related to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate their own equipment without a warrant, so long as the privacy and rights of employees are preserved. Acquisition: once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device. The duplication process is referred to as imaging or acquisition. The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering. The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again to ensure that the evidence is still in its original state. The process of verifying the image with a hash function is called hashing. Given
the problems associated with imaging large drives multiple Network computers file servers that cannot be shut down and Cloud resources new techniques have been developed that combined digital forensic acquisition and e-discovery process assesses analysis after acquisition, the contents of the HDD image files are analyzed to identify evidence that either supports or contradicts a hypothesis or for signs of tampering to hide data 6 in 2002, the international Journal of digital evidence referred to this stage as an in-depth systematic search of evidence related to the suspected crime 7 by contrast Brian carrier in 2006 describes a more intuitive procedure in which obvious evidence is first identified after Which exhaustive searches are conducted to start filling in the holes ate during the analysis and investigator usually recovers evidence material using a number of different methodologies and tools often beginning with recovery of deleted material examiners use specialist Tools in case ILO Okay IX F TK Etc to Aid with viewing and recovering data the type of data recovered varies depending on the investigation but examples include email chat logs images Yet history or documents The data can be recovered from accessible disk space deleted unallocated space or from within operating system cache files three various types of techniques are used to recover evidence usually involving some form of keyword searching within the acquired image file either to identify matches to relevant phrases or to filter out known file types certain files such as graphic images have a specific set of bytes which identify the start and end of a file if identified a Heated file can be reconstructed three many forensic tools use hash signatures to identify notable files or to exclude known benign files acquired data is hashed and compared to pre compiled lists such as the reference data set RDS from the national software reference library five on most media types including standard magnetic 
hard disks once data has been securely deleted it can never be recovered nine ten Once evidence is recovered The information is analyzed to reconstruct events or actions and to reach conclusions work that can often be performed by less specialized staff 7 digital investigators particularly

in criminal investigations have to ensure that conclusions are based upon data and their own expert knowledge 3 in the US, for example, Federal Rules of Evidence state that a qualified expert May testify in the form of an opinion or otherwise so long as one the Mone is based upon sufficient facts or data to the testimony is the product of reliable principles and methods and three the witness has applied the principles and methods reliably to the facts of the case 11 reporting when an investigation is completed the information is often reported in a form suitable for non-technical individuals reports may also include audit information and other meta documentation 3 when completed reports are usually passed to those commissioning the investigation such as law enforcement for criminal cases or the employing company in civil cases who will then decide whether to use the evidence in court generally for a criminal court the report package will consist of a written expert conclusion of the Evidence as well as the evidence itself often presented on digital media three Okay, that digital evidence is used in love in the court It has to be say that according to the law So it is extremely easy to compose a fake digital evidence or generate Borgia digital evidence therefore the seizures acquisition processes are the most important parts of digital forensics to use in court in criminal cases Okay Okay, so we have seen these and let’s continue with finding evidence finding evidence many ways to hide many ways to find show hidden files setting the hidden flock on the file difference for Windows and Linux Unix systems in coefficients folder names Okay, locating hidden files The hidden flag is ignored by default Of course for any software can be set to show the drive as flat Drive ignoring folder hierarchy changing file extensions when opening the file the system returns an error message or I guess score up to bat Of course This is not the case for digital investigation discovering 
changed file extension somewhere some forensic science, very point out files with mismatched Extent extensions file signatures tells us what kind of oil it is also called Magic numbers For example for signatures a hexadecimal code in the file also called file headers headers and Footers example, for example, this is the hexadecimal code of PDF This is MPG MP3 This is GPA This is EMP This is exact Colombian and such Obscuring file names is also a way of hiding fires hiding files by giving them in conspicious Filenames that me that’s it By the way, I hiding files by giving them inconspicuous file names Okay, for example, we will freeze – State GPA becomes for the vacation 001 to pick Okay file names are not an issue hash functions to look for more files So page sums recognize normally set fires list of H times recognized Woods known good fires We can create our own least For example, if I were working in love enforcement, I would generate H list of common Windows files and I would ignore all of them automatically for let’s say let’s open our windows folders Okay, he is I would generate Hedgehog every files here because these are files that will be used by every computer Therefore I don’t need to check them So having hash of these files would speed my process significantly At every case at every investigation so steganography So what is the standard of broccoli?
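The three checks the lecture walks through above (hashing an acquired image and re-verifying it, skipping known-good files by hash, and catching files whose extension does not match their magic number) as one added Python example; this is not lecture code, and the evidence files, the "drive image" and the known-good list are all constructed in a temporary directory:

```python
import hashlib
import os
import tempfile

# File signatures ("magic numbers") from the public format specifications. Only the
# leading bytes are compared; a real tool also checks footers and variable-offset
# signatures (Office documents are ZIP containers, for instance).
SIGNATURES = {
    "pdf": (b"%PDF",),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "mp3": (b"ID3", b"\xff\xfb"),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
ALIASES = {"jpeg": "jpg"}


def hash_file(path, algorithms=("sha1", "md5"), chunk=1 << 20):
    """Hash in chunks so a forensic image larger than RAM can still be verified."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original, duplicate):
    """Acquisition check: the forensic duplicate must hash identically to the original."""
    return hash_file(original) == hash_file(duplicate)


def identify_by_signature(head):
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None


def extension_mismatch(path):
    """True when the extension implies a known signature that the content does not carry."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    if ext not in SIGNATURES:
        return False  # no expectation for .txt, .dd, ... (unknown is not a mismatch)
    with open(path, "rb") as fh:
        return identify_by_signature(fh.read(16)) != ext


def triage(directory, known_good_sha1):
    """Walk an acquired tree, skip NSRL-style known-good files, flag renamed files."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            if hash_file(path, ("sha1",))["sha1"] in known_good_sha1:
                continue  # known benign: not worth an examiner's time
            if extension_mismatch(path):
                with open(path, "rb") as fh:
                    real = identify_by_signature(fh.read(16))
                findings.append((name, f"extension mismatch: content looks like {real}"))
    return findings


def build_constructed_case(directory):
    """Constructed sample evidence (not real data). Returns the known-good SHA-1 set."""
    samples = {
        "kernel32.dll": b"MZ" + b"\x90" * 64,                 # pretend OS file -> known good
        "report.pdf": b"%PDF-1.4\n%%EOF\n",                   # honest PDF
        "vacation001.jpg": b"MZ\x90\x00\x03" + b"\x00" * 32,  # executable renamed to .jpg
        "notes.txt": b"meeting at 10",                        # no signature expected
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return {hash_file(os.path.join(directory, "kernel32.dll"), ("sha1",))["sha1"]}


def demo():
    """Run the whole workflow on the constructed case and return the results."""
    with tempfile.TemporaryDirectory() as d:
        known_good = build_constructed_case(d)
        # Constructed "drive image" and its forensic duplicate: identical bytes.
        img, dup = os.path.join(d, "drive.dd"), os.path.join(d, "drive-copy.dd")
        for p in (img, dup):
            with open(p, "wb") as fh:
                fh.write(b"\x00" * 4096 + b"sector data")
        duplicate_ok = verify_duplicate(img, dup)
        with open(dup, "ab") as fh:  # a single appended byte must break re-verification
            fh.write(b"!")
        return {
            "findings": triage(d, known_good),
            "duplicate_ok": duplicate_ok,
            "after_tamper_ok": verify_duplicate(img, dup),
        }


if __name__ == "__main__":
    print(demo())
```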

Steganography (ste-ga-NO-gra-phy) is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganos, meaning "covered or concealed", and graphia, meaning "writing" [1]. Whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned both with concealing the fact that a secret message is being sent and its contents. Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program, or protocol. Media files are ideal for steganographic transmission because of their large size. For example, a sender might start with an innocuous image file and adjust the color of every hundredth pixel to correspond to a letter in the alphabet. The change is so subtle that someone who is not specifically looking for it is unlikely to notice the change. Okay. Techniques: digital messages. Okay. So in this image, this cat is extracted how? Okay, so actually this image contains this cat image by this method: image of a tree with a steganographically hidden image; the hidden image is revealed by removing all but the two least significant bits of each color component and a subsequent normalization. The hidden image is shown below. Otherwise, how can you know that it is there?
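The two operations described above, hiding data in the least significant bit of each colour component and the examiner's trick of keeping only the two low bits and normalising them, as an added Python example (not from the lecture). The "image" is a constructed flat list of 8-bit components so the block runs without an imaging library:

```python
import random


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover, payload):
    """Replace the LSB of successive components with a 2-byte length then the payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    stego = list(cover)
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract_lsb(stego):
    """Read the length prefix, then that many bytes, from the LSBs."""
    bits = [v & 1 for v in stego]

    def take(n_bytes, start):
        out = bytearray()
        for b in range(n_bytes):
            val = 0
            for i in range(8):
                val = (val << 1) | bits[start + b * 8 + i]
            out.append(val)
        return bytes(out)

    length = int.from_bytes(take(2, 0), "big")
    return take(length, 16)


def reveal_low_bits(pixels, keep=2):
    """Examiner's view: keep only the `keep` low bits of each component and
    stretch them to the full 0..255 range (the 'normalization' the lecture shows)."""
    mask = (1 << keep) - 1
    return [(v & mask) * 255 // mask for v in pixels]


def max_component_change(cover, stego):
    """How far any colour component moved: LSB replacement changes it by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def constructed_cover(n=600, seed=7):
    """Constructed noisy 'image' of n 8-bit components (R,G,B,R,G,B,...)."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(n)]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed_lsb(cover, b"meet at dawn")
    print(extract_lsb(stego), max_component_change(cover, stego))
    print(reveal_low_bits(stego)[:12])
```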
Okay, so let's see the digital messages, which we are interested in. Digital messages: modern steganography entered the world in 1985 with the advent of personal computers being applied to classical steganography problems [7]. Development following that was very slow, but has since taken off, going by the large number of steganography software available:

- Concealing messages within the lowest bits of noisy images or sound files. A survey and evaluation of relevant literature and techniques on the topic of digital image steganography can be found here [8].
- Concealing data within encrypted data or within random data. The message to conceal is encrypted, then used to overwrite part of a much larger block of encrypted data or a block of random data (an unbreakable cipher like the one-time pad generates ciphertexts that look perfectly random without the private key).
- Chaffing and winnowing.

So many ways; let's read all of them.

- Mimic functions convert one file to have the statistical profile of another. This can thwart statistical methods that help brute-force attacks identify the right solution in a ciphertext-only attack.
- Concealed messages in tampered executable files, exploiting redundancy in the targeted instruction set.
- Pictures embedded in video material (optionally played at slower or faster speed).
- Injecting imperceptible delays to packets sent over the network from the keyboard. Delays in key presses in some applications (telnet or remote desktop software) can mean a delay in packets, and the delays in the packets can be used to encode data.
- Changing the order of elements in a set.
- Content-aware steganography hides information in the semantics a human user assigns to a datagram. These systems offer security against a non-human adversary or warden.
- Blog-steganography. Messages are fractionalized and the encrypted pieces are added as comments of orphaned web logs (or pin boards on social network platforms). In this case the selection of blogs is the symmetric key that sender and recipient are using; the carrier of the hidden message is the whole blogosphere.
- Modifying the echo of a sound file (echo steganography).

- Steganography for audio signals [10].
- Image bit-plane complexity segmentation steganography.
- Including data in ignored sections of a file, such as after the logical end of the carrier file [11].
- Adaptive steganography: skin tone based steganography using a secret embedding angle [12].
- Embedding within the control flow diagram of a program subjected to control flow analysis [13].

Digital text:

- Making text the same color as the background in word processor documents, emails, and forum posts.
- Using Unicode characters that look like the standard ASCII character set (the homograph spoofing attack). On most systems, there is no visual difference from ordinary text. Some systems may display the fonts differently, and the extra information would then be easily spotted, of course.
- Using hidden (control) characters, and redundant use of markup (e.g. empty bold, underline or italics) to embed information within HTML, which is visible by examining the document source. HTML pages can contain code for extra blank spaces and tabs at the end of lines, and colors, fonts and sizes which are not visible when displayed.
- Using non-printing Unicode characters Zero-Width Joiner (ZWJ) and Zero-Width Non-Joiner (ZWNJ) [14][15]. These characters are used for joining and disjoining letters in Arabic and Persian, but can be used in Roman alphabets for hiding information, because they have no meaning in Roman alphabets: because they are zero-width, they are not displayed. ZWJ and ZWNJ can represent "1" and "0". This may also be done with en space, figure space and whitespace characters [16].
- Embedding a secret message in the pattern of deliberate errors and marked corrections in a word processing document.

Sorry about the pause. Okay, so hiding an image within a sound file: an image or a text can be converted into a sound file, which is then analyzed with a spectrogram to reveal the image. Various artists have used this method to conceal hidden pictures in their songs, such as Aphex Twin in "Windowlicker" or Nine Inch Nails in their album Year Zero [19].

Social steganography: in communities with social or government taboos or censorship, people use cultural steganography, hiding messages in idiom, pop culture references, and other messages they share publicly and assume are monitored. This relies on social context to make the underlying messages visible only to certain readers [20][21]. Examples include hiding a message in the title and context of a shared video or image; misspelling names or words that are popular in the media in a given week, to suggest an alternate meaning; hiding a picture which can be traced by using Paint or any other drawing tool.

Okay, there are also some other ways. Anyway, now we know the standard steganography. Hiding a file inside another file: hiding nuclear_launch_codes.txt inside adorable_cat.jpg. Not very common. Steganography example: okay, so the ZeusVM botnet malware used image files to hide configuration files. This is the key point of steganography. Discovering steganography: hard to determine unless you are looking for it. Steganography software on the suspect's computer is a strong indicator. File type signatures to the rescue. Encrypted files: this is where the problems start for the investigator.
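The ZWJ/ZWNJ trick from the digital-text list above, from the examiner's side: an added Python example (not lecture code) that locates zero-width characters in a text, decodes them with the lecture's convention (ZWJ = 1, ZWNJ = 0), and strips them. The cover sentence and the hidden payload are constructed here for the demonstration:

```python
ZWJ, ZWNJ = "\u200d", "\u200c"  # lecture convention: ZWJ carries a 1, ZWNJ a 0

# Other zero-width code points worth flagging even though this scheme does not use them.
ZERO_WIDTH = {
    ZWJ: "ZWJ",
    ZWNJ: "ZWNJ",
    "\u200b": "ZWSP",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZWNBSP/BOM",
}


def find_zero_width(text):
    """Positions and names of every zero-width character in the text."""
    return [(i, ZERO_WIDTH[c]) for i, c in enumerate(text) if c in ZERO_WIDTH]


def decode_zwj_zwnj(text):
    """Read ZWJ/ZWNJ as bits in order; whole bytes only, any trailing bits are dropped."""
    bits = [1 if c == ZWJ else 0 for c in text if c in (ZWJ, ZWNJ)]
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def strip_zero_width(text):
    """The text as the reader actually saw it."""
    return "".join(c for c in text if c not in ZERO_WIDTH)


def looks_suspicious(text):
    """Heuristic: ZWJ/ZWNJ are legitimate in Arabic or Persian script; in text with
    no such letters their presence is a strong indicator of hidden data."""
    has_arabic = any("\u0600" <= c <= "\u06ff" for c in text)
    return bool(find_zero_width(text)) and not has_arabic


def hide_bits(cover, payload):
    """Constructed sample generator: one hidden bit after each visible character."""
    bits = iter((byte >> i) & 1 for byte in payload for i in range(7, -1, -1))
    out = []
    for ch in cover:
        out.append(ch)
        bit = next(bits, None)
        if bit is not None:
            out.append(ZWJ if bit else ZWNJ)
    if next(bits, None) is not None:
        raise ValueError("cover text too short for payload")
    return "".join(out)


def constructed_sample():
    return hide_bits("See you next week", b"OK")  # 17 visible characters, 16 hidden bits


if __name__ == "__main__":
    s = constructed_sample()
    print(repr(strip_zero_width(s)), find_zero_width(s)[:3], decode_zwj_zwnj(s))
```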

Strong encryption algorithms are almost impossible to break. "Sorry, I've forgotten my 50-character-long password." Yes, it is impossible to decrypt properly encrypted files. For example, let's say you have determined salted passwords for your SHA-256 "encryption"; actually, that one is one-way; however, you know, there are two-way encryptions as well. It is impossible to decrypt properly encrypted files. For example, WinRAR has an encryption feature. Let me show you: "Add to archive", and there is "Set password". If I put a password something like this and encrypt it and archive it, no, nothing in the world can decrypt this. It is impossible. Okay, and you can't even see the content of the archive as well. So the encrypted file is smaller because it has applied zipping as well. There is also a tool, Kaspersky Password Check. Okay, so I'll change this to English. Okay, so let's just check the password we have just generated. Okay, so it says: "Your password is hack-resistant. Your password does not appear in any database of leaked passwords. Your password will be brute-forced with an average home computer in approximately 10,000+ centuries." Okay, so it is impossible, as you can see; this is the password. However, if I make it like "home", let's see what it says: "Your password is easily crackable; the password is common; avoid this password; it appears many times in a database of leaked passwords." This means that this password will be on the list of password rainbow tables. Okay, so I could crack it immediately from one of the rainbow tables. If I make it like this, okay, it becomes hack-resistant; however, it is still not good enough: it is three months on a home computer, but on a supercomputer it is pretty fast. If I make it like this it becomes 2 months; if I make it like this it becomes three centuries; you see, it is getting extremely hard. If I add another letter like this it becomes nine hundred centuries, I mean 119 centuries; if I add some punctuation it becomes 10,000+ centuries. Security can also be increased by adding some other characters, and like this, you see, it becomes six centuries. Okay.

Breaking encryption: get access to data while unencrypted; recovering the key from RAM; Mimikatz. Let's search for Mimikatz... interesting, no English. Okay, I think there is a description, about a minute.

Mimikatz is a credential-dumping open source program used to obtain account login and password information, normally in the form of a hash or a clear text password, from an operating system or software. Credentials can then be used to perform lateral movement and access restricted information. Mimikatz is a Windows x32/x64 program to extract passwords, hashes, PINs and Kerberos tickets from memory. It is used as an attack tool against Windows clients, allowing the extraction of clear text passwords and password hashes from memory. The program was coded in C by Benjamin Delpy in 2007 to learn more about Windows credentials and as a proof of concept. There are two optional components that provide additional features: mimidrv (driver to interact with the Windows kernel) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process, depending on the action requested. In the last years, Mimikatz was used as a component of two ransomware worms that have reached targets around the globe: both NotPetya and BadRabbit ransomware used Mimikatz in conjunction with leaked NSA hacking tools to automate attacks whose infections saturated networks with disastrous results. NotPetya was able to paralyze thousands of computers at companies like FedEx, Maersk and Merck. It is believed to have caused over a billion dollars in damages. You see how serious it is to have vulnerabilities in your system: it has caused over a billion dollars in damages, in real damage.

What is pass-the-hash? Pass the hash (PtH) is a hacking technique for authenticating as a user using his hashed password instead of the clear text password. The attacker obtains the user name and user password hash values (different techniques can be used) and presents them to a remote server or service. The attack exploits an implementation weakness in the authentication protocol, where the password hash remains static from session to session until the next password change. What is a Meterpreter session? Meterpreter, or more precisely Metasploit Meterpreter, is a payload within the Metasploit framework that runs as a DLL loaded into any process on the target machine, which provides control over the target system. The Metasploit framework is a tool for developing and executing exploit code against a remote target machine. Mimikatz can be downloaded and invoked as part of a Meterpreter shell. Is Mimikatz an easy tool to hack with? Not at all: an attacker needs to get access to a physical computer which was not shut down correctly. Also, there have been several Windows updates that mitigate the vulnerability that Mimikatz takes advantage of.

Okay, then let's continue. The good old brute force, which is almost impossible in today's world if you are using a proper password. I think this is a much more suitable way: exploiting weaknesses in the software or the algorithm used (cryptanalysis). Some countries have laws that compel the suspect to give up keys or unencrypted data. The arrest of Ross Ulbricht. Oh, I have to read this; this is about a famous secret. Yeah: Silk Road used Tor and Bitcoin. Tor is a network which implements protocols that encrypt data and route internet traffic through intermediary servers that anonymize IP addresses before reaching a final destination. By hosting his market as a Tor site, Ulbricht could conceal its IP address [5][6]. Bitcoin is a cryptocurrency; while all Bitcoin transactions are recorded in a public log called the blockchain, users who avoid linking their identities to their online wallets can conduct transactions with considerable anonymity.

Okay, let's get an idea about the sentences. In February 2015 Ulbricht was convicted of money laundering, computer hacking, conspiracy to traffic fraudulent identity documents, and conspiracy to traffic narcotics by means of the internet [7]. In May 2015 he was sentenced to a double life sentence plus forty years without the possibility of parole. Ulbricht's appeals to the U.S. Court of Appeals for the Second Circuit in 2017 and the U.S. Supreme Court in 2018 were unsuccessful [8][9][10]. He is currently incarcerated at the United States Penitentiary in Tucson. So you see, he has got a life sentence from computer hacking; it can be this serious. It's best to avoid hacking practices, okay.

Ulbricht was first connected to "Dread Pirate Roberts" by Gary Alford, an IRS investigator working with the DEA on the Silk Road case, in mid-2013 [24][25]. The connection was made by linking the username "altoid", used during Silk Road's early days to announce the website, and a forum post in which Ulbricht, posting under the nickname "altoid", asked for programming help and gave his email address, which contained his full name [24]. In October 2013 Ulbricht was arrested by the FBI while at the Glen Park branch of the San Francisco Public Library and accused of being the mastermind behind the site [26][27][28]. To prevent Ulbricht from encrypting or deleting files on the laptop he was using to run the site as he was arrested, two agents pretended to be quarreling lovers. When they had sufficiently distracted him [29], according to Joshua Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Thomas Kiernan [30]. Kiernan then inserted a flash drive in one of the laptop's USB ports with software that copied key files. Okay, you may find more information related to this case. I think this is the biggest case of computer crimes in history, I think, or what they say, maybe the biggest sentence case. Okay, so let's see the convictions: money laundering, computer hacking, conspiracy to traffic narcotics, February 6, 2015; double life imprisonment plus 40 years without possibility of parole, May 29, 2015. A screenshot of the site, and the screenshot of the Ulbricht laptop at the library; as you can see, this is the picture taken from the laptop while it was open. So if he had been able to close the laptop, probably everything would have remained encrypted or got deleted automatically, and they wouldn't have had the necessary evidence to arrest Ross Ulbricht. Okay? Okay, there is also another case, a more recent case. Okay, here it is.

And I didn't even know. The most well-known instance of the latter category was a February 2016 court case in the United States District Court for the Central District of California. The Federal Bureau of Investigation (FBI) wanted Apple to create an electronically signed new software that would enable the FBI to unlock a work-issued iPhone 5C it recovered from one of the shooters who, in a December 2015 terrorist attack in San Bernardino, California, killed 14 people and injured 22. The two attackers later died in a shootout with police, having first destroyed their personal phones. The work phone was recovered intact but was locked with a four-digit password and was set to eliminate all its data after 10 failed password attempts (a common anti-theft measure on smartphones). Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying they had found a third party able to assist in unlocking the iPhone, and on March 28 it announced that the FBI had unlocked the iPhone and withdrew its request. In March 2018, the Los Angeles Times later reported "the FBI eventually found that Farook's phone had information only about work and revealed nothing about the plot". I think they have used a method that copies the entire phone and emulates it, and each time an incorrect password is entered they were using that copy again and again; therefore four digits is very easy to solve, and they have solved the password themselves. However, if this had been forty-two digits or forty letters of password, it would have been impossible for them to break even in a long time. They were able to solve it because it was only 4 digits. Okay, I think there are technical details... Okay. Maybe it is written somewhere else, because I have read it somewhere else. Maybe we can find another article. Not this one; this one is "Senator confirms FBI paid $900,000 to unlock San Bernardino iPhone". Okay, it was here, I think.

The technique, dismissed by FBI Director James Comey as unworkable at the time of the agency's high-profile battle with Apple, sees the memory which is used as the main storage location on iPhones cloned and the passcode counter reset to zero. "Because I can create as many clones as I want, I can repeat the process many, many times until the passcode is found," Skorobogatov says in the video. Each set of six guesses takes 90 seconds to complete, meaning the 10,000 possible combinations could be fully tested in just over 41 hours. Okay, you see, since it was a four-digit passcode, it would only take 41 hours. If it was five digits it would take 400 hours; if it was a six-digit code it would take 4,100 hours and more. The process does not require any expensive and sophisticated equipment; all needed parts are low cost and were obtained from local electronics distributors, Skorobogatov said in the paper, entitled "The bumpy road towards iPhone 5c NAND mirroring", suggesting that altogether the components could be bought online for as little as $100. While the technique demonstrated works for all iPhones up to the iPhone 6, Skorobogatov added that with the use of more sophisticated hardware the same technique should work for the iPhone 6S and even Apple's brand-new iPhone 7. So the technique is basically iPhone 5C NAND mirroring; let's search for it, we can find it. Okay, so: "This paper is a short summary of a real-world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol." You see, there are even papers about the attack. Right now maybe Apple has fixed this in its later phones, I don't know. However, as you can see, if you have physical access to the device, your chances of finding a vulnerability and an exploit increase. But if the passcode were longer, it would take much more time, and it would be impossible to crack it.

You see, it says "exploit weaknesses". Deleting files: deleting the files from the computer before law enforcement claims it. "You can't prove anything, there is nothing there." How does the system delete files? Deleting a file does not actually remove it. In Windows, the file is renamed like this, as you can see. This tells the system that the space is available to be overwritten in the future. Reclaiming deleted files: data carving: ignore the file system, extract the file directly from the media; renaming the file; reclaiming overwritten files. By the way, deleting is more about this: by just clicking "delete", the file would go to the recycle bin; however, if you do Shift+Delete, or delete directly from the shell, it can still be reclaimed. Let's read again. Reclaiming overwritten files: pieces of data can be recovered from slack space (file slack, RAM slack, drive slack); forensic software can often recover files or parts of files from slack space. People encrypt their drives nowadays; if you encrypt your drive, of course, it would become impossible, and there is also another way of properly deleting files, which is secure erase.

Okay, if you do a secure erase, that means that file can never be recovered again. Data erasure (sometimes referred to as data clearing, data wiping, or data destruction) is a software-based method of overwriting the data that aims to completely destroy all electronic data residing on a hard disk drive or other digital media by using zeros and ones to overwrite data onto all sectors of the device. By overwriting the data on the storage device, the data is rendered unrecoverable and achieves data sanitization. Ideally, software designed for data erasure should allow for selection of a specific standard, based on unique needs, and verify that the overwriting method has been successful and removed data across the entire device. Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to the data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the storage media unusable, data erasure removes all information while leaving the disk operable. New flash memory-based media implementations, such as solid-state drives or USB flash drives, can cause data erasure techniques to fail, allowing remnant data to be recoverable [1]. Software-based overwriting uses a software application to write a stream of zeros, ones or meaningless pseudorandom data onto all sectors of a hard disk drive. There are key differentiators between data erasure and other overwriting methods, which can leave data intact and raise the risk of data breach, identity theft or failure to achieve regulatory compliance. Many data eradication programs also provide multiple overwrites so that they support recognized government and industry standards, though a single-pass overwrite is widely considered to be sufficient for modern hard disk drives. Good software should provide verification of data removal, which is necessary for meeting certain standards. To protect the data on lost or stolen media, some data erasure applications remotely destroy the data if the password is incorrectly entered. Data erasure tools can also target specific data on a disk for routine erasure, providing a hacking protection method that is less time-consuming than software encryption. Hardware/firmware encryption built into the drive itself or integrated controllers is a popular solution with no degradation in performance at all.

Metadata. What if we only have a file and not the source media? Using metadata (data about the file): when was the file last used? When was the file created? Who opened it? Where was it created? It can prove who had access to the file. Okay, there are also websites that do online metadata analysis. I will just show you an example: we can drop image files here, or we can upload documents to this website. I will upload a PDF file, and let's see what it will show us. Usually Office tools add metadata to your files. So it says it was composed by Microsoft PowerPoint 2016; the title is "Catch Me If You Can"; you see, the creator is still kept in the metadata, which I am using. If you have checked it, I have put the original lecturer here; as you can see, it is shown here as well. So from this metadata the author could be identified, because it is kept. However, I could also remove it. Let me show you an example: from Properties there is Security, and from here there is this option, this option, and you see this option will let you delete all the private information. And I save it again, like this. Okay. By the way, my software is in Turkish at the moment and I don't have time to change it right now, but with the same steps you can obtain the same results. So all the metadata, the private metadata, should have gone right now. Okay, it is still there; I have removed it, but... interesting, why? Let's check it out. Well, I know why, I know why. Oh, okay, it is gone. And okay, it is because I didn't delete this, as you know; okay, now I'm going to delete it, I'm going to re-save it. Okay, let's reanalyze. Okay, it still apparently has failed to delete again; interesting, maybe it is using the cached file, I don't know. Oh, because I have uploaded the incorrect file, sorry about that. So this is the latest file; okay, let's analyze it. Okay, now you see there is no information that could identify back to me. Okay, we have removed all the private information. Okay, bravo. However, from this header you can probably still determine the file type.

Okay, let's continue where we have left off. Metadata example: so this file is generated by which tool? Okay. So this is related to the lecturer who prepared this file, and you can check the photos. This is a Reddit forum, I think; let's open it. And there's also a Reddit forum; okay, forensics: forensic scientists and criminal analysts can find a lot of useful information here, I believe. I know there is this one? Maybe we can find something better. Okay, this has so many members, so there could be some useful information here.
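The metadata demonstration above (a PDF whose Info dictionary still names the tool and the original author, and the cleanup that at first appears to fail) as an added Python example that is not lecture code. The PDF is a minimal constructed file; the scrubber blanks private Info entries in place with spaces so the file's byte offsets, and hence its xref table, stay valid, and a second check shows why a name can survive the first cleanup: it also lives in an XMP metadata stream.

```python
import re

PRIVATE_KEYS = ("Author", "Creator", "Producer", "CreationDate", "ModDate", "Subject", "Keywords")
_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Name (literal string) entries; escaped parentheses inside the string are allowed.
# Hex strings <...> and UTF-16 literals are not handled by this small parser.
_LITERAL = re.compile(rb"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)")


def constructed_pdf():
    """Minimal constructed PDF resembling one exported from a presentation tool."""
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
           b"<rdf:Description xmlns:dc='http://purl.org/dc/elements/1.1/'>"
           b"<dc:creator><rdf:Seq><rdf:li>Original Lecturer</rdf:li></rdf:Seq></dc:creator>"
           b"</rdf:Description></rdf:RDF></x:xmpmeta>")
    return (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + b"3 0 obj << /Title (Catch Me If You Can) /Author (Original Lecturer) "
            + b"/Creator (Microsoft PowerPoint 2016) /Producer (constructed example) "
            + b"/CreationDate (D:20200401120000Z) >> endobj\n"
            + b"4 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode()
            + b" >> stream\n" + xmp + b"\nendstream endobj\n"
            + b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")


def _info_object(pdf):
    """Locate the Info dictionary the trailer points at; None if there is none."""
    ref = _INFO_REF.search(pdf)
    if ref is None:
        return None
    pattern = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
    return re.search(pattern, pdf, re.S)


def read_info(pdf):
    """Literal-string entries of the Info dictionary, as the online analyser showed them."""
    obj = _info_object(pdf)
    if obj is None:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in _LITERAL.findall(obj.group(1))}


def scrub_info(pdf, keys=PRIVATE_KEYS):
    """Blank private Info entries with same-length spaces so no byte offset moves."""
    obj = _info_object(pdf)
    if obj is None:
        return pdf

    def blank(m):
        if m.group(1).decode() not in keys:
            return m.group(0)
        lead = m.start(2) - m.start(0)
        return m.group(0)[:lead] + b" " * len(m.group(2)) + m.group(0)[lead + len(m.group(2)):]

    body = _LITERAL.sub(blank, obj.group(1))
    return pdf[:obj.start(1)] + body + pdf[obj.end(1):]


def residual_mentions(pdf, needle):
    """Byte offsets where an identifying string still occurs anywhere in the file,
    e.g. inside an XMP metadata stream that the Info scrub does not touch."""
    return [m.start() for m in re.finditer(re.escape(needle.encode()), pdf)]


if __name__ == "__main__":
    doc = constructed_pdf()
    print(read_info(doc))
    clean = scrub_info(doc)
    print(read_info(clean), residual_mentions(clean, "Original Lecturer"))
```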

Okay, anyway, let's check some more information related to metadata, because it is important. Metadata is "data that provides information about other data" [1]. In other words, it is "data about data". Many distinct types of metadata exist, including descriptive metadata, structural metadata, administrative metadata [2], reference metadata and statistical metadata. Descriptive metadata is descriptive information about a resource. It is used for discovery and identification. It includes elements such as title, abstract, author, and keywords. Structural metadata is metadata about containers of data and indicates how compound objects are put together, for example, how pages are ordered to form chapters. It describes the types, versions, relationships and other characteristics of digital materials [4]. Administrative metadata is information to help manage a resource, like resource type, permissions, and when and how it was created [5]. Reference metadata is information about the contents and quality of statistical data. Statistical metadata, also called process data, may describe processes that collect, process, or produce statistical data. You can see more information related to metadata here.

So we have come to the end of the lecture. I have posted your final project on our GitHub page and also on our LMS system, so let's open it. Here are the semester project details; so let's download it. Okay, in this project you are not going to develop software; this project is more about preparing an article, okay, a kind of academic article. Your article must have all of the areas in here. Okay, so the more of the areas here you cover in your article, the more points you will get. Okay, so I will decide your scores based on your article quality. It should not be just a copy-and-pasted article from the internet, because you will also need to explain it in a video, and please visit this page two times. Please start working on it already, so as not to get late. So this is more likely, let's say, an SA-type article, okay. If you have any questions, you can ask me via my email, via the Discord channel, and such. Hopefully see you next week. Please try to stay away from Coronavirus. Okay, I'm not going to save this. Okay, it should be fine. Let's upload the latest lecture to GitHub. By the way, digital forensics is an area that will be extremely popular in the near future. If you become an expert in digital forensics, you can find a job that will pay you very well, believe me. Digital forensics is extremely important and becomes more and more important each day as our lives become more digital and crimes become committed digitally. So this is an idea: you can become an expert, okay? Okay, see you later.