Computer Forensics - PowerPoint PPT Presentation

1
Computer Forensics
  • The Legal Side of Incident Response
  • Ioanna Kantzavelou
  • Technological Educational Institution - TEI of
    Athens
  • Department of Informatics
  • Symposium on Innovation of Computer Science
    Curriculum in Higher Education
  • February 2004

2
Outline at a Glance
  • The Incident Response area
  • Computer Forensics
  • Definition and meaning
  • Main principles
  • Requirements
  • Roadmap
  • Conclusion and Future Work
  • Resources

3
Incidents
  • Incident: any security relevant adverse event
    that might threaten the security of a computer
    system or a network.
  • An event must have observable and recordable
    characteristics, e.g.
      • the connection to a system via a network,
      • the file access,
      • a system shutdown, etc.
  • Adverse events:
      • system crashes,
      • packet flooding within a network,
      • unauthorized use of another user's account,
      • defacement of a web page,
      • execution of malicious code,
      • floods, fires, electrical outages, etc.

4
Types of Incidents
  • Most incidents point towards
      • Confidentiality,
      • Integrity, or
      • Availability.
  • Different types of incidents:
      • reconnaissance,
      • repudiation,
      • harassment,
      • extortion,
      • pornography trafficking,
      • organized crime activity,
      • subversion,
      • hoaxes, etc.

5
Incident Response
  • Incident Response is a new field with goals
    similar to those of IT Security.
  • Scope: to negate or minimize the impact of an
    incident, reacting by taking certain actions.
  • It can be used to restore confidentiality,
    integrity, and availability.
  • A particularly important part of the legal side of
    incident response is the area of forensics.

6
Computer Forensics meaning
  • Forensic (adj.)
      • belonging to courts of law and used in law
        pleading.
      • It relates to sciences or scientists connected
        with legal investigations.
  • Forensics (n.)
      • the art or study of public debate.
  • Forensics
      • any systematic or scientific examination of
        evidence in the investigation of a crime.
  • Computer forensics
      • (cyber-forensics), the detailed examination of
        computer systems in an investigation.

7
CF scope and characteristics
  • Scope: the collection and search of specific data
    that will serve as acceptable evidence in a court
    of law.
  • Computer Forensics deals with
      • storage media (e.g. hard disks),
      • the examination and analysis of network logs.
  • It is the most repeatable and scientific process.
  • An expert follows a step-by-step methodology,
    preserving the integrity of the evidence.
  • This methodology does not vary substantially
    between different investigations and technologies.

8
Main Principles
  • Scope: to protect the investigator, the evidence,
    and the accused party and his/her rights.
  • Principles regarding ethics
      • The investigator must have the authority to seize
        and search a computer.
      • The search should have clearly defined goals.
  • Principles regarding the process
      • A set of rules eliminates the possibility of
        tampering with evidence.
      • Guidelines assist the maintenance of these rules.

9
Rules to prevent tampering with evidence
  • Rule 1. The examination should never be performed
    on the original media.
  • Rule 2. The copy is made onto forensically
    sterile media. New media should always be used if
    available.
  • Rule 3. The copy of the evidence must be an
    exact, bit-by-bit copy.
  • Rule 4. The computer and the data on it must be
    protected during the acquisition of the media to
    ensure that the data is not modified.
  • Rule 5. The examination must be conducted in such
    a way as to prevent any modification of the
    evidence.
  • Rule 6. The chain of custody of all evidence
    must be clearly maintained to provide an audit
    log of who might have accessed the evidence and
    at what time.

10
CF Requirements
  • An Incident Response team (Computer Incident
    Advisory Capability - CIAC, Computer Emergency
    Response Team Coordination Center - CERT/CC,
    etc.), or an individual expert, who must be
      • trained in the use of a wide range of forensic
        tools,
      • able to clearly understand the scope of the
        investigation, and
      • able to plan the examination step-by-step.
  • Hardware
      • Build a forensics machine from scratch, or
      • buy a ready-made machine from vendors.
  • Software (generally accepted software tools)
      • Media acquisition tools
      • Searching tools
      • Integrated suites

11
Roadmap
  • Data Acquisition
  • Examination
      • Conducts technical analysis to identify objects.
      • Evaluates content as evidence.
      • Determines relevance (the chain of custody
        problems).
  • Results Presentation → Evidence

12
Media Acquisition Tools
  • Acquisition objectives
      • the software must produce an exact, bit-by-bit
        copy, and
      • the software must not modify the original data in
        any way.
  • Hardware-copying devices
  • Disk-cloning software (e.g. DriveCopy,
    www.powerquest.com)
  • Safeback (www.forensics-inintl.com), certifies
    that the copy is an exact, bit-by-bit copy of the
    original.
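The acquisition objectives above and Rules 1 to 6 from the earlier slide can be demonstrated together: copy the original read-only onto fresh media, prove the copy is bit-for-bit by comparing hashes, and append a chain-of-custody record. This is an added example written for this page, not the presentation's own material or any of the named products; the examiner name, file names and the fake "media" it creates in a temporary directory are all constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
BLOCK = 4096  # read/write granularity; every byte is copied, so the image is bit-for-bit

def sha256_file(path):
    """Hash a file block by block so large media never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_media(source, image):
    """Rules 1-4: open the original read-only and write every byte to a fresh target."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x" refuses existing files
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    return os.path.getsize(image)

def verify_image(source, image):
    """Rule 3: the copy counts as exact only if both hashes match."""
    return sha256_file(source) == sha256_file(image)

def custody_entry(log_path, examiner, action, item, digest):
    """Rule 6: append who handled which item, what they did, its hash and when."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item": item, "sha256": digest}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def acquire_demo():
    """Constructed run: fake media in a temp dir, image it, verify, log, then tamper."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "suspect.bin"), os.path.join(work, "suspect.dd")
    with open(source, "wb") as f:                 # constructed sample media
        f.write(b"HEADER" + os.urandom(10000) + b"\x00" * 777)
    copied = image_media(source, image)
    exact = verify_image(source, image)
    entry = custody_entry(os.path.join(work, "custody.log"), "examiner-1",
                          "acquired image", image, sha256_file(image))
    with open(image, "r+b") as f:                 # one changed byte must be detected
        f.seek(3); f.write(b"X")
    still_exact = verify_image(source, image)
    shutil.rmtree(work)
    return copied, exact, still_exact, entry
```

On real media the source would be a block device opened read-only (ideally behind a hardware write blocker), and the recorded hash is what lets a court later confirm the image examined is the one acquired.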

13
Searching Tools
  • Searching requirements
      • A capable search tool that does not modify data.
      • A careful plan on what to search for.
  • File Viewers (e.g. Norton Utilities).
  • Dedicated File Viewers (e.g. QuickView Plus).
  • Disk Editors (e.g. Norton Disk Editor).
  • Hex Editors.
  • The file search capability within Windows.
  • The grep utility (UNIX and Windows NT).
  • Specialized search tools for law enforcement use
    to search and categorize images (pornography on
    seized systems).
  • DiskSearch Pro (www.forensics-intl.com), a text
    search program.

14
Integrated Suites
  • Integrated software suites provide the
    capability
      • to acquire data,
      • to perform searches,
      • to produce reports.
  • Byte Back (www.toolsthatwork.com)
  • DriveSpy (www.digitalintel.com)
  • EnCase (www.guidancesoftware.com)
  • Expert Witness (www.asrdata.com)

15
Data Acquisition
  • The U.S. Justice Department has defined
    guidelines for search and seizure of electronic
    evidence.
  • The basic rules are
      • Document everything that the investigator does.
      • Take all appropriate steps to ensure that the
        evidence itself is not compromised in any way
        during the acquisition.
  • (cont.)

16
Data Acquisition
  • Steps to preserve the evidence and provide the
    investigator with any required data:
      • Secure the physical area
      • Shut down the system
      • Secure the system
      • Prepare the system
      • Examine the system
      • Prepare the system for acquisition
      • Connect the target media
      • Copy the media
      • Secure the evidence

17
Examination
  • Examining the evidence is not straightforward.
  • Plan what items to search for.
  • Narrow the search to an acceptable scope.
  • Define what constitutes a successful (or
    unsuccessful) conclusion.
  • Recover deleted files, because data might be found
    in file fragments or file slack.
  • Image files, which are often highly compressed,
    are especially difficult to reconstruct.
  • Certain OS components might contain crucial
    evidence (e.g. the Windows Registry, event log
    files).
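The point about file slack and deleted fragments, combined with the grep-style text search from the Searching Tools slide, can be shown on a constructed image: a keyword that no live file contains is still recoverable from the tail of a file's last cluster and from an unallocated cluster. This is an added example written for this page, not the presentation's own material; the 512-byte cluster size, the file layout and the keyword are constructed assumptions.

```python
import re

CLUSTER = 512  # allocation unit of the constructed file system image

def clusters_for(size, cluster=CLUSTER):
    """Number of whole clusters a file of this logical size occupies."""
    return -(-size // cluster)

def slack_regions(files, cluster=CLUSTER):
    """File slack: bytes between a file's logical end and the end of its last cluster."""
    regions = []
    for name, start, size in files:
        end = start * cluster + size
        slack = (start + clusters_for(size, cluster)) * cluster - end
        if slack:
            regions.append((name + " (slack)", end, slack))
    return regions

def unallocated_regions(files, total_clusters, cluster=CLUSTER):
    """Clusters no live file owns; fragments of deleted files survive here."""
    used = {c for _, start, size in files
            for c in range(start, start + clusters_for(size, cluster))}
    return [("unallocated", c * cluster, cluster)
            for c in range(total_clusters) if c not in used]

def search_regions(image, regions, pattern):
    """grep-style search limited to the given (label, offset, length) byte ranges."""
    rx = re.compile(pattern)
    return [(label, off + m.start(), m.group().decode("latin-1"))
            for label, off, length in regions
            for m in rx.finditer(image[off:off + length])]

def slack_demo():
    """Constructed 8-cluster image: stale data everywhere, two live files written over it."""
    image = bytearray(b"old_" * (8 * CLUSTER // 4))
    files = [("fileA.txt", 0, 700), ("fileB.txt", 2, 512)]  # (name, first cluster, size)
    image[0:700] = b"A" * 700
    image[1024:1536] = b"B" * 512
    image[800:812] = b"CONFIDENTIAL"    # survives in fileA's slack (bytes 700..1023)
    image[2000:2012] = b"CONFIDENTIAL"  # survives in unallocated cluster 3
    image = bytes(image)
    live = [(n, s * CLUSTER, sz) for n, s, sz in files]
    hidden = slack_regions(files) + unallocated_regions(files, 8)
    return (search_regions(image, live, rb"CONFIDENTIAL"),
            search_regions(image, hidden, rb"CONFIDENTIAL"))
```

A search over live file contents alone returns nothing; only the slack and unallocated regions yield the keyword, which is why an examination works on the full image rather than the mounted file system.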

18
Limitations
  • A forensics examination can, at best, identify
    the computer involved in an incident.
  • Placing a specific person at that computer is
    extremely difficult without additional evidence.
  • Finding evidence that a computer was used to
    access other systems is much more difficult.
  • A forensics examination that does not also
    involve other corroborating evidence sources
    cannot be conclusive.
  • A skilful user makes the examiner's job
    difficult, if not impossible.

19
Conclusion and Future Work
  • Forensics is an extremely valuable tool in the
    investigation of computer security incidents.
  • Considerable legal issues arise when
    investigating computer systems.
  • Intrusion Detection might support Computer
    Forensics in the future, and vice versa.

20
Resources
  • Eoghan Casey (ed.), Computer Crime Investigation:
    Forensic Tools and Technology, Academic Press,
    2002.
  • E. Eugene Schultz and Russell Shumway, Incident
    Response: A Strategic Guide to Handling System
    and Network Security Breaches, New Riders, 2002.
  • Warren G. Kruse II and Jay G. Heiser, Computer
    Forensics: Incident Response Essentials,
    Addison-Wesley, 2001.
  • G. Mohay, A. Anderson, B. Collie, O. de Vel and
    R. McKemmish, Computer and Intrusion Forensics,
    Computer Security Series, Artech House
    Publishers, 2003.
  • U.S. Justice Department, Searching and Seizing
    Computers and Obtaining Electronic Evidence,
    www.usdoj.gov/criminal/cybercrime/searchmanual.htm

21
Thank you very much!