Computer Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Forensics

Description:

Resolves question about accuracy of evidence. 9/3/09. NAU/CBA CIS 460, ... Inspects outcome of examination. Examines evidence for significance and value. 9/3/09 ... – PowerPoint PPT presentation

Slides: 19
Provided by: jomae

Transcript and Presenter's Notes



1
Computer Forensics
  • Campbell, Calvert, Boswell, Chapter 17

2
Overview
  • Digital evidence
  • Forensic process
  • Risk management
  • Education and training
  • Auditing
  • Documentation

3
Computer Forensics
  • Instances of unauthorized access or use occur
  • Forensics provides a structured approach to
    studying a system breach and the extent of damage
  • Benefits
      • Identify method
      • Prevent reoccurrence
      • Recover from damages
      • Catch culprit
      • Prosecute culprit

4
Digital Evidence
  • Information stored or transmitted by electronic
    system
  • Extremely volatile
  • Susceptible to tampering
  • Often concealed
  • Sometimes time sensitive

5
Principles of Digital Evidence
  • Investigation and analysis should not change
    evidence
  • Use copy to do analysis
  • Leave actual violated data and hardware intact
  • Investigator should be competent to perform
    forensic work
  • All activities relating to digital evidence must
    be documented

6
Forensic Process
  • Prepare evidence
  • Collect evidence
  • Authenticate evidence
  • Examine evidence
  • Analyze evidence
  • Document and report investigation activities

7
Prepare Evidence
  • Before breach happens
  • Make investigation easier
  • Prepare toolkit, such as data sniffer software,
    Ghost, Norton Utilities, and numerous other
    backup and analysis software
  • Requires experience with
      • Network function
      • Intrusion detection techniques
      • Logging
      • Operating systems configuration

8
Collect Evidence
  • Collect real time and stored data
  • Take precautions not to lose data at the scene
  • Document evidence collected

9
Authenticate Evidence
  • Generation of mathematical validation codes of
    collected evidence
  • Resolves question about accuracy of evidence
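
In practice the validation codes on this slide are cryptographic hashes. The following is an added example, not part of the presentation, assuming SHA-256 and constructed file names and examiner ID: it hashes the original while making the working copy, records the digest, and shows that a one-byte change to the copy fails verification.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large images never sit in memory


def digest(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, working_copy, examiner):
    """Copy the evidence once, hashing the exact bytes read from the original."""
    h = hashlib.sha256()
    with open(original, "rb") as src, open(working_copy, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    # Custody record: who acquired what, when, and the digest to check against.
    return {"source": os.path.basename(original), "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "bytes": os.path.getsize(original), "sha256": h.hexdigest()}


def verify(path, record):
    """True only if the file still matches the digest taken at acquisition."""
    return digest(path) == record["sha256"]


def demo():
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "evidence.img")   # constructed sample evidence
        copy = os.path.join(d, "working.img")    # analysis is done on this copy
        with open(orig, "wb") as f:
            f.write(b"constructed sample evidence\n" * 1000)
        rec = acquire(orig, copy, "examiner-01")  # examiner ID is hypothetical
        ok_before = verify(copy, rec) and verify(orig, rec)
        with open(copy, "r+b") as f:              # simulate accidental alteration
            f.seek(10)
            f.write(b"X")
        return rec, ok_before, verify(copy, rec), verify(orig, rec)


if __name__ == "__main__":
    print(demo())
```
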

10
Examine Evidence
  • Helps to make evidence visible
  • Explain origin and significance of evidence
  • Documents components of captured evidence
  • Search evidence that is hidden or obscured

11
Analyze Evidence
  • Inspects outcome of examination
  • Examines evidence for significance and value

12
Document and Report
  • On-going process throughout investigation
  • Type and format depend on intended use
      • Avoid future breach
      • Criminal prosecution

13
Risk Management
  • Identify probable effects of breaches
  • Mitigate effects of breaches
  • Asset identification
  • Risk assessment
  • Threat identification
  • Vulnerabilities

14
Education and Training
  • Distribution of information about system and
    potential security risks
  • Communication
  • User awareness (p.419)

15
Auditing
  • Testing security procedures
  • Monitoring the effectiveness of security procedures
  • Logging: writing auditing information to a log

16
Documentation
  • Standards and guidelines
  • Systems architecture
  • Change documents
  • Logs and inventories
  • Classification and notification
  • Retention and storage
  • Destruction

17
Summary
  • Digital evidence
  • Forensic process
  • Risk management
  • Education and training
  • Auditing
  • Documentation

18
Questions?