Forensic computing?

Riiya said:
I was going to do a Forensics Degree, but I opted for MGeoscience instead; that was after realising that Forensics seems to be the new Psychology fad. Huge numbers of people are studying it now, making job opportunities quite scarce for the present time and future.

I gotta admit it does seem like that, but forensic computing is few and far between, with very few degrees that are solely devoted to it. The ones that do exist aren't that old, so if you start this or next year you'll probably be at the forefront of the flood, so we'll get in first with all the experience. Or ethical hacking; been thinking of changing degrees to that, but forensic computing covers vastly more... :confused: choices choices
 
Business Man said:
NHTCU can only do so much though, from what I've heard. With encryption available free off the net these days, how do you get around it? Brute force, or demand the person hand over the passphrase?

You have TrueCrypt and DriveCrypt, which encrypt the whole HDD, and I've heard these are uncrackable.

They are difficult to crack, that's true. That said, if the suspect refuses to hand over the password he goes to jail for 2 years.

Oh, and the NHTCU no longer exists; it was disbanded at least a year ago and merged into SOCA.
 
MoratJG said:
I was lucky: I landed a job in the military police CCT and had all the training and courses I could wish for. Previous to that, the only experience I had was home use and a basic system administrator's course. I then moved into the private sector and did contract work for the Met, and later moved to the Serious Fraud Office for a short while. There would have been no way in hell I would have got either of those jobs without the police background and experience I got in the Army; I would strongly suggest you get yourself into some government role (also, many of the best courses are only open to law enforcement or government agencies).

I seem to recall you also had an incredibly talented boss as well, now, who was that again? Oh yes, it was me! ;)
 
Business Man said:
NHTCU can only do so much though, from what I've heard. With encryption available free off the net these days, how do you get around it? Brute force, or demand the person hand over the passphrase?

You have TrueCrypt and DriveCrypt, which encrypt the whole HDD, and I've heard these are uncrackable.

You can attack the key phrase using certain characteristics built up from profiling the person. A lot of people use the same or similar passwords for different authentication.

Practically, you're not going to crack AES in the length of the universe with brute force, so unless a flaw in the implementation/algorithm is discovered in future it will remain safe for a long time. I feel safe investing my trust in AES-256.

The only really unbreakable encryption is one time pads with truly random data.

Your best bet is to get a key logger onto the machine and log their keystrokes in plaintext and get their keyphrase from that, either in hardware or software.

As mentioned above, under the RIPA Act you legally have to hand over your keys to the authorities if requested anyhow.
 
Una said:
You can attack the key phrase using certain characteristics built up from profiling the person. A lot of people use the same or similar passwords for different authentication.

Practically, you're not going to crack AES in the length of the universe with brute force, so unless a flaw in the implementation/algorithm is discovered in future it will remain safe for a long time. I feel safe investing my trust in AES-256.

The only really unbreakable encryption is one time pads with truly random data.

Your best bet is to get a key logger onto the machine and log their keystrokes in plaintext and get their keyphrase from that, either in hardware or software.

As mentioned above, under the RIPA Act you legally have to hand over your keys to the authorities if requested anyhow.

This is called social engineering. Basically you use an application to scan a disk looking for key words which are then used as passwords in an attempt to access the file.
 
lol, serious revival here.

I'm on the same course as knowlesy...

'Tis great, I really enjoy it... although I'm well prepared to do my do's for experience when I finish. It's definitely a career path I'm sticking at because I really do find it interesting.

Little old me working away at OS X... behind closed doors :)

We have had a few companies come to give us talks, the best one being 7Safe I think; was well impressed by them. Would love a good work placement somewhere like that...
 
doublehelix2 said:
You can earn multiples of 100k? Seriously?

No. You can't.

A Junior Analyst with 2 years' experience in London will earn between £25K and £30K. A Senior Analyst will earn between £40K and £65K. A Senior Manager will earn £80K or more.

If you had superb contacts and worked for yourself in London, then you could easily earn more than £100K, but you'll never get that working for someone else.
 
Does anyone know if Vole have a forensic division? You would have thought that they do, or would it be incorporated into different divisions...??? :confused:
 
I'm doing my final year dissertation on Ways and means of destroying data on a HDD prior to selling/recycling the disk, in order to prevent identity theft.

I was wondering if you Forensics chaps could point me in the direction of a few things.

I'm looking for some statistics on computer related fraud (particularly as a result of the loss/sale/theft/disposal of a computer hard disk).

I'm going to attempt to recover a HDD from various scenarios.

HDD recovery data untampered
HDD recovery after file deletion (but not emptying the recycle bin)
HDD recovery after emptying the recycle bin
HDD recovery after emptying Recycle bin and a Defrag
HDD recovery after a quick format
HDD recovery after a full format
HDD recovery after dropping a partition
HDD recovery after a repartition
HDD recovery after a Low level format
HDD recovery after a data scrub
HDD recovery after an encryption

All tests will be performed on FAT32 and NTFS file systems.

I appreciate some of these things will show the same results or are not recoverable but I'm doing it for thoroughness. Are there any other tests I'm missing?

What sorts of tools should I use? (I'm looking for Freeware or trialware)

My method for performing this was going to be:

Take bit-level image of HDD
Take checksum of image
Copy image to other PC
Take checksum of copied image and compare to original checksum
Use recovery software to identify data attempted to be destroyed.
Use auditing software to try to identify any information that could be used maliciously.
Document findings.

Am I heading in the right direction? Can you give me any pointers?
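An added worked example of the acquisition-and-verification steps above, not Kronologic's own code or a tool from the thread: it images a source bit-for-bit while hashing it, copies the image as if to the second PC, re-hashes both sides against the digest recorded at acquisition, and shows that a single altered byte in the copy is caught. It assumes SHA-256 as the checksum and uses a constructed random file in place of the HDD.

```python
import hashlib, os, shutil, tempfile

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks

def image_device(src_path, image_path):
    """Copy src_path (a block device or a file) bit-for-bit to image_path,
    hashing every block as it is read; returns the SHA-256 of the source."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_copy(image_path, copy_path, acquisition_digest):
    """Re-hash the image and its copy; both must equal the digest recorded at
    acquisition, otherwise the copy is not a faithful image and must not be used."""
    return sha256_file(image_path) == acquisition_digest == sha256_file(copy_path)

def demo():
    """Constructed run: a 3 MiB random file stands in for the HDD.
    Returns (intact copy verifies, tampered copy verifies)."""
    work = tempfile.mkdtemp()
    disk, image, copy = (os.path.join(work, n) for n in ("disk", "disk.dd", "copy.dd"))
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024))
    digest = image_device(disk, image)
    shutil.copyfile(image, copy)  # stands in for the transfer to the other PC
    intact = verify_copy(image, copy, digest)
    with open(copy, "r+b") as f:  # flip one byte of the copy
        f.seek(1000)
        original = f.read(1)[0]
        f.seek(1000)
        f.write(bytes([original ^ 0xFF]))
    tampered = verify_copy(image, copy, digest)
    shutil.rmtree(work)
    return intact, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```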
 
Kronologic said:
I'm doing my final year dissertation on Ways and means of destroying data on a HDD prior to selling/recycling the disk, in order to prevent identity theft.

I was wondering if you Forensics chaps could point me in the direction of a few things.

I'm looking for some statistics on computer related fraud (particularly as a result of the loss/sale/theft/disposal of a computer hard disk).

I'm going to attempt to recover a HDD from various scenarios.

HDD recovery data untampered
HDD recovery after file deletion (but not emptying the recycle bin)
HDD recovery after emptying the recycle bin
HDD recovery after emptying Recycle bin and a Defrag
HDD recovery after a quick format
HDD recovery after a full format
HDD recovery after dropping a partition
HDD recovery after a repartition
HDD recovery after a Low level format
HDD recovery after a data scrub
HDD recovery after an encryption

All tests will be performed on FAT32 and NTFS file systems.

I appreciate some of these things will show the same results or are not recoverable but I'm doing it for thoroughness. Are there any other tests I'm missing?

What sorts of tools should I use? (I'm looking for Freeware or trialware)

My method for performing this was going to be:

Take bit-level image of HDD
Take checksum of image
Copy image to other PC
Take checksum of copied image and compare to original checksum
Use recovery software to identify data attempted to be destroyed.
Use auditing software to try to identify any information that could be used maliciously.
Document findings.

Am I heading in the right direction? Can you give me any pointers?
It should be fairly obvious to you that in any situation where the data has not actually been overwritten it will be trivial to recover it.
For example, dropping a partition or repartitioning only affects the partition table; the data on the drive that marks where the filesystem starts will still be there, along with the MFT/FATs.
Not to belittle your idea, but when your result is going to be "encrypt/overwrite the data", I just wonder if you can make a worthwhile dissertation out of it.

As a counter suggestion a dissertation on Ways and Means of hiding data and methods to try and discover it could be more interesting and useful.
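An added illustration of the partition-table point above, my own constructed example rather than code from the thread or from any forensic tool: a toy MBR image in which "deleting" the partition only zeroes its 16-byte table entry, while a plain sector scan for the NTFS (or FAT32) boot-sector OEM ID still finds where the filesystem starts. The image layout (one NTFS entry at LBA 2048) is an assumption chosen for the demo.

```python
import struct

SECTOR = 512
TABLE = 446              # the four 16-byte MBR partition entries start here
SIGNATURE = b"\x55\xaa"  # boot-sector signature at offset 510

def parse_mbr(image):
    """Return (type, first_lba, sector_count) for each in-use MBR entry."""
    found = []
    for i in range(4):
        entry = image[TABLE + 16 * i:TABLE + 16 * (i + 1)]
        first_lba, count = struct.unpack("<II", entry[8:16])
        if entry[4] and count:           # type byte 0 means an empty slot
            found.append((entry[4], first_lba, count))
    return found

def drop_partition(image, index):
    """'Delete partition' only zeroes one table entry; the partition's sectors are untouched."""
    off = TABLE + 16 * index
    image[off:off + 16] = bytes(16)

def find_filesystem_starts(image):
    """Ignore the table and scan every sector for a boot-sector OEM ID, as a recovery tool does."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[3:11] == b"NTFS    ":
            hits.append((lba, "NTFS"))
        elif sector[82:90] == b"FAT32   ":
            hits.append((lba, "FAT32"))
    return hits

def build_demo_image():
    """Constructed 3 MiB image, not a real disk: one NTFS entry at LBA 2048
    and a minimal NTFS boot sector (jump, OEM ID, signature) at that LBA."""
    img = bytearray(SECTOR * (2048 + 4096))
    img[TABLE:TABLE + 16] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    img[510:512] = SIGNATURE
    boot = 2048 * SECTOR
    img[boot:boot + 11] = b"\xeb\x52\x90NTFS    "
    img[boot + 510:boot + 512] = SIGNATURE
    return img

def demo():
    """(entries before the drop, entries after it, filesystems found by scanning)."""
    img = build_demo_image()
    before = parse_mbr(img)
    drop_partition(img, 0)
    return before, parse_mbr(img), find_filesystem_starts(img)
```

Calling `demo()` gives `([(7, 2048, 4096)], [], [(2048, 'NTFS')])`: the table no longer lists the partition, but the boot sector that marks the filesystem start is still exactly where it was.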
 
bam0 said:
It should be fairly obvious to you that in any situation where the data has not actually been overwritten it will be trivial to recover it.
For example, dropping a partition or repartitioning only affects the partition table; the data on the drive that marks where the filesystem starts will still be there, along with the MFT/FATs.
Not to belittle your idea, but when your result is going to be "encrypt/overwrite the data", I just wonder if you can make a worthwhile dissertation out of it.

As a counter suggestion a dissertation on Ways and Means of hiding data and methods to try and discover it could be more interesting and useful.

I agree that for almost all scenarios it should be an easy recovery. I am trying to show that. I am also trying to show what can be "recovered": as it's so easy to recover the data, what information or knowledge can I find stored on these recovered disks?

I will be posing the question of who is responsible for the data destruction/encryption. The dissertation focuses on the non-technical to average (not OcUK average, btw) home user: the type of user that thinks that pressing Delete (or Shift+Delete) removes the data, up to the person that might be aware of repartitioning (remember you get a warning that states repartitioning your HDD will remove all data).

Computers are powerful and complicated machines. With the growth in internet computing, there has been a growth in home computing. OS manufacturers (MS in this case) and retailers do not seem to care who buys the product and whether or not they have the capacity to fully understand and quantify all the measures that need to be taken into account to secure their computer and their data on the computer.

So I have to ask and investigate who is ultimately responsible for the data's destruction. Are MS not doing enough to protect the data on the HDD? Should retailers be more responsible about who they sell PCs to? Should PC manufacturers bundle a HDD scrubber in with the package of software that comes with every off-the-shelf PC? Should the Government be legislating that all the above take effective measures to ensure that home users are not putting their financial security at risk?

Or is it just the responsibility of the PC/data owner?
 
Kronologic said:
I'm doing my final year dissertation on Ways and means of destroying data on a HDD prior to selling/recycling the disk, in order to prevent identity theft.

I was wondering if you Forensics chaps could point me in the direction of a few things.

I'm looking for some statistics on computer related fraud (particularly as a result of the loss/sale/theft/disposal of a computer hard disk).

I'm going to attempt to recover a HDD from various scenarios.

HDD recovery data untampered
HDD recovery after file deletion (but not emptying the recycle bin)
HDD recovery after emptying the recycle bin
HDD recovery after emptying Recycle bin and a Defrag
HDD recovery after a quick format
HDD recovery after a full format
HDD recovery after dropping a partition
HDD recovery after a repartition
HDD recovery after a Low level format
HDD recovery after a data scrub
HDD recovery after an encryption

All tests will be performed on FAT32 and NTFS file systems.

I appreciate some of these things will show the same results or are not recoverable but I'm doing it for thoroughness. Are there any other tests I'm missing?

What sorts of tools should I use? (I'm looking for Freeware or trialware)

My method for performing this was going to be:

Take bit-level image of HDD
Take checksum of image
Copy image to other PC
Take checksum of copied image and compare to original checksum
Use recovery software to identify data attempted to be destroyed.
Use auditing software to try to identify any information that could be used maliciously.
Document findings.

Am I heading in the right direction? Can you give me any pointers?


What imaging software will you be using? Might be an idea to use "Recuva" and compare it with a freeware one... just as a mention, even though I doubt "Recuva" would actually stand up in court for evidence...
 
knowlesy said:
What imaging software will you be using? Might be an idea to use "Recuva" and compare it with a freeware one... just as a mention, even though I doubt "Recuva" would actually stand up in court for evidence...


I'm not looking at this from a legal perspective, so it shouldn't matter what tools I use. Actually, I'm looking at it from an "illegal" perspective, in the sense that I am trying to identify how easy and cheap it is for computer fraudsters to retrieve your sensitive data from a hard disk.
 
Just copying these... from other posts I made in a different forum, and stuff from uni and my own experience...

Hiren's BootCD 9.1
Norton Ghost
Recuva
SIW
Cain & Abel
Ophcrack
Acronis

I mean the point is you can get anything illegal these days thanks to torrents and warez...


These sites should help you further...
http://www.forensicfocus.com/
http://www.forensicswiki.org/wiki/Main_Page
http://www.forensics.nl/lists
http://www.f3.org.uk/
http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/

This all should help; I'll add some more soon.


EDIT:

ProDiscover
FTK Imager (how did I forget that!!!!! Still forgotten the other common one)
 