You are the computer forensics investigator for a law firm. The firm acquired a new client, a young woman who was fired from her job for inappropriate files discovered on her computer. She swears she never accessed the files. You have now completed your investigation. Using what you have learned from the text and the labs, complete the assignment below. You can use your imagination about what you found!

Write a one-page report describing the computer the client used, who else had access to it, and other relevant findings. Reference the tools you used (in your imagination) and what each of them might have found.

After answering the questions, save the file as LastnameFirstname_Assignment3 (e.g., JohnSmith_Assignment3) and submit it right back here under Assignment 3 for grading. Assignments are due by 11:55 p.m. Eastern Time on Sunday of Week 3.

Assignment Grading Criteria (Maximum Points)
Completes and analyzes relevant lab/activity: 60
Uses proper grammar, spelling and mechanics: 20
Timeliness & APA Style: 20
Total Points: 100

Supporting Materials
asnWeek03.doc (20 KB)
forensic_ppt15_l05.pptx

forensic_ppt15_l06.pptx

ISSC 351 Assignment 3

Unformatted Attachment Preview

System Forensics,
Investigation, and Response
Lesson 5
Understanding Techniques for Hiding
and Scrambling Information
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Explain techniques for hiding and
scrambling information as well as how
data is recovered.
Key Concepts
▪ Steganography
▪ Encryption
Steganography
▪ The art and science of writing hidden
messages
▪ Goal is to hide information so that even if it
is intercepted, it is not clear that information
is hidden there
▪ Most common method today is to hide
messages in pictures using the least
significant bit (LSB) method
LSB Method
▪ Consider 11111111
▪ Change last digit to 0
▪ 11111110 = 254 in decimal
▪ The last bit or least significant bit is used to
store data
▪ Colored pixels in a computer stored in bits
LSB Method
Used with permission from Microsoft
History of Data Hiding
▪ Ancient Chinese wrapped notes in wax and
swallowed them for transport
▪ In ancient Greece, message written on
slave’s shaved head, then hair allowed to
grow back
▪ During World War II, French Resistance
sent messages written on the backs of
couriers using invisible ink
Basic Steganography Terms
▪ Payload
▪ Carrier
▪ Channel
Other Forms of Steganography
▪ Steganophony: hiding messages in sound files
▪ Video steganography: hiding information in video files
Steganalysis
▪ The process of analyzing a file or files for
hidden content
▪ Can show a likelihood that a given file has
additional information hidden in it
▪ Common method for detecting LSB
steganography is to examine close-color
pairs
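As an added illustration of the LSB slides and of the steganalysis slide above (example code, not part of the Jones & Bartlett deck), the following hides a payload in the least significant bits of a constructed 8-bit grayscale carrier, reads it back, and scores the image with a close-colour-pair statistic. The 64-pixel carrier, the payload and the exact form of the statistic are constructed for this example.

```python
from collections import Counter


def embed_lsb(pixels, payload):
    """Replace the least significant bit of consecutive pixel values with the
    payload bits, most significant bit of each byte first.  A pixel of 255
    (11111111) carrying a 0 becomes 254 (11111110), the slide's example."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier has fewer pixels than payload bits")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit       # keep the top 7 bits, swap the LSB
    return stego


def extract_lsb(pixels, nbytes):
    """Read nbytes back out of the LSBs; the receiver must know the length."""
    bits = [p & 1 for p in pixels[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def pair_chi_square(pixels):
    """Close-colour-pair statistic.  Values 2k and 2k+1 differ only in the LSB.
    In an untouched image the two usually occur with unequal frequency; LSB
    embedding of a payload with mixed 0/1 bits pushes every pair towards a
    50/50 split, so the chi-squared distance from equality drops.  A markedly
    lower score than comparable clean images is what a steganalyst looks for."""
    counts = Counter(pixels)
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            expected = (even + odd) / 2
            chi += (even - expected) ** 2 / expected
    return chi


# Constructed carrier: 64 grayscale pixels drawn from eight even values
# (100..114), so every close-colour pair starts as 8 even / 0 odd.
COVER = [100 + 2 * ((i * 5) % 8) for i in range(64)]
PAYLOAD = b"LSB"                                # constructed 24-bit payload
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print(extract_lsb(STEGO, len(PAYLOAD)))     # b'LSB'
    print(pair_chi_square(COVER), pair_chi_square(STEGO))   # 32.0 18.25
```

Only the first 24 pixels change, and only by at most one gray level, so the picture looks identical while the pair statistic falls from 32.0 to 18.25.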
Invisible Secrets
Courtesy of NeoByte Solutions
Encryption/Cryptography
▪ Encryption obfuscates message so it
cannot be read
▪ Cryptography is the study of writing secret
messages
▪ The word cryptography derived from word
kryptós, which means hidden, and the verb
gráfo, which means write
Encryption vs. Steganography
▪ Steganography: message hidden
▪ Encryption/Cryptography: message present but obfuscated
The Caesar Cipher
▪ Referred to as the substitution cipher
▪ A simple method of encryption and very
easy to crack
1. Choose some number by which to shift
each letter of a text
2. Substitute the new alphabetic letter for the
letter being encrypted
Caesar Cipher Example
▪ Text is:
▪ A CAT
▪ You choose to shift by two letters, then C
replaces A, E replaces C, and V replaces T;
encrypted message is:
▪ C ECV
▪ If shift by three letters, message is:
▪ D FDW
The Caesar Cipher
▪ Introduced two key terms:
▪ Text you want to encrypt is referred to as
plaintext
▪ After it has been subjected to the algorithm
and key, resultant text is called ciphertext
The Atbash Cipher
▪ Reverses the alphabet—substituting the
first letter of the alphabet for the last letter,
the second letter for the second-to-last
letter, and so on
▪ Is primitive and easy to break
The ROT13 Cipher
▪ A permutation of the Caesar cipher
▪ All characters are rotated 13 characters
through the alphabet
▪ A CAT becomes N PNG
The Scytale Cipher
▪ Encrypts messages by wrapping a leather
strip around a cylinder or baton, and writing
across the leather
▪ Turning cylinder produced different
ciphertexts
▪ Message decrypted by reading the
message once placed over the same
leather “key” wrapped around the same
size cylinder
Multialphabet Substitution
▪ Uses multiple numbers by which letters in
plaintext are shifted
▪ Multiple substitution alphabets are created
▪ Represents a slight improvement on the
Caesar cipher but is still easily cracked
Multialphabet Substitution
Example
▪ If you select three substitution alphabets
(+2, -2, +3)
▪ A CAT becomes C ADV
The Vigenère Cipher
© Jones & Bartlett Learning
The Enigma Machine
▪ World War II, electromechanical rotor-based cipher system
▪ Is a multialphabet substitution cipher using
machinery to accomplish the encryption
▪ When operator pressed a key, encrypted
ciphertext for plaintext was altered each
time
Cryptography in Use Today
▪ Used every day by millions of consumers
on the World Wide Web to buy products
and services securely
▪ “https” at beginning of Web address or a
padlock symbol indicates a secure protocol
such as Transport Layer Security (TLS) is
at work
Cryptography in Use Today
▪ Cryptography also used in:
▪ Antivirus software
▪ Wireless security (WPA and WPA2 encryption)
▪ Hard disk encryption using Microsoft
Encrypting File System (EFS) is a form of
cryptography
▪ Did you know your mobile phone
transmissions are encrypted, as are your ATM
and credit cards?
Substitution and Transposition
▪ Swapping of blocks of ciphertext
▪ All modern block-cipher algorithms use
substitution and transposition
▪ Combination of substitution and
transposition increases security of
resultant ciphertext by making
cryptanalysis more complex
Block Ciphers and Stream Ciphers
▪ Block cipher: encrypts data in groups of bits, also known as blocks
▪ Stream cipher: encrypts data as a stream, one bit at a time
The Feistel Function
© Jones & Bartlett Learning
Data Encryption Standard (DES)
1. Data is divided into 64-bit blocks.
2. Data is manipulated by 16 separate
steps of encryption involving
substitutions, bit-shifting, and logical
operations using a 56-bit key.
3. Data is then further scrambled using
a swapping algorithm.
4. Data is transposed one last time.
What Happened to 2DES?
▪ 2DES basically does DES two times
▪ Was not much more secure than DES
▪ Took more time and computer
resources to implement
▪ Is not widely used
Triple DES (3DES)
▪ Was created as an interim solution to
DES
▪ Does DES three times, with three
different keys
Why 4DES Was Never
Implemented
▪ Early simulations indicated it was too
scrambled
▪ Blocks of original plaintext appeared in
the final ciphertext
▪ One of the driving factors behind
searching for a new algorithm not in
the DES line
Advanced Encryption Standard
(AES)
▪ Also known as the Rijndael block
cipher
▪ Can have three different key sizes:
• 128, 192, or 256 bits
▪ Referred to as AES 128, AES 192, and
AES 256
AES Steps
▪ Key expansion
▪ Initial round
• AddRoundKey
▪ Rounds
• SubBytes
• ShiftRows
• MixColumns
• AddRoundKey
▪ Final round
• SubBytes
• ShiftRows
• AddRoundKey
RSA
▪ Described in 1977 by Ron Rivest, Adi
Shamir, and Leonard Adleman at MIT
▪ Perhaps the most widely used public key
cryptography algorithm today
▪ Is based on relationships of prime
numbers
▪ Security of RSA derives from fact that it is
difficult to factor a large integer composed
of two or more large prime factors
Diffie-Hellman
▪ A cryptographic protocol that allows two
parties to establish a shared key over an
insecure channel
▪ Often used to allow parties to exchange a
symmetric key through some insecure
medium, such as the Internet
▪ Enabled all secure communications between
parties that did not have a pre-established
relationship, such as e-commerce
Diffie-Hellman (cont.)
▪ Groundbreaking research provided the
foundation for secure transactions across
the Internet
▪ E-commerce sites like Amazon.com and
Staples.com can provide secure electronic
communications, thanks in great part to
Diffie and Hellman
Frequency Analysis
▪ In natural languages, certain letters of
alphabet appear more frequently than
others
▪ By examining frequencies, can derive some
information about the key used
▪ Method effective against classic
ciphers, but not modern
methods of cryptography
Kasiski
▪ A method of attacking polyalphabetic
substitution ciphers, such as Vigenère
▪ Can be used to deduce the length of the
keyword used in a polyalphabetic
substitution cipher
Kasiski (cont.)
▪ When length of keyword is discovered,
ciphertext is lined up in n columns, where n
is keyword length
▪ Each column
▪ Treated as a monoalphabetic substitution
cipher
▪ Can be cracked with frequency analysis
▪ Involves looking for repeated strings in the
ciphertext
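The Caesar, ROT13 and multialphabet examples from the earlier slides (A CAT to C ECV, N PNG and C ADV), the Vigenère cipher, and the Kasiski plus frequency-analysis procedure from the last three slides, worked through in one added Python example (not code from the Jones & Bartlett deck). The plaintext, a paraphrase of the lesson, the key LEMON and the English letter-frequency table are constructed or assumed inputs.

```python
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative frequency (%) of A..Z in English prose.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def shift_text(text, shifts):
    """Shift each letter by the next entry of `shifts`, cycling: one shift is the
    Caesar cipher (13 = ROT13), several signed shifts is the slides' multialphabet
    cipher, a keyword's letter positions is Vigenere.  Non-letters pass through."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def vigenere(text, key, decrypt=False):
    sign = -1 if decrypt else 1
    return shift_text(text, [sign * ALPHA.index(c) for c in key.upper()])

def kasiski_key_length(ciphertext, max_len=20, n=3):
    """Kasiski examination: a repeated n-gram in the ciphertext is most likely the
    same plaintext under the same key letters, so the distance between occurrences
    is a multiple of the key length.  Score each candidate; ties favour shorter."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    score = Counter({k: 0 for k in range(2, max_len + 1)})
    for occ in positions.values():
        for a, b in zip(occ, occ[1:]):
            for k in score:
                if (b - a) % k == 0:
                    score[k] += 1
    return min(score, key=lambda k: (-score[k], k))

def best_shift(column):
    """Frequency analysis of one column: the shift whose un-shifted histogram is closest (chi-squared) to English."""
    expected = [len(column) * f / 100 for f in ENGLISH_FREQ]
    def chi2(s):
        counts = Counter(ALPHA[(ALPHA.index(c) - s) % 26] for c in column)
        return sum((counts[l] - e) ** 2 / e for l, e in zip(ALPHA, expected))
    return min(range(26), key=chi2)

def recover_key(ciphertext, key_len):
    # Line the ciphertext up in key_len columns; each column is a Caesar cipher.
    return "".join(ALPHA[best_shift(ciphertext[i::key_len])] for i in range(key_len))

# Constructed sample: a paraphrase of the lesson as plaintext (letters only) and a key.
PLAINTEXT = "".join(c for c in (
    "THE CAESAR CIPHER IS A SIMPLE METHOD OF ENCRYPTION AND IS VERY EASY TO CRACK CHOOSE SOME "
    "NUMBER BY WHICH TO SHIFT EACH LETTER OF THE TEXT AND SUBSTITUTE THE NEW LETTER FOR THE "
    "LETTER BEING ENCRYPTED THE TEXT YOU WANT TO ENCRYPT IS THE PLAINTEXT AND THE RESULT OF "
    "THE ALGORITHM AND THE KEY IS THE CIPHERTEXT IN NATURAL LANGUAGES CERTAIN LETTERS OF THE "
    "ALPHABET APPEAR MORE OFTEN THAN OTHERS AND BY EXAMINING THESE FREQUENCIES THE ANALYST CAN "
    "DERIVE INFORMATION ABOUT THE KEY THE METHOD IS EFFECTIVE AGAINST THE CLASSIC CIPHERS BUT NOT "
    "AGAINST MODERN CRYPTOGRAPHY WHEN THE LENGTH OF THE KEYWORD IS KNOWN THE CIPHERTEXT IS LINED "
    "UP IN COLUMNS AND EACH COLUMN IS TREATED AS A MONOALPHABETIC SUBSTITUTION CIPHER THAT CAN "
    "BE CRACKED WITH FREQUENCY ANALYSIS") if c in ALPHA)
KEY = "LEMON"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)
```

Running `kasiski_key_length(CIPHERTEXT)` gives 5 and `recover_key(CIPHERTEXT, 5)` gives back LEMON from the ciphertext alone, which is the whole attack the slides describe; against a modern block cipher neither step has anything to work on.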
Modern Methods
▪ Known plaintext attack
▪ Chosen plaintext attack
▪ Ciphertext-only
▪ Related-key attack
Rainbow Tables/Ophcrack
John the Ripper
▪ A password cracker popular with
network administrators and hackers
▪ Enables user to select text files of word
lists to attempt cracking a password
▪ Command-line based, no Windows
interface
Summary
▪ Steganography
▪ Encryption
Virtual Lab
▪ Analyzing Images to Identify
Suspicious or Modified Files
System Forensics, Investigation,
and Response
Lesson 6
Recovering Data
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Explain techniques for hiding and
scrambling information as well as how
data is recovered.
Key Concepts
▪ Undeleting data
▪ Recovering information from damaged
drives
Operating Systems
▪ Current
• Windows 8, 7, Vista
• Windows Server 2012, 2008, 2003
• Mac OS 9 and 10
▪ Legacy
• Windows XP, 2000
• Mac OS 8 or earlier
Windows
▪ FAT16 and FAT32 used in pre-Windows
2000 versions
▪ NTFS file system in use since Windows
2000
▪ Uses a table to map files to specific clusters
where they are stored on the disk
Storing a File in Windows (FAT/FAT32)
▪ Record cluster number for next cluster
▪ Add EOC if at end of chain
▪ Mark bad, reserved, open clusters
Deleting a File in Windows
(FAT/FAT32)
▪ When a file is deleted, data not removed
from disk
▪ FAT is updated to reflect clusters no longer
in use
▪ New data saved to those clusters may
overwrite old information
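A small simulation of the FAT storage and deletion steps on the last two slides, added here as example code (not the Jones & Bartlett deck's own). The volume, cluster size, file names and contents are constructed; the FAT behaviour it models is that deletion clears the chain entries and overwrites the first byte of the directory entry's name with 0xE5 while leaving the starting cluster, the size and the cluster data in place, which is why an undelete has to assume the clusters were contiguous and only works until something else is written there.

```python
FREE, EOC = 0x000, 0xFFF      # FAT entry values: cluster free / end-of-chain marker
CLUSTER_SIZE = 4              # bytes per cluster; tiny so the chains stay readable
DELETED = 0xE5                # first name byte of a deleted FAT directory entry

class TinyFat:
    """Constructed FAT-style volume: a FAT of next-cluster pointers, the cluster
    data area, and a directory mapping byte-string names to (first cluster, size)."""
    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = EOC          # clusters 0 and 1 are reserved
        self.data = [b"\x00" * CLUSTER_SIZE for _ in range(clusters)]
        self.dirent = {}

    def write(self, name, content):
        chunks = [content[i:i + CLUSTER_SIZE] for i in range(0, len(content), CLUSTER_SIZE)]
        free = [c for c, v in enumerate(self.fat) if v == FREE]
        if len(chunks) > len(free):
            raise OSError("disk full")
        used = free[:len(chunks)]                # first-free allocation
        for c, chunk in zip(used, chunks):
            self.data[c] = chunk.ljust(CLUSTER_SIZE, b"\x00")
        for c, nxt in zip(used, used[1:]):       # record cluster number for next cluster
            self.fat[c] = nxt
        self.fat[used[-1]] = EOC                 # add EOC at end of chain
        self.dirent[name] = (used[0], len(content))

    def read(self, name):
        """Normal read: follow the chain from the directory entry's first cluster."""
        c, size = self.dirent[name]
        out = b""
        while c != EOC:
            out += self.data[c]
            c = self.fat[c]
        return out[:size]

    def delete(self, name):
        """FAT delete: free the chain entries and mark the directory entry;
        the cluster data itself is not touched."""
        first, size = self.dirent.pop(name)
        c = first
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE                   # FAT updated: cluster no longer in use
            c = nxt
        self.dirent[bytes([DELETED]) + name[1:]] = (first, size)

    def undelete(self, name):
        """Forensic recovery: the marked entry still holds first cluster and size,
        but the chain is gone, so assume the clusters were contiguous.  Returns the
        recovered bytes and the clusters that have since been reallocated."""
        first, size = self.dirent[bytes([DELETED]) + name[1:]]
        clusters = range(first, first + -(-size // CLUSTER_SIZE))
        reused = [c for c in clusters if self.fat[c] != FREE]
        return b"".join(self.data[c] for c in clusters)[:size], reused

if __name__ == "__main__":
    disk = TinyFat()
    disk.write(b"NOTES.TXT", b"meeting notes from monday")
    disk.delete(b"NOTES.TXT")
    print(disk.undelete(b"NOTES.TXT"))           # full content, nothing reused
    disk.write(b"NEW.TXT", b"new file")          # first-free allocation takes clusters 2 and 3
    print(disk.undelete(b"NOTES.TXT"))           # first 8 bytes now belong to NEW.TXT
```

After the second write the recovered file starts with the new file's bytes, which is the "new data saved to those clusters may overwrite old information" case on the slide; a real examiner would image the drive before anything is written for the same reason.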
NTFS Fundamental Files
▪ MFT (Master File Table): describes all files on the volume
▪ Cluster bitmap: a map of all the clusters on the hard drive
Storing a File in Windows (NTFS)
▪ MFT contains one base file record for each file and directory
▪ MFT serves same purpose as FAT
▪ Cluster bitmap file maps all clusters on disk
Deleting Files in Windows (NTFS)
▪ When a file is deleted, data not removed
from disk
▪ Clusters are marked as deleted and
“moved” to Recycle Bin
▪ When Recycle Bin is emptied, clusters
marked as fully available
▪ Filename in the MFT is marked with a
special character …