CIT 180 Security Fundamentals Computer Forensics.

Outline
- Introduction
- Rules and types of evidence
- Collection of evidence
- Preservation of evidence
- Viable chain of custody
- Steps in investigating computer crime or policy violation

Introduction
- Forensics is the application of scientific knowledge to solving legal problems.
- Involves preservation, identification, documentation, and interpretation of computer data.
- Applied in three kinds of investigation:
  - investigating and analyzing computer systems as related to violation of laws
  - investigating and analyzing computer systems for compliance with an organization's policies
  - investigating computer systems that have been remotely attacked

Evidence
- The documents, verbal statements, and material objects admissible in a court of law.
- Critical to convincing management, juries, judges, or other authorities that a violation occurred.
- Submission of computer evidence is challenging because the people involved may not be technically savvy.
- An additional challenge is that computer data is stored as bits, not in a readily readable form.
- Good auditing techniques are encouraged.

Types of evidence
- Direct evidence: oral testimony that proves a specific fact. An example is an eyewitness account.
- Real evidence: also known as associative or physical evidence; includes physical objects that prove or disprove a fact.
- Documentary evidence: business records, printouts, manuals, etc.
- Demonstrative evidence: aids the jury and can be in the form of a model, experiment, chart, etc., offered to illustrate that an event occurred or did not occur.

Three rules regarding evidence
- Best evidence rule: use original evidence rather than a copy to ensure no alteration occurred.
- Exclusionary rule: any evidence collected through illegal search and seizure, or in violation of privacy laws, is not admissible. Wiretapping an employee's communication should be consented to by the employee.
- Hearsay rule: computer-generated evidence is considered hearsay or second-hand evidence, in that it is not gathered from the personal knowledge of the witness.

Collecting evidence – acquiring evidence
- Collect as much information as possible before whoever is committing the crime starts hiding information.
- Secure diskettes, CDs, memory cards, USB drives, tapes, etc.
- Use judgement on whether to turn off the computer or not.
  - Pro: preserves the state of the computer
  - Con: may lose memory data and corrupt files

Collecting evidence – identifying evidence
- Mark evidence correctly as it is being collected.
- Keep a log book identifying each piece of evidence.
- Facts to record include who discovered the evidence, case number, date, time, location of discovery, and reason for collecting the evidence.
- A second person should be present when collecting evidence.

Acquiring evidence – other considerations
- Protect the collected evidence.
- Any evidence that needs to be transported in or out of storage locations should be recorded, and ensure no tampering occurs in transit.
- Store evidence in a low-traffic evidence room.

Acquiring evidence – conducting the investigation
- Analyze a copy of the system, not the original.
- May use a Live CD to boot the system to recreate a malicious event.
- The following image backup process is a good example:
  - remove one component at a time to avoid corruption
  - remove the hard disk and label it
  - identify the disk type (IDE, SCSI) and write down the capacity, cylinders, heads, tracks
  - make three or four copies of the disk
  - check the disk image to ensure there are no errors
  - generate a message digest of the disk
  - inventory all files and document the system date and time

Chain of custody
The following are critical steps in the chain of custody:
- Record each item collected as evidence
- Record who collected the evidence, with date and time
- Write a description of the evidence
- Put the evidence in containers and tag the containers with case numbers
- Record all message digests
- Securely transport the evidence to a protected facility
- Obtain signatures from the person accepting the evidence
- Provide controls to prevent access and compromise
- Securely transport to court should the need arise

Free space versus slack space
- When a file on a storage medium is deleted, the physical data is not deleted; rather, the pointer to the location where the data is stored is removed from the file allocation table.
- Free space refers to clusters on disk that hold data with no pointer in the file allocation table. Looking at free space might reveal useful data a user thought was deleted.
- Slack space is space that is taken up by the block-size allocation of data but not used for actual data. For example, when writing one character the operating system allocates a block of 512 bytes; therefore 511 bytes are unused and are slack space.
- Savvy users may hide malicious code in slack space.
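The slack-space arithmetic above, plus a strings search over the slack region of a reused block, as an added example that is not part of the original slides. The 512-byte block size is the one the slides use; the block contents and the "old note" are constructed sample data.

```python
import re

BLOCK_SIZE = 512  # allocation unit used in the slides' example


def slack_bytes(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes allocated to a file that hold none of its data.

    A one-byte file in a 512-byte block leaves 511 bytes of slack.
    """
    if file_size <= 0:
        return 0
    allocated = -(-file_size // block_size) * block_size  # round up to whole blocks
    return allocated - file_size


def slack_region(last_block: bytes, bytes_used: int) -> bytes:
    """Return the part of a file's last block that lies past its logical end."""
    return last_block[bytes_used:]


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Recover runs of printable ASCII, the way a strings search over slack works."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed scenario: this block once held a note, then was reused for a
# one-character file. Only the first byte is overwritten; the rest survives.
OLD_NOTE = b"budget memo: revised figures attached, do not forward"


def build_reused_block() -> bytes:
    block = bytearray(OLD_NOTE.ljust(BLOCK_SIZE, b"\x00"))
    block[0:1] = b"A"  # the new one-byte file writes only its single byte
    return bytes(block)


def residual_strings_in_slack(last_block: bytes, bytes_used: int) -> list:
    """What an examiner would see when searching the slack of this block."""
    return printable_strings(slack_region(last_block, bytes_used))


if __name__ == "__main__":
    blk = build_reused_block()
    print("slack bytes for a 1-byte file:", slack_bytes(1))
    print("residual strings:", residual_strings_in_slack(blk, 1))
```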

Message digest
- A value generated by a mathematical algorithm by applying a key to the data.
- The mathematical operation cannot be reversed, meaning that it is not possible to get the data back from the message digest.
- Used for ensuring that data was not modified (integrity).
- To check that data was not modified, input the data into the mathematical function using the same key and compare the output to the value obtained the first time the digest was generated. If they are the same, the data did not change; otherwise it changed.
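Digesting a disk image, re-checking a working copy, inventorying files, and writing the digest into a chain-of-custody record (the steps listed under "conducting the investigation" and "chain of custody" above), as an added example that is not part of the original slides. It assumes SHA-256 from Python's hashlib, an unkeyed hash as used by typical imaging tools; the image bytes, file names and case number are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def message_digest(data: bytes) -> str:
    """SHA-256 digest of a byte string (a disk image or one file), as hex.

    No key is involved: anyone recomputing over the same bytes gets the same value.
    """
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, recorded: str) -> bool:
    """Recompute the digest and compare with the recorded one; True only if nothing changed."""
    return hmac.compare_digest(message_digest(data), recorded)


def inventory(files: dict) -> dict:
    """Digest every file found on the image so each can be re-checked later."""
    return {name: message_digest(content) for name, content in sorted(files.items())}


def custody_record(item_id: str, case_no: str, collected_by: str, data: bytes, when=None) -> dict:
    """Chain-of-custody entry for one item: who, when, what, and the item's digest."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": item_id,
        "case": case_no,
        "collected_by": collected_by,
        "collected_at": when.isoformat(),
        "sha256": message_digest(data),
    }


def image_unchanged_after_copy(original: bytes, copy: bytes) -> bool:
    """Check a working copy against the digest recorded for the original."""
    return verify_digest(copy, message_digest(original))


# Constructed sample data standing in for a disk image and files inventoried from it.
SAMPLE_IMAGE = b"\x00" * 64 + b"boot sector (constructed)" + b"\x00" * 448
SAMPLE_FILES = {"notes.txt": b"meeting 9am", "report.doc": b"quarterly figures"}

if __name__ == "__main__":
    print(custody_record("HDD-01", "CASE-0000 (placeholder)", "examiner", SAMPLE_IMAGE))
    print(inventory(SAMPLE_FILES))
    print("copy intact:", image_unchanged_after_copy(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE)))
```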

Analysis
- Check the recycle bin
- Check web browser history
- Check cookie files
- Check profiles
- Check Temporary Internet Files
- Search files for suspect character strings
- Search free and slack space

Secure recovery
- You have the option of contracting a company that provides secure recovery sites.
- Such a company provides either physical offices or Internet-based services where restoration can be conducted.
- Data is important in either the physical or the remote approach, so ensure confidentiality and integrity.

High availability and fault tolerance
- High availability means data and processing power are available despite a disrupting event.
- Fault tolerance means that there is uninterrupted access to data and services even in cases where a "fault" occurs.
- Mirroring ensures fault tolerance.
- Avoid a single point of failure by building duplication or redundancy into your system.