Guide to Computer Forensics and Investigations Fifth Edition

Slides:



Advertisements
Similar presentations
COEN 252 Computer Forensics
Advertisements

Copyright 2004 Foreman Architects Engineers School Security From Common Sense to High Tech.
Network+ Guide to Networks, Fourth Edition
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations, Second Edition
Security Controls – What Works
Guide to Computer Forensics and Investigations Fifth Edition
COS/PSA 413 Day 6.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
Guide to Computer Forensics and Investigations Fourth Edition
Computer Security: Principles and Practice
Guide to Computer Forensics and Investigations, Second Edition
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Guide to Computer Forensics and Investigations, Second Edition
Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Network+ Guide to Networks, Fourth Edition Chapter 1 An Introduction to Networking.
Guide to Computer Forensics and Investigations, Second Edition Chapter 2 Understanding Computer Investigation.
CSN08101 Digital Forensics Lecture 4A: Forensic Processes Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak.
Guide to Computer Forensics and Investigations Fourth Edition
SUMMER BRIDGE PROGRAM DR. HWAJUNG LEE DR. ASHLEY PODHRADSKY Computer Forensics.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
Guide to Computer Forensics and Investigations Fifth Edition
Training and Certification. Who needs digital forensic training and professional certification? Forensic examiners Investigators Crime scene specialists.
12015/10/20 Muhammad Salman University of Indonesia.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
CPS ® and CAP ® Examination Review OFFICE ADMINISRATION, Fifth Edition By Schroeder and Graf ©2005 Pearson Education, Inc. Pearson Prentice Hall Upper.
E.Soundararajan R.Baskaran & M.Sai Baba Indira Gandhi Centre for Atomic Research, Kalpakkam.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
Chapter 6 Enhancing Security Through Procedural Controls.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 3 The Investigator’s Office and Laboratory.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
Chapter 2 Securing Network Server and User Workstations.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
Cmpe 471: Personnel and Legal Issues. Personnel Crime is a human issue not a technological one Hiring On-going management Unauthorised access Redundancy.
Computer Forensics Presented By:  Anam Sattar  Anum Ijaz  Tayyaba Shaffqat  Daniyal Qadeer Butt  Usman Rashid.
Texas Law Enforcement Best Practices Mid Year Training Conference.
Development of a Clean Room/Highly Restricted Zone June 12, 2012 Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group ©2011 The Shared.
Physical Security Concerns for LAN Management By: Derek McQuillen.
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
Ron Enger Southern Oregon Educational Service District Medford, Oregon Cliff Ehlinger Grant Wood Area Education Agency Cedar Rapids, Iowa December, 2006.
UNIT V Security Management of Information Technology.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
Blackboard Security System
Introduction The Regional Computer Forensics Laboratory (RCFL) National Program Office created this toolkit to help law enforcement executives assess.
Guide to Computer Forensics and Investigations Fifth Edition
Data Compromises: A Tax Practitioners “Nightmare”
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
Guide to Computer Forensics and Investigations Fourth Edition
IT INFRASTRUCTURES Business-Driven Technologies
County HIPAA Review All Rights Reserved 2002.
Security of Data  
Network+ Guide to Networks, Fourth Edition
IS4680 Security Auditing for Compliance
Managing the IT Function
PLANNING A SECURE BASELINE INSTALLATION
1 Guide to Computer Forensics and Investigations Sixth Edition Chapter 2 The Investigator’s Office and Laboratory.
Presentation transcript:

Guide to Computer Forensics and Investigations Fifth Edition Chapter 2 The Investigator’s Office and Laboratory Chapter 2 The Investigator’s Office and Laboratory

Understanding Forensics Lab Certification Requirements Digital forensics lab Where you conduct your investigation Store evidence House your equipment, hardware, and software American Society of Crime Laboratory Directors (ASCLD) offers guidelines for: Managing a lab Acquiring an official certification Auditing lab functions and procedures Understanding Forensics Lab Certification Requirements Digital forensics lab Where you conduct your investigation Store evidence House your equipment, hardware, and software American Society of Crime Laboratory Directors (ASCLD) offers guidelines for: Managing a lab Acquiring an official certification Auditing lab functions and procedures Guide to Computer Forensics and Investigations, Fifth Edition

Acquiring Certification and Training Update your skills through appropriate training Thoroughly research the requirements, cost, and acceptability in your area of employment International Association of Computer Investigative Specialists (IACIS) Created by police officers who wanted to formalize credentials in computing investigations Candidates who complete the IACIS test are designated as a Certified Forensic Computer Examiner (CFCE) Acquiring Certification and Training Update your skills through appropriate training Thoroughly research the requirements, cost, and acceptability in your area of employment International Association of Computer Investigative Specialists (IACIS) Created by police officers who wanted to formalize credentials in computing investigations Candidates who complete the IACIS test are designated as a Certified Forensic Computer Examiner (CFCE) Guide to Computer Forensics and Investigations, Fifth Edition

Acquiring Certification and Training ISC² Certified Cyber Forensics Professional (CCFP) Requires knowledge of Digital forensics Malware analysis Incident response E-discovery Other disciplines related to cyber investigations Acquiring Certification and Training ISC² Certified Cyber Forensics Professional (CCFP) Requires knowledge of Digital forensics Malware analysis Incident response E-discovery Other disciplines related to cyber investigations Guide to Computer Forensics and Investigations, Fifth Edition

Acquiring Certification and Training High-Tech Crime Network (HTCN) Certified Computer Crime Investigator, Basic and Advanced Level Certified Computer Forensic Technician, Basic and Advanced Level EnCase Certified Examiner (EnCE) Certification Open to the public and private sectors Is specific to use and mastery of EnCase forensics analysis Candidates are required to have a licensed copy of EnCase Acquiring Certification and Training High-Tech Crime Network (HTCN) Certified Computer Crime Investigator, Basic and Advanced Level Certified Computer Forensic Technician, Basic and Advanced Level EnCase Certified Examiner (EnCE) Certification Open to the public and private sectors Is specific to use and mastery of EnCase forensics analysis Candidates are required to have a licensed copy of EnCase Guide to Computer Forensics and Investigations, Fifth Edition

Acquiring Certification and Training AccessData Certified Examiner (ACE) Certification Open to the public and private sectors Is specific to use and mastery of AccessData Ultimate Toolkit The exam has a knowledge base assessment (KBA) and a practical skills assessment (PSA) Other Training and Certifications EC-Council SysAdmin, Audit, Network, Security (SANS) Institute Defense Cyber Investigations Training Academy (DCITA) Acquiring Certification and Training AccessData Certified Examiner (ACE) Certification Open to the public and private sectors Is specific to use and mastery of AccessData Ultimate Toolkit The exam has a knowledge base assessment (KBA) and a practical skills assessment (PSA) Other Training and Certifications EC-Council SysAdmin, Audit, Network, Security (SANS) Institute Defense Cyber Investigations Training Academy (DCITA) Guide to Computer Forensics and Investigations, Fifth Edition

Acquiring Certification and Training Other training and certifications (cont’d) International Society of Forensic Computer Examiners (ISFCE) High Tech Crime Consortium Computer Technology Investigators Network (CTIN) Digital Forensics Certification Board (DFCB) Consortium of Digital Forensics Specialists (CDFS) Federal Law Enforcement Training Center (FLETC) National White Collar Crime Center (NW3C) Acquiring Certification and Training Other training and certifications (cont’d) International Society of Forensic Computer Examiners (ISFCE) High Tech Crime Consortium Computer Technology Investigators Network (CTIN) Digital Forensics Certification Board (DFCB) Consortium of Digital Forensics Specialists (CDFS) Federal Law Enforcement Training Center (FLETC) National White Collar Crime Center (NW3C) Guide to Computer Forensics and Investigations, Fifth Edition

Determining the Physical Requirements for a Computer Forensics Lab Most of your investigation is conducted in a lab Lab should be secure so evidence is not lost, corrupted, or destroyed Provide a safe and secure physical environment Keep inventory control of your assets Know when to order more supplies Determining the Physical Requirements for a Computer Forensics Lab Most of your investigation is conducted in a lab Lab should be secure so evidence is not lost, corrupted, or destroyed Provide a safe and secure physical environment Keep inventory control of your assets Know when to order more supplies Guide to Computer Forensics and Investigations, Fifth Edition

Identifying Lab Security Needs Secure facility Should preserve integrity of evidence data Minimum requirements Small room with true floor-to-ceiling walls Door access with a locking mechanism Secure container Visitor’s log People working together should have same access level Brief your staff about security policy Identifying Lab Security Needs Secure facility Should preserve integrity of evidence data Minimum requirements Small room with true floor-to-ceiling walls Door access with a locking mechanism Secure container Visitor’s log People working together should have same access level Brief your staff about security policy Guide to Computer Forensics and Investigations, Fifth Edition

Conducting High-Risk Investigations High-risk investigations demand more security than the minimum lab requirements TEMPEST facilities Electromagnetic Radiation (EMR) proofed http://nsi.org/Library/Govt/Nispom.html TEMPEST facilities are very expensive You can use low-emanation workstations instead Conducting High-Risk Investigations High-risk investigations demand more security than the minimum lab requirements TEMPEST facilities Electromagnetic Radiation (EMR) proofed http://nsi.org/Library/Govt/Nispom.html TEMPEST facilities are very expensive You can use low-emanation workstations instead Guide to Computer Forensics and Investigations, Fifth Edition

Using Evidence Containers Known as evidence lockers Must be secure so that no unauthorized person can easily access your evidence Recommendations for securing storage containers: Locate them in a restricted area Limited number of authorized people to access the container Maintain records on who is authorized to access each container Containers should remain locked when not in use Using Evidence Containers Known as evidence lockers Must be secure so that no unauthorized person can easily access your evidence Recommendations for securing storage containers: Locate them in a restricted area Limited number of authorized people to access the container Maintain records on who is authorized to access each container Containers should remain locked when not in use Guide to Computer Forensics and Investigations, Fifth Edition

Using Evidence Containers If a combination locking system is used: Provide the same level of security for the combination as for the container’s contents Destroy any previous combinations after setting up a new combination Allow only authorized personnel to change lock combinations Change the combination every six months or when required Using Evidence Containers If a combination locking system is used: Provide the same level of security for the combination as for the container’s contents Destroy any previous combinations after setting up a new combination Allow only authorized personnel to change lock combinations Change the combination every six months or when required Guide to Computer Forensics and Investigations, Fifth Edition

Using Evidence Containers If you’re using a keyed padlock: Appoint a key custodian Stamp sequential numbers on each duplicate key Maintain a registry listing which key is assigned to which authorized person Conduct a monthly audit Take an inventory of all keys Place keys in a lockable container Maintain the same level of security for keys as for evidence containers Change locks and keys annually Using Evidence Containers If you’re using a keyed padlock: Appoint a key custodian Stamp sequential numbers on each duplicate key Maintain a registry listing which key is assigned to which authorized person Conduct a monthly audit Take an inventory of all keys Place keys in a lockable container Maintain the same level of security for keys as for evidence containers Change locks and keys annually Guide to Computer Forensics and Investigations, Fifth Edition

Using Evidence Containers Container should be made of steel with an internal cabinet or external padlock If possible, acquire a media safe When possible, build an evidence storage room in your lab Keep an evidence log Update it every time an evidence container is opened and closed Using Evidence Containers Container should be made of steel with an internal cabinet or external padlock If possible, acquire a media safe When possible, build an evidence storage room in your lab Keep an evidence log Update it every time an evidence container is opened and closed Guide to Computer Forensics and Investigations, Fifth Edition

Considering Physical Security Needs Enhance security by setting security policies Enforce your policy Maintain a sign-in log for visitors Anyone that is not assigned to the lab is a visitor Escort all visitors all the time Use visible or audible indicators that a visitor is inside your premises Visitor badge Install an intrusion alarm system Hire a guard force for your lab Considering Physical Security Needs Enhance security by setting security policies Enforce your policy Maintain a sign-in log for visitors Anyone that is not assigned to the lab is a visitor Escort all visitors all the time Use visible or audible indicators that a visitor is inside your premises Visitor badge Install an intrusion alarm system Hire a guard force for your lab Guide to Computer Forensics and Investigations, Fifth Edition

Auditing a Digital Forensics Lab Auditing ensures proper enforcing of policies Audits should include inspecting the following facility components and practices: Ceiling, floor, roof, and exterior walls of the lab Doors and doors locks Visitor logs Evidence container logs At the end of every workday, secure any evidence that’s not being processed in a forensic workstation Auditing a Digital Forensics Lab Auditing ensures proper enforcing of policies Audits should include inspecting the following facility components and practices: Ceiling, floor, roof, and exterior walls of the lab Doors and doors locks Visitor logs Evidence container logs At the end of every workday, secure any evidence that’s not being processed in a forensic workstation Guide to Computer Forensics and Investigations, Fifth Edition

Determining Floor Plans for Digital Forensics Labs Small labs usually consist of: One or two forensic workstations A research computer with Internet access A workbench (if space allows) Storage cabinets Determining Floor Plans for Digital Forensics Labs Small labs usually consist of: One or two forensic workstations A research computer with Internet access A workbench (if space allows) Storage cabinets Guide to Computer Forensics and Investigations, Fifth Edition

Determining Floor Plans for Digital Forensics Labs Figure 2-2 Small or home-based lab Guide to Computer Forensics and Investigations, Fifth Edition

Determining Floor Plans for Digital Forensics Labs Figure 2-3 Mid-size digital forensics lab Guide to Computer Forensics and Investigations, Fifth Edition

Determining Floor Plans for Digital Forensics Labs State law enforcement or the FBI usually runs most large or regional digital forensics labs Have a separate evidence room One or more custodians might be assigned to manage and control traffic in and out of the evidence room Should have at least two controlled exits and no windows Determining Floor Plans for Digital Forensics Labs State law enforcement or the FBI usually runs most large or regional digital forensics labs Have a separate evidence room One or more custodians might be assigned to manage and control traffic in and out of the evidence room Should have at least two controlled exits and no windows Guide to Computer Forensics and Investigations, Fifth Edition

Determining Floor Plans for Digital Forensics Labs Figure 2-4 Regional digital forensics lab Guide to Computer Forensics and Investigations, Fifth Edition

Stocking Hardware Peripherals Any lab should have in stock: IDE cables Ribbon cables for floppy disks Extra USB 3.0 or newer cables and SATA cards SCSI cards, preferably ultrawide Graphics cards, both PCI and AGP types Assorted FireWire and USB adapters Hard disk drives At least two 2.5-inch Notebook IDE hard drives to standard IDE/ATA or SATA adapter Computer hand tools Stocking Hardware Peripherals Any lab should have in stock: IDE cables Ribbon cables for floppy disks Extra USB 3.0 or newer cables and SATA cards SCSI cards, preferably ultrawide Graphics cards, both PCI and AGP types Assorted FireWire and USB adapters Hard disk drives At least two 2.5-inch Notebook IDE hard drives to standard IDE/ATA or SATA adapter Computer hand tools Guide to Computer Forensics and Investigations, Fifth Edition

Maintaining Operating Systems and Software Inventories Maintain licensed copies of software like: Microsoft Office (current and older version) Quicken Programming languages (Visual Basic and Visual C++) Specialized viewers (Quick View) LibreOffice, OpenOffice, or Apache OpenOffice Peachtree and QuickBooks accounting applications Maintaining Operating Systems and Software Inventories Maintain licensed copies of software like: Microsoft Office (current and older version) Quicken Programming languages (Visual Basic and Visual C++) Specialized viewers (Quick View) LibreOffice, OpenOffice, or Apache OpenOffice Peachtree and QuickBooks accounting applications Guide to Computer Forensics and Investigations, Fifth Edition

Using a Disaster Recovery Plan A disaster recovery plan ensures that you can restore your workstation and investigation files to their original condition Recover from catastrophic situations, virus contamination, and reconfigurations Includes backup tools for single disks and RAID servers Configuration management Keep track of software updates to your workstation Using a Disaster Recovery Plan A disaster recovery plan ensures that you can restore your workstation and investigation files to their original condition Recover from catastrophic situations, virus contamination, and reconfigurations Includes backup tools for single disks and RAID servers Configuration management Keep track of software updates to your workstation Guide to Computer Forensics and Investigations, Fifth Edition

Using a Disaster Recovery Plan For labs using high-end RAID servers: You must consider methods for restoring large data sets Large-end servers must have adequate data backup systems in case of a major failure or more than one drive Using a Disaster Recovery Plan For labs using high-end RAID servers: You must consider methods for restoring large data sets Large-end servers must have adequate data backup systems in case of a major failure or more than one drive Guide to Computer Forensics and Investigations, Fifth Edition