Provided by: smtaylorO2
1
Chapter 18 FORENSIC SCIENCE ON THE INTERNET
2
Introduction
  • The Internet, often referred to as the
    information superhighway, has opened a medium
    for people to communicate and to access millions
    of pieces of information from computers located
    anywhere on the globe.
  • No subject or profession remains untouched by the
    Internet, and this is also true for forensic
    science.
  • A major impact of the Internet will be to bring
    together forensic scientists from all parts of
    the world, linking them into one common
    electronic community.

THE INTERNET
3
A Network of Networks
  • The Internet can be defined as a network of
    networks.
  • A single network consists of two or more
    computers that are connected to share
    information.
  • The Internet connects thousands of these networks
    so all of the information can be exchanged
    worldwide.
  • Connections can be made through a modem, a device
    that allows computers to exchange and transmit
    information through telephone lines.
  • Higher speed broadband connections are available
    through cable lines or through DSL telephone
    lines.

4
A Network of Networks
  • Computers can be linked or networked through wire
    or wireless (Wi-Fi) connections.
  • Computers that participate in the Internet have a
    unique numerical Internet Protocol (IP) address
    and usually a name.

5
The World Wide Web
  • The most popular area of the Internet is the
    World Wide Web.
  • It is considered a collection of pages stored in
    the computers connected to the Internet
    throughout the world.
  • Web browsers allow the user to explore
    information stored on the Web and to retrieve Web
    pages the viewer wishes to read.

6
The World Wide Web
  • Several directories and indexes on the Internet,
    known as search engines, are available to assist
    the user in locating a particular topic from the
    hundreds of thousands of web sites located on the
    Internet.
  • Commercial Internet service providers connect
    computers to the Internet while offering the user
    an array of options.
  • A keyword or phrase entered into a search engine
    will locate sites on the Internet that are
    relevant to that subject.

7
Electronic Mail (e-Mail)
  • The service that is most commonly used in
    conjunction with the Internet is electronic mail
    (e-mail).
  • This communication system can transport messages
    across the world in a matter of seconds.
  • Extensive information relating to forensic
    science is available on the Internet.
  • The types of Web pages range from simple
    explanations of the different fields of forensics
    to intricate details of forensic science
    specialties.

8
Forensic Analysis of the Internet
  • It is important from the investigative standpoint
    to be familiar with the evidence left behind from
    a user's Internet activity.
  • A forensic examination of a computer system will
    reveal quite a bit of data about a user's
    Internet activity.
  • The data described on the next few slides would
    be accessed and examined utilizing the forensic
    techniques outlined in Chapter 17.

9
Internet Cache
  • Evidence of Internet web browsing typically
    exists in abundance on the user's computer.
  • Most web browsers (Internet Explorer, Netscape,
    and Firefox) utilize a system of caching to
    expedite web browsing and make it more efficient.
  • This web browsing Internet cache is a potential
    source of evidence for the computer investigator.
  • Portions of, and in some cases, entire visited
    web pages can be reconstructed.
  • Even if deleted, these cached files can often be
    recovered.

10
Internet Cookies
  • To appreciate the value of a cookie you must
    first understand how it gets onto the computer
    and its intended purpose.
  • Cookies are placed on the local hard disk drive
    by the web site the user has visited.
  • This is, of course, if the particular web browser
    being used is set to allow this to happen.
  • A cookie is used by the web site to track certain
    information about its visitors.
  • This information can be anything from history of
    visits or purchasing habits, to passwords and
    personal information used to recognize the user
    for later visits.

11
Internet History
  • Most web browsers track the history of web page
    visits for the computer user.
  • This is probably done merely as a matter of
    convenience.
  • Like the recent calls list on a cell phone, the
    Internet history provides an accounting of sites
    most recently visited, with some storing weeks'
    worth of visits.
  • Users have the ability to go back and access
    sites they most recently visited, just by
    accessing them through the browser's history.
  • The history file can be located and read with
    most popular computer forensic software packages.

12
Bookmarks and Favorite Places
  • Another way users can access websites quickly is
    to store them in their bookmarks or favorite
    places.
  • Like a pre-set radio station, Internet browsers
    allow a user to bookmark websites for future
    visits.
  • A lot can be learned from the bookmarked sites of
    a person. Perhaps you might learn what online
    news a person is interested in or what type of
    hobbies he/she has.
  • You may also see that person's favorite child
    pornography or computer hacking sites bookmarked.

13
Internet Communications
  • Computer investigations often begin or are
    centered around Internet communication.
  • It may be:
      • A chat conversation amongst many people
      • An instant message conversation between just two
        individuals
      • Or the back and forth of an e-mail exchange
  • Human communication has long been a source of
    evidentiary material.
  • Regardless of the type, investigators are
    typically interested in communication.

14
Value of the IP address
  • In our earlier discussion, it was stated that in
    order to communicate on the Internet a device
    needs to be assigned an Internet Protocol (IP)
    address.
  • The IP address is provided by the Internet
    service provider from which the device accesses
    the Internet.
  • Thus it is the IP address that might lead to the
    identity of a real person.
  • If an IP address is the link to the identity of a
    real person, then it would quite obviously be
    very valuable for identifying someone on the
    Internet.

15
IP Address Locations
  • IP addresses are located in different places for
    different mediums of communication.
  • E-Mail will have the IP address in the header
    portion of the mail.
  • This may not be readily apparent and may require
    a bit of configuration to reveal.
  • Each e-mail client is different and needs to be
    evaluated on a case-by-case basis.
  • In the case of an instant message or chat
    session, the particular provider (the one
    providing the mechanism of chat: AOL, Yahoo, etc.)
    would be contacted to provide the user's IP
    address.
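
An added example (not part of the original presentation) of reading the IP addresses recorded in an e-mail header: each relay prepends a `Received` line, so the chain is read from the bottom up. The message, host names and addresses are constructed; lines written before the first relay the examiner trusts come from the sender's side and can be forged, so the result is a lead to confirm with the provider.

```python
import email
import ipaddress
import re

# Constructed message: every host name and address is a documentation value.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.25])
\tby store.recipient.example with ESMTP id A1; Tue, 02 Jan 2024 10:00:05 +0000
Received: from smtp.isp.example (smtp.isp.example [203.0.113.10])
\tby mx.recipient.example with ESMTP id B2; Tue, 02 Jan 2024 10:00:03 +0000
Received: from [192.168.1.23] (cust-7.isp.example [203.0.113.77])
\tby smtp.isp.example with ESMTPSA id C3; Tue, 02 Jan 2024 10:00:01 +0000
From: sender@isp.example
Subject: constructed example

"""

BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
# RFC 1918 and loopback ranges: not routable, so no ISP can map them to a subscriber.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_hops(raw_message):
    """Return the relay hops oldest-first as dicts {'by': host, 'ips': [str]}."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Every relay prepends its own Received line, so the last one is the oldest.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())          # undo header folding
        from_part = text.split(" by ", 1)[0]     # what this relay saw connecting
        ips = []
        for candidate in BRACKETED_IP.findall(from_part):
            try:
                ips.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass                             # bracketed text that is not an IP
        by = re.search(r"\bby (\S+)", text)
        hops.append({"by": by.group(1) if by else None, "ips": ips})
    return hops

def candidate_origin(raw_message):
    """Oldest routable address in the chain, or None if there is none."""
    for hop in received_hops(raw_message):
        for ip in hop["ips"]:
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
                return ip
    return None
```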

16
Difficulty with IP Addresses
  • Finding IP addresses may be difficult.
  • E-mail can be read through a number of clients or
    software programs.
  • Most accounts offer the ability to access e-mail
    through a web-based interface as well.
  • Often the majority of chat and instant message
    conversations are not saved by the parties
    involved.
  • Each application needs to be researched and the
    computer forensic examination guided by an
    understanding of how it functions.

17
Hacking
  • Unauthorized computer intrusion, more commonly
    referred to as hacking, is the concern of every
    computer administrator.
  • Hackers penetrate computer systems for a number
    of reasons.
  • Sometimes the motive is corporate espionage and
    other times it is merely for bragging rights
    within the hacker community.
  • Most commonly though, it is a rogue or
    disgruntled employee, with some knowledge of the
    computer network, who is looking to cause damage.
  • Regardless of the motivation, corporate America is
    frequently turning to law enforcement to
    investigate and prosecute these cases.

18
Locations of Concentration
  • Generally speaking, when investigating an
    unauthorized computer intrusion, investigators
    will concentrate their efforts in three
    locations:
      • Log files
      • Volatile memory
      • Network traffic

19
Logs
  • Logs will typically document the IP address of
    the computer that made the connection.
  • Logs can be located in several locations on a
    computer network.
  • Most servers that exist on the Internet track
    connections made to them through the use of logs.
  • Additionally, the router (the device responsible
    for directing data) might contain log
    files detailing connections.
  • Similarly, devices known as firewalls might
    contain log files which list computers that were
    allowed access to the network or an individual
    system.
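
An added example (not part of the original presentation) that pulls the connecting IP address out of firewall, SSH server and web server logs and merges the entries for one address into a single timeline. The log lines are constructed and abbreviated, and the year and UTC time zone applied to the syslog-style lines are assumptions an examiner would have to verify against the source systems.

```python
import re
from datetime import datetime, timezone

# Constructed, abbreviated log lines; all addresses are documentation values.
LOGS = {
    "firewall": [
        "Jan  2 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22",
        "Jan  2 10:03:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443",
    ],
    "sshd": [
        "Jan  2 10:00:02 srv sshd[811]: Failed password for root from 203.0.113.77 port 40112 ssh2",
        "Jan  2 10:00:09 srv sshd[811]: Accepted password for root from 203.0.113.77 port 40112 ssh2",
    ],
    "web": [
        '198.51.100.7 - - [02/Jan/2024:10:03:11 +0000] "GET / HTTP/1.1" 200 5120',
        '203.0.113.77 - - [02/Jan/2024:10:04:40 +0000] "POST /upload HTTP/1.1" 201 64',
    ],
}
SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) "
PATTERNS = {
    "firewall": re.compile(SYSLOG_TS + r".*\bSRC=(?P<ip>[\d.]+) .*\bDPT=(?P<what>\d+)"),
    "sshd": re.compile(SYSLOG_TS + r".*sshd\[\d+\]: (?P<what>Failed|Accepted) .* from (?P<ip>[\d.]+)"),
    "web": re.compile(r'(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<what>[A-Z]+ \S+)'),
}


def parse_time(source, ts, year):
    """Normalize both timestamp styles to timezone-aware datetimes."""
    if source == "web":
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Syslog lines carry no year or zone: both are assumptions to verify.
    naive = datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def timeline(logs, ip, year):
    """Every event attributed to `ip` across all sources, in time order."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            m = PATTERNS[source].match(line)
            if m and m["ip"] == ip:
                events.append((parse_time(source, m["ts"], year), source, m["what"]))
    return sorted(events)
```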

20
Use of Volatile Data
  • Many times, in cases of unlawful access to a
    computer network, some technique is used by the
    perpetrator to cover the tracks of his IP
    address.
  • Advanced investigative techniques might be
    necessary to discover the true identity.
  • Where an intrusion is in progress, the
    investigator might have to capture volatile data
    (data in RAM).
  • The data existing in RAM at the time of an
    intrusion may provide valuable clues into the
    identity of the intruder, or at the very least
    the method of attack.
  • As in the case of the instant message or chat
    conversation, the data that exists in RAM needs
    to be acquired.

21
An Additional Standard Tactic
  • Another standard tactic for investigating
    intrusion cases is documenting all programs
    installed and running on a system.
  • By doing this the investigator might discover
    malicious software installed by the perpetrator
    to facilitate entry.
  • This is accomplished utilizing specialized
    software designed to document running processes,
    registry entries, and any installed files.

22
Live Network Traffic
  • The investigator may want to capture live network
    traffic as part of the evidence collection and
    investigation process.
  • Traffic that travels the network does so in the
    form of data packets.
  • In addition to containing data these packets also
    contain source and destination IP addresses.
  • If the attack requires two-way communication, as
    in the case of a hacker stealing data, then the
    data needs to be transmitted back to the hacker's
    computer.

23
The Destination IP Address
  • To get there, the destination IP address is
    needed.
  • Once this is learned, the investigation can focus
    on that system.
  • Moreover, the type of data that is being
    transmitted on the network may be a clue as to
    what type of attack is being launched, if any
    important data is being stolen, or types of
    malicious software, if any, that are involved in
    the attack.
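
An added example (not part of the original presentation) of the point made on the last two slides: it reads the source and destination addresses from raw IPv4 packet headers and totals the bytes the examined host sent to each destination. The capture is constructed with documentation addresses, `build_ipv4` exists only to create that test input, and `payload_len` counts everything after the IP header.

```python
import socket
import struct
from collections import Counter

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte part of the IPv4 header


def build_ipv4(src, dst, payload_len):
    """Constructed test input: 20-byte header (checksum left 0) plus zero payload."""
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + bytes(payload_len)


def parse_ipv4(packet):
    """Return source, destination and payload size of one raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or not header_len <= total_len <= len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload_len": total_len - header_len}


def bytes_by_destination(packets, local_host):
    """Payload bytes sent by local_host, totalled per destination, largest first."""
    totals = Counter()
    for packet in packets:
        try:
            info = parse_ipv4(packet)
        except ValueError:
            continue                      # skip captured data that does not parse
        if info["src"] == local_host:
            totals[info["dst"]] += info["payload_len"]
    return totals.most_common()


# Constructed capture: 192.0.2.10 is the examined host (documentation addresses).
CAPTURE = ([build_ipv4("192.0.2.10", "203.0.113.50", 1400)] * 3 +
           [build_ipv4("192.0.2.10", "198.51.100.7", 120),
            build_ipv4("203.0.113.50", "192.0.2.10", 40),
            b"\x45\x00"])
```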
