Análisis Forense

Just an initial demo map, so that you don't start with an empty map list ...

Get Started. It's Free
or sign up with your email address
Análisis Forense by Mind Map: Análisis Forense

1. The Alpha 5 principles are: Assessment of the suspect area/workplace to have preliminary walkthrough and to crystalize the scope of examination. Acquisition of applicable evidences in a non-intrusive way to prevent tampering Authenticate the acquired evidences through Hash or digital sign or any other crypto checksum to verify the data integrity. Analysis of evidential data to connect them in a logical and intelligible manner in order to arrive at conclusion. Archiving of all evidential data and reports to ensure high and secure availability

2. the 4 guiding principles of any examination are: Safe handling of evidences to ensure they are intact. The originating evidence/suspect should not be tampered or worked upon. The suspect host OS should not be trusted, as it may have rootkits, malicious software installed likeanti-forensic. All the audit trails of examination should be retained and recorded in substantiating documents

3. Digital Incident Response - Deepak

3.1. Initial Assesment -Parties Involved, Location & Available resources

3.2. Type Of Incident

3.3. Parties Involved

3.4. Equipment Location

3.5. Available Response resources

3.6. Securing Digital Evidence

3.7. Chain of Custody

3.8. Potential Digital Evidence

4. Computer Forensic Incidents - Afzal

4.1. What is computer forensic- Gathering of digital evidence in a manner which should be untainted, authentic and can be admissible in the court of law

4.1.1. What is the legal system. Different laws and criminal cases in the digital forensics as case study and different section and act for the same. Criminal incidents like Identity Theft, online auction, Child pornography, Network Intrusions etc. Computer Frauds. Frauds can be Internal and External. Internal frauds can be done in a company by the internal users by using company resources.External frauds are done by outsiders mostly by hackers for financial gains.For eg;Denial of service, Intrusions etc.

5. OS / Disk Storage Concepts - Hari

5.1. CHS Cylinders, Heads and Sectors; LBA-Logical Block addressing. A cluster is a minimum unit the OS uses to store info. (4096 byte cluster for only 1 byte).

5.1.1. Master Boot Record - initial disk sector consists of 1. Master bootstrap loader code (466 bytes); next 4 partition records and the hexadecimal signature 55AA completes a valid MBR; The FAT / MFT are Master File Indexes storing info about disk's directory stru and what clusters are used.

5.1.2. When a file is deleted, the OS rewrites the info in the file index about the file's clusters freed. Data remains on the disk till rewritten. Slack space is where many deleted files may reside and be recovered as evidence;

5.1.3. File Mgt Concept is important for forensic; 0s and 1s (1 is on and 0 is off); - basic unit of binary info is bit; basic unit of memory is byte; location of the byte is memory address

5.1.4. 1 byte=8 bits; 1 KB= 1024 bytes; 1 MB=1000 KB; 1 MB=1000 KB; 1GB=1000 MB; 1 TB=1000 GB; 1 PB-Petabytes= 1000 TB; 1 Exabyte- EB=1000TB; 1 Zettabyte = 1000EBs

5.1.5. Format is set of rules referred by appln for saving; Quickviewplus, outside-in and ACDSee etc allow direct access to varios file formats

5.2. DOS was the first operating system used on early IBM PCs - use of disks is an inherent part; FILE ALLOCATION TABLE File system is used. Last standalone version is MS DOS 6.22; MS DOS 7.0 runs underneath the first windows 95 ver while 7.1 or later underlie windows vers from Windows 95 OEM Service Rel or later. MS DOS 7.1 supports VFAT and FAT32 New Tech File system was brought in to avoid crippling windows NT and is not based on FAT. NTFS shares stage with UNIX and LINUX .Files contain any info - Code or Data and Prog files.Directories are special kind of files that contain list of file names. and can be nested.

5.2.1. Each track is broken into smaller units called sectors; each sector holds 512 bytes of user data. A hard disk is made up of multiple platters; each platter uses 2 heads to record and read data - 1 for top and 1 for bottom (Instead of track no. referred as cylinder no.) Cylinder is the set of all tracks that all the heads are currently positioned.

5.3. New node

6. Digital Acquisition and analysis tools - Maddy

6.1. Goal - Protect & Preserve the evidence to ensure authenticity & integrity

6.2. Defenitions

6.2.1. Acquisition : Process of extracting digital evidence by following properly laid out procedures.

6.2.2. Copy : An exact replica of the digital evidence. Only the contents are replicated not the attributes.

6.2.3. Duplicate : An accurate digital reproduction of all the data in the electronic storage including the content and attributes Document Everything, Take Macro photographs, Ensure the target media is sterile and atleast of the same size as the evidence media Authenticate Ensure the original evidence media is write blocked

6.3. Authentication Methods : Digital Fingerprints

6.3.1. Hashing : CRC32, SHA1, MD5, SHA2

7. RAVI- Forensic Examination Protocols>>>>>>>>>>>>>The protocol spells out necessary guidelines and methodolgies to ensure reliability, consistency, integrity/accuracy/precision of data in an investigation. This approach ascertains that evidential information acquired or analyzed as a course of examination are admissible in the court of law with reasonable assurance about its authenticity/origin.

8. Digital Evidence Protocol - Abhishek

8.1. Rules of Evidence

8.1.1. (1) Digital Information can be recovered including deleted files

8.1.2. (2) Expert must be allowed to retrieve the recoverable files

8.1.3. (3) Duplicate of digital evidence is admissible as long as someone knowledgeable can authenticate it

8.2. Different types of Data Files

8.2.1. (a) Active Data || Readily available eg word,spreadsheets, web pages

8.2.2. (b) Archival Data Files that have been sent for storage as that data is not used frequently

8.2.3. (c) Back Up Data||copied to safe area to ensure recovery in case of system failure

8.2.4. (d) Residual Data ||Not visible to end user but recoverable from digital media (1) Free Space (2) File Slack (3) RAM Slack (4) Swap Files (5) Temp Files (6) Unallocated Space

8.2.5. (e) MetaData||data points such as date, time, author and relevant details of document author

8.2.6. (f) Electronic Mail

8.2.7. (g) Background Data|| such as audit trails, system logs, ACL records

9. Presentación de la Evidencia Digital

9.1. Ways of presenting Digital evidence to Higher Authorites.

9.2. Always consult with corporate Attoreny like ravi

9.3. Gather as much evidence that can be admissible digital evidence.

9.4. Copy of evidence should be kept intact for proceeding with the investigation.

9.5. Gathering of information should be dealt with extra precaution and chain of custody be maintained as opponent can always challenge the authenticity of evidence submitted to court.