Which process builds a set of hashes of sectors from the original file and examines sectors on the suspect drive to find matches?
Presentation on theme: "Chapter 9 Digital Forensics Analysis and Validation" — Presentation transcript:
1 Chapter 9 Digital Forensics Analysis and Validation
2-3 Determining What Data to Collect and Analyze
4-7 Approaching Digital Forensics Cases
8-13 Using OSForensics to Analyze Data
14 Validating Forensic Data
15-20 Validating with Hexadecimal Editors
21-24 Validating with Digital Forensics Tools
25 Addressing Data-Hiding Techniques
26 Hiding Files by Using the OS
27 Hiding Partitions
By using the Windows diskpart remove letter command
28 Hiding Partitions
To detect whether a partition has been hidden
29-30 Hiding Partitions
Guide to Computer Forensics and Investigations, Fifth Edition
31 Marking Bad Clusters
A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters. It involves using old utilities such as Norton DiskEdit, which can mark good clusters as bad clusters in the FAT table so the OS considers them unusable. The only way they can be accessed from the OS is by changing them to good clusters with a disk editor. DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media.
32 Bit-Shifting
Some users use a low-level encryption program that changes the order of binary data, which makes the altered data unreadable. To secure a file, users run an assembler program (also called a “macro”) to scramble the bits, then run another program to restore the scrambled bits to their original order. Bit shifting changes data from readable code to data that looks like binary executable code. WinHex includes a feature for shifting bits.
33-35 Bit-Shifting
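From the examiner's side, bit-shifted text can be recognised by undoing each possible shift and checking which one yields readable data. The following is an added example, not code from the slides or from WinHex; it assumes the scrambling is a per-byte circular rotation, and the sample text is constructed.

```python
def rotate_left(data: bytes, n: int) -> bytes:
    """Circularly rotate every byte left by n bits (n taken modulo 8)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def recover_shift(data: bytes, threshold: float = 0.95):
    """Try all 8 rotations and return (rotation, recovered_bytes) for the
    most text-like result, or None when the data is already readable as-is
    or no rotation produces mostly printable output."""
    best = max(range(8), key=lambda n: printable_ratio(rotate_left(data, n)))
    candidate = rotate_left(data, best)
    if best == 0 or printable_ratio(candidate) < threshold:
        return None
    return best, candidate


# Constructed sample: readable text scrambled by a 3-bit left rotation.
ORIGINAL = b"Meeting notes: transfer the ledger files on Friday.\n"
SCRAMBLED = rotate_left(ORIGINAL, 3)

if __name__ == "__main__":
    print("scrambled printable ratio:", round(printable_ratio(SCRAMBLED), 2))
    print("recovered:", recover_shift(SCRAMBLED))
```
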
36-38 Understanding Steganalysis Methods
39 Examining Encrypted Files
40 Recovering Passwords
Password-cracking tools are available for handling password-protected data or systems. Some are integrated into digital forensics tools. Stand-alone tools: Last Bit, AccessData PRTK, ophcrack, John the Ripper, Passware.
41 Recovering Passwords
Brute-force attacks; dictionary attack
42 Recovering Passwords
With many programs, you can build profiles of a suspect to help determine his or her password. Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values. A brute-force attack requires converting a dictionary password from plaintext to a hash value, which requires additional CPU cycle time.
43 Recovering Passwords
Rainbow table; salting passwords
44 Hashing Password
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e b9824
hash("hbllo") = c05c68dfac fad6a93f8146f337a69afe7dd238f
hash("waltz") = c0e f1777c232bc6bd9ec38f616560b120fda8e90f
45 Source: https://crackstation.net/hashing-security.htm
46 Hashing Password
The user creates an account.
47 Hashing Password
The hash functions used to protect passwords are not the same as the hash functions you may have seen in a data structures course. The hash functions used to implement data structures such as hash tables are designed to be fast, not secure. Only cryptographic hash functions may be used to implement password hashing, such as SHA256, SHA512, RipeMD, and WHIRLPOOL.
48-52 How to attack hashing passwords
53 Adding Salt
Lookup tables and rainbow tables only work because each password is hashed the exact same way. If two users have the same password, they'll have the same password hashes. We can prevent these attacks by randomizing each hash, so that when the same password is hashed twice, the hashes are not the same. We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing.
54 Adding Salt
The salt does not need to be secret.
55 Wrong way to use Salt
Salt Reuse
56 Wrong way to use Salt
For the same reason, the username shouldn't be used as a salt. Usernames may be unique to a single service, but they are predictable and often reused for accounts on other services. To make it impossible for an attacker to create a lookup table for every possible salt, the salt must be long. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA256 is 256 bits (32 bytes), so the salt should be at least 32 random bytes.
57-58 Wrong way to use Salt
Short Salt
59-60 Wrong way to use Salt
Double Hashing & Wacky Hash Functions
61 Right way
To Store a Password; To Validate a Password
62 Salt
How to implement

What type of file contains the hash values for every possible password that can be generated from a computer's keyboard?
Rainbow table: a file containing the hash values for every possible password that can be generated from a computer's keyboard. Salting passwords: adding bits to a password before it's hashed so that a rainbow table can't find a matching hash value to decipher the password.
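The salting slides above (per-user random salt, 32-byte length, store and validate steps) can be seen working in the following added example, which is not code from the presentation or from the cited source. It uses salted SHA256 exactly as the slides describe so the comparison with an unsalted lookup table stays direct; the function names and the three-word wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

SALT_BYTES = 32  # same size as the SHA256 output, per the rule of thumb above


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(wordlist):
    """Precompute unsalted hash -> password, as a lookup table does."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def store_password(password: str, salt=None):
    """Return (salt, hash) for the account record; fresh random salt per user."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt, sha256_hex(salt + password.encode())


def validate_password(password: str, salt: bytes, stored_hash: str) -> bool:
    """Re-hash the attempt with the stored salt; compare in constant time."""
    candidate = sha256_hex(salt + password.encode())
    return hmac.compare_digest(candidate, stored_hash)


def demo():
    table = build_lookup_table(["hello", "waltz", "password"])  # constructed
    salt_a, hash_a = store_password("hello")   # first user
    salt_b, hash_b = store_password("hello")   # second user, same password
    return {
        "unsalted_found_in_table": table.get(sha256_hex(b"hello")),
        "salted_found_in_table": table.get(hash_a),
        "same_password_same_hash": hash_a == hash_b,
        "valid_login": validate_password("hello", salt_a, hash_a),
        "wrong_login": validate_password("hbllo", salt_a, hash_a),
        "salt_length": len(salt_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
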
What is block-wise hashing? How is it done?
Block-wise hashing: the process of hashing all sectors of a file and then comparing them with sectors on a suspect's drive disk to determine whether there are any remnants of the original file that couldn't be recovered. Cover-media: in steganalysis, the original file with no hidden message.
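Block-wise hashing as defined above, shown as an added example that is not taken from the presentation or from any forensic tool. It assumes 512-byte sectors and a sector-aligned image; the "original file" and "drive image" are constructed in memory.

```python
import hashlib

SECTOR = 512  # assumed sector size; match it to the media under examination


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Map SHA256 digest -> sector index for each full sector of the known file.
    A trailing partial sector is skipped: on disk it is followed by slack,
    so its hash would not match anyway."""
    hashes = {}
    for off in range(0, len(data) - sector + 1, sector):
        block = data[off:off + sector]
        if block.count(0) == sector:   # all-zero sectors match everywhere
            continue
        hashes.setdefault(hashlib.sha256(block).hexdigest(), off // sector)
    return hashes


def find_remnants(known: bytes, image: bytes, sector: int = SECTOR) -> list:
    """Return (image_sector, file_sector) pairs where a sector of the image
    is byte-for-byte identical to a sector of the known file."""
    wanted = sector_hashes(known, sector)
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        digest = hashlib.sha256(image[off:off + sector]).hexdigest()
        if digest in wanted:
            hits.append((off // sector, wanted[digest]))
    return hits


def build_sample():
    """Constructed data: a file of three full sectors plus a 300-byte tail,
    and an 8-sector image where file sector 0 was overwritten and only
    sectors 1 and 2 survive, non-contiguously."""
    zero = bytes(SECTOR)
    known = b"A" * SECTOR + b"B" * SECTOR + b"C" * SECTOR + b"D" * 300
    image = (zero + b"x" * SECTOR + b"B" * SECTOR + zero +
             b"y" * SECTOR + b"C" * SECTOR + zero + zero)
    return known, image


if __name__ == "__main__":
    known, image = build_sample()
    for img_sec, file_sec in find_remnants(known, image):
        print(f"image sector {img_sec} matches file sector {file_sec}")
```
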
Which action alters hash values making cracking passwords more difficult?
Salting means adding randomly generated characters to the input values before hashing them. It's a technique that's used in password hashing. It makes the hashing values unique and more difficult to crack.
Why is it important to validate forensic data, and why are advanced hexadecimal editors necessary for this process?
It is important to validate collected forensic data during an investigation to ensure the data's integrity is intact and that data corruption has not occurred in your data copies during collection.