11. Digital Forensic Flashcards
what is digital forensics
- to find, preserve and analyse digital data
- criminal, private investigation, civil cases
- acquisition and documentation of evidence
forensic process
- acquisition
  - obtain the data and the source of the data
  - use electrostatic bags
  - if the device is powered on, be careful not to accidentally modify data
  - bring a UPS to site in case the battery runs out
- identification
  - extract data artefacts like images, headers, emails…
  - a write blocker is used when extracting
- evaluation
  - evaluate and analyse the data
  - is the data relevant to the case?
- presentation
  - present the results of the findings
chain of custody
- documentation of the evidence from the time of collection until it is disposed of
- evidence is handled by multiple people using different techniques
- evidence is hashed at every handover to check the signature
- if the hash signature is different, stop, as the evidence is being changed
- purpose is to show that the evidence has not been modified, so it can be used in court
image formats
- raw
  - bit-by-bit copy
  - readable by most tools
  - takes up as much space as the original
- proprietary
  - compresses, stores and validates
  - limited to a single tool
  - cannot share evidence
identification
- physical layer
  - identify and recover data across the entire drive
  - file carving
  - keyword searching
- logical layer
  - identify and recover data based on the installed OS
  - extract metadata
  - recover deleted files
use different tools to show the same results
anti-forensics
- wiping the hard drive
- modifying file metadata
- steganography
- encrypting or compressing artefacts
blockchain advantages
scalable
cost effective
no single point of failure
what is a block
block one = genesis block
contains a hash of its content
block 2
contains a hash of its content + the hash of block 1
therefore, if an attacker wants to alter block 1, the hash of block 1 changes, which changes the hash of block 2. The attacker has to alter every block after block 1
proof of work
easy to validate
hard to solve
slows down attackers
when adding new blocks, one miner calculates the proof of work, the others wait and validate the calculation
block validation
to validate, need to start from the first block and work through to the target block
arrange the blocks in a binary tree structure, a Merkle tree
compare the hashes: if the hash of the children = the parent, there is no issue
if the hash of the children != the parent, one side has an issue
block tampering
need to either:
- tamper with all blocks and redo the proof of work for all blocks
- take control of more than 50% of the blocks
blockchain vulnerabilities
- 51% attack
  - legit miners always follow the longest chain
  - if the longest chain is malicious, they unknowingly join the attacker
  - to mitigate, miners from the original chain have no delay, private miners have a delay
- double spend attack
  - when cryptocurrency is spent, blocks need to calculate the proof of work, which takes time
  - until the proof of work is calculated, the transaction is not recorded
  - the same currency is spent again before the transaction is recorded
  - to mitigate, use a backup chain of blocks
  - notarised blocks will not follow the longest chain
- DDoS
  - to mitigate: the systems are mainly used to calculate the proof of work, therefore they use low bandwidth
  - if DDoSed, redirect to spare bandwidth
  - use the deep web so the attacker cannot find the IP