IT430 Information Assurance - PowerPoint PPT Presentation

Slides: 11
Provided by: comp156
Transcript and Presenter's Notes

1
IT430 Information Assurance
  • Lesson 20 Digital Forensics

2
Digital Forensics
  • Application of scientific techniques for
    investigating, finding, preserving and exploiting
    information stored or transported on computers
  • Identification, extraction, documentation,
    interpretation
  • Automate as much as possible, but you still need
    the human in the loop

3
Digital Forensics
  • Isn't it amazing that CSI can identify and solve
    the case in less than an hour and still have time
    for commercials?

Digital Forensics Tedious Work
4
Why Digital Forensics?
  • Crimes
  • Identify, Solve and Most Importantly Prosecute
  • Traffic Identification
  • Log / Application / Traffic Analysis
  • What were they doing on that computer?

5
Computer Crimes
  • Two Categories
      • Computer used to conduct the crime
          • Child Pornography, Threatening Letters, Fraud,
            Embezzlement, Theft of Intellectual Property
      • Computer as the target of the crime
          • Incident Response
          • Security Breach

6
What is Digital Evidence?
  • Bytes
  • Files
      • Present
      • Deleted
      • Encrypted
  • Fragments of Files
  • Words, Sentences

7
Where do we find it?
  • Storage Media
  • RAM
  • Log Files

8
Process
  • Acquire
      • Chain of Custody
  • Authenticate
      • Prove the evidence is indeed what the criminal
        left behind
  • Analyze
      • What's the goal?
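
Added example (not part of the original slides): one common way to carry out the Acquire, Chain of Custody and Authenticate steps is to record a SHA-256 digest of the evidence at acquisition, log every hand-off, and re-check the digest before analysis. The digest approach, the function names and the sample image are assumptions of this example; the slides name no specific technique.

```python
# Assumption: SHA-256 digests implement "Authenticate"; the slides name no method.
import hashlib, io, json
ZERO = "0" * 64  # "previous hash" used by the first custody entry

def sha256_stream(stream, chunk=1 << 20):
    """Hash evidence in chunks so a large disk image never has to fit in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def custody_entry(log, when, actor, action, evidence_sha256):
    """Append a hand-off record; each record's hash covers the previous one."""
    body = {"when": when, "actor": actor, "action": action,
            "evidence_sha256": evidence_sha256,
            "prev": log[-1]["entry_hash"] if log else ZERO}
    log.append({**body, "entry_hash": _entry_hash(body)})

def verify(log, stream):
    """Check the custody log chain, then the evidence against the acquisition digest."""
    if not log:
        return False, "empty custody log"
    prev = ZERO
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
            return False, f"custody log altered at entry {i}"
        prev = e["entry_hash"]
    if sha256_stream(stream) != log[0]["evidence_sha256"]:
        return False, "evidence differs from acquisition digest"
    return True, "evidence and custody log intact"

def demo():
    image = b"\x00" * 512 + b"constructed sample image"  # constructed, not real evidence
    log, digest = [], sha256_stream(io.BytesIO(image))
    custody_entry(log, "2024-01-01T09:00Z", "examiner_a", "acquired", digest)
    custody_entry(log, "2024-01-02T10:00Z", "examiner_b", "received", digest)
    intact = verify(log, io.BytesIO(image))
    changed_image = verify(log, io.BytesIO(image[:-1] + b"X"))
    log[0]["actor"] = "someone_else"  # simulate an edited custody record
    changed_log = verify(log, io.BytesIO(image))
    return intact, changed_image, changed_log

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

A hash-chained log only exposes edits if the latest entry hash is also recorded somewhere the editor cannot rewrite, such as a signed or printed custody form.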

9
Things to Look For
  • Logs / Traffic Analysis
  • Use Patterns
  • Encrypted Files
  • Temp Files
  • Documents, Pictures
  • Steganography
      • No, not stenography!

10
? Nothing Tedious Here ?
  • Digital Forensics Made to Look Cool