Basic Digital Forensics

Uploaded by Aung win tun

INTRODUCTION TO DIGITAL FORENSICS

Aung Zaw Myo


(ThirdEye)
www.forensicsmyanmar.com

Forensic

DNA F

Digital Forensics ၂ ။

Electronic Device

. Elec

.Electronic PC LaptopTablet

IOT Device

။)

၂ ။


....

....

....


၇ Heal

1822-1911

1847-1915

1858-1946

1887-1954

1891-1955

1932


1984 The Computer Analysis and Re

1993

1995

1998The Internatio

2000

Case

vi


( ...

၁ A++

၂ Operating system (Windows, Linux, MAC, etc.)

၃ Basic Networking

၄ Routing and Switching

၄ Programming Basic

၅ Server / VMware / Big data - Virus

၆ Web application

၇ Social Network (Facebook, Twitter, LinkedIn, etc.)

၈ Mobile phone, Tablet (software, hardware)

၉ Wireless Device

- I orensics C

- ။

- ။

How to Management Evidence ?


....

device ။ ။

.. dumps


၇ ၇

..... Example soon .....


၇ ၇

....

။ wri

Original ima ၇ ၇

write

၇ ၇


WORM storage ... (Write Once Read Many) ။

file save save file wri .။

foren

:)


၇ ၇ ၇

evidence

tracking softwar

Class 100 , Class

၁။

၂။

၃။

၄။

၅။

၆။

၇။

Anti-DigitalForensics


device

- ........

Type of Digital Data

VolatileData

user log on , Process information, command

history,


....

Non-VolatileData Data)

TransientData Data)

websi

example Active Network Connection

FragileData Data)

Hard Disk , Mem

TemporarilyAccessData

HardDisk,MemoryStick, Data,Encrypted file sys

ActiveData

ArchivalData

BackupData

( ) ...


Collection Evidence

Server,Ram.Hard disk , CD DVD, removable

st

User Created File

example= database file , documents file ,

audio video file, text file , internet bookmarks,

User Protected File

Example

password protect file , folder , hidden file , rar,zip, tar,

Computer Created File

example = backup file ,

server log, event logs , system file , swap file, printer pools

ev


dont make anythings

(example ..usb, router, modem)

Electronic

...

- (eg..database,excel,paper),-

..Image, video , social chat log,internet

activities, browser activities,phone content , call Credit card .

.....configuration file, exe file, bat file, rar, zip,

tar,....

Id

Writer

CreditcardGenerator


Excel, Word, database)

Image file

Email, Note, Letter, browser, chat record,

Content No, call log


SimcardClone(hardware)

user database Electronic Serial Number (ESN)

MobileidentificationNumber(MIN)

Browser,socialNetworkRecord

Steganography


DVD/

။Eg..... bitstream


(10111110) (10111111) (10111111) (10111111) (10111111) (10111111)

(10111111) (10111110)

(10111111) (10111110) (10111110) (10111110) (10111110) (10111110)

(10111110) (10111111)

Frequency (DSSS-Direct Sequence Spread Spectrum)

- ။

E-mail Forensics

Type Of Crime E-mail

(Cyber Stalking)

(Fraud Mail)

phishing)

(Ema

-----


- (Bank Securit

(www.google.com www.gooogle.com

၇ email serve

။ mail

gmail.com=>yahoo.com

Email protocols: Simple mail transfer protocol

(S (listeningport)

25

SMTP Serv

yahoo.com


E-MailHeader

(IPaddres

။ ။

။ KBZ ba

How To Email Forensics


Heade

။ ။

Memory forensics

username password , Browser History ,

Internet Connection LAN,Wireless (IP address DNS) ,Open Port,

။ ။


Evidence Device Cloning and Hashing

။ ။

။ Pos

၁ ။

၂ ။ ၇


၄ ။

၅ ။

၆ ။

၇ ။


Window Registry Analysis

stab

Window Default Application

Application


User Information

System Information

Network Information

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

=========================

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

။ ။


HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

======================

၅ ။

Software

System

SAM

Security

Default

================

Software

System

SAM

Security


Default

===============

1. REG_BINARY

Raw Binary

2. REG_DWORD

------------------------

Device Dri

3. REG_EXPAND_SZ

----------------------------

4. REG_MULTI_SZ

--------------------------

5. REG_SZ

-----------------

6. REG_FULL_RESOURCE_DESCRIPTOR

------------------------------------------------------


Login Time

Account Level

File Open activities

Network Connecting activities

Browser activities

Every things Leave a Trace.

Registry File location

Windows\System32\Config

---------------------------

HKEY_LOCAL_MACHINE\SYSTEM : \system32\config\system

HKEY_LOCAL_MACHINE\SAM : \system32\config\sam

HKEY_LOCAL_MACHINE\SECURITY : \system32\config\security

HKEY_LOCAL_MACHINE\SOFTWARE : \system32\config\software

HKEY_USERS\UserProfile : \winnt\profiles\username

HKEY_USERS\.DEFAULT : \system32\config\default

================================


Passwo

။ Pa

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

========


Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

=====

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Explorer\RunMR

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current


Registry

.။ Window Forensics

။ Forensics

Law Enforcement

။ Eg kali, Autopsy (current version 4.9) ။ More tools Search in Google ....

Post Window Forensic

...

..

window registry

Forensics Tools ။ Window Registry

။ (Key point

Forensics Tools .

..

Investigator Knowledge )

Live system bit by bit (clone) Network information

။ ၊ image . Hashing Write Blocker

....


Hard Disk Forensic . (Part 1) .

Hard Disk forensics Hard disk

...

Platter Hard disk ။

Platter aluminum alloy, or glass magnetic

။ Platter size 5.25-inch 3.5-

inch ။platter

။ 01 ။

Hard disk 6


platter

။ Platter ။

======================

Spindle ။

4,200 RPM 15,000 RPM ။,

၇ 5,400 rpm

10,000 RPM ။

======================

Head Platter

။ platter head ၂ ။ head platter

0.5 microinches ။ hd

PLATTER SWAP HEAD

data ။

======================

Actuator

Actuator coil actuator arm

======================

Actuator Arm

Actuator Arm platter

Head ။


Actuator arm actuator

.. ။ ။

======================

Actuator Axis Actuator arm axis arm

======================

track

track ။

k data ။

Track Number platter

။ track number cylinder

======================

Cylinder

head

track number

။ cylinder

head access track ။

access

track ။

======================


Sector

Sector

။ sector 512 (byte)

။ sector ၄

ID information: sector data

Synchronization fields data ။

data

ECC: data error check , Correction

Gaps: data

======================

Cluster

cluster data logical storage unit

။ ။

sector cluster ။ HD partition

cluster size ။ 4 sector cluster ( )

64,128 ။ cluster size Eg= 4 x 4k(sector) = 1600 byte

(slack space forensics )

======================

volume


partition logical ။ Volume


Sector

။ sector 512 (byte)

4,096 bytes (4k) (Advanced Format ) ။

Bad sector

( )

head platter ၊ read/write head

platter sector ။

/ power Off

sector ။arm

head Track

sector ECC error correction

Hard disk Controller bad sector

====================================

Slack Space


Cluster data logical storage unit

။ ။

sector cluster ။ HD partition

cluster size ။ 4 sector cluster ( )

64,128 ။ cluster size Eg= 4 x 4k(sector) = 1600 byte

sector 3 Cluster ။ 10000

bytes file save sector ၂

။ cluster size 12000 bytes 2000 bytes

slack space ။ file save 2000 bytes

။ cluster ။

10000 bytes file

။ 9000 bytes file

3000 bytes slack space

clone image (or) HD

choice ။

autopsy slack space ။

====================================

HD firmware

HD firmware HD software

။ spin time, head read/write, read/write speed ။


HD firmware ။ HD power on

service track ( Track

firmware ။ microcode ။ code

PCB microcode ။

firmware

Boot Loader , Boot Sector , Master Boot Record (MBR) & Window System Boot Process

Boot Loader (Boot manager) Program boot

Operation system ။ Boot loader


Operation System ။

Boot Sector Hard Disk Memory Sector Hard Disk

Track Sector ။

bootstrapping system ။

e power-on self-test (POST) ။ Boot sector

Two Bytes ။ (POST

===============================

Boot Sector ၂ ။

Volume Boot Record (VBR)

VBR HD Sector partition Sector

။ loading ။

===============================

Master Boot Record (MBR) (512 Bytes)

Storage Device Sector OS Partition

။ VBR partition ။

(multi boot)

MBR Master partition table • Master boot code ၂


Master partition table

Storage small bit

Master Boot Code

Boot Process BIOS ။ small bit

===============================

===============================

Window System Boot Process

===============================

1. Power Supply Voltage CPU ။

2. CPU BIOS (ROM)

3. System start up Program the power-on self-test (POST)

4. POST the BIOS chip CMOS( system date, time, and

setup parameters) ။

5. Battery Power Fail , POST

။ DVD, keyboard, Mouse, extended Hard disk, etc .....


6. POST CPU ။

7. The BIOS CMOS chip OS Install

8. The BIOS boot record Operation System OS

install device OS

9. OS The BIOS OS

OS

Control ။

11. Operation System Ram memory

Run Run ။

===============================


Window file ..... ?

file

0,1 hard disk cluster

Delete

Delete recycle bin

) ( Recycle bin

Restore )။

Recycle Bin clean Recycle Bin ။

Shift+Delete


Shift+Delete Recycle Bin

။ Hard disk

=====================================

Window File System

Microsoft File System

။ window 2000 New Technology File System (NTFS)

။ NTFS Hard disk cluster

file ၂ ။

၁. Master File Table (MFT) Or (Meta File Table)

၂. Cluster Bitmap.

၁. Master File Table (MFT) Or (Meta File Table)

Master File Table (MFT) Or (Meta File Table) File ၊ file

၊ Read Only Compressed Encrypted

.၂. Cluster Bitmap.

Cluster Bitmap Hard disk map ။

Cluster ။


Cluster

==========================================

Window file delete

==========================================

file file name Special Character MFT

Processor file ။ index field NTFS

Fat file name first letter ။

file ။

Cluster Bitmap cluster

။ file ။

===============

file cluster size ၊

save file size Cluster Size

Recovery ။


(Redundant Array of Independent Disks) (RAID) (FORENSICS) (Part 1)

=======================================

RAID data

Raid system ၃ ။ striping,

mirroring, parity, ။

Striping။

Block Size

။ Block Size 32KB 128KB ,1 MB

။ Block

Hard disk Read/Write Performance

။ ­ ­ ­ ။

Mirroring


။A File Hard disk 1 Hard Disk 2

Save ။ ­ ­ ­ ။

Parity

Hard Disk 01 ။ Parity

Xor Parity Data (information)

Disk ­ ­ ­ ။. Xor 0

(Disk 4 holds the parity information)

Disk 1 = 1 0 1 0

Disk 2 = 1 1 0 0

Disk 3 = 0 0 1 1

------------------------------------------------

Disk 4 = 0 1 0 1 ( Parity Information)

------------------------------------------------

When Disk 1 fails <==== XOR the remaining disks with the Disk 4 parity information ။

Disk 1 = x x x x

Disk 2 = 1 1 0 0

Disk 3 = 0 0 1 1

------------------------------------------------

Disk 4 = 0 1 0 1 ( Parity Information)

------------------------------------------------

Result

Disk 1 = 1 0 1 0 (recovered: 1100 XOR 0011 XOR 0101)

Disk 2 = 1 1 0 0

Disk 3 = 0 0 1 1

------------------------------------------

Disk 4 = 0 1 0 1 ( Parity Information)

============================================
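As an added example (not code from the original notes), the parity scheme above implemented in Python: a stripe's parity is the byte-wise XOR of its data blocks, and a lost block is recovered by XORing the survivors, which reproduces the Disk 1 = 1 0 1 0 result. The striping helper, the constructed sample data, and the choice to always put parity on the last disk are assumptions of this example; real RAID 5 rotates the parity position across disks.

```python
# Added example (not from the original notes): XOR parity over striped data
# blocks, as in the RAID 5 walkthrough above, plus rebuilding one failed disk.
from functools import reduce
from typing import List, Optional


def xor_parity(blocks: List[bytes]) -> bytes:
    """Parity block = byte-wise XOR of all blocks in a stripe (equal lengths)."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same size")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def rebuild_missing(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Recover the single None entry of a stripe (data blocks + parity).
    XOR of every surviving block equals the lost one, because x ^ x == 0 and
    parity was defined as the XOR of all data blocks."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        raise ValueError("single-parity RAID rebuilds exactly one lost block per stripe")
    survivors = [b for b in stripe if b is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_parity(survivors)
    return repaired  # type: ignore[return-value]


def stripe_with_parity(data: bytes, n_data_disks: int, block_size: int) -> List[List[bytes]]:
    """RAID 0-style striping of data into block_size chunks laid round-robin over
    n_data_disks, with one XOR parity block appended per stripe.
    Assumption for clarity: parity always lands on the last disk (real RAID 5
    rotates it). Data is zero-padded to a whole stripe."""
    stripe_bytes = n_data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    stripes = []
    for off in range(0, len(padded), stripe_bytes):
        blocks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_data_disks)]
        stripes.append(blocks + [xor_parity(blocks)])
    return stripes


def disk_image(stripes: List[List[bytes]], disk_index: int) -> bytes:
    """Concatenate one disk's blocks across all stripes (what an imager reads)."""
    return b"".join(s[disk_index] for s in stripes)


def recover_disk(stripes: List[List[bytes]], failed: int) -> bytes:
    """Simulate losing one whole disk and rebuild its image stripe by stripe."""
    degraded = [[None if i == failed else b for i, b in enumerate(s)] for s in stripes]
    return disk_image([rebuild_missing(s) for s in degraded], failed)


def bits(b: bytes) -> str:
    return " ".join(f"{x:08b}" for x in b)


# The notes' 4-bit example, widened to one byte per disk (constructed values).
DISK1, DISK2, DISK3 = bytes([0b1010]), bytes([0b1100]), bytes([0b0011])

if __name__ == "__main__":
    parity = xor_parity([DISK1, DISK2, DISK3])
    print("parity (Disk 4):", bits(parity))                                   # 00000101
    print("rebuilt Disk 1 :", bits(rebuild_missing([None, DISK2, DISK3, parity])[0]))  # 00001010

    sample = b"constructed sample: raw video stripe"   # constructed data, not a real file
    array = stripe_with_parity(sample, n_data_disks=3, block_size=8)
    print("disk 0 recovered from the other disks:",
          recover_disk(array, failed=0) == disk_image(array, 0))
```

The same routine recovers any single disk, parity included, because every block in a stripe is the XOR of the others; two simultaneous failures in one stripe are not recoverable with one parity block, which is why the function refuses more than one None.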

Software Raid = raid 0 (window 7 )

raid 5 , raid 0 = window 8.1 and Window 10

Hardware Raid Controller = SCSI, SATA, Fibre Channel

=============================================

RAID 0 (Striping ) (Block Size)

==============

- Raid 0 (Striping ) ။

- Same Size Hard Disk 2 ။


HD

500 GB hard disk base

Storage device 1000GB ။

- ။

- ­ ­ ­ ။

RAID 1 (Mirroring )

==============

- Raid 1 Mirroring ။

- Size Hard Disk ၂ ။

500 GB 2 1000 GB 500 GB ) ။ 500

750 500 GB ။

- Read ။

- ­ ­ ­ ။

- ­ ­ ­ -1) HD 3 (3-1) (2)

RAID 5 (Striping with parity)

====================

- Raid 5 Striping Parity ။

- Hard Disk 3 ။


- ­ ­ ­ ။

- Read ။

- Available Space = (N-1) 500GB hard disk

(3-1) = 2 1000 GB ။ 500 parity information ။

=============================================

RAID 0 , RAID 1 , RAID 5 ။

striping, mirroring, parity,

.။ ။

============================================

HOW To Forensics RAID SYSTEM

============================================

- how to collect Evidence

- , Server raid level

။ Raid 1 raid 1 Mirroring


။ raid level auto Detect forensics

- Encase auto Volume

။ (Try to Image ......Hash.....load image and Recover If Need )

(image HD storage Forensics station SCSI

။ Or SATA ။

- Example raid 5 ... ။ ... Sorry …

Detail .. Crime Case

Copy Right Example Forensics .။

။ ။ (CHFI CCFP example Case ။


Case Back Ground

===============

Company Editing (RAW

file ) You tube ။ Company physical

Security ၊ CCTV Camera ။ Digital Lab

Specific -------

Window 10 64 bit

Processor Brand Intel

Processor Type Core i7 4.2 GHz

RAM Size 16 GB

Hard Drive Size 1 TB + 1 TB (Raid0)

Graphics Coprocessor Nvidia Geforce GTX 1070

Graphics Card Description Nvidia Geforce GTX 1070

========================================

Step 1 - Hypothesis Striping

, HD 2 .. video Raw file (4K) . 100 GB

။ USB External Hard Disk

။ Raid0 window

။ (Network )


Window Registry window

....Hard disk

Master file table , ...

Ok ...

======================

Step 2 - Clone ...

physical logical ... raid

Recovery process ။

။ Block Level , Parity Level

။ ။

raid0 (striping) hd 2 clone ။

Encase Boot raid volume Clone ။

boot HD Clone .. raid reconstructor Virtual

:D ။

Forensics Work Station PCI slot Raid Recovery / raid connector HD 2

Clone ။

Hash ။ (Problem )(


... Forensics Kit HD image 2

raid reconstructor Virtual Array ။

window Forensics HD Forensics Concept

။ ။ Window

..... :)

digital forensics

...။

Forensics Methods and Principles (Hypothesis)

Digital Forensics Scientific Process

scientific ။ Philosophy 2

။(Verification Falsifiability) ။ Digital Forensics Scientific

Methods ။

Method Hypothesis ။ hypothesis

။ forensics

။ ...

Crime Case Back Ground (NOTE: Base On CHFI&CCFP Note Not Real Wold Case)

======================================


Organization PDF ။ file

။ ။

( (korea) :D)

A USB Stick 2

။A File usb ။ ။ C

Forensics Process ။

usb file usb file

။ usb format

....

... A

..

...

A File

... usb

... Ok Let it be ...

...

... .... usb

.. Ok Let it Be ...


... ။ (

Organization Policy ..)

(Note. E- government Organization Policy

(How To Forensic process )

..... ( Hypothesis )

philosophy Verification

။ Falsifiability)

Locard's principle, Inman-Rudin Paradigm

Peer view

===========

Peer View Digital Forensics Field

( Cyber Law )

============


Locard's Principle Dr.Edmond Locard (1877-

" ။

Physical Investigation

Theory ။

Digital Evidence ။

Evidence Evidence

Copy and hashing 2 ။

(Digital Forensics Investigator EQ IQ Skill

Skill ) ။

Inman-Rudin Paradigm

Inman-Rudin Paradigm The origin of evidence

...

Transfer

(Locard's principle) ။

Identification

Case Evidence

Individualization

Evidence ။ Case


Association

Reconstruction

Evidence Transfer & Custody

ATA Password (SSD and Hard Disk Forensics )

Knowledge BIOS ,UEFI, h

Self-Encrypting

Drives (SED) ။

Forensics process

Self-Encrypting Drives (SED)

ATA Password ။ Googling

linux tools / HD tools / boot CD Password data lost

90 ။


PC Repair ။ Forensics

detail ။

ATA password Unlock ..........

User Password ......... ?

Master Password ......... ?

High / Maximum Security ......... ?

HD ......... ?

Laptop Model Bios features ......... ?

User password :)

HD manufacture Master password . ။ (Laptop

Feature )( Problem

Hardware build ATA password .


Hard Disk Platter Forensics

Platter Hard Disk

Platter Data

... ( post )

Youtube ..

PLATTER head

SPINDLE RPM ..

...

.... Hard disk forensics

...

===============

- HD Cover ..

- arm ...


-arm Theory (Youtube

.. .. )

-Same Donor HD Theory HD

head Spindle

..Platter

- ....

===================

- spindle .. Head

Platter .... 20%

.. 50 ..

- Testing

- ...40%

- Recovery (bad sector , track, cylinder

- 60 % ...

- .

Solid-State Drive (SSD) - Forensics


Hard Disk

Read / Write Head

။ Solid-State Drive (SSD)

Block ။

၊ HD Solid State Drive

data input-out ၊

hard disk ၊ ၊ ၊ Power

၊ data

SSD read- write

။ SSD Flash Memory ။SSD

TRIM Wear leveling ။

SLC (Single-Level Cell) MLC (Multi-Level Cell) ။ SLC Cell

1 0 1 bit MLC Cell 2

bit ။ Triple-Level Cell Cell 3 bit

။ Storage SSD


Life Time ။ user level

Life time SSD write

SSD ။

Controller

Controller Chip SSD Processor ။

SSD Input-Output

Interface ။ Error Correction (ECC)

။ garbage collection, encryption, wear-levelling, RAISE

(Redundant Array of Independent Silicon Elements) ...

Buffer Memory

Buffer Memory Chip algorithms Type

SSD Input-Output Interface SSD Controller

Input-Output Interface Power Connector SSD

Device ။ .....

SSD SATA ,SSD M2, SSD msata, SSD U2 , SSD Pcie , SSD sas ,

Garbage Collection


SSD Hard Disk

read Write Hard Disk ။ (HD

read-write Operation

Post )

SSD Flash Memory Block ။

Page erase Block

။ (erase delete ) page Size 2KiB, 4KiB, etc.

User data

Block data Bock

။( flash Controller data block

logical block address (LBA) ။)

data save page Block Erase save ။

Clear erase data save )

program/erase cycles (P/E cycles)

Block Erase ။

data flash Controller Free Block ။

Garbage Collection ။ HD

SSD ။

Wear leveling


Wear leveling SSD

။ program/erase cycles (P/E cycles)

write ။

Trim ( You can use from OS )

Trim Hard Disk Defrag .. data write block ...

write .. data write ( file size)

။ SSD ။ Trim on

data data save

။ Garbage Collection ။

(Garbage Collection SSD Forensics

...


SSD ။ NOR Flash memory

။ SSD Write -

Delete - Rewrite Garbage Collection , (P/E cycles) , Trim

Data Recovery hard disk

HD file 50 recovery file

SSD - ။

OS file system

:)

Garbage Collection , (P/E cycles) , Trim

။ . Process

Knowledge ။ EC

။ SSD

sata , m2 , u2 , pcie, sas ။ Work Station

- laptop or PC Forensics Live CD Boot ။

- SSD Boot ။

- kits or tools or Live CD auto mount

- bit-stream copy ... ။


- SSD connector ။ (kits or

tools ) ( same connector (hashing Problem )

- Encryption ။

- Flash Memory hard Disk ။ Memory

amount .

- SSD RAID raid forensics

Electronic Forensics (Part 39)

Aplus Network System web

application programing database Crypto mobile


.. Forensics Detail

Aplus Network, System, Mobile software

.. ..

...

E-government

..Device ..

Forensics

...

Detail

..

..

....

.Electronic

..


. SSD hardware encryption

user password code

user

SSD company SSD Firmware (Controller Chip) .. User

Password Company

Controller Chip .. SSD Firmware reverse

..

EC .. SSD Flash memory

FORENSICS

Sata SSD m2 . pcie

. Flash Gate

..data size board

checking

... EC

SSD ...

...HD PCB


PCB EC

.... :-) Data recovery ..

Mobile Phone EC .. IT

application layer EC Softskill

Product ..

၆ UPS power supply

... :-)

.. ...

..

:-)

:-) :-)

L3 Switch Power ... power

power :-)

Warranty :-)

L3 Switch Circuit Board power supply Fan ..EC

Switc ...

... :-)


EC Diode Capacitor

... ...

..

...

CCTV and DVR Forensics

CCTV and DVR Forensics investigator

။ CCTV

CCTV

Setting Video File encoding , Hard Disk Wipe

Time ။

။ Suspect ... Record

CCTV Record

။ CCTV

CCTV

Dome Camera, Bullet Camera, C-mount Camera

Day/Night Camera,PTZ Camera

IP Camera , Portable CCTV Camera ။


Camera DVR Cable Type

Coaxial Cable,Siamese Cable (Include Power cable)

Twisted-Pair Cable,Optical Fiber

Video Power Cables,Power Cable

Video Voice Storage

Embedded DVRs

Hybrid DVR

PC-based DVR systems

Self Storage with CCTV Camera

Storage Media

User ။ (500 GB,1 TB, 2

TB)

CCTV Hard Disk

.။

Connector Type

Camera Cable

(BNC Male to RCA Female Adaptor ,BNC Female to RCA Male Adapter,Female To

Female RCA Phono Coupler Adapter,Female To Female RCA Phono Adapter,Co-Axial


RG59 Coax Male BNC Twist On Connector Adapter,Female Jack Connector Adapter ,

etc...... )

CCTV Video File Format

type ။

။ CCTV Forensics

CCTV Video

Raw Data File Size , Data

။ compression

။ Compression Methods

။, - Video

Compression ။ Storage Video Quality

Compression ။ Transmit bandwidth (bit

rate ) transmit ။

Video bandwidth

====================

H.264

Camera H.264 Encoder Compressed data


H.264 Encoder Methods Compressed

I-frame P-frame ။

Camera Compressed I-Frame ။

Play Back Forward Backward Seeking time ။

P-Frame Frame

Frame Motion Back Ground

Save ။ Motion

save ။ Storage ။

File

H.264 , H.265 , MPEG-4 Part 10,

MPEG-4 part 2, JPEG, MPEG-2

.dav, .asf files, .avi

=======================

Part 41 42 How to CCTV Forensics

။ Thanks

First Responder Chain of Custody

။ Lab CCTV Record DVR

DVD ,Stick ။

DVR Storage media ။


Resolution

DVR, NVR

(DVR )( )

Storage ( Storage Size)

Storage DVR setting

(DVR )

...

။ record

။ :)

Storage Fill Concept Hard Disk Recovery

Concept ။ Recovery

Image enhancing (example Image Transcoding)


Tracking The Target ( more Source Require... )

Comparing ( image database Require)

Demonstrative Comparison

Height Calculating

etc .... ။

CCTV ,DVR Forensics HR

။ IQ EQ AQ ။

example case

bamakhit

CCTV ။(Download :)

Video File Low Resolution ။ Resolution

. Resolution

Hardware

1 Video file ။

410 ။


cambodia Case Resolution ။

CCTV ။ ။ Motion

Sorry ။ ။

Raspberry Pi Forensics

Raspberry Pi IT EC

။ ARM-Based RISC OS Plan 9 FreeBSD Chromium OS Windows 10 IoT


AmigaOS IchigoJam BASIC Kali * ။ Raspberry Pi

3 Model B WiFI Blue tooth

။ portable

. Pentest

Remote , WiFI Base

Raspberry Pi OS loading Storage USB, SD card Class 10

memory Chip ။

File System Ext4

How To Forensics

(When where and How)

( How to Connect With )

... ?

(What Happen ?)


Imaging and hashing.

SD, USB , linux Forensics

Vmware Forensics

Operation System

Virtual System ။

Virtual Box

VMware

Window Virtual PC

Hyper -V

Oracle VM

Parallels


Docker ။

Vmware Forensic ။ VMware

forensics ESXi, vSphere, vCenter Forensics

ESXi, vSphere, vCenter Forensics

Vmware

vmem – Virtual machine memory file

vmdk – Virtual machine storage disk file

vmss – Virtual machine information file

log – Virtual machine log file

nvram – Keeps ’

vmsn – Virtual machine snapshot file

vmxf – Additional configuration file.

.Vmdk

.Vmdk VMware Forensics ။ VMware

။VMware Hard disk

.vmem


.vmem

VMware memory ။ Memory Forensics

Forensics ။ vmem

User account, Password, Chat history, Web browsing history ။

.log

Log file User ။

။ ။

VMware

How to Forensics ?

Online Forensic Extraction

Offline Forensic Extraction

Simulation ။

) Knowledge

Wireless Forensics


Wireless Forensics Bluetooth satellite

Wireless Router Access Point Forensics ။

Wireless Device

Wireless

Broad Band Wireless Service FTTX line

Wireless Router

(repeater, point to point, bridge mode, Client mode), hotspot (Tethering)

။.

Wireless routers Wireless access points Wireless modems

Wireless network adapters Repeaters Antennas

video, Photo ။

(Adapter , Antenna , Cable Device )

။ point to point ,

bridge mode , Client mode ။

Wireless signal , channel ,range , Connected Device


use => window tools (or) Kali wireless hacking tools or Other OS

(MAC SSID Vendor Media type Channel Signal Strength)

(wireless packet analysis Incident Response

How to Forensics ?

Wireless Network Theory ,Device and Configuration , ISP

Post ။

Event Log Forensics


Event Log

။ MS Operation System security

software hardware ။Forensics

MS Server ။

incident Response ။

Event Log

User

Access ။ WS OS MS

file size OS ။MS OS vista

MS Server 2008 ။

forensics view case

Case log ။

MS server subcategory ။

(subcategory)


Online (active) live system incident Response

။ Offline (System Power Off) Event Log

investigation ။ Event Log -

Power Off Log ။

Event log ။

Event View System Log, Application log , Security log

save ။ save .evtx .csv

.xml .csv ။

C:\Windows\System32\winevt\Logs

။ MS Window , MS Server ။


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

Event Log

Password Time and Date

User logon logout OS start Stop time

User account permission

USB attachment ။

Windows Event log,System Event Log, Security Event Log,Application Event

Log,Directory DNS Event Log

MS server log enable ။ User

disable

။ save System Time ။

investigator

save

filter Click ။ Forensics

Tools


Event Log forensics computer Forensics

။ Case

OPEN SOURCE INTELLIGENCE (OSINT) Digital Forensics


Second War TV

။ ။

။ ၊ ၊

Juniper Research 2019

Open Source Intelligence

Open Source Intelligence (OSINT) Public

။ Open Source Intelligence (OSINT)

၊ ၊

OSINT


။ Hacking Information Gathering Dns lookup ,

… ။

Social Media

Selfie

Electronic Device ။

Open Source Intelligence (OSINT) US

။ Second war

။ facebook,

Twitter


Operation "Hate Book"

Reuters Facebook

UC Berkeley School Human Rights Center

Social media ။ Facebook

. Operation ။

UC Berkeley School ( Human Rights Center) Social Network

Digital Forensics Human Rights Crime

။ Program McMahon ။ Program

Facebook , Twitter Graph Search ။

online

Team Leader

။ Facebook Report ။

Foreign Broadcast Information Service (FBIS) public

...

...

...


Crush

... ..

amazon

... Review

...

..OSINT

. ...

Digital Forensics Countermeasure

Vi ။

Cyber Security ။

( OSINT Counter


Digital Forensics (48) SCADA(Supervisory Control and Data Acquisition)

Station Stuxnet

။ Stuxnet computer Stuxnet

Computer Computer PLC ၊

။ PLC Siemens (PLC) Stuxnet ။

Control Computer Control

။ Threat

။ Forensics

(Supervisory Control and Data Acquisition) ။ PLC

။PLC ။

Control system ။ Social

Engineering ။ Routable

Forensics ။

Security ။


Connection Routable Connection ။Monitoring

Workstation Window Version Forensics ။

Live system imaging Event log , Reg Log,

။ Volatile

SCADA sys record

။ video record ။

။ PLC diagram Future forensics

။SCADA Forensics Workstation

Restore Plan Forensics Plan

။ Restore Plan

Forensics ။ Forensics

Forensics Process

Device Attack

Program bug

Attack


Expert Witness Technical Witness

Investigation Report ။ Investigation Report

Forensics

။ Case

Expert Witness

Investigator Expert Witness

။ .

Electronic Law IT

။ Technical Witness forensics field

Electronic Law

။ Investigator

။ Law


၊ IT

။ Expert

Witness Lawyer ။ ၊

Witness ။

၊ ၊ IT Certificate၊

Forensics ။

Law Firm .

၊ IT Certificate၊

Forensics Tools , Device ၊

Technical Expert

investigator .

Example

) (Irrawady

English New ၊။


IoT Device Forensics Flow

2020 34 ။ Digital Forensics IoT

forensics Hardware ။

Iot cable,wireless,RF,Bluetooth,Sensor application ။ digital Forensics

Iot device ။ Iot device

။ Case Iot device

IoT Forensics Flow ။

Case

IoT device

Iot device

Device Iot Device

( medium device eg-wireless router )

(Iot device communication wireless,bluetooth )

Iot devie Sensor program

Iot Device


file type Save

…..

( )

( )

။ IoT device

save Device

။ ?

? First Responder team Data Collect ?

(LAB )

(Eg. Network Diagram) Iot

။ ။

IoT Device ။

smart home security Google . device

Manual guide

Data Communication , Remote Control Network Forensics

Data storage Storage Cloud ။ IoT Devie

Control Device ။ Eg . Mobile Phone or Tablet


Iot Device

Iot Forensic


NTFS File System timestamp Forensics

NTFS file system Master File Table (MFT) HardDisk


MFT Hard Disk Cluster file, folder
MFT
MFT $STANDARD_INFO
Modified Time (M-time)
Accessed Time (A-time)
Created Time (C-time)
Changed ($MFT Modified)
( User )

4 3 Modified Time (M-time) Accessed Time (A-time) Created Time (C-time) user Changed ($MFT Modified) Forensics tools MFT viewer tools example Autopsy, EnCase, FTK,
$FILE_NAME file, folder

file folder Create modified (edit)

access MAC time Antiforensics time stamp file folder file folder random time Example timestomp
timestamp timestamp (antiforensics)
W5

what ? File
Where? File
Why ? file ႕
How ?
Who?

Text File Win 10 hello.txt time zone W7



MCAB Time

window 10 txt file create

W10 window 7


NTFS Time Stamp Forensics w10 thirdeye

word,pdf,image file 3 create ။ timezone GMT6:30

။ file metadata timestamp

window 10 u thirdeye word,pdf,image file 3 Window 7

(GMT7) ။ file metadata , timestamp

TimeZone GMT 7 window 7 ။

window 7 ။ vmware

disk image (bit by bit) Copy ။ Logical Drive vmdk


image ။ forensics workstation timezone

forensics tools timezone ။ Example Encase , autopsy, FTK

Thirdeye World file forensics workstation

Thirdeye.World file

Case Back Ground (example)

Company company ။

company file

။ ။

။ clock

backdate ။


Back Da

Methodology Hypothesis Internet History, User, Create time, USB history, System window time back


File System Categories 5 ။ Digital Forensics

Categories 5

File System (Eg.NTFS,FAT32,)

File Content (Eg.docx .txt,.html)

Metadata (Eg. file location, Time Stamp )

File Name (Name of file)

Application (Eg. File Open Application , MS Word, WordPad and Notepad)

NTFS docx file Copy,Cut

။ Create Date (ctime) ။

FAT32 (USB) (ctime)

။FAT32 Last Accessed Date time ။ Create

Date & Times, Modify Date & Times ။

FAT32 (USB) docx file NTFS

NTFS paste File Edit


EXT4 (Kali) docx file ။ Open,Edit

။ Modified Date Accessed Date

EXT4 docx file

Accessed Date Modified Date EXT4 (Kali) Time Zone

Unix(Linux) System EXT4 System

Access Time ( atime)

Change Time (ctime)

Modify Time ( mtime) ။

File Creation Time ။ Access Time (atime) Modify Time

(mtime) File Creation Time ။File

create Current Time ။

EXT4 System Create Time (Birth Time) ။

Access Time (atime) Unix(Linux) CLI Or GUI File

(read) ။

Access Time (atime) ။ Current Time ။


Change Time – (ctime) file Ownership , Access Permissions

Modify Time – ( mtime) File Content ။(eg. edit

and Save)

kali (vmware) result

Metadata Forensics

Metadata (data)

။ Metadata file

type ။ file extension,file

size,file create , Create , create

, ။ Metadata


။ Metadata

word file word file → Right Click →

Properties → Details test1 Metadata ။ Author name PC

File save ။ Create

save ။ edit

test1 file

။metadata file name ။ Edit

save metadata ။


Test1 metadata stick


metadata


Test1 metadata Edit

Metadata ။

Test1file googleDrive Download download Test1


metadata ThirdEyes save
Author kOLUCHAW ႕
pdf-metadata Microsoft word


Image ,video,mp3 metadata ႕ site


location mode
Exif data image ႕
႕ image site image
user privacy example facebook
site resolution

Image metadata Link

http://exif.regex.info/exif.cgi

http://metapicz.com/#landing

pdf word file metadata

https://www.get-metadata.com/

What Where Who When How


Digital Forensics ..

What
Where
Who
When
How
What
Cyber Crime Case

Where
or
or

Who

( )

When

How


Case

Cyber Crime Law ... Case Cyber Law


Law Enforcement
Case

Volume Shadow Copy (VSS) Forensics

VSS

Example Encase

Volume Sha

Exchange PCB Board


Bit by Bit

First Responder Team Tasks in Cyber Crime


accessories


La

External Hard Drives, Removable Media, Thumb Drives,and Memory Cards,


Peripheral Devices,
Mobile Phone,tablet,
Potential Sources of Digital Evidence





(Example)

Login and Password

Password
Elec

-----------------------------------------------------------

TRIAGE METHOD




Digi

Special


Cyber-Enabled Crime and Cyber-Dependent Crime


Electronic Crime, E-Crime, Technology-Enabled Crime, Hi-Tech Crime, Computer Crime,
Computer Related Crime, Cyber Space Crime ..

.Non
Border .


( )

Computer

Computer
( Computer )

Computer

၂ ၆ Gordon Ford

Type 1

Eg. Hacking Methods

Type 2

Eg.Online Gambling

Type 1 Type 2 AI Robotic Type 3

Cyber-Enabled Crime, Cyber-Dependent Crime



Cyber-Enabled Crime

Computer Data Store Data Electronic Device


. Internet Device

၁၈ + photo video Payment card ID email

( )

Cyber-Dependent Crime

Computer Data Store Data Electronic Device


Online offline Computer Network
System ႕ data Data
CIA

DDoS DRDoS Phishing Virus and Malwares Hacktivist

First Responder Guide


Android Device

Mobile Device Power Power Power


Bank Power Volatile Information
Encryption Keys Volatile Data
Encryption Keys Physical Extraction Methods Chip Off

Mobile Device Pin Code Password Pattern biometric


Screen time out / Lock Timer Never USB
Debugging Mode
Airplane mode Faraday Cage Stronghold
Bag Kill Switch Feature (Remote Wipe)

Airplane mode Wireless / Bluetooth On


Airplane mode On Wireless / Bluetooth

Kill Switch Feature Remote Wipe Application Airplane mode Battery


Pin Password Pattern Mobile Phone Auto
Wipe Faraday Cage Stronghold Bag Mobile Device


Airplane mode Kill Switch Feature Remote Wipe Application


Airplane mode Wireless / Bluetooth
Auto On .. Faraday Cage Stronghold
Bag

Damage Mobile Device

Chemical

-
-
- DNA/
- Mobile Device
- Lab (Eg. ) Label
- Lab

OTG Stick/ Laptop/Desktop/ Paper pieces/USB Stick /External Hard Disk / Sim Card / Etc .......
Device Information document
International Mobile Equipment Identity (IMEI),
Mobile Equipment Identifier (MEID),
Mobile Carrier
Mobile Phone Serial
Mobile Phone Condition (Good or Damaged)
Pin Password Pattern
Etc ............


Embedded Universal Integrated Circuit Card (eUICC) or Embedded SIM (eSIM)

Mobile Phone Circuit board Chip Set Chip Set


memory Network Operator Profile ၁ (or) ၂
Sim Card Operator
roaming E-SIM Profile IMSI, ICCID, MSISDN
E-SIM Profile
Mobile Operator Bar Code (or) QR Code (or)
Application (or) Manual

Telecom Profile E-SiM Operator


Profile Profile ၂ E-Sim
Profile Disable /Enable

E -SIM Forensics
Information / Call Detail Record / IPDR / Location Operator

Mobile Forensics E-SIM Operator Profile

E-SIM Operating System (or) E-SIM Memory

Mobile Operating System (or) Mobile Phone Memory (Power) (or) Backup (or)


Cloud
(E-Sim )

Mobile Forensic Data Acquisition

Manual Extraction
Mobile Device Mobile Device
App /
Telecom / Wireless AP document


Logical Extraction
Mobile Device Memory Storage System data / user data
Back Up OS
Model Logical Extraction Recovery
Physical Extraction
Mobile Device Memory Storage Internal Memory /
External Memory Bit by Bit Copy
(Recovery )
Mobile phone Physical Extraction
JTAG (Joint Test Action Group)
Mobile phone Mobile phone
Chip Set /
JTAG Connector Circuit Board
Memory Chip JTAG Wire TAP (Test Access
Port) Mobile Phone Processor Memory Chip
Command Full Memory Record Lock
(JTAG
adapter/ Reader/ software JTAG CPU memory

Chip OFF
JTAG Memory Chip Chip Set Reader Memory Chip
JTAG
Android 6.0
Encryption
Micro Read
Memory Chip
Chip Gate Microscope Gate
Binary Hex, Hex data

SIM CARD FORENSIC


SIM (Subscriber Identity Module) CPU RAM OS EEPROM ROM SIM
File System Tree File System
Master File (MF), Dedicated Files (DF) Elementary Files (EF)
Master File (MF) File 2 Root Child directories
Dedicated Files (DF) Elementary Files (EF) Dedicated
Files (DF) Elementary Files (EF) Sim Card
ISO/IEC 7816 ISO/IEC 7816 ၁၅


UMTS 3G SIM Card Video Call


Data encryption Method Storage

SIM Card Forensics

Integrated Circuit Card Identifier (ICCID)


Issuer Identification Number (IIN)
Account Identification Number (AIN) ၂
(ICCID Sim Card Sim Card Barcode
MPT Sim Card )

Issuer Identification Number (IIN) ၇


၂ Major Industry Identifier (MII) ၂ ၃
Country Code (CC) ၂ (or) ၃ Mobile
Network Code (MNC) Issuer Identifier Number (IIN)
Account Identification Number (AIN)
Sim card Sim
card Home Location Register (HLR) Sim Card
MPT Sim Card ICCID
89 95 01 41 7315 0258567 4 ၂
89 Major Industry Identifier (MII) Telecommunication 95
Country Code (CC) 01 MPT Mobile Network Code
(MNC)
41 7315 0258567 Account Identification Number (AIN)
1 barcode Error

MYTEL SIM Card ICCID


89 95 09 000600 8831487 1 ၂ MYTEL Mobile
Network Code (MNC) 09
GSM Sim Card
899501…… = MPT , 899505 = Ooredoo, 899506…. Telenor , 89950… = Mytel
International Mobile Subscriber Identifier (IMSI)
(IMSI) 15 Mobile Phone Cell Tower
၃ Mobile Country Code (MCC) ၂
၂ Mobile Network Code (MNC) ၁ Mobile
Identification Number (MSIN)
MPT (IMSI) = 414 01 0050258547
414 Telecom
01 MPT Mobile Network Code (MNC)
Telenor (IMSI) = 414 06 0511957386
06 Telenor Mobile Network Code (MNC)
Mobile Station International Subscriber Directory Number (MSISDN)
(MSISDN)
Call 15


+95 1 444444 +95 Country


Code +1 National Destination Code Mobile phone

SPN and SDN (Service Provider Name and Service Dialing Numbers) Telecom Operator
Customer Care phone number
Temporary Mobile Subscriber Identity (TMSI)
(TMSI) Cell Tower
Cell
Tower IMSI
Phone Contact Sim Card : Abbreviated Dialing Numbers (ADN) LND (Last
Numbers Dialed) Call Log Call
Log
Short Message Service (SMS)
(SMS) SIM Card Sim Card

Sim Card Dedicated Files (DF) Location Information (LOCI) the Location
Area Identifier (LAI) Mobile Country Code (MCC) Mobile Network Code (MNC) the Location
Area Code (LAC) Routing Area Code (RAC) the Routing Area Information (RAI) Location
Update Information MCC, MNC, LAC, RAC, RAI (Call Detail Record
)

Sim Card Sim Card Adapter (R/W) Sim Card (Bit by


Bit Copy) Sim Card
Sim Card ၄ ၂၅
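As an added worked example (not code from the book), the following Python splits an ICCID and an IMSI into the fields described in the SIM card section above and verifies the ICCID's final Luhn check digit. The Myanmar issuer table and the two-digit country-code and issuer split are assumptions taken from the prefixes listed in the text; other issuers use different field lengths, so the split is parameterised. The MPT and MYTEL numbers from the text are parsed for their fields; the check-digit demonstration uses a constructed ICCID whose check digit the code computes itself.

```python
# Added example, not the book's code. MYANMAR_ISSUERS is assumed from the
# prefix list in the text (899501 = MPT, 899505 = Ooredoo, 899506 = Telenor,
# 89950x = Mytel with the 09 seen in the MYTEL ICCID).
MYANMAR_ISSUERS = {"01": "MPT", "05": "Ooredoo", "06": "Telenor", "09": "Mytel"}


def luhn_check_digit(body):
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # the digit just left of the check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True when the last digit of `number` is the Luhn check digit of the rest."""
    return len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


def parse_iccid(iccid, cc_len=2, issuer_len=2):
    """Split an ICCID into MII, country code, issuer, AIN and check digit.

    cc_len and issuer_len are the assumed lengths for the Myanmar SIMs in the
    text; the ISO/IEC 7812 issuer identifier is variable length in general."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 19 <= len(digits) <= 20:
        raise ValueError("ICCID must be 19 or 20 digits")
    iss_start = 2 + cc_len
    ain_start = iss_start + issuer_len
    cc = digits[2:iss_start]
    issuer = digits[iss_start:ain_start]
    return {
        "mii": digits[:2],                      # 89 = telecommunications
        "country_code": cc,                     # 95 = Myanmar
        "issuer": issuer,
        "operator": MYANMAR_ISSUERS.get(issuer, "unknown") if cc == "95" else "unknown",
        "ain": digits[ain_start:-1],
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
    }


def parse_imsi(imsi, mnc_len=2):
    """Split a 15-digit IMSI into MCC, MNC and MSIN (mnc_len is 2 in the text)."""
    digits = imsi.replace(" ", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMSI must be 15 digits")
    return {"mcc": digits[:3], "mnc": digits[3:3 + mnc_len], "msin": digits[3 + mnc_len:]}


if __name__ == "__main__":
    print(parse_iccid("89 95 01 41 7315 0258567 4"))   # MPT ICCID from the text
    print(parse_imsi("414 01 0050258547"))              # MPT IMSI from the text
    body = "8995010000000000000"                        # constructed 19-digit body
    print("constructed ICCID with check digit:", body + luhn_check_digit(body))
```

When an ICCID read from a card fails the check digit, treat it as a transcription or barcode-reading problem to re-verify against the card body and the operator's records, not as a field to correct by hand in the case notes.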


First Responder Guide

CCTV

DVR

Stand-Alone Embedded Digital Video Recorder (DVR)


Network Video Recorder (NVR)
Hybrid Digital Recorder
PC Based DVR
Personal Computer (By using Video Recording Software)
Server Based (Eg- Network Attach Storage) (NAS)

Video Forensics
႕ (Monitor Video
) (Resolution )
( DVR )

Compression Methods
=====================

CCTV Video Audio Record File Format DVR, NVR


Type type type
type CCTV Forensics compression Methods
CCTV Video Raw Data
File Size Cable/Wireless, Data
compression Methods
Compression Methods. H.264,
MPEG-4, MJPEG Video Compression Storage
Video Quality Compression Transmit bandwidth (bit rate
) transmit

CCTV Record
=====================

Record CCTV System Hardware Record

Laptop

Record CCTV System Hardware / ) Eg. LAN


DVD
USB or Wireless Mouse / Keyboard, LAN Cable, Power Extension / Marker Pen


USB Extension

DVR Mouse (or) Wireless Mouse USB Port) DVR


USB Port Memory Stick USB Extension

External Hard Disk (or) USB Stick (Minimum 16 GB ( (HD CCTV


Record 1 1.5 GB 2 GB )

DVR Mobile Data


Google DVR Specification

CCTV Record
=====================

Camera Channel
Channel
(Physical CCTV )( CCTV
Record )

DVR System Information


(Eg. DVR Channel Camera DVR
Channel System Login PassWord (admin/user)

Record DVR Record Record ႕


( - )

Record Video USB/External Hard Disk/DVD or Laptop / File


Type

- DVR Setting Compression Methods Compression Methods


Resolution Compression Methods
(Save Video Documented )

- USB Stick USB Stick Format USB Stick

Documented
=====================
-DVR Location Address (ph No, Etc ... )
- DVR
-DVR model, and serial number
-DVR password & username(s)


- Camera Camera
- DVR
( DVR )
- DVR
-DVR Video
- DVR Hard Disk Storage
- Storage Over Write
( Over Write Eg- 7 day or 30 days )

- DVR System settings -


Image Video quality (i.e. high, medium, low)
Frames per second
Recorded image/frame size (e.g. 320 x 240)
Alarm , motion trigger settings for cameras
DVR firmware version

- *System logs (Important)*


Camera / DVR Log File Save

- DVR CCTV Camera (or) Camera

(NVR ) (LAN/Wireless/DHCP )

DVR
========================
DVR

- DVR Video Record


-
- DVR
- Video Size
- (or)
- DVR Recovery
-

