Computer Forensics Discovery and recovery of digital evidence

Presentation transcript:

Computer Forensics
- Discovery and recovery of digital evidence
- Usually post facto; sometimes real time
- Types of forensic investigations:
  - Litigation: going to court (crimes, etc.)
  - Non-litigation: administrative adjudication, industry

Skills and Knowledge
- Be aware of the many types of digital devices, their components and their potential contents
- Develop a Web behavior profile
- Learn how to seize a computer and other devices
- Proper handling of digital evidence
- How to search a computer for evidence
- Analyze a phishing scam
- Become more knowledgeable about the digital/information world
06/11/2018

Purpose
- Prove or disprove criminal activity
- Prove or disprove policy violation
- Prove or disprove malicious behavior to or by the computer/user
- If the evidence is there, the case is yours to lose with very little effort.

Legal and Ethical Issues
- Computer forensic exams are illegal without the cover of law (4th Amendment).
- You will learn dual-use technology: all tools can be used to commit crime, and all procedures can be used to hide crime.
- It is unethical to breach someone's expectation of privacy.

Responsibilities
- Evidence: all of it, with emphasis on exculpatory evidence
- Respect for the suspect's privacy and rights
- Beware of collateral damage
- Be very, very careful if you demonstrate what you can do.

Privacy Issues
- Rights of the suspect
- Liabilities of the investigator
- Public versus private storage of information
- Expectation of privacy

Evidence
- Forensics is all about evidence.
- Evidence: something that tends to prove or disprove the existence of an alleged fact.
- The Federal Rules of Evidence govern proceedings in the courts of the United States.

Evidence must be:
- Admissible: legally obtained and relevant
- Reliable: has not been tainted (changed) since acquisition
- Authentic: the real thing, not a replica
- Complete: includes any exculpatory evidence
- Believable: lawyers, judge and jury can understand it

Evidence in practice:
- Admissible: search warrant, wiretap, NSL
- Reliable: chain of custody; protected and properly handled; not tainted, not changed (MD5 hash)
- Authentic: computer data is different
- Complete: must search the entire hard disk
- Believable: impossible for geeks
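The "not tainted, not changed, MD5" point above is the one an examiner has to be able to demonstrate later. The following is an added example, not code from the presentation: it hashes an evidence image in chunks, writes a chain-of-custody record, and re-verifies it. MD5 is kept because the slides name it; SHA-256 is recorded beside it because MD5 collisions are practical today. The file contents, the examiner name and the record layout are all constructed for the demonstration.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

def digest_stream(stream, chunk_size=1024 * 1024):
    """Hash a readable binary stream in chunks, so a multi-gigabyte image
    never has to fit in memory. Both digests are computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def hash_bytes(data):
    return digest_stream(io.BytesIO(data))

def acquisition_record(path, examiner):
    """Chain-of-custody entry (constructed layout): who acquired what, when,
    and the digests any later examiner must reproduce before relying on it."""
    with open(path, "rb") as fh:
        digests = digest_stream(fh)
    return {"item": os.path.basename(path), "size": os.path.getsize(path),
            "acquired_by": examiner,
            "acquired_at": datetime.now(timezone.utc).isoformat(), **digests}

def verify_evidence(path, record):
    """True only if both digests still match: one changed byte since
    acquisition and the evidence is no longer 'reliable' in the slide's sense."""
    with open(path, "rb") as fh:
        now = digest_stream(fh)
    return now["md5"] == record["md5"] and now["sha256"] == record["sha256"]

def demo():
    """Constructed scenario: a fake disk image, then one tampered byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.dd")
        with open(image, "wb") as fh:
            fh.write(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500)  # fake boot sector
        record = acquisition_record(image, "examiner-1")
        intact = verify_evidence(image, record)
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")  # a single byte changed after acquisition
        return intact, verify_evidence(image, record)

if __name__ == "__main__":
    print(demo())  # (True, False)
```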

Conviction must prove:
- Actus reus: the criminal act
- Mens rea: the criminal intent

Intro to WinHex
- WinHex: a hexadecimal editor for Windows
- A general-purpose forensic analysis tool we will use for this course; an excellent professional-grade tool
- You can download a trial version. It has limited capability, but you can do a lot with it.
- Then complete your assignments in the lab. The license is good for a limited time.

WinHex Main Screen

Open a File

Navigate to the Desired File

Select and Open: what have we done?

WinHex Display of File
- WinHex displays the entire contents of the file.
- Extreme left is the offset (position) relative to the beginning of the file. In this display the position is in hexadecimal; we will change this in a little bit.
- The central panel is the data display in hexadecimal.
- The far right panel is an attempt to display the file contents as characters, i.e. ASCII characters.

Offset Change: select General Options from the Options menu.

General Options: we are interested in offsets. Unselect Hexadecimal offsets.
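To make the three panels and the offset option concrete, here is an added example (not part of the presentation, and not WinHex code) that renders the same offset / hex / text view over a constructed byte string and toggles the offset column between hexadecimal and decimal, as the General Options dialog does. It also does the plain text search the later slides use; the sample bytes are constructed.

```python
# Constructed sample: the first bytes of a JPEG carrying an Exif APP1
# segment, followed by a little text, so both panels have something to show.
SAMPLE = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00*\x00\x00\x00\x08hello, WinHex\n"

def hexdump(data, hex_offsets=True, width=16):
    """Return the three-panel view as lines: offset | hex bytes | characters.
    hex_offsets=False is the 'Unselect Hexadecimal offsets' setting."""
    lines = []
    for start in range(0, len(data), width):
        row = data[start:start + width]
        offset = f"{start:08X}" if hex_offsets else f"{start:10d}"
        hexpart = " ".join(f"{b:02X}" for b in row).ljust(width * 3 - 1)
        # Right-hand panel: printable ASCII as-is, every other byte as '.'
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{offset}  {hexpart}  {text}")
    return lines

def find_text(data, needle):
    """Decimal offset of an ASCII string, or -1: the value you would type
    into Go To Offset after a text search."""
    return data.find(needle.encode("ascii"))

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print("\n".join(hexdump(SAMPLE, hex_offsets=False)))
    print("Exif at offset", find_text(SAMPLE, "Exif"))  # 6
```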

Magic

View as Text Only

Text

Open an Image File
- Find an image somewhere, maybe an image from a camera or cell phone
- Open it in WinHex
- To close, right-click on the tab and choose Close; all gone

Open an Image

Actual Image Data

MAC Information
- All files carry information about the file itself: metadata
- This info is contained in the file or in the directory
- MAC: Create time, Modify time, Access time
- This information is very important to case development.

MAC & Evidence
- The MAC time info is changed when the file is opened, viewed or changed.
- Consequently, when a drive is opened it is changed.
- Be very careful when handling digital evidence.

MAC Data

More Metadata: pictures from cameras have it, called EXIF data.

Exif Data

Exif Cont’d

Search File for Text: with the offset in decimal, go find the text.

Find Text: Position > Go To Offset. Type in the desired offset and select OK.

JPEG Found JPEG

Physical Media vs. Logical Drives
- Raw memory: no structure, no contents, only a stream of data
- Logical drives: structured, file system, files
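When the physical device is opened there is no file system to tell you where a file begins, so the "magic" and "Found JPEG" steps above come down to scanning the raw stream for a known signature. This added example (not from the presentation) does that for JPEG over a constructed raw stream: it looks for the Start Of Image marker, pairs it with the End Of Image marker, reports offsets in both decimal and hex, and handles a header whose trailer has been overwritten. The filler bytes and the tiny JPEGs are constructed, not real camera files.

```python
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image: the "magic" WinHex shows at offset 0
JPEG_EOI = b"\xff\xd9"       # End Of Image

def carve_jpegs(raw):
    """Return (start, end) byte ranges of JPEGs in an unstructured stream.
    end is None when a header has no trailer (truncated or overwritten)."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            found.append((start, None))
            break
        end += len(JPEG_EOI)
        found.append((start, end))
        pos = end
    return found

def describe(ranges):
    """Report offsets in decimal and hex, matching the two offset modes."""
    out = []
    for start, end in ranges:
        size = "truncated" if end is None else f"{end - start} bytes"
        out.append(f"JPEG at {start} (0x{start:X}), {size}")
    return out

def build_sample():
    """Constructed raw 'drive': filler, text residue from a deleted file,
    a complete tiny JPEG with an Exif marker, more filler, then a second
    JPEG whose trailer was overwritten."""
    jpeg1 = JPEG_SOI + b"\xe1\x00\x08Exif\x00\x00" + b"\x11" * 20 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x22" * 10
    return (b"\x00" * 64 + b"old invoice $$$ " + jpeg1
            + b"\xff" * 32 + jpeg2 + b"\x00" * 16)

if __name__ == "__main__":
    for line in describe(carve_jpegs(build_sample())):
        print(line)  # JPEG at 80 (0x50), 34 bytes / JPEG at 146 (0x92), truncated
```

Pairing the first EOI after an SOI is deliberately naive: a real camera JPEG usually carries an Exif thumbnail with its own SOI/EOI inside the APP1 segment, so a production carver walks the segment lengths instead of stopping at the first trailer.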

Tools Menu

Physical Opened: not terribly useful.

Opening whatever is on the Drive

Closer: check the Windows Explorer box.

Now We can See Stuff

Double Click on a File: beginning of the file.

Cruising Through: deleted files are dimmed. Interesting $$$

A Closer Look: maybe we have a business!

Computer Forensics
- Be careful
- You are law enforcement
- Protect all parties
- Evidence must be admissible, reliable, authentic, complete and believable

Lab
- Play with WinHex: open a device, open a file, open an image
- Explore, like this presentation