1 of 25

Digital Forensics Investigations + SJU ACM Clue

SJU ACM STUDENT CHAPTER

Sign In Form:

2 of 25

Intro to Digital Forensics

3 of 25

What is Digital Forensics?

  • A branch of forensic science that focuses on electronic data
  • Electronic data is a huge component of criminal investigations
  • Also used during incident response as part of cyber attack investigations
  • Practiced in both the public and private sectors
  • Requires a deep understanding of how computers and file systems work

4 of 25

5 Stages of a Digital Forensics Investigation

5 of 25

1. Identification

  • There are legal constraints on what data can be collected and examined in public-sector investigations
    • Determine what data is relevant to the case
    • Determine the scope of the investigation
    • A search warrant must be obtained
    • Fourth Amendment rights are in play
  • Even in the private sector, it is important to identify the relevant data before investigating to ensure a smooth process

6 of 25

2. Acquisition

  • Preserving evidence is paramount during any forensics investigation
    • Always use a write blocker so the original media is never modified
    • Hash the original and the image and confirm the hashes match before analysis begins
  • As such, acquisition is a delicate stage
  • Most common acquisition format: image file
    • A bit-by-bit direct copy of a storage drive
    • Compatible with forensics toolkits for further analysis of the drive's contents
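The acquisition step above, as an added example that is not part of the original slides or of FTK Imager: a bit-for-bit raw copy of a constructed stand-in "drive", with the source hashed as it is read and the written image re-hashed independently so the examiner can prove the copy matches. A temp file plays the drive; opening it read-only is a software precaution and not a substitute for the hardware write blocker the slide calls for.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # copy in fixed-size chunks so a large image is never loaded into memory

def hash_file(path):
    """Stream a file through MD5, SHA-1 (the pair FTK Imager records) and SHA-256."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(BLOCK), b""):
            md5.update(buf); sha1.update(buf); sha256.update(buf)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def acquire_raw_image(source, image_path):
    """Bit-for-bit copy of `source` into a raw (dd-style) image, hashing the bytes
    as they are read. The source is opened read-only; that is a software
    precaution only, not a replacement for a hardware write blocker."""
    h, size = hashlib.sha256(), 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(BLOCK), b""):
            h.update(buf)
            dst.write(buf)
            size += len(buf)
    return {"bytes": size, "sha256": h.hexdigest()}

def verify_image(source, image_path):
    """Independently re-hash both sides; the acquisition is only good if they match."""
    return hash_file(source)["sha256"] == hash_file(image_path)["sha256"]

def demo():
    """Constructed run: a temp file with deterministic contents stands in for the USB drive."""
    with tempfile.TemporaryDirectory() as d:
        drive, image = os.path.join(d, "usb.bin"), os.path.join(d, "usb.dd")
        with open(drive, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 40 + b"\x00" * 3000)  # constructed contents
        acq = acquire_raw_image(drive, image)
        clean = verify_image(drive, image) and acq["sha256"] == hash_file(image)["sha256"]
        with open(image, "r+b") as f:   # a single byte altered after acquisition...
            f.seek(100); f.write(b"X")
        return acq["bytes"], clean, verify_image(drive, image)  # ...fails re-verification

if __name__ == "__main__":
    print(demo())
```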

7 of 25

3. Analysis

  • The fun part
  • Examine the data for any evidence that contributes to the goal of your investigation
  • Correlate previously known facts or open-source intelligence with the data at hand
  • Many techniques exist for deeper analysis (more on this later)

8 of 25

4. Documentation

  • The not-so-fun part
  • Very important to keep track of every finding during the investigation
    • Include explanations of how the evidence was found (tools and techniques used)
    • Findings should always be reproducible

9 of 25

5. Presentation

  • Finally, compile all your notes and findings into a report to be presented to the proper authority

  • Public sector:
    • Forensics experts can provide testimony in court
    • Evidence collected can be used in criminal and civil cases
  • Private sector:
    • Findings are to be presented to whoever hired you to conduct the investigation

10 of 25

How data is stored

11 of 25

Physical data storage types

Hard drive (HDD)

  • Data is magnetically stored on platters
  • Data is read from the magnetic polarity of each region, which equates to zeros and ones

Solid-state drive (SSD)

  • Data is electrically stored in flash memory cells
  • Data is read from the electrical charge of each cell, which equates to zeros and ones

12 of 25

File system basics

  • Many different types of file systems
  • General structure:
    • Files are stored as clusters on the drive
    • Master file table (the NTFS term; other file systems have an equivalent structure) - records the physical location (cluster) where each file is stored and holds metadata on each file
    • Any unused area of the drive is considered unallocated space and has no entry in the master file table

13 of 25

Data carving

  • When a file is deleted from a file system, its master file table entry is removed, but the file's contents are not actually erased
    • The bits remain intact until they are overwritten
    • The file system simply no longer knows that the file exists
  • Such files can be recovered using data carving
    • Searches through unallocated space for recognized file headers (and footers) to rebuild a lost file
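The file system and data carving slides above, as an added example that is not part of the original deck and is not Autopsy's carver: a header/footer carver that walks a constructed blob of "unallocated space" (no MFT entries) and recovers a JPEG and a PNG from it, while skipping a stray JPEG header whose body was overwritten. The signatures are the real magic bytes for those two formats; the sample files and the leftover bytes around them are constructed for the demo.

```python
import zlib

# Magic bytes a carver recognizes. Offsets are into unallocated space, which the
# carver walks directly because a deleted file no longer has an MFT entry.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI marker ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # PNG signature ... IEND chunk + CRC
}

def carve(unallocated, max_size=10_000_000):
    """Header/footer carving over a raw byte blob. Returns (type, offset, data) tuples."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = unallocated.find(header)
        while start != -1:
            end = unallocated.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                next_pos = start + 1            # header without a footer: skip it, keep scanning
            else:
                end += len(footer)
                found.append((kind, start, unallocated[start:end]))
                next_pos = end                  # do not re-carve inside the recovered file
            start = unallocated.find(header, next_pos)
    return sorted(found, key=lambda t: t[1])

def build_png(width=1, height=1):
    """Constructed minimal valid PNG (red pixels), used only to populate the sample blob."""
    def chunk(tag, body):
        return len(body).to_bytes(4, "big") + tag + body + zlib.crc32(tag + body).to_bytes(4, "big")
    ihdr = width.to_bytes(4, "big") + height.to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter byte + RGB
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"   # constructed stub

def sample_unallocated():
    """Constructed unallocated space: two deleted files surrounded by leftover bytes,
    plus a stray JPEG header whose body was overwritten, so it has no footer."""
    return b"\x00" * 64 + SAMPLE_JPEG + b"\x37" * 128 + build_png() + b"\xff\xd8\xff\xe1" + b"\x00" * 32

if __name__ == "__main__":
    for kind, offset, data in carve(sample_unallocated()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Real carvers also validate the recovered structure (for PNG, the chunk CRCs) because a footer match alone does not prove the file is intact.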

14 of 25

Steganography

  • A method of hiding data within other files
    • Most commonly hidden in media file formats
  • The data is embedded in the file's bits so that the media looks exactly the same at face value
  • Often the data is also encoded with a key or passphrase to provide an added level of secrecy
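The steganography slide above, as an added example that is not part of the original deck: a least-significant-bit scheme over a constructed grayscale pixel array, showing why the cover looks unchanged (no pixel moves by more than 1) and why the examiner needs the passphrase (it fixes the pixel order; any other passphrase reads noise). The one-bit-per-pixel layout and the passphrase-seeded ordering are assumptions for this demo, not a description of any particular tool.

```python
import hashlib
import random

# Constructed cover "image": a flat array of 8-bit grayscale pixel values, without
# any container format, so the LSB mechanics are visible. Scheme assumed for this
# demo: one payload bit per pixel, pixel order derived from the passphrase.

def _positions(passphrase, n_pixels):
    """Passphrase-derived pixel order. Reading the LSBs in any other order yields noise."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order

def embed(pixels, payload, passphrase):
    data = len(payload).to_bytes(4, "big") + payload          # 4-byte length prefix
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover")
    out = bytearray(pixels)
    for bit, pos in zip(bits, _positions(passphrase, len(pixels))):
        out[pos] = (out[pos] & 0xFE) | bit                    # only the LSB changes
    return bytes(out)

def extract(pixels, passphrase):
    """What the examiner runs with a recovered passphrase; None if nothing sane is found."""
    order = _positions(passphrase, len(pixels))
    def read(start_bit, nbytes):
        out = bytearray()
        for k in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[order[start_bit + k * 8 + i]] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        return None                                           # wrong passphrase or no payload
    return read(32, length)

def max_pixel_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))

def demo():
    cover = bytes((i * 37) % 256 for i in range(4096))       # constructed 64x64 cover
    stego = embed(cover, b"hidden note", "hunter2")
    return max_pixel_change(cover, stego), extract(stego, "hunter2"), extract(stego, "wrong")
```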

15 of 25

Lab Prep

16 of 25

Tools you will be using

FTK Imager

  • Tool used to image a drive into various file formats
  • We will be imaging a USB drive as an E01 (EnCase evidence) file

Autopsy

  • Digital forensics toolkit
  • Automatically performs data carving
  • We will use this for the investigation portion of the lab

17 of 25

Autopsy dashboard

18 of 25

Quick note on USB Safety

  • Never plug in a USB drive from an untrusted source
  • A malicious USB device can automatically run code and install malware on your computer

19 of 25

Lab Briefing

20 of 25

SJU ACM

A Hack at St. John’s

21 of 25

THE HACK

The day is Thursday, October 5. The St. John’s ACM Student Chapter club is meeting for its second meeting of the Fall 2023 semester. Upon entering the cyber lab, the club is met with a terrifying discovery: St. John’s University has been HACKED! The only piece of evidence left behind by the attacker is a USB drive. St. John’s IT was able to estimate that the hack occurred at approximately 12 pm on Thursday, October 5; however, they suspect that a member of the SJU ACM e-board was behind it all. To assist in the investigation, the members of SJU ACM have agreed to examine the contents of the USB drive in hopes of uncovering the true identity of the culprit. It’s up to you to figure out who did it, where they did it, and what malware they used.

22 of 25

THE SUSPECTS

  • RAYMOND RAMDAT
  • JAKE ENEA
  • DAVID ROSOFF
  • TOMAS SANTOS YCIANO
  • IGNACIO ANTEQUERA SANCHEZ
  • BEN HANIM
  • FAIROOZ EHSAN
  • AQUEENA ALEXANDER

23 of 25

THE BUILDINGS

  • ST. JOHN HALL
  • MONTGORIS DINING HALL
  • MARILLAC HALL
  • ST. AUGUSTINE HALL
  • TAFFNER FIELD HOUSE
  • CARNESECCA ARENA
  • SULLIVAN HALL
  • D’ANGELO CENTER
  • BENT HALL

24 of 25

THE MALWARE

  • VIRUS
  • WORM
  • RANSOMWARE
  • SPYWARE
  • RAT
  • ADWARE

25 of 25

Thank you!