Computer Forensics By: Chris Rozic
What is Computer Forensics? The use of Computer Science and engineering principles and practices to investigate unauthorized computer use or the use of a computer to support illegal activities.
What warrants the investigation?
The cost/benefit analysis: if the cost of the investigation outweighs the benefits, then no investigation is needed.
Internet/email usage: internet usage is higher than a tolerable level, or offensive material is sent through email.
Theft of information: an individual in a company illegally taking confidential information, and/or individuals obtaining personal information through spoofed web pages, which can result in identity theft.
Child pornography: child pornography thrives over the internet; due to this a thorough investigation is needed in order for law enforcement to properly prosecute.
Web page defacement
Murder
Network used as a jump-off point to attack other networks
Steps to follow as a Computer Crime investigator
Secure the scene: if the attacker is still online, initiate a backtrace as an attempt to obtain the geographical location. Unplug the system.
Collect evidence: document and label every piece taken from the scene, and photograph it if permitted. Establish a chain of command for the transportation of the evidence; this should be well documented.
Interview witnesses: the person or persons that were on the machine at the time of the incident.
Plant sniffers: if no intrusion detection system is in place.
Obtain analysis of collected evidence: through special software (Encase), the hard drive can be thoroughly searched and analyzed.
Turn findings over to the proper authority.
Encase
Software produced by Guidance Software.
A forensic data acquisition and analysis program based on the specifications and requirements of law enforcement.
Allows for a digital snapshot of the storage medium under investigation.
MD5 Hash
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 340C8B5EF96DCCEE4B552CE084CCF941
Verification Hash: 340C8B5EF96DCCEE4B552CE084CCF941
Encase Report Example
Drive Geometry: Total Size 1.4MB (2,880 sectors)
Volume "3" Parameters
File System: FAT12
Drive Type: Removable
Sectors Per Cluster: 1
Bytes Per Sector: 512
Total Sectors: 2,880
Total Capacity: 1,457,664 bytes (1.4MB)
Total Clusters: 2,847
Unallocated: 219,136 bytes (214.0KB)
Free Clusters: 428
Allocated: 1,238,528 bytes (1.2MB)
Volume Name: NO NAME
Volume Offset: 0
OEM Version: *zQ9FIHC
Volume Serial #: 1068-7526
Heads: 2
Sectors Per Track: 18
Unused Sectors: 0
Number of FATs: 2
Sectors Per FAT: 9
Boot Sectors: 1
(Tree view in the report screenshot: volume "3", folder "Hawaii - The Islands of Aloha_files")
Example of Search Session 5
Start: 03/28/03 11:43:46AM
Stop: 03/28/03 11:45:14AM
Time: 0:01:28
Size: 4.0GB processed
4697 Files scanned
127 Signature mismatches detected
0 Hash values computed
Keyword results:
Hits: 12   New: 12   Keyword: campbell\@[a-z0-9]+\[[0-9]\]\.txt (GREP)
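The two checks the slides above illustrate, verifying that the acquired image still hashes to the acquisition value and running a GREP keyword over the raw image, as an added example that is not part of the original slides or of Encase. The image bytes are constructed here for illustration; the keyword is the one from the search session, applied in Python's re syntax (Encase's GREP dialect differs in details).

```python
import hashlib
import re

# Constructed stand-in for an acquired disk image: slack bytes with a few
# file names embedded, two of which match the keyword and one (upper-case
# host) which does not, since the keyword's [a-z0-9]+ is lower-case only.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"campbell@mail7[3].txt\x00"        # hit at offset 64
    + b"unrelated data ...\x00"
    + b"campbell@hostabc[9].txt\x00"      # hit at offset 105
    + b"campbell@HOST[1].txt\x00"         # no hit: upper-case host
    + b"\xff" * 32
)

# Keyword from the search-session slide, as a bytes regex so it can be run
# over the whole image (allocated and unallocated space alike).
KEYWORD = rb"campbell\@[a-z0-9]+\[[0-9]\]\.txt"


def md5_hex(data: bytes) -> str:
    """MD5 of the image, rendered upper-case like the Encase report."""
    return hashlib.md5(data).hexdigest().upper()


def acquire(image: bytes) -> str:
    """Record the acquisition hash at the time the snapshot is taken."""
    return md5_hex(image)


def verify_acquisition(image: bytes, acquisition_hash: str) -> bool:
    """Recompute the verification hash over the stored image and compare it
    with the acquisition hash; any changed byte makes this return False."""
    return md5_hex(image) == acquisition_hash.upper()


def keyword_hits(image: bytes, pattern: bytes) -> list:
    """Return (offset, matched bytes) for every keyword hit in the image."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    acq = acquire(SAMPLE_IMAGE)
    print("Acquisition Hash:", acq)
    print("Verified:", verify_acquisition(SAMPLE_IMAGE, acq))
    for offset, match in keyword_hits(SAMPLE_IMAGE, KEYWORD):
        print(f"hit at offset {offset}: {match.decode()}")
```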
Conclusion
Computer dependency will continue to grow, resulting in more opportunities for crimes to be committed through the use of computers.
The software is not for sale to the general public. The retail value of Encase is 3,500 dollars, and specialized versions can cost upwards of 5,000 dollars per license.