| 000 | 06796nam a22002537a 4500 | ||
|---|---|---|---|
| 008 | 210125b2018 a|||f mb|| 00| 0 eng d | ||
| 040 | _aEG-CaNU _cEG-CaNU | ||
| 041 | 0 | _aeng _beng | |
| 082 | _a658 | ||
| 100 | 0 | _aAyman Shaaban AbouElela Mansour _9203 | |
| 245 | 1 | _aDigital Forensics Analysis Techniques, Findings versus Resources _cAyman Shaaban AbouElela Mansour | |
| 260 | _c2018 | ||
| 300 | _a75 p. _bill. _c21 cm. | ||
| 500 | _3Supervisor: Nashwa Abd El-Baki | ||
| 502 | _aThesis (M.A.)—Nile University, Egypt, 2018. | ||
| 504 | _a"Includes bibliographical references" | ||
| 505 | 0 | _aContents: CHAPTER ONE. Foundations and Principles of Digital Forensics: Scope; Digital Forensics; Digital Evidence; Digital Forensics Goals; Analysis Approaches -- CHAPTER TWO. Previous and Related Work -- CHAPTER THREE. Case Study Scenario, Circumstances and Evidence Acquisition: Evidence Acquisition; Volatile Data; Using DumpIt to Create a RAM Dump; Using FTK Imager Lite to Create a RAM Dump; Non-Volatile Data; System Down; System is Up and Running -- CHAPTER FOUR. Digital Analysis: Memory Forensics, Small-Size High-Value (Analysis; Memory Forensics Findings Summary); Timeline Analysis, Long Creation Time but High Value (Plaso and Super Timeline Tools; Analysis); Live Analysis, Fastest and Most Valuable (Live Analysis Tools; Analysis); Findings against Techniques Comparison (Findings; Resources) -- CHAPTER FIVE. Conclusion and Future Approach -- References. | |
| 520 | 3 | _aAbstract: Change is the only constant, and IT and cyberspace are no exception. Everything, along with the day-to-day workflow, is taking a new, faster and easier form. Technology is changing everything. Crime, as we know it, is changing as well and taking a new form by integrating technology into the process. This was a natural result of the change in the nature of valuable assets. It is easy to spot the differences between the Old West's way of robbing a bank and the modern way of hacking online banking systems and bank users. Espionage methods had their share of change as well, evolving from their traditional form in WW2 movies to today's form of cyber espionage and the hacking of governmental digital assets by other governments, activists or terrorists. As a natural result, a new counter-wave had to appear to fight these new crimes, and from there digital forensics analysis was introduced. Digital forensics is a relatively new science whose importance has rapidly increased in the last decade. Generally, forensic science is the scientific method of gathering and examining data about past activities to extract useful information related to the case under investigation. Therefore, we can define digital forensics analysis as the process of identifying information security incidents and analyzing digital evidence in order to answer questions related to the digital incident. Live analysis can take place just after the incident, or analysis can take place after the infected systems are down, in what is called post-mortem analysis. Unlike live analysis, post-mortem analysis takes place in almost all cases. Generally, the analysis can confirm or refute a hypothesis about the incident in order to rebuild a full picture of the activities of either the attacker or the victim during the time of the incident. Therefore, there is a need to continuously adjust the best practices of digital forensics analysis for different situations to obtain quicker results. In our work, we help decide which digital forensics analysis technique should be used in different situations. Using only free and open-source tools on a simulated real-life incident on the Windows operating system, we used three main digital forensics analysis techniques: live analysis, memory forensics and timeline analysis. For the same incident, solved by the three different techniques independently, the output of our experiment shows which of the incident's tracks can be an output of each of these three techniques, against the time and resources consumed by each analysis process. This will help incident responders and digital forensics investigators decide which technique to use based on the circumstances of each situation. | |
| 546 | _aText in English, abstracts in English. | ||
| 650 | 4 | _aInformation Security _9294 | |
| 655 | 7 | _2NULIB _aDissertation, Academic _9187 | |
| 690 | _aInformation Security _9294 | ||
| 942 | _2ddc _cTH | ||
| 999 | _c8863 _d8863 | ||
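As an added illustration of the timeline-analysis technique named in the contents note (super timelines of the kind Plaso/log2timeline produces), the following Python example is not part of the thesis and is not Plaso's code. It normalises constructed sample artifacts from three sources (a Windows Security event log export, MFT-style file timestamps and a prefetch-style run record) into one UTC-ordered timeline and then pulls out the events around a pivot event. The local-time offset (UTC+2), the record layouts, the file names and every timestamp are assumptions made up for the example.

```python
"""Added example (not from the thesis or from Plaso): a minimal super-timeline
builder. Plaso does this at scale for hundreds of artifact types; the point
shown here is the normalisation step that makes timeline analysis work: every
source gets an aware UTC timestamp, a source tag and a description, and the
merged list is sorted so artifacts from different sources interleave."""
from datetime import datetime, timedelta, timezone
from itertools import chain

# Assumption: the evidence host's clock was set to UTC+2 (Egypt standard time).
# Event log and prefetch data are recorded in local time; MFT stamps are UTC.
LOCAL_TZ = timezone(timedelta(hours=2))

# Constructed sample artifacts (invented for this example, not from the case study).
# Windows Security event export: local time, event ID, message, detail fields.
EVENT_LOG = """\
2018-03-14 10:02:17,4624,An account was successfully logged on,Account Name: svc_backup,Logon Type: 10
2018-03-14 10:03:05,4688,A new process has been created,New Process Name: C:\\Windows\\Temp\\upd.exe
"""
# MFT-style listing: path, created (UTC), modified (UTC).
MFT_CSV = """\
C:\\Windows\\Temp\\upd.exe,2018-03-14T08:02:58Z,2018-03-14T08:02:58Z
C:\\Users\\Public\\notes.txt,2018-03-10T12:00:00Z,2018-03-11T09:30:00Z
"""
# Prefetch-style records: file name, last run (local, day/month/year), run count.
PREFETCH = """\
UPD.EXE-1A2B3C4D.pf,14/03/2018 10:03:06,1
"""


def _to_utc(text, fmt, tz):
    """Parse a timestamp written in zone `tz` and return an aware UTC datetime."""
    return datetime.strptime(text, fmt).replace(tzinfo=tz).astimezone(timezone.utc)


def parse_event_log(text):
    events = []
    for line in filter(None, text.splitlines()):
        stamp, event_id, message, *details = line.split(",")
        events.append({
            "ts": _to_utc(stamp, "%Y-%m-%d %H:%M:%S", LOCAL_TZ),
            "source": "EVT",
            "desc": f"EventID {event_id}: {message} ({'; '.join(details)})",
        })
    return events


def parse_mft(text):
    events = []
    for line in filter(None, text.splitlines()):
        path, created, modified = line.split(",")
        # One file record yields one timeline event per timestamp kind.
        for kind, stamp in (("created", created), ("modified", modified)):
            events.append({
                "ts": _to_utc(stamp, "%Y-%m-%dT%H:%M:%SZ", timezone.utc),
                "source": "MFT",
                "desc": f"{kind} {path}",
            })
    return events


def parse_prefetch(text):
    events = []
    for line in filter(None, text.splitlines()):
        name, last_run, count = line.split(",")
        events.append({
            "ts": _to_utc(last_run, "%d/%m/%Y %H:%M:%S", LOCAL_TZ),
            "source": "PF",
            "desc": f"last run of {name} (run count {count})",
        })
    return events


def build_super_timeline(*event_lists):
    """Merge per-source event lists into one chronologically ordered timeline."""
    return sorted(chain.from_iterable(event_lists),
                  key=lambda e: (e["ts"], e["source"], e["desc"]))


def events_within(timeline, pivot, minutes):
    """Events inside +/- `minutes` of the pivot time: the usual next step once
    a timeline exists is to look around one known-bad event."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e["ts"] <= hi]


def demo_timeline():
    return build_super_timeline(parse_event_log(EVENT_LOG),
                                parse_mft(MFT_CSV),
                                parse_prefetch(PREFETCH))


if __name__ == "__main__":
    timeline = demo_timeline()
    pivot = next(e for e in timeline if "EventID 4688" in e["desc"])
    for e in events_within(timeline, pivot["ts"], 5):
        print(f"{e['ts'].isoformat()} {e['source']:<4} {e['desc']}")
```

The ordering is the lesson: only after the local-time sources are converted to UTC does the MFT creation of upd.exe fall between the interactive logon (4624) and the process creation (4688), where it belongs; without the conversion the file system events would appear two hours before the logon and the sequence would be misread.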