Kroll Ontrack - Seminar Slides - Anthony Ranasinghe

Computer Forensics Investigation and The

Review Tool

1

by Anthony Ranasinghe

Proprietary | Kroll Ontrack

| Agenda

» Computer Forensic Investigations

» Computer Forensic Cases

» Computer Forensic Process

– Acquisition

– Analysis

» Case Study

» Review Tool

2


| Computer Forensics Investigation

What is a Computer Forensic Investigation?

» Captures, preserves, extracts, and analyzes digital evidence

» Main focus on electronic evidence and that it can be located and accessed

» Retrieval and analysis of evidence, report on findings

What makes data become Electronic Evidence?

» Electronic evidence needs to be captured in a manner that guarantees it is not altered in any way during, or subsequent to, the actual collection; and that provides a verifiable audit trail starting at the moment of capture.

3


| Computer Forensics Cases

Bribery / FCPA

Preservation of data

Termination for cause

Intellectual Property theft

Suspected computer misuse

Fraud / Executive misconduct

4


| Computer Forensics Process

5

Incident Response

Strategy Planning

Acquisition

Preservation

Analysis

Presentation

Review


| Computer Forensics Acquisition

Typical source of Digital Evidence

» Emails (local machine, server, webmail)

» Computer devices (desktop, laptop, external drive, USB stick)

» Network shares (individual or department shared drives on network)

» Mobile Devices

» Forensic Imaging of an entire hard drive or a partition

» Active file collection from PC media, server, network location or cloud

» Remote collection

6


| Computer Forensics Analysis

7

Recovery of Deleted Files

» File Carving

System Registry Files (Computer Log Record)

» Security Account Manager registry (SAM)

» USB device connection record

Link File Analysis

File Slack

Internet History Analysis


| Recovery of Deleted File

Files to be recovered

» Deleted without Recycle Bin, or when Recycle Bin has been emptied

» Removed by virus attack or power failure

» After the partition with the files was reformatted

» When the partition structure on a hard disk was changed or damaged

» Operating System Temporary files (Cookies, Log Files …etc)

File Carving - is the process of reassembling computer files from fragments in the absence of file system

metadata ( Content and context of a files)

8


| System Registry Files

Security Account Manager (SAM)

9


| System Registry Files

USB device connection record

10



Link File Analysis

» There are no records of a file being copied

» If someone drags and drops a file onto a USB drive, there will be no record other than the USB device being plugged in.

» Possibility that someone copied a file to a USB and then opened it from the USB

» In this case there will be an LNK file (shortcut in Recent Documents) that is created pointing towards the file on the USB, Share drive, File Transfer Protocol.

11



File Slack

» Space on the hard drive between the logical and physical file size. It means that anything that was in that space before becomes file slack.

» File slack can contain anything at all, from fragments of web pages, emails, and even complete small pictures, to junk text.

12



Internet History Analysis

13


14


The Angry Employee

The Problem

An employee is fired. An inattentive supervisor gives him the opportunity to access his computer to remove ‘personal files’.

When the supervisors goes to access key files on the system – they all have mysteriously disappeared.

The Solution

File recovery

» Active and Deleted file list

Look for evidence

» Copying of files

» USB Device Analysis

» Any secure-delete or wiping software installed


Taken

The Problem

Five key employees all quit on the same day, leaving behind large bonus payments and secure jobs.

Rumor has it that they are starting their own firm.

Did they take company data with them?

The Solution

E-mail Search

» Recovery of deleted e-mails

Look for evidence

» Active File List

» USB device Analysis

» Link File Analysis

» Internet History Analysis

Forensics can find what was Copied or Removed

Review Tool

17

Review Tool | Legal Technologies | Asia Pacific


When is it used?

Litigation

» Patents

» Products Liability

» Bankruptcy, Contractual Disputes, etc

International Arbitrations and Mediations

Competition and Anti-Trust Investigations

» Price Fixing

» Abuse of Market Share

Internal Investigations


Data Filtering Overview

Key benefits:

» File identification

» Effective keyword searching

» Elimination of blank and duplicate documents

» Segregation of potentially privileged documents

» Flagging of very large files

Responsive Non-Responsive Privileged


E-Mail Analytics

Who Was Talking to Whom?


E-Mail Analytics – Subject Lines

What Were the E-Mails Talking About?


E-Mail Analytics

When Did the E-Mail Communications Occur?

Proprietary | Kroll Ontrack 23

Review Tool Interface

Proprietary | Kroll Ontrack 24

Projects will… » Achieve deadlines

» Be defensible

» Position you to win your case

Tool set will… » Maximize efficiency

» Enable continuous improvement

» Result in predictable lower costs

It’s our promise.


|For further inquiries

Anthony Ranasinghe

DID - +65 6645 4941

Mobile - + 65 8692 8293

Email – [email protected]

www.krollontrack.com

25

mailto:[email protected]

http://www.krollontrack.com/