Education Purpose Only

Aung Zaw Myo

https://forensicsmyanmar.blogspot.com/
What is Cyber Forensics ?

။
။
။

၂ ။

။)

၂ ။
 ။

....

....

၇
1822-1911

1847-1915

1858-1946

1887-1954

1891-1955

1932

1984

1993

1995 International Organization on Computer Ev

။

1998

2000
Digita
 ၇

DD

-
( ...

-
၁ A++
၂ Operationsystem(window,linux,MAC,etc..)
၃ BasicNetworking
၄ RoutingandSwitching
၄ ProgrammingBasic
၅ Server/Vmware/Bigdata -Virus
၆ Webapplication
၇ SocialNetwork(Facbook,twitter,linkedlin,etc....)
၈ Mobilephone..Tablet(software,hardware)
 ၉ wirelessDevice..
....

- ။
။

- ။

How to Management Evidence ?

device ။ ။
phonePrinterUSBHD Moderm Wireless AP , LAN cable
...etc.
-
၇

-
 ၇ ၇
Example soon .....

....case

၇ ၇
။

၇
....

။ wri

Dev

၇ ၇
Example soon .....
 Example ....Sooon
....

၇ ၇
။

.
....

။ wri

Anti-DigitalForensics
D

device
။

- storage

- Bootable

-
-

Note ( every crime leaves a trace)

Type of Digital Data

VolatileData

user log on , Process information,

command history,

....

Non-VolatileData Data)

TransientData Data)
websi

။
example Active Network Connection

FragileData Data)
Hard Disk , Memory Sti

TemporarilyAccessData
HardDisk,MemoryStick,
။
ActiveData

ArchivalData

BackupData
( ) HD
။

Collection Evidence

evidence

User Created File

example= database file , documents file ,

audio video file, text file , internet bookmarks,

User Protected File

Example password
protect file , folder , hidden file , rar,zip, tar,

Computer Created File

example = backup file , server log, event logs , system file , swap file, printer pools

။
 (example ..usb, router , modern)

Online ...

- (eg..database,excel,paper),-

..Image
Credit card .

.....configuration file, exe file, bat file, rar, zip,

tar,.......................internet activities

Writer
CreditcardGenerator

excel,world,database)

Imagefile
Email,Note,Letterbrowser,chatrecord,
Content No , call log

excel,world,database)
Imagefile
Email,Note,Letterbrowser,chatrecord,
Content No , call log

SimcardClone(hardware)
userdatabase ElectronicSerialnumber(ESI)
MobileidentificationNumber(MIN)
Browser,socialNetworkRecord

Steganography

Steganogra
။

-
- M
-
-
-

DVD/

။Eg..... bitstre

.
(10111110) (10111111) (10111111) (10111111) (10111111) (10111111) (10111111)
(10111110)

(10111111) (10111110) (10111110) (10111110) (10111110) (10111110) (10111110)

(10111111)
 ။

Frequency (DSSS-Direct Sequence Spread Spectrum)

(FHSS-FrequencyHoppingSpreadSpectrum ။

E-mail Forensics

Type Of Crime E-mail

(Cyber Stalking)

(Fraud Mail)

phishing)

(phishing) -----

-
(www.google.com www.gooogle.com

-
၇
 ။
gmail.com=>yahoo.com
၄

25 Domain n
။

yahoo.com

။
E-MailHeader

။
။ ။
။
။

How To Email Forensics

။
။
Secure Your Online Banking & ATM

********************************************************************

-
Browser
။

- ။

- ။

- ။

- ။

-
။

- ။ ။
။

- ။

- ၁ ။ Eg ($%+cadf89A)

- ။

- ။

- ။
။ ။

- ။
။
။

Safe Your ATM

AT
။

။
။
 ။
။

#onlinebanking #ATM

What is Cyber Forensics Part (21)

Memory forensics

။
။

။ ။
။
What is Cyber Forensics Part (22)
Evidence Device Cloning and Hashing

။ ။
။

။
Law Enforce
။

၁ ။
:D ။

၂ ။ ၇
။

၄ ။

၅ ။ ။
၆ ။
။

၇ ။

၈
1. Organization ။
။

။
 Social Engin
။

6.DDos

။ (Hacking is Not The Race)

Software , Ha
။

။
What Is Cyber Forensics Part (23)
Window Registry Analysis Part (1) (Window Forensics)

Window Default Application

Application
User Information
System Information

Network Information
။

။
Key, Sub key, Name , ။

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

၅
။
။
=========================

HKEY_CLASSES_ROOT

Software
။
။

HKEY_CURRENT_USER

User L
။ ။
HKEY_LOCAL_MACHINE

HKEY_USERS

။ ။

HKEY_CURRENT_CONFIG

။
======================

၅ ။

Software
System
SAM
Security
Default
================
Software

System

SAM

Security

။
။

Default

။
။

===============
 ၊ ။

1.REG_BINARY

။
။

2.REG_DWORD
------------------------

။
။

3.REG_EXPAND_SZ
----------------------------

4.REG_MULTI_SZ
--------------------------

5.REG_SZ
-----------------
။

6.REG_FULL_RESOCE_DESCRIPTOR
------------------------------------------------------

။
Window Registry Group
What Is Cyber Forensics Part (24)
Window Registry Analysis Part (2) (Window Forensics)

User
။

Login Time
Account Level
File Open activities
Network Connecting activities
Browser activities
။
။ Every things
Leave a Trace.

Registry File location

Windows\System32\Config

---------------------------
။

HKEY_LOCAL_MACHINE \SYSTEM : \system32\config\system

HKEY_LOCAL_MACHINE \SAM : \system32\config\sam

HKEY_LOCAL_MACHINE \SECURITY : \system32\config\security

HKEY_LOCAL_MACHINE \SOFTWARE : \system32\config\software

HKEY_USERS \UserProfile : \winnt\profiles\username

HKEY_USERS.DEFAULT : \system32\config\default
What Is Cyber Forensics Part (25)
Window Registry Analysis Part (3) (Window Forensics)

။
။

administ
။

။
။

Eve ။

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

========

SS
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\NetworkCards
။
။

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Enum\USBSTOR\
HKEY_LOCAL_MACHINE\SYSTEM|MountedDevices
=====

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Explorer\RunMRU
။

HKEY_CURRENT_USE ။

...
#Cybercrime #forensicsmyanmar

What Is Cyber Forensics Part (26)

Window Registry Analysis Part (4) (Window Forensics)

။
။
။

။ ။ More
tools Search in Google ....

Foren

။
။
 ။
၊ ....
What Is Cyber Forensics Part (25)
Window Registry Analysis Part (3) (Window Forensics)

။
။

။
။

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

========

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\NetworkCards
။
။

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Enum\USBSTOR\

HKEY_LOCAL_MACHINE\SYSTEM|MountedDevices
=====
 ။

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Explorer\RunMRU
။

What Is Cyber Forensics Part (26)

Window Registry Analysis Part (4) (Window Forensics)

။
။
။

။ ။ More
tools Search in Google ....

Foren

။
။

။
၊
OPEN SOURCE INTELLIGENCE (OSINT)

။
။
။
။ ၊ ၊

။
၂
။
 ။

။ Open Source Intelligence (OSINT)

။
။
။
၊ ၊
။
။

။
Facebook Graph Sea
။
။
။
။

။
Foreign Broadcast Information S

What is Cyber Forensics ? Part 27

Hard Disk Forensic . (Part 1) .

။ - - ။
။ ။
 ။
။
======================

။
။
၇ ။
======================

။
၂ ။ ။

။
======================
Actulator

။
======================
Actulator Arm

။
။
။
======================

======================

track
။
။
plat ။
။
======================
Cylinder

။
။
 ။
======================
Sector
။

။ ။ ၄

data

======================

Cluster

Cluster
။
။
။
။ ။ Eg= 4
x 4k(sector) = 1600 byte

======================
volume

volume
partation ။ ။
What is Cyber Forensics ? Part 28
Hard Disk Forensic . (Part 2)

Hard Disk (bad Sector, slack space, firmware half or full damage )

၊
။

။
။

E
။ ၂
။

Hard disk Con

 ။
====================================

Slack Space

data ။
။
။
။ ။ Eg= 4
x 4k(sector) = 1600 byte

။
sector ၂ ။
။
။ ။

။
။

။ ။

====================================

HD firmware

။
။

PCB (Printed Circuit Board) ။

firmwar ။
။
။

Special R ။
What is Cyber Forensics ? Part 29
Hard Disk Forensic . (Part 3)

Boot Loader , Boot Sector , Master Boot Record (MBR) & Window System Boot Process
===============================
Boot Loader (Boot manage
။
။ ။

Boot Sect
။
။ - -
။B ။ (POST

===============================
၂ ။

Volume Boot Record (VBR)

 ။
။
===============================

Master Boot Record (MBR) (512 Bytes)

။ ။ (multi boot)
၂ ။

Master partition table

Master Boot Code

။ ။

===============================
။
===============================

Window System Boot Process

===============================
။

System s - - ။

the Com
။ DVD,keysboard , Mouse ,extended Harddisk , etc .....

။
===============================

What is Cyber Forensics ? Part 30

===============================================
 ။
။

Delete

။
။
။

Shift+Delete

။ ။

=====================================
Window File System
=====================================

။
New Technology File Sys ။
၂ ။

၁
၂

Mast ၊
၊
။

Cl ။
။
။
==========================================
fi
==========================================

။ NTFS
။
 ။
။ file
။
။

===============
၊
။

What is Cyber Forensics ? Part 31

(Redundant Array of Independent Disks) (RAID) (FORENSICS) (Part 1)

=======================================

RAI
။
။
၃ ။
။

။
။

။ ။
Mirroring

Hard disk ။
။
။ ။

Parity

။
Parity informa

Disk 1 = 1 0 1 0
Disk 2 = 1 1 0 0
Disk 3 = 0 0 1 1
------------------------------------------------
Disk 4 = 0 1 0 1 ( Parity Information)
------------------------------------------------

< ။

Disk 1 = x x x x
Disk 2 = 1 1 0 0
Disk 3 = 0 0 1 1
------------------------------------------------
Disk 4 = 0 1 0 1 ( Parity Information)
------------------------------------------------

Result

၁ ၁
Disk 2 = 1 1 0 0
Disk 3 = 0 0 1 1
------------------------------------------
Disk 4 = 0 1 0 1 ( Parity Information)

============================================

raid 5 , raid 0 = window 8.1 and Window 10

Hardware Raid Controller = SCSI ,SATA, Fiber Channel
=============================================
RAID 0 (Striping ) (Block Size)
==============
- ။
- ။

base
။

- ။
- ။

RAID 1 (Mirroring )
==============
- ။
- ၂ ။
။
။
- ။
- Fault tolerance ။
- - -

RAID 5 (Striping with parity)

====================
- ။
- ။
- ။
- ။
- -
- ။ ။
=============================================

RAID 0 , ။
။
။
============================================
HOW To Forensics RAID SYSTEM
============================================
-
- ။
။
။

- ။ (Try to
Image ......Hash.....load image and Recover If Need )
- ။

What is Cyber Forensics ? Part 32

(RAID - FORENSICS) (Part 2 )

။။ ။
Case Back Ground
===============

။ ၊
။ Ant
။
-------

Window 10 64 bit
Processor Brand Intel
Processor Type Core i7 4.2 GHz
RAM Size 16 GB
Hard Drive Size 1 TB + 1 TB (Raid0)
Graphics Coprocessor Nvidia Geforce GTX 1070
Graphics Card Description Nvidia Geforce GTX 1070
========================================
-
။
။
။

======================

။
။ ။
။

။
။
။

:D ။
 HD 2
။
။

။
။
။
:)

။။ ။
။

What is Cyber Forensics ? Part 33

Forensics Methods and Principles (Hypothesis)

။
။
။ ။
။

။ ။

Crime Case Back Ground (NOTE: Base On CHFI&CCFP Note Not Real Wold Case)
======================================
။
။ ။
:D )

။
။ ။
။

။ ။
 Ok Let it be ...

Ok Let it Be ...

။
- Organiz

philosophy ။
။
။

Locard principle , inman-Rudin Paradigm

။

။ ။

What is Cyber Forensics ? Part 34

Locard's principle , inman-Rudin Paradigm
===============

-
။

Peer view
===========

။
။

============
-
။
 ။

။
။

။
===================

inman-Rudin Paradigm

-
....

Identification

Individualization
။ ။

Association

Reconstruction

What is Cyber Forensics ? Part 35

ATA Password (SSD and Hard Disk Forensics )

BIOS ,
- ။

A ။

။
 ။
။
။

......... ?

:)

Ma ။

။
။
။
.... :)

။
What is Cyber Forensics ? Part 36
Hard Disk Platter Forensics
===============

===============
-

-Same Doner

- ...

===================
-

- ...

-
===========
Computer forensics Part 37
Solid-State Drive (SSD) - Forensics (Part 1 )

။
- ။
။
၊
။

- ၊
၊ ၊ ၊ ၊

read- ။
။
။

- - ။
။
။
။
။

Controller

S ။
-
။ ။ garbage collection,
encryption, wear-levelling, , RA

Buffer Memory

- ။

-
။

SSD SATA ,SSD M2, SSD msata, SSD U2 , SSD Pcie , SSD sas ,
======================

Garbage Collection

။ -

။
။

။
။

program/erase cycles (P/E cycles)

==========================

။
။
။
။
=============
Wear leveling

။
။
===========
Trim ( You can use from OS )

။ ။
။
။

(Garbage Collection, W
Computer forensics Part 38
Solid-State Drive (SSD) - Forensics (Part 2 )

။
။ - -

- ။
:)

။
။

။
။
။
- ။

- ။

- - ။

- ။ (kits or
(hashing Problem )

- ။

- ။

- raid ။

၃၉

..

Forensics
To

SSD hardware encryption

 Contr

m2

chec

PCB
.... :-)

..
appl

..
၆
. :-)

Cust :-)

:-) :-)

:-)

:-)

:-)
...

AUNG ZAW MYO

https://www.facebook.com/forensicsmyanmar