4/26/2010

Computer Forensics
COMP620
Sara Jones


What is Computer Forensics?
• Scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer
• Used to obtain potential legal evidence


Background
• The Dean of Students at Purdue University estimates that 25% of all disciplinary cases involve some sort of computer evidence
• The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination
• Local law enforcement agencies and prosecutors expect 20‐40% of all cases will require information forensics
Scott L. Ksander


“The FBI is committed to working with our law enforcement partners and the U.S. Attorney’s Office to investigate and prosecute those individuals who choose to use computer technology in furtherance of their fraudulent schemes.”
Nathan Gray
Special Agent in Charge of the FBI‐Phoenix Division
Thursday, April 8, 2010
www.cybercrime.gov
Computers in Crime
• A computer can hold data of a crime
   – child pornography
• The computer could be stolen property
• The computer could hold evidence of a crime
   – spreadsheet of drug transactions
• A computer can be the instrument of a crime
   – hacking
   – distribute copyrighted videos
www.cybercrime.gov


The Computer’s Role in Crime
• Computer as Target of the incident
   – Get to instructor’s test preparation
   – Access someone else’s homework
   – Access/Change a grade
   – Access financial information
   – “Denial of Service”
• Computer as Tool of the incident
   – Word processing used to create plagiarized work
   – E‐mail sent as threat or harassment
   – Printing used to create counterfeit material
• Computer as Incidental to the incident
   – E‐mail/file access used to establish dates/timelines
   – Stored names and addresses of contacts or others potentially involved in the incident
Scott L. Ksander


Forensic Use
Computer forensics is used for
• Law enforcement
• Enforcing employee policies
• Gathering evidence against an employee that an organization wishes to terminate
• Recovering data in the event of a hardware or software failure
• Understanding how a system works
Wikipedia


Law Enforcement
• Computer forensics is often used to gather evidence to prosecute a crime
• Computer forensics professionals must be careful to follow the legal requirements for handling evidence
• The evidence can be dismissed if it cannot be shown that it was not tampered with, either accidentally or intentionally
Preparing an Investigation
• Role of the computer forensics professional: gather evidence to prove a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate inquiry
   – Investigate the suspect’s computer
   – Preserve the evidence on a different computer
Guide to Computer Forensics and Investigations, 2e


Preparing an Investigation (continued)
• Follow an accepted procedure to prepare a case
• The U.S. Department of Justice has a document you can download that reviews proper acquisition of electronic evidence (“Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”):
   http://www.cybercrime.gov/ssmanual/index.html
• Chain of custody
   – The route the evidence takes from the time you find it until the case is closed or goes to court
Guide to Computer Forensics and Investigations, 2e


Chain of Custody
• Protects the integrity of the evidence
• An effective process of documenting the complete journey of the evidence during the life of the case
• Allows you to answer the following questions:
   – Who collected it?
   – How & where?
   – Who took possession of it?
   – How was it stored & protected in storage?
   – Who took it out of storage & why?
Scott L. Ksander


The Process
• The primary activities of a computer forensics specialist are investigative in nature.
• The investigative process encompasses
   – Identification
   – Preservation
   – Collection
   – Examination
   – Analysis
   – Presentation
   – Decision
Scott L. Ksander
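The chain-of-custody questions above are usually answered from a paper or spreadsheet log. The following is an added example, not part of the slides or of any of the cited sources, of keeping that log tamper-evident: every entry records who, how, where and why, and carries the SHA-256 of the previous entry, so an after-the-fact edit to an earlier entry is detectable from the entries that follow it. The item ID, names, places and timestamps are made up for the demonstration.

```python
"""Tamper-evident chain-of-custody log.

Added example, not from the slides or from any of the cited sources.  Each
entry records one of the slide's questions (who collected it, how and where,
who took possession, how it was stored, who took it out and why) and carries
the SHA-256 of the previous entry, so a later edit to any earlier entry breaks
every hash that follows it.  Item IDs, names, places and times are made up.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log


def entry_digest(entry: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of an entry
    without its own 'hash' field, so the digest is reproducible."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list, timestamp: str, item_id: str, action: str,
                 who: str, where: str, how: str, why: str) -> dict:
    """Append one custody event.  action is one of: collected, transferred,
    stored, checked_out, returned.  The entry is chained to its predecessor."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp,
        "item_id": item_id,
        "action": action,
        "who": who,
        "where": where,
        "how": how,
        "why": why,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return -1 if every entry hashes correctly and links to its predecessor,
    otherwise the seq number of the first entry that fails."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i
                or entry["prev_hash"] != expected_prev
                or entry_digest(entry) != entry["hash"]):
            return i
        expected_prev = entry["hash"]
    return -1


def custodians(log: list, item_id: str) -> list:
    """Everyone who took physical possession of the item, in order."""
    return [e["who"] for e in log
            if e["item_id"] == item_id
            and e["action"] in ("collected", "transferred", "checked_out")]


def demo_log() -> list:
    """A constructed log for one seized drive (all values made up)."""
    log: list = []
    append_entry(log, "2010-04-08T14:02:00Z", "HDD-0001", "collected",
                 "S. Jones", "Room 214, residence hall B",
                 "drive removed from desktop, photographed, bagged and sealed (bag A17)",
                 "case 2010-017")
    append_entry(log, "2010-04-08T15:30:00Z", "HDD-0001", "transferred",
                 "R. Smith, evidence technician", "evidence intake desk",
                 "hand delivery, seal A17 intact", "intake")
    append_entry(log, "2010-04-08T15:45:00Z", "HDD-0001", "stored",
                 "R. Smith, evidence technician", "evidence room, locker 7",
                 "sealed bag, locker locked, access log signed", "storage")
    append_entry(log, "2010-04-09T09:10:00Z", "HDD-0001", "checked_out",
                 "S. Jones", "forensic lab", "write blocker, imaging station 2",
                 "create working and library images")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", verify_chain(log) == -1)
    print("custodians:", custodians(log, "HDD-0001"))
    log[1]["where"] = "unknown"           # an after-the-fact edit
    print("first bad entry after edit:", verify_chain(log))
```

The chain only proves that the log has not been edited since the last entry was written; it does not replace signatures, seals or an independent copy of the log, which is what makes the final hash trustworthy in front of a court.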




Computer Forensic Activities
Activities commonly include:
• the secure collection of computer data
• the identification of suspect data
• the examination of suspect data to determine details such as origin and content
• the presentation of computer‐based information
• the application of a country's laws to computer practice
Scott L. Ksander


The 3 As
The basic methodology consists of the 3 As:
• Acquire the evidence without altering or damaging the original
• Authenticate the image (show, normally by cryptographic hash, that the image is identical to the original)
• Analyze the data without modifying it
Scott L. Ksander


General Types of Digital Forensics
• Network Analysis
   – Communication analysis
   – Log analysis
   – Path tracing
• Media Analysis
   – Disk imaging
   – Content analysis
   – Slack space analysis
   – Steganography
• Code Analysis
   – Reverse engineering
   – Malicious code review
   – Exploit review
Scott L. Ksander


5 Rules of Evidence
• Admissible
   – Must be able to be used in court or elsewhere
• Authentic
   – Evidence relates to the incident in a relevant way
• Complete (no tunnel vision)
   – Includes exculpatory evidence and evidence pointing to alternative suspects
• Reliable
   – No question about authenticity & veracity
• Believable
   – Clear, easy to understand, and believable by a jury
Scott L. Ksander
General Evidence Dos & Don’ts
1. Minimize Handling/Corruption of Original Data
2. Account for Any Changes and Keep Detailed Logs of Your Actions
3. Comply with the Five Rules of Evidence
4. Do Not Exceed Your Knowledge
5. Follow Your Local Security Policy and Obtain Written Permission
6. Capture as Accurate an Image of the System as Possible
7. Be Prepared to Testify
8. Ensure Your Actions are Repeatable
9. Work Fast
10. Proceed From Volatile to Persistent Evidence
11. Don't Run Any Programs on the Affected System
12. Document Document Document!!!!
Scott L. Ksander; Source: AusCERT 2003 (www.auscert.org)


Creating Disk Images
• Care must be taken not to change the evidence.
• Not all data on a system is equally durable. From most to least volatile:
   – Registers & cache
   – Process tables, ARP cache, kernel stats
   – Contents of system memory
   – Temporary file systems
   – Data on the disk
• Examining a live file system changes the state of the evidence
• The computer/media is the “crime scene”
• Protecting the crime scene is paramount: once evidence is contaminated it cannot be decontaminated.
• Really only one chance to do it right!
Scott L. Ksander


Why Create a Duplicate Image?
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
   – Preserves the original evidence
   – Prevents inadvertent alteration of the original evidence during examination
   – Allows recreation of the duplicate image if necessary
Scott L. Ksander


Bitstream vs. Backups
• Forensic copies (bitstream) are bit‐for‐bit copies capturing all the data on the copied media, including hidden and residual data (e.g., free space, swap, file slack, deleted files)
• Often the “smoking gun” is found in the residual data.
• Logical vs. physical image: a logical image captures only the files the file system still lists; a physical image captures every sector of the device, allocated or not.
Scott L. Ksander
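The two slides above claim that a file copy misses data a bitstream image keeps. The following is an added example, not part of the slides or the cited sources, that makes the difference concrete on a constructed toy volume: a deleted file whose sector is no longer allocated, and an older file whose tail survives in the slack of a newer file's last sector. The sector size, file names and contents are made up; the "directory" is a plain dictionary standing in for a file-system table.

```python
"""Why a file copy misses what a bitstream image keeps.

Added example, not from the slides or the cited sources.  A toy 8-sector
volume with a one-entry directory is built in memory; its layout, file names
and contents are made up.  A logical (file-level) copy returns only the bytes
the directory still points to.  A bitstream copy returns every sector, so the
residue of deleted and overwritten files can still be carved out of file slack
and unallocated space.
"""

SECTOR = 512        # toy volume: one cluster is one 512-byte sector
N_SECTORS = 8       # sector 0 is the volume label, 1-7 hold data


def write_file(image: bytearray, start: int, data: bytes) -> None:
    """Write data from a sector boundary.  Like a real file system it does
    not touch the bytes between the end of the data and the end of the last
    sector: whatever was there before remains as slack."""
    image[start * SECTOR:start * SECTOR + len(data)] = data


def build_sample_image():
    """Return (image, directory); directory maps live file names to
    (start_sector, size_in_bytes).  Deleted files simply have no entry."""
    image = bytearray(N_SECTORS * SECTOR)
    write_file(image, 0, b"TOYVOL01")
    # 1. 'plan.txt' once occupied sector 2 and was then deleted
    write_file(image, 2, b"MEET AT DOCK 9PM. BRING THE CASH." * 10)
    # 2. 'notes.txt' (700 bytes) now spans sectors 1-2.  It overwrites only
    #    the first 188 bytes of sector 2; the rest of that sector is slack
    notes = (b"groceries: milk, eggs, bread\n" * 25)[:700]
    write_file(image, 1, notes)
    # 3. 'ledger.csv' was written to sector 3 and later deleted
    write_file(image, 3, b"date,buyer,grams,price\n2010-04-01,JD,7,140\n")
    directory = {"notes.txt": (1, len(notes))}
    return image, directory


def sectors_of(start: int, size: int) -> range:
    """Sectors a file of `size` bytes occupies from `start`."""
    return range(start, start + (size + SECTOR - 1) // SECTOR)


def logical_copy(image: bytes, directory: dict) -> dict:
    """What a backup or file copy sees: each live file, exactly `size` bytes."""
    return {name: bytes(image[s * SECTOR:s * SECTOR + size])
            for name, (s, size) in directory.items()}


def bitstream_copy(image: bytes) -> bytes:
    """Bit-for-bit copy of the whole medium, slack and free space included."""
    return bytes(image)


def slack_space(image: bytes, directory: dict) -> bytes:
    """Bytes between each live file's logical end and the end of its last sector."""
    out = b""
    for start, size in directory.values():
        if size == 0:
            continue
        last = sectors_of(start, size)[-1]
        used_in_last = size - (last - start) * SECTOR
        out += bytes(image[last * SECTOR + used_in_last:(last + 1) * SECTOR])
    return out


def unallocated_space(image: bytes, directory: dict) -> bytes:
    """Every data sector no live file points to."""
    live = set()
    for start, size in directory.values():
        live.update(sectors_of(start, size))
    return b"".join(bytes(image[s * SECTOR:(s + 1) * SECTOR])
                    for s in range(1, N_SECTORS) if s not in live)


def carve(data: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle: a crude keyword carve."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


if __name__ == "__main__":
    image, directory = build_sample_image()
    files = logical_copy(image, directory)
    dd = bitstream_copy(image)
    for label, blob in (("file copy", b"".join(files.values())),
                        ("slack", slack_space(dd, directory)),
                        ("unallocated", unallocated_space(dd, directory))):
        print(f"{label:12s} DOCK:{len(carve(blob, b'MEET AT DOCK 9PM')):2d}"
              f"  grams:{len(carve(blob, b'grams,price')):2d}")
```

Run as a script it prints zero hits for both keywords in the file copy, four hits for the dock meeting in the slack of notes.txt, and the ledger header in unallocated space; the same carve over the bitstream image finds both, which is the "smoking gun in the residual data" of the slide.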




Make Two Copies
• Make 2 copies of the original media
   – 1 copy becomes the working copy
   – 1 copy is a library/control copy
   – Verify the integrity of the copies against the original (hash the original and each copy; the hashes must match)
• The working copy is used for the analysis
• The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted
• If performing drive‐to‐drive imaging (not an image file) use clean media to copy to
   – Shrink‐wrapped new drives
   – Next best, zero another drive (and verify the wipe before imaging onto it)
Scott L. Ksander


Computer Forensics Certification
There are several professional groups and companies that offer forensic certification
• International Association of Computer Investigative Specialists (IACIS) offers the Certified Electronic Evidence Collection Specialist (CEECS) and Certified Forensic Computer Examiner (CFCE) certifications
• Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA)
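The 3 As slide (acquire, authenticate, analyze) and the Make Two Copies slide above describe one procedure. The following is an added example, not part of the slides or the cited sources, that carries it through end to end: zero a reused target, acquire two bitstream copies while hashing the bytes as they are read, authenticate both copies against the original, run a read-only analysis on the working copy, re-authenticate, and then show that the library copy still verifies after the working copy is accidentally written to. The "suspect media" is a constructed file standing in for a drive so the script runs offline; on a real device the source would be read through a hardware write blocker, which this code cannot show.

```python
"""Acquire, authenticate, analyze, with two verified copies.

Added example, not from the slides or the cited sources.  The "suspect media"
is a constructed file standing in for a drive so that everything runs offline;
a real acquisition reads the device through a hardware write blocker, which is
outside what this code can show.  File names and the keyword are made up.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB blocks


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, dest: str) -> str:
    """Acquire: bitstream copy of source into dest.  The source is opened
    read-only and never written.  Returns the SHA-256 of the bytes as they
    were read, i.e. the acquisition hash to record in the case notes."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def zero_media(path: str, size: int) -> None:
    """'Next best, zero another drive': overwrite a reused target with zeros so
    nothing from an earlier case can be mistaken for data from this one."""
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)
            remaining -= n


def authenticate(original: str, copies: list) -> dict:
    """Authenticate: each copy must hash identically to the original."""
    ref = hash_file(original)
    return {os.path.basename(p): hash_file(p) == ref for p in copies}


def analyze(working_copy: str, needle: bytes) -> list:
    """Analyze: read-only keyword search over the working copy."""
    with open(working_copy, "rb") as f:
        data = f.read()
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def run_case() -> dict:
    """End to end: build the media, image it twice, verify, analyze, re-verify,
    then show that the library copy survives damage to the working copy."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "suspect_media.bin")
        filler = bytes(range(256)) * 12                 # 3072 bytes of constructed filler
        with open(media, "wb") as f:
            f.write(filler + b"transfer 7 grams 2010-04-01" + filler)

        working = os.path.join(workdir, "working.dd")
        library = os.path.join(workdir, "library.dd")
        zero_media(working, os.path.getsize(media))     # reused target: wipe it first
        acq_hash = acquire(media, working)
        acquire(media, library)
        before = authenticate(media, [working, library])

        hits = analyze(working, b"grams")
        after = authenticate(media, [working, library])  # analysis changed nothing

        with open(working, "r+b") as f:                 # simulate an accidental write
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        damaged = authenticate(media, [working, library])

        return {"acquisition_hash": acq_hash,
                "original_hash": hash_file(media),
                "verified_before_analysis": before,
                "verified_after_analysis": after,
                "verified_after_damage": damaged,
                "hits": hits}


if __name__ == "__main__":
    for k, v in run_case().items():
        print(f"{k}: {v}")
```

Two details matter in practice: the acquisition hash is computed over the bytes as they come off the source, so it can be written into the notes before the copy is ever re-read, and the post-analysis hash check is what lets you state in testimony that the analysis did not modify the working copy.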




References
• Scott L. Ksander, “Computer Forensics in the Campus Environment”, www.purdue.edu/securepurdue/docs/ComputerForensics.ppt
• Thomson Course Technology, “Guide to Computer Forensics and Investigations, 2e”, euclid.barry.edu/~zuniga/courses/cs300/ch02.ppt
• Sara Jones, “Computer Forensics”, www.middlesexcc.edu/faculty/Steven.../Computer_%20Forensics.ppt
• www.cybercrime.gov

Weitere ähnliche Inhalte

Was ist angesagt?

TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!Wayne Norris
 
Cyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital DomainCyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital Domainppd1961
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic SoftwaresDhruv Seth
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1anilinvns
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1Jinalkakadiya
 
Computer forensics vital_for_combating_cyber_crimes
Computer forensics vital_for_combating_cyber_crimesComputer forensics vital_for_combating_cyber_crimes
Computer forensics vital_for_combating_cyber_crimesVicky Shah
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emamahmad abdelhafeez
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Sagar Rahurkar
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics00heights
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 

Was ist angesagt? (20)

TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!
 
Cyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital DomainCyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital Domain
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Sued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital ForensicsSued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital Forensics
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic Softwares
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
 
Computer forensics vital_for_combating_cyber_crimes
Computer forensics vital_for_combating_cyber_crimesComputer forensics vital_for_combating_cyber_crimes
Computer forensics vital_for_combating_cyber_crimes
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emam
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Electronic evidence
Electronic evidenceElectronic evidence
Electronic evidence
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 

Ähnlich wie Computer forensics [pdf library]

computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxDaniyaHuzaifa
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxssuser2bf502
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensicRahul Badekar
 
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02satyabwati
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloJohn Intindolo
 
Computer forensics investigation and digital forensics services
Computer forensics investigation and digital forensics servicesComputer forensics investigation and digital forensics services
Computer forensics investigation and digital forensics servicesICFECI
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptSurajgroupsvideo
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONAmina Baha
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowWinston & Strawn LLP
 
Computer Forensics (1).pptx
Computer Forensics (1).pptxComputer Forensics (1).pptx
Computer Forensics (1).pptxGautam708801
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureOllie Whitehouse
 
Cyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection toolsCyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection toolsN.Jagadish Kumar
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
Computer forensics Slides
Computer forensics SlidesComputer forensics Slides
Computer forensics SlidesVarun Sehgal
 

Ähnlich wie Computer forensics [pdf library] (20)

Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
 
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
Akcomputerforensics 130222081008-phpapp02-140809110602-phpapp02
 
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_IntindoloISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
ISSC455_Week6_Project_PowerPoint_Presentation_Intindolo
 
Computer forensics investigation and digital forensics services
Computer forensics investigation and digital forensics servicesComputer forensics investigation and digital forensics services
Computer forensics investigation and digital forensics services
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATION
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
Computer Forensics (1).pptx
Computer Forensics (1).pptxComputer Forensics (1).pptx
Computer Forensics (1).pptx
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
180 184
180 184180 184
180 184
 
Cyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection toolsCyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection tools
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Cyber Security 1215
Cyber Security 1215Cyber Security 1215
Cyber Security 1215
 
Computer forensics Slides
Computer forensics SlidesComputer forensics Slides
Computer forensics Slides
 

Computer forensics [pdf library]

  • 1. 4/26/2010 What is Computer Forensics?  • Scientific process of preserving, identifying,  extracting, documenting, and interpreting  t ti d ti di t ti Computer Forensics data on computer COMP620 • Used to obtain potential legal evidence Sara Jones Background “The FBI is committed to working with our law • The Dean of Students at Purdue University  enforcement partners and the U.S. Attorney’s estimates that 25% of all disciplinary cases  Office to investigate and prosecute those involve some sort of computer evidence i l f id individuals who choose to use computer • The Director of the FBI now expects 50% of  technology in furtherance of their fraudulent all cases handled by the FBI to involve at  schemes.” least one computer forensic examination Nathan Gray • Local law enforcement agencies and Local law enforcement agencies and  Special Agent in Charge of the FBI‐Phoenix Division prosecutors expect 20‐40% of all cases will  Thursday, April 8, 2010 require information forensics Scott L. Ksander www.cybercrime.gov 1
  • 2. 4/26/2010 Computers in Crime Computers Role in Crime • Computer as Target of the incident • A computer can hold data of a crime – Get to instructor’s test preparation – Access someone else’s homework – child pornography child pornography – Access/Change a grade • The computer could be stolen property – Access financial information – “Denial of Service” • The computer could hold evidence of a crime • Computer as Tool of the incident – spreadsheet of drug transactions – Word processing used to create plagiarized work – E‐mail sent as threat or harassment • A computer can be the instrument of a crime A computer can be the instrument of a crime – Printing used to create counterfeit material Printing used to create counterfeit material – hacking • Computer as Incidental to the incident – E‐mail/file access used to establish date/timelines – distribute copyrighted videos – Stored names and addresses of contacts or others  potentially involved in the incident www.cybercrime.gov Scott L. Ksander Forensic Use Law Enforcement Computer forensics is used for • Computer forensics is often used to gather  • L Law enforcement f evidence to prosecute a crime id t t i • Enforce employee policies  • Computer forensics professionals must be  • To gather evidence against an employee that  careful to follow the legal requirements for  an organization wishes to terminate handling evidence • R Recover data in the event of a hardware or  d t i th t f h d • The evidence can be dismissed if it cannot be The evidence can be dismissed if it cannot be  software failure shown that it was not tampered, either  accidently or intentionally • Understand how a system works Wikipedia 2
  • 3. 4/26/2010 Preparing an Investigation  Preparing an Investigation (continued) • Role of computer forensics professional:  • Follow an accepted procedure to prepare a case gather evidence to prove a suspect committed  th id t t itt d • The U S Department of Justice has a document The U.S. Department of Justice has a document  a crime or violated a company policy you can download that reviews proper  • Collect evidence that can be offered in court  acquisition of electronic evidence or at a corporate inquiry http://www.cybercrime.gov/ssmanual/index.html  – Investigate the suspect’s computer Investigate the suspect s computer • Chain of custody Chain of custody – Preserve the evidence on a different computer – Route the evidence takes from the time you find it  until the case is closed or goes to court Guide to Computer Forensics and Investigations, 2e Guide to Computer Forensics and Investigations, 2e Chain of Custody The Process • Protects integrity of the evidence • The primary activities of a computer forensics  • Effective process of documenting the  specialist are investigative in nature. complete journey of the evidence during the  • Th i The investigative process encompasses ti ti life of the case – Identification • Allows you to answer the following questions: – Preservation – Who collected it? – Collection – Examination – How & where? How & where? – Analysis  – Who took possession of it? – Presentation – How was it stored & protected in storage? – Decision – Who took it out of storage & why? Scott L. Ksander Scott L. Ksander 3
4. Computer Forensic Activities
Activities commonly include:
• the secure collection of computer data
• the identification of suspect data
• the examination of suspect data to determine details such as origin and content
• the presentation of computer‐based information
• the application of a country's laws to computer practice
Scott L. Ksander

The 3 As
The basic methodology consists of the 3 As:
• Acquire the evidence without altering or damaging the original
• Authenticate the image
• Analyze the data without modifying it
Scott L. Ksander

General Types of Digital Forensics
• Network Analysis
  – Communication analysis
  – Log analysis
  – Path tracing
• Media Analysis
  – Disk imaging
  – Content analysis
  – Slack space analysis
  – Steganography
• Code Analysis
  – Reverse engineering
  – Malicious code review
  – Exploit review
Scott L. Ksander

5 Rules of Evidence
• Admissible
  – Must be able to be used in court or elsewhere
• Authentic
  – Evidence relates to incident in relevant way
• Complete (no tunnel vision)
  – Exculpatory evidence for alternative suspects
• Reliable
  – No question about authenticity & veracity
• Believable
  – Clear, easy to understand, and believable by a jury
Scott L. Ksander
5. General Evidence Dos & Don'ts
1. Minimize Handling/Corruption of Original Data
2. Account for Any Changes and Keep Detailed Logs of Your Actions
3. Comply with the Five Rules of Evidence
4. Do Not Exceed Your Knowledge
5. Follow Your Local Security Policy and Obtain Written Permission
6. Capture as Accurate an Image of the System as Possible
7. Be Prepared to Testify
8. Ensure Your Actions are Repeatable
9. Work Fast
10. Proceed From Volatile to Persistent Evidence
11. Don't Run Any Programs on the Affected System
12. Document, Document, Document!!!!
Source: AusCERT 2003 (www.auscert.org)
Scott L. Ksander

Creating Disk Images
• Care must be taken not to change the evidence.
• Most media are "magnetic based" and the data is volatile (most volatile first):
  – Registers & cache
  – Process tables, ARP cache, kernel stats
  – Contents of system memory
  – Temporary file systems
  – Data on the disk
• Examining a live file system changes the state of the evidence
• The computer/media is the "crime scene"
• Protecting the crime scene is paramount, as once evidence is contaminated it cannot be decontaminated.
• Really only one chance to do it right!
Scott L. Ksander

Why Create a Duplicate Image?
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  – Preserves the original evidence
  – Prevents inadvertent alteration of original evidence during examination
  – Allows recreation of the duplicate image if necessary
Scott L. Ksander

Bitstream vs. Backups
• Forensic copies (bitstream) are bit-for-bit copies capturing all the data on the copied media, including hidden and residual data (e.g., free space, swap, residue, deleted files, etc.)
• Often the "smoking gun" is found in the residual data.
• Logical vs. physical image
Scott L. Ksander
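The "Why Create a Duplicate Image?" and "Bitstream vs. Backups" slides say a file copy misses residual data while a bit-for-bit image keeps it. The Python below is an added example, not code from the slides or their sources: a toy block device with a file table stands in for a real filesystem (the class, block size and file contents are all constructed for the demo). Deleting a file removes only its table entry, and a new file that partly fills a block leaves the old bytes in the rest of that block, so the logical copy sees one innocuous file while the image still carries the deleted ledger in free space and slack.

```python
"""Why a bitstream image recovers what a file copy misses (added, constructed example).

ToyDisk is a miniature block device with a file table, standing in for a real
filesystem. Deleting a file only removes its table entry, so its blocks keep
their contents until overwritten; a file that only partly fills its last block
leaves earlier contents in the rest of that block (slack space).
"""
from typing import Dict, List

BLOCK = 16  # bytes per block; tiny so the layout is easy to follow


class ToyDisk:
    def __init__(self, blocks: int = 8) -> None:
        self.raw = bytearray(BLOCK * blocks)      # the physical medium
        self.table: Dict[str, tuple] = {}         # name -> (first block, length in bytes)

    def _blocks_for(self, length: int) -> int:
        return max(1, -(-length // BLOCK))        # ceiling division, at least one block

    def free_blocks(self) -> List[int]:
        used = set()
        for start, length in self.table.values():
            used.update(range(start, start + self._blocks_for(length)))
        return [b for b in range(len(self.raw) // BLOCK) if b not in used]

    def write(self, name: str, data: bytes) -> None:
        """Store data in the first contiguous run of free blocks; only the bytes of
        data are written, so whatever was in the rest of the last block survives."""
        need = self._blocks_for(len(data))
        free = self.free_blocks()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run[-1] - run[0] == need - 1:
                off = run[0] * BLOCK
                self.raw[off:off + len(data)] = data
                self.table[name] = (run[0], len(data))
                return
        raise OSError("no contiguous free space")

    def delete(self, name: str) -> None:
        del self.table[name]                       # directory entry only; blocks are untouched

    def logical_copy(self) -> Dict[str, bytes]:
        """What a file-by-file backup sees: current files, exactly their stated length."""
        return {n: bytes(self.raw[s * BLOCK:s * BLOCK + l]) for n, (s, l) in self.table.items()}

    def bitstream_copy(self) -> bytes:
        """Bit-for-bit image of the whole medium, free space and slack included."""
        return bytes(self.raw)


def carve_free_space(image: bytes, free: List[int]) -> bytes:
    """Concatenate non-empty content of unallocated blocks in an image (simple carving)."""
    parts = []
    for b in free:
        chunk = image[b * BLOCK:(b + 1) * BLOCK].rstrip(b"\x00")
        if chunk:
            parts.append(chunk)
    return b"".join(parts)


def demo() -> dict:
    d = ToyDisk()
    d.write("ledger.txt", b"drug transactions: 12 deals, $48000")  # 35 bytes -> blocks 0-2
    d.delete("ledger.txt")                                          # "deleted" by the user
    d.write("notes.txt", b"grocery list")                           # 12 bytes -> block 0 only
    logical = d.logical_copy()
    image = d.bitstream_copy()
    return {
        "logical_files": sorted(logical),
        "logical_has_ledger": any(b"deals" in v for v in logical.values()),
        "image_has_ledger": b"deals" in image,
        "slack_after_notes": image[len(b"grocery list"):BLOCK],     # tail of block 0
        "carved": carve_free_space(image, d.free_blocks()),
    }


if __name__ == "__main__":
    print(demo())
```

Real filesystems allocate in larger units and keep metadata elsewhere, but the mechanism is the same: the logical copy is bounded by the directory, the physical image by the medium.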
6. Make Two Copies
• Make 2 copies of the original media
  – 1 copy becomes the working copy
  – 1 copy is a library/control copy
  – Verify the integrity of the copies against the original
• The working copy is used for the analysis
• The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted
• If performing drive-to-drive imaging (not an image file), use clean media to copy to
  – Shrink-wrapped new drives
  – Next best, zero another drive
Scott L. Ksander

Computer Forensics Certification
There are several professional groups and companies that offer forensic certification
• International Association of Computer Investigative Specialists (IACIS) offers the Certified Electronic Evidence Collection Specialist Certification (CEECS) and Certified Forensic Computer Examiner (CFCE)
• Global Information Assurance Certification Certified Forensic Analyst

References
• Scott L. Ksander, "Computer Forensics in the Campus Environment", www.purdue.edu/securepurdue/docs/ComputerForensics.ppt
• Thomson Course Technology, "Guide to Computer Forensics and Investigations, 2e", euclid.barry.edu/~zuniga/courses/cs300/ch02.ppt
• Sara Jones, "Computer Forensics", www.middlesexcc.edu/faculty/Steven.../Computer_%20Forensics.ppt
• www.cybercrime.gov
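The "3 As" slide (Acquire without altering, Authenticate the image, Analyze without modifying) and the "Make Two Copies" slide (working copy, library copy, verify each against the original) describe one procedure. The Python below is an added example covering both, not code from the slides or their sources; it uses a file copy as a stand-in for a bit-for-bit imaging tool, and the "device" file, copy names and the deliberate damage to the working copy are constructed for the demo. The source is only ever opened read-only, each copy is hashed against the original at acquisition, and the hashes are re-checked at analysis time so a damaged working copy is detected and the library copy is used instead.

```python
"""Acquire, authenticate, and keep two verified copies (added, constructed example).

The source is opened read-only and hashed (Acquire without altering), each
copy is hashed and compared with the original (Authenticate the image), and
analysis re-checks the working copy before use, falling back to the library
copy if the working copy has been damaged.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Optional


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; opening with "rb" never writes to the source."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, dest_dir: str) -> dict:
    """Make a working and a library copy of `source` and verify each against it."""
    original = hash_file(source)
    copies = {}
    for name in ("working", "library"):
        dest = os.path.join(dest_dir, f"{name}.img")
        shutil.copyfile(source, dest)   # stand-in for a bit-for-bit imaging tool
        copies[name] = {"path": dest, "verified": hash_file(dest) == original}
    return {"original_sha256": original, "copies": copies}


def usable_copy(acq: dict) -> Optional[str]:
    """Re-verify at analysis time; prefer the working copy, else the library copy."""
    for name in ("working", "library"):
        if hash_file(acq["copies"][name]["path"]) == acq["original_sha256"]:
            return name
    return None


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.raw")
        with open(source, "wb") as f:                       # constructed "media"
            f.write(bytes(range(256)) * 16 + b"\x00" * 4096)
        acq = acquire(source, tmp)
        before = usable_copy(acq)
        # Simulate an accidental write to the working copy during analysis.
        with open(acq["copies"]["working"]["path"], "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        after = usable_copy(acq)
        return {
            "all_verified": all(c["verified"] for c in acq["copies"].values()),
            "before": before,
            "after": after,
            "source_intact": hash_file(source) == acq["original_sha256"],
        }


if __name__ == "__main__":
    print(demo())
```

Recording the original's hash at acquisition, and re-hashing copies rather than trusting the "verified" flag from earlier, is what lets you later show that analysis was done on an exact duplicate and that the original was never touched.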