A Pilot study on issues and complexity of digital forensics and how digital forensics can be applied in a live environment without the loss or spoilage of valuable data and evidence

1. Digital Forensics Evidence

2. Road Map Basic Digital Forensics Traditional Digital Forensics Live Digital Forensics Anti-Digital Forensics Questions

3. Basic Forensics Registry Thumbs.db Index.dat Commands

5. Thumbs.DB Pictures opened in Windows OS Filmstrip Thumbnails Thumbs.DB Viewer

6. Index.DAT Contains all of the Web sites Every URL Every Web page All email sent or received through Outlook or Outlook Express All internet temp files All pictures viewed

7. Commands Dir: Lists all files and directories in the directory that you are currently in. Ls: List the contents of your home directory by adding a tilde after the ls command. Ps: Displays the currently-running processes. Fdisk: A utility that provides disk partitioning functions, and information.

8. Traditional Forensics Hardware Write Block/Software Write Block Cell Phones Digital Forensics Programs Hex Editor FTK EnCase ProDiscover

9. Hardware Write Block

10. Hardware Write BlockHard Drive Connected

11. Hardware Write Block Image in process

12. Destination Drive

13. Safe Block XP

14. Software Write Block Registry Edit USB Block HKEY_LOCAL_MACHINEYSTEMurrentControlSetontroltorageDevicePolicies Write protect Disable WriteProtect dword:00000001 Enable WriteProtect dword:00000000

15. Cell Phone

16. USB Drive

17. Hex Editor

18. FTK

19. EnCase

20. EnCase Continued

21. ProDiscover

22. Live Digital Forensics ProDiscover IR Helix Sleuth Kit & Autopsy Caine FTK/EnCase making them live? Both newer offerings have live capabilities

23. ProDiscoverIR

24. Live environment warnings

25. Helix

26. Helix Continued

27. Sleuth Kit & Autopsy

28. Caine

29. FTK/EnCase Live? Older versions no. EnCase 4.6 no. FTK 1.8 no. New versions yes EnCase 6 supports network and live digital forensics. FTK 3 supports live digital forensics

30. Problems Firewalls/Routers/Switches Proxies IP packets TTL issues IDS

31. Anti-Digital Forensics Steganography Encryption Data Wiping Metadata Spoilage Alternative Data Streams Index.Dat Thumbs.db Death of digital forensics

32. Steganography Detection WetStone Technologies' Gargoyle Niels Provos' Stegdetect Hiding StegoMagic wbStego HIP (Hide In Picture)

33. StegoMagic

34. wbStego

35. HIP

36. Encryption File encryption Full disc-encryption

37. Data Wiping M-Sweep Pro Data Eliminator DBAN DOD 5220.22M File Shredder Beyond DOD

38. M-Sweep Pro Data Eliminator

39. DBAN

40. File Shredder

41. Metadata spoilage Metaspolit TimeStomp Slack Metachanger

42. Metasploit

43. Timestomp

44. MetaChanger

45. Alternative data streams Data fork Resource fork old Macintosh Hierarchical File System Impossible to protect your system against ADS. Cannot be disabled No way to limit this capability redirect [>] and colon [:] to fork one file into another. C:est> type c:indowsotepad.exe > ads.txt:hidden.exe

46. Alternate Data Streams scan engine

47. Locations of Index.DAT files VISTA serslt;Username>ppDataoamingicrosoftindowsookiesndex.datserslt;Username>ppDataoamingicrosoftindowsookiesowndex.datserslt;Username>ppDataocalicrosoftindowsemporary Internet Filesontent.IE5ndex.datC:serslt;UserName>ppDataocalicrosoftindowsistoryontent.IE5ndex.dat

48. Index.DAT Analyzer

49. Thumbs.DB Viewer

50. Death of Digital Forensics SSDs are much like memory Smallest part written too is a sector Erases data in a block Anything changes physical placement of data Logical placement stays the same. Black boxes from a system's point of view Property

51. Conclusion We can see the live digital forensics is best used for starting an investigation. Traditional Digital forensics is best for collecting the data And knowing the techniques of Anti-digital forensics can help the investigator find data that he/she might not other wise be able to find.

52. Questions