Ahmed Abbas

Ahmed.abbas1992@hotmail.com

Copyright © The OWASP Foundation


Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

owasp.org/index.php/Khartoum
Computer Forensic 101
The Art Of Hunting Tigers.

Bio
- Network Student At SUST-CSIT.
- I am a Programmer For More Than 4 Years.
- I Spend All My Time Reading Or Developing Programs.

What is Forensic?
- Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.

Goal of Computer Forensics
- The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Simply It Means …
- Computer forensic experts have to handle computer devices or media storage devices, keep them safe, analyze those devices and try to get any information that can help in the case they are working on.

But … One Thing …
- One SO important thing: no personal feelings or opinions. You cannot hide information to protect someone, because you will get … well, you know what I mean.

Keep This In Mind …
- Every hacking attempt has a weak point that can lead the hacker to jail.

Forensic in News..

Critical Incident Response Team (CIRT)

What is a CIRT?
- A CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from.

Who are the CIRT members?
- It is usually comprised of members from within the company. They must be people who can drop what they're doing (or re-delegate their duties) and who have the authority to make decisions and take actions.

CIRT Members
- Management.
- Information Security.
- IT.
- IT Auditor.
- Security.
- Human Resources.
- Public Relations.

Role Of The Investigator
- Impartiality: it is not our job to make decisions about cases; we just offer the facts of the case.
- Must ensure all evidence is properly acquired, handled and documented.
- Do the investigation and analysis of all evidence.
- Report all findings and maybe testify in a court of law.

As a forensic expert you may go to Court

Skills Needed.

Technical Skills
- Basic computer maintenance and networking skills.
- Know laws and criminal procedures.
- Know network security well.
- Know investigation techniques.
- Know multiple OSs.
- Know forensic tools very well.

Presentation Skills
- Ability to write reports in a clear manner and an acceptable format.
- Ability to translate highly technical words into simple, non-technical words.
- Ability to speak well in a public forum.

Good Speaker? You Will Do A Great Job At Court…

Why Do Companies Have Different Ways To Do Forensics?

Perfect policy !!!

How To Be A Forensic Expert?
- You need to learn computer maintenance, computer security and network security.
- You need strong self-confidence.

You can take some certificates:
- Forensics Certs: Certified Computer Examiner (CCE)
- IT Certs: Certified Hacking Forensic Investigator (CHFI)
- IT Certs: Certified Forensic Computer Examiner (CFCE)
- IT Certs: GIAC Certified Forensic Analyst and Forensics Examiner
- Forensics Certs: Professional Certified Investigator (PCI)
- EnCase Certified Examiner
- AccessData Certified Examiner.

Sites To Learn From ..
- ForensicFocus: the place for you ..
- computer-forensics.sans.org: who doesn't know SANS ….
- Google: our best friend …
- DefCon: the top conference for hackers .. and forensic men too.

How To Build Your Forensic Lab?

Commercial Tools (High Cost)
- EnCase.
- AccessData Forensic Toolkit (FTK).
- DriveSpy.
- Paraben.

Free Tools ^_^
- Linux dd.
- Autopsy.
- The Sleuth Kit.
- Helix.
- Forensic Incident Response Environment.
- Knoppix.

Linux Distributions for Forensics
- CAINE (Computer Aided Investigative Environment).
- DEFT.
- Helix 3.

Forensics Steps
- Obtain authorization to search and seize.
- Secure the area, which may be a crime scene.
- Document the chain of custody of every item that was seized.
- Bag, tag, and safely transport the equipment and e-evidence.
- Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
- Keep the original material in a safe, secured location.
- Design your review strategy for the e-evidence, including lists of keywords and search terms.
- Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
- Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
- Describe your analysis and findings in an easy-to-understand and clearly written report.
- Give testimony under oath in a deposition or courtroom.

Disk Imaging
- The operation of making an exact copy of a computer's hard drive.
- The copy includes all the partition information, boot sectors, the file allocation table, the operating system installation and application software.
- Disk images are used to copy a hard drive's contents during an investigation, to restore a hard drive's contents during disaster recovery, or when a hard drive is erased.

Disk Imaging Tools
- dd: a Linux tool.
- FTK Imager: a Windows-based tool.

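The acquisition step from the slides (forensically sound imaging with dd, then analysis on the image rather than the original) as an added example that is not part of the original deck: the source is hashed before imaging, the image is hashed afterwards, and a chain-of-custody line is appended. The 4096-byte "device" is a constructed file so it runs offline; sha256sum, the EXAMINER value and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: dd acquisition with hash verification
# and a chain-of-custody record. Assumes dd, sha256sum, head and mktemp.
# The "device" is a constructed 4096-byte file so this runs offline; for
# real work EVIDENCE_SRC would be a write-blocked block device.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image SRC DST LOG: image SRC to DST, record both hashes in LOG.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src=$1; dst=$2; log=$3
    # Hash the original first so the record shows its state at seizure.
    src_hash=$(hash_file "$src") || return 1
    # bs=512 matches the sector size; conv=noerror,sync keeps reading past
    # bad sectors and zero-fills them instead of aborting the whole image.
    # Caveat: sync pads a short final block, so a source whose size is not
    # a multiple of bs would hash differently; real disks are sector-aligned.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(hash_file "$dst") || return 1
    printf '%s\tsource=%s\tsha256=%s\timage=%s\tsha256=%s\texaminer=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$src_hash" \
        "$dst" "$img_hash" "${EXAMINER:-unknown}" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG EXPECTED_SHA256: re-check the image before each analysis
# session so a later copy error or tampering is caught (never the original!).
verify_image() { [ "$(hash_file "$1")" = "$2" ]; }

# Constructed sample evidence standing in for a tiny disk (assumed paths).
WORK=$(mktemp -d)
EVIDENCE_SRC="$WORK/evidence.dev"
EVIDENCE_IMG="$WORK/evidence.dd"
CUSTODY_LOG="$WORK/custody.log"
head -c 4096 /dev/urandom > "$EVIDENCE_SRC"
EXAMINER="A. Examiner (placeholder)"

demo_acquire() { acquire_image "$EVIDENCE_SRC" "$EVIDENCE_IMG" "$CUSTODY_LOG"; }

if demo_acquire; then echo "image verified: $(hash_file "$EVIDENCE_IMG")"
else echo "HASH MISMATCH: do not analyze this image" >&2; fi
```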
Log File Analysis
- A very important part of the investigation; it can reveal attempts to hack some devices, access to unauthorized data, etc.

We can analyze a lot of log files, like:
- Windows event log
- Security events log
- Application events log
- Firewall events log.

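An added example (not from the slides) of the kind of finding a security event log can reveal: two awk checks over a constructed, simplified export of Windows Security events. The four-column CSV layout, the sample lines and the addresses are assumptions; real exports carry many more fields.

```shell
#!/bin/sh
# Added example, not from the slides: two checks over a constructed,
# simplified Windows Security log export. Columns are assumed to be
# time,event_id,account,source_ip; real exports carry many more fields.
# Event ID 4625 = "An account failed to log on", 4624 = successful logon.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01T08:00:01Z,4624,alice,10.0.0.5
2024-05-01T08:01:10Z,4625,admin,203.0.113.9
2024-05-01T08:01:12Z,4625,admin,203.0.113.9
2024-05-01T08:01:15Z,4625,administrator,203.0.113.9
2024-05-01T08:01:17Z,4625,admin,203.0.113.9
2024-05-01T08:01:20Z,4625,admin,203.0.113.9
2024-05-01T08:01:25Z,4624,admin,203.0.113.9
2024-05-01T08:30:00Z,4625,bob,198.51.100.7
2024-05-01T08:30:04Z,4625,bob,198.51.100.7
2024-05-01T09:00:00Z,4624,bob,10.0.0.8
EOF

# failed_logons_by_source LOG MIN: print "count<TAB>source_ip" for every
# source with at least MIN failed logons, highest count first.
failed_logons_by_source() {
    awk -F, -v min="$2" '
        $2 == 4625 { n[$4]++ }
        END { for (s in n) if (n[s] >= min) printf "%d\t%s\n", n[s], s }
    ' "$1" | sort -rn
}

# success_after_failures LOG: print "source_ip<TAB>account" when a logon
# succeeds from a source that already failed for that same account earlier
# in the log, which is what a guessed password looks like in the record.
success_after_failures() {
    awk -F, '
        $2 == 4625 { failed[$4 "," $3]++ }
        $2 == 4624 && failed[$4 "," $3] > 0 { printf "%s\t%s\n", $4, $3 }
    ' "$1"
}

echo "sources with >= 3 failed logons:"; failed_logons_by_source "$SAMPLE_LOG" 3
echo "successes preceded by failures:"; success_after_failures "$SAMPLE_LOG"
```

Both functions only count and correlate; the examiner still has to check the time window and the account's normal usage before writing anything into the report.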
Forensic Experts!!

The Dark Side!!!
- Doing computer forensics for any amount of time in your life changes you. It damages you. It makes you unfit to be around others in decent company, because you have to mentally screen absolutely everything you say in fear of drawing looks of horror or disgust from the good people around you.
- For forty hours a week, a computer forensic examiner is exposed to the worst that the world has to offer — child pornography, beheadings, torture, rape — all in high resolution photo or video formats.
- In fact, people in the business have found that for general criminal computer forensic examiners there is a two-year time limit before your soul dies.
- Around that time, every examiner either has built up enough of a callus that he/she can continue forever, or that examiner pushes the chair away from the desk, stands up, and says, “I can’t do this anymore.”
- Being exposed to this kind of daily horror changes you. I’m not asking for sympathy; I think paramedics or police officers have it worse.

OWASP Forensic Guide..
- OWASP is working on a massive document covering all aspects of forensic work.
- Not Yet Out …
- Coming Soon ….

After All .. Why To Be A Forensic Expert…?
- Three of the top coolest security jobs are related to forensics.
- It pays well … thousands of dollars if you leveled up to the expert stage of the science.
- Most important .. No Social Life …
- Of course I am Joking …..

Questions ???!!

I hope this was entertaining.