Computer Forensics and Advanced Topics - PowerPoint PPT Presentation
Provided by: anned158

Transcript and Presenter's Notes

1
Computer Forensics and Advanced Topics
  • Chapter 17

2
Computer Forensics
  • Application of computer science and engineering
    principles and practices to investigate
    unauthorized computer use and/or the use of a
    computer to support illegal activities
  • Computer forensics is conducted for three
    purposes:
    • Investigating and analyzing computer systems as
      related to violation of laws.
    • Investigating and analyzing computer systems for
      compliance with an organization's policies.
    • Investigating computer systems that have been
      remotely attacked.

3
Role of a Computer Forensic Specialist
  • Isolates security holes
  • Identifies modes of access
  • Detects clues for evidence of a cybercrime or
    security breach
  • Ensures maximum recovery of data and preservation
    of digital evidence

4
The Forensic Process
  • Identification of evidence
  • Collection of evidence
  • Examination of evidence
  • Analysis of evidence
  • Documentation and reporting of evidence

5
Digital Evidence
  • Digital evidence can be retrieved from computers,
    cell phones, pagers, PDAs, digital cameras, and
    any device that has memory or storage.
  • Extremely volatile and susceptible to tampering
  • Often concealed like fingerprints
  • Sometimes time sensitive

6
Digital Evidence
  • Evidence consists of documents, verbal
    statements, and material objects admissible in a
    court of law.
  • It is critical to convince management, juries,
    judges, or other authorities that some kind of
    violation has occurred.
  • If evidence will be used in court proceedings or
    actions that could be challenged legally, the
    evidence must meet these three standards:
    • Sufficiency: the evidence must be convincing or
      measure up without question.
    • Competency: the evidence must be legally
      qualified and reliable.
    • Relevancy: the evidence must be material to the
      case or have a bearing on the matter at hand.

7
Principles of Digital Evidence
  • Investigation/analysis performed on seized
    digital evidence should not change evidence in
    any form
  • Evidence should only be manipulated and analyzed
    on a copy of original source
  • Individual must be forensically competent to be
    given permission to access original digital
    evidence
  • Activity relating to seizure, access, storage, or
    transfer of digital evidence must be fully
    documented, preserved, and available for review

8
Identify Evidence
  • Mark evidence properly as it is collected so that
    it can be identified as the particular piece of
    evidence gathered at the scene.
  • Label and store evidence properly.
  • Ensure that the labels cannot be removed easily.
  • Keep a logbook.
  • Identify each piece of evidence (in case the
    label is removed).

9
Identify Evidence
  • The information should be specific enough to be
    recalled accurately later in court.
  • Log other identifying marks, such as device make,
    model, serial number, and cable configuration or
    type.
  • Note any damage to the piece of evidence.
  • It is important to be methodical while
    identifying evidence.
  • Do not collect evidence by yourself; have a second
    person witness the actions.

10
Identify Evidence
  • Protect evidence from electromagnetic or
    mechanical damage.
  • Ensure that the evidence is not tampered with,
    damaged, or compromised by the procedures used
    during the investigation.
  • Do not damage evidence; this avoids liability
    problems later.
  • Protect evidence from extremes in heat and cold,
    humidity, water, magnetic fields, and vibration.
  • Use static-free evidence protection gloves, not
    standard latex gloves.
  • Seal the evidence in a proper container with
    evidence tape.

11
Types of Evidence
  • Direct evidence is oral testimony that proves a
    specific fact, such as an eyewitness' statement.
  • Real evidence is physical evidence that links the
    suspect to the scene of a crime.
  • Documentary evidence is evidence in the form of
    business records, prints, and manuals.
  • Demonstrative evidence is used to aid the jury
    and can be in the form of a model, experiment, or
    chart, offered to prove that an event occurred.

12
Three Rules of Evidence
  • Best Evidence Rule
  • Courts prefer original evidence rather than a
    copy, to ensure no alteration of the evidence has
    occurred. For digital media this is reconciled
    with the "work only on a copy" principle by making
    a bit-for-bit image whose hash matches the
    original, so the copy can be shown to be identical.
  • Exclusionary Rule
  • The Fourth Amendment to the United States
    Constitution precludes illegal search and seizure;
    therefore, any evidence collected in violation of
    the Fourth Amendment is not admissible as evidence.
  • Hearsay Rule
  • Hearsay is second-hand evidence, i.e., evidence not
    gathered from the personal knowledge of the
    witness.

13
Guidelines for Collecting Evidence
  • While conducting the investigation, analyze
    computer storage carefully.
  • Analyze a copy of the system, not the original
    system that is evidence.
  • Use a system specially designed for forensic
    examination.
  • Conduct analysis in a controlled environment
    with:
    • Strong physical security
    • Minimal traffic
    • Controlled access

14
Guidelines for Collecting Evidence
  • Unless there are specific tools to take forensic
    images under Windows, use DOS for the imaging
    process rather than a standard Windows
    installation: a running Windows system writes to
    the disk on its own (logs, swap, timestamps), so
    booting the suspect machine into it alters the
    evidence.
  • Boot from a floppy disk or a CD carrying only the
    minimal amount of software needed, to preclude
    propagation of a virus or the inadvertent
    execution of a Trojan horse or other malicious
    program from the suspect system.
  • The same principle today means a dedicated
    forensic boot medium together with a hardware
    write blocker between the examiner's machine and
    the original media.
  • Windows can then be used to examine copies of the
    system.

15
Collecting Evidence
  • Each investigation is different. The following is
    an example of a comprehensive investigation.
  • Remove or image only one component at a time.
  • Remove the hard disk and label it; use an
    anti-static or static-dissipative wristband and
    mat before beginning the investigation.
  • Identify the disk type (IDE, SCSI, or other
    type). Log the disk capacity, cylinders, heads,
    and sectors.
  • Image the disk with a bit-level copy, sector by
    sector; this retains deleted files, unallocated
    clusters, and slack space that a file-level copy
    would miss.

16
Collection Steps
  • Make a list of all systems, software, and data
    involved, as well as evidence to be collected
  • Establish criteria for what is likely to be
    relevant and admissible in court
  • Remove external factors that may cause accidental
    modification of file system or system state
  • Perform quick analysis of external logs and IDS
    output

continued
17
Collection Steps
  • Proceed from more volatile assets to less
    volatile ones:
    • Memory
    • Registry, routing table, ARP cache, process cache
    • Network connections
    • Temporary files
    • Disk or storage device
  • Check processes running on the system
  • Copy the ARP cache, routing table, registry, and
    status of network connections
  • Capture temporary files
  • Make a byte-by-byte copy of the entire media
  • Remove and store the original media in a secure
    location
  • Do not run programs that modify files or their
    access times
  • Do not shut down until the most volatile evidence
    has been collected
  • Do not trust programs on the system
  • Document the procedure
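As an added example (not part of the slides), the following Python collector applies the three points above that matter most in practice: it runs the captures in order of volatility, refuses to execute anything resolved through the suspect system's PATH (the toolkit location /mnt/ir-tools and the tool names are assumptions), and records a timestamp and SHA-256 for every capture so the record can go into the documentation. The `run_demo` scenario substitutes the Python interpreter for the trusted tools and prints constructed output, so it runs anywhere.

```python
import hashlib
import json
import os
import subprocess
import sys
import tempfile
import time

# Assumed layout: the examiner's own statically linked tools sit on a read-only
# medium mounted at /mnt/ir-tools, so nothing installed on the suspect host runs.
TOOLKIT = "/mnt/ir-tools"

# Collection order follows the slides: most volatile first, disk image last.
VOLATILE_ORDER = [
    ("processes",   [f"{TOOLKIT}/ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("connections", [f"{TOOLKIT}/ss", "-tanp"]),
    ("arp_cache",   [f"{TOOLKIT}/ip", "neigh"]),
    ("routes",      [f"{TOOLKIT}/ip", "route"]),
    ("tmp_listing", [f"{TOOLKIT}/ls", "-la", "--time-style=full-iso", "/tmp"]),
]


def collect(steps, outdir, timeout=60):
    """Run each step in the given order, save its raw output, and return a
    manifest with timestamps and SHA-256 values for the documentation record."""
    for _, argv in steps:
        # A bare command name would be resolved through the suspect system's PATH,
        # i.e. it would run a binary the attacker may have replaced.
        if not os.path.isabs(argv[0]):
            raise ValueError(f"refusing to run {argv[0]!r}: tools must come from the trusted toolkit")
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for index, (label, argv) in enumerate(steps):
        started = time.time()
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        path = os.path.join(outdir, f"{index:02d}_{label}.txt")
        with open(path, "wb") as f:
            f.write(proc.stdout)
        manifest.append({
            "order": index,
            "label": label,
            "command": argv,
            "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
            "duration_s": round(time.time() - started, 3),
            "exit_status": proc.returncode,
            "bytes": len(proc.stdout),
            "sha256": hashlib.sha256(proc.stdout).hexdigest(),
            "file": path,
        })
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def run_demo():
    """Constructed stand-in: the interpreter plays the trusted tools and prints canned output."""
    outdir = tempfile.mkdtemp()
    fake_steps = [
        ("processes",   [sys.executable, "-c", "print('PID  CMD\\n1    /sbin/init\\n4242 /tmp/.x/agent')"]),
        ("connections", [sys.executable, "-c", "print('ESTAB 10.0.0.5:44812 203.0.113.9:4444')"]),
    ]
    return collect(fake_steps, outdir)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real host you would call `collect(VOLATILE_ORDER, outdir)` with `outdir` on your own removable media, never on the suspect disk, and image the disk only after the manifest is written.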

18
Chain of Custody
  • The chain of custody accounts for all persons who
    handled or had access to the evidence.
  • It shows who obtained the evidence, when and
    where it was obtained, where it was stored, and
    who had control or possession of the evidence.

19
Chain of Custody
  • Steps in the chain of custody are
  • Record each item collected as evidence.
  • Record who collected the evidence along with the
    date and time.
  • Document a description of the evidence.
  • Put the evidence in containers and tag the
    containers with the case number, the name of the
    person who collected it, and the date and time.

20
Chain of Custody
  • Steps in the chain of custody are (continued)
  • Record all message digest (hash) values in the
    documentation.
  • Securely transport the evidence to a protected
    storage facility.
  • Obtain a signature from the person who accepts
    the evidence at this storage facility.
  • Provide controls to prevent access to and
    compromise of the evidence while it is being
    stored.
  • Securely transport it to the court for
    proceedings.

21
Free Space vs Slack Space
  • When a user deletes a file, the file's contents
    are not actually erased.
  • Instead, the file system entry that points to the
    file's sectors (the file allocation table entry,
    in FAT) is marked as deleted, and the sectors
    become unallocated.
  • If a second, smaller file is later saved in the
    same area, it does not occupy as many sectors as
    the first file did, so a fragment of the original
    file remains on disk.
  • The sectors that still hold this fragment are
    referred to as free space because the operating
    system marks them usable when needed.
  • Once the operating system stores something else
    in such a sector, it is referred to as allocated.
  • Unallocated sectors still contain the original
    data until the operating system overwrites them.

22
Free Space vs Slack Space
  • When a file is saved to storage media, the
    operating system allocates space in fixed-size
    units (clusters or blocks), each made up of one or
    more disk sectors.
  • The allocation unit size is the same across a
    given volume.
  • Even if a file contains only 10 characters, the
    operating system will allocate a full unit of,
    say, 1,024 bytes; the space left over between the
    end of the file and the end of that unit is slack
    space.

23
Free Space vs Slack Space
  • It is possible for a user to hide malicious code,
    tools, or clues in slack space, as well as in free
    space, because ordinary file-level tools never
    read either.
  • Slack space may also still contain data from files
    that previously occupied the same physical sectors
    on the drive.
  • Therefore, an investigator should review slack
    space and unallocated space with utilities that
    display the raw contents of these areas, not just
    the files the file system reports.
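As an added example (not part of the slides), the following Python toy volume reproduces the behaviour slides 21 to 23 describe and then reads it back the way an examiner would: a 1,500-byte note is written across two 1,024-byte clusters, "deleted", and partly overwritten by a 10-byte file, after which the slack of the new file and the unallocated cluster are carved for printable strings. The cluster size, the note text and the file names are constructed for the example; real file systems differ in how much of the slack they zero on write, and the toy keeps all of it to show the worst case.

```python
import string

CLUSTER = 1024       # allocation unit size for the toy volume (the slides' example value)
NUM_CLUSTERS = 8
# Bytes a strings-style carver treats as text: printable ASCII minus control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


class ToyDisk:
    """A tiny cluster-based volume: deleting a file only releases its clusters,
    and writing a short file does not clear the rest of the cluster it lands in."""

    def __init__(self):
        self.media = bytearray(NUM_CLUSTERS * CLUSTER)
        self.alloc = [None] * NUM_CLUSTERS   # cluster index -> owning file name, or None
        self.files = {}                      # name -> (cluster list, logical size)

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER))   # ceiling division
        free = [i for i, owner in enumerate(self.alloc) if owner is None]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            start = c * CLUSTER
            self.media[start:start + len(chunk)] = chunk   # only the file's own bytes are written
            self.alloc[c] = name
        self.files[name] = (clusters, len(data))

    def delete_file(self, name):
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.alloc[c] = None             # pointer dropped; the data stays on the media

    # --- what the file system shows versus what the examiner reads ---
    def _cluster(self, c):
        return bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])

    def read_file(self, name):
        clusters, size = self.files[name]
        return b"".join(self._cluster(c) for c in clusters)[:size]

    def slack_space(self, name):
        """Bytes between the logical end of a file and the end of its last cluster."""
        clusters, size = self.files[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        return self._cluster(clusters[-1])[used_in_last:]

    def unallocated_space(self):
        return b"".join(self._cluster(c) for c, owner in enumerate(self.alloc) if owner is None)


def carve_strings(blob, min_len=8):
    """Pull printable ASCII runs of at least min_len bytes out of raw media."""
    found, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found


def run_demo():
    disk = ToyDisk()
    # Constructed evidence: a 1,500-byte note that spans two clusters.
    note = (b"MEETING NOTE: transfer funds via account 4471 on Friday. " * 30)[:1500]
    disk.write_file("plan.txt", note)
    disk.delete_file("plan.txt")                     # the user 'deletes' it
    disk.write_file("readme.txt", b"hello disk")     # a 10-byte file reuses the first cluster
    return {
        "readme": disk.read_file("readme.txt"),
        "slack_len": len(disk.slack_space("readme.txt")),
        "slack_strings": carve_strings(disk.slack_space("readme.txt")),
        "unalloc_strings": carve_strings(disk.unallocated_space()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, ":", value if not isinstance(value, list) else [s[:60] + "..." for s in value])
```

Reading readme.txt through the file system returns only its 10 bytes; the other 1,014 bytes of its cluster, and the whole second cluster of the deleted note, are only visible by reading the media directly.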

24
Education and Training
  • One of the most cost-effective tools in computer
    security
  • Knowledge of systems documentation
  • Knowledge of security procedures
  • Availability of resources and references
  • Loose lips sink ships
  • Clearly delineate information that may never be
    divulged over the phone

25
Education and Training
  • Require proof of positive identity
  • Purpose of training and awareness program
  • Agency security appointments and contacts
  • Contacts and action in the event of a real or
    suspected security incident
  • Legitimate use of system accounts
  • Access and control of system media

continued
26
Education and Training
  • Destruction and sanitization of media and hard
    copies
  • Security of system accounts (including sharing of
    passwords)
  • Authorization for applications, databases, and
    data
  • Use of the Internet, the Web, and e-mail