Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #7 Processing Crime and Incident Scene September 17, 2008.

Outline
- Review
- Processing Crime and Incident Scenes
- Review Questions
- Reference: Chapters 2 and 5 of textbook
- End of Part I of Course

Review
- Lecture 1: Overview of Digital Forensics (Chapter 1 of textbook)
- Lecture 2: Information Security Review
- Lecture 3: Data Recovery, Verification, Lab Tour (Chapter 3 of textbook: constructing a forensics lab)
- Lecture 4: Data Acquisition (Chapter 4 of textbook)
- Lecture 5: Malicious Code Detection (e.g., the computer is the victim of the crime; applying data mining techniques)
- Lecture 6: Digital Forensics Analysis, Part 1

Processing Crime and Incident Scenes
- Topics in Chapter 2
  - Securing evidence
  - Gathering evidence
  - Analyzing evidence
- Topics in Chapter 5
  - Understanding the rules of evidence
  - Collecting evidence in private-sector incident scenes
  - Processing law enforcement crime scenes
  - Steps to processing crime and incident scenes
  - Case study
- Other topics
  - Forensics technologies

Securing Evidence
- To secure and catalog evidence, large evidence bags, tapes, tags, labels, etc. may be used
- Tamper-resistant evidence security bags
  - Example: EVIDENT: "These heavy-duty polyethylene evidence bags require no prepackaging of evidence prior to use. The instantaneous adhesive closure strip is permanent and impossible to open without destroying the seal. A border pattern around the edge of the bag reveals any attempt at cutting or tampering with evidence."
- See also the work of SWGDE (Scientific Working Group on Digital Evidence) and IOCE (International Organization on Computer Evidence)

Gathering Evidence
- Bit-stream copy
  - Bit-by-bit copy of the original drive or storage medium
  - A bit-stream image is the file containing the bit-stream copy of all data on a disk
- Using ProDiscover to acquire a thumb drive
  - On the thumb drive, locate the write-protect switch and place the drive in write-protect mode
  - Start ProDiscover
  - Click Action, Capture Image from the menu
  - Click Save
  - Enter the name of the technician
  - Use hash algorithms for security
  - Click OK
  - See also the discussion in Lecture 4

Analyzing Evidence
- Start ProDiscover
- Create a new file
- Click on the image file to be analyzed
- Search for keywords and patterns; enter the patterns to be searched
- Click Report and export the file
- Details in Chapter 2

Understanding the Rules of Evidence
- Federal Rules of Evidence; each state may also have its own rules of evidence
- Computer records are in general hearsay evidence unless they qualify as business records
  - Hearsay evidence is second-hand or indirect evidence
  - Business records are records of regularly conducted business activity, such as memos, reports, etc.
- Computer records consist of computer-generated records and computer-stored records
- Computer-generated records include log files, while computer-stored records are electronic data
- All computer records must be authentic

Private-Sector Incident Scenes
- Corporate investigations
  - Employee termination cases, attorney-client privilege investigations, media leak investigations, industrial espionage investigations
- Private-sector incident scenes
  - The private sector includes private corporations and government agencies not involved with law enforcement
  - They must comply with state public disclosure laws and the federal Freedom of Information Act and make certain documents available as public records
  - Law enforcement is called if needed (if the investigation becomes a criminal investigation)

Law Enforcement Crime Scenes
- A law enforcement officer may seize criminal evidence only with probable cause
  - A specific crime was committed
  - Evidence of the crime exists
  - The place to be searched includes the evidence
- The forensics team should know the terminology used in warrants
- To prepare for a search and carry out an investigation, the following steps have to be carried out
  - Identify the nature of the case and the type of computing system, determine whether the computer can be seized, identify the location, determine who is in charge, determine the tools

Steps to Processing Crime and Incident Scenes (details in Chapter 5)
- Securing a computer incident or crime scene
- Seizing the digital evidence at the crime scene
- Storing the digital evidence
- Obtaining a digital hash
- Conducting analysis and reporting

Case Study (Chapter 5)
- Company A (Mr. Jones) gets an order for widgets from Company B. When the order is ready, B says it did not place the order. A then retrieves the e-mail sent by B. B states it did not send the e-mail. What should A do?
- Steps to carry out
  - Close Mr. Jones's Outlook
  - Use Windows Explorer to locate the Outlook PST that holds Mr. Jones's business e-mail
  - Determine the size of the PST and connect an appropriate media device (e.g., USB)
  - Copy the PST to the external USB drive
  - Fill out the evidence form (date/time, etc.)
  - Leave Company A, return to the investigation desk, and carry out the investigation (see previous lectures)
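
The bit-stream copy, the digital hash and the evidence form from the three preceding slides, carried out in one script. This is an added example, not code from the lecture or from ProDiscover; the file names, case id and technician name are placeholders, and a hardware write blocker is assumed in front of any real source medium.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory


def acquire_image(source_path, image_path):
    """Bit-stream copy of source_path into image_path; returns size and hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    # The source is opened read-only; on real media a hardware write blocker
    # (or the thumb drive's write-protect switch) still belongs in front of it.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            md5.update(block)
            sha256.update(block)
            copied += len(block)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    """Re-hash a file on disk; used to verify the image after acquisition."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"bytes": os.path.getsize(path), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image_path, acquisition_hashes):
    """True only if the image still matches the hashes taken while it was written."""
    return hash_file(image_path) == acquisition_hashes


def evidence_record(case_id, item, technician, source_path, image_path, hashes):
    """Evidence-form entry: who acquired what, when (UTC), and the hashes tying them together."""
    return {
        "case_id": case_id,
        "item": item,
        "technician": technician,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source_path,
        "image": image_path,
        **hashes,
    }


if __name__ == "__main__":
    # Constructed sample medium standing in for the thumb drive or Mr. Jones's PST.
    with open("sample_source.bin", "wb") as f:
        f.write(b"ORDER-4711 widgets " * 20000)
    h = acquire_image("sample_source.bin", "evidence_item1.dd")
    assert verify_image("evidence_item1.dd", h)
    print(json.dumps(evidence_record("CASE-PLACEHOLDER", "Item 1: thumb drive",
                                     "J. Technician", "sample_source.bin",
                                     "evidence_item1.dd", h), indent=2))
```

Re-running verify_image against the stored acquisition hashes before analysis, and again when the case is reviewed, is what lets the image stand in for the original medium.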

Other Topics: Forensics Technologies
- Forensics technology
  - Military, law enforcement, business forensics
- Forensics techniques
  - Finding hidden data, spyware, encryption, data protection, tracing, data mining
- Security technologies
  - Wireless, firewalls, biometrics

Military Forensics
- CFX-2000: Computer Forensics Experiment; Information Directorate (AFRL) partnership with NIJ/NLECTC
  - Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
  - Tools included commercial products and research prototypes

Law Enforcement Forensics
- Commonly examined systems: Windows NT, Windows 2000, XP and 2003
- Preserving evidence
  - Mirror image backups: Safe Back technology from New Technologies Inc.
- Tools to handle
  - Trojan horse programs / file slack
  - Data hiding techniques
    - AnaDisk analyzes diskettes
    - COPYQM duplicates diskettes
  - E-commerce investigation: Net Threat Analyzer
  - Text search: TextSearch Plus tool
  - Fuzzy logic / data mining tools to identify unknown text
    - Intelligent Forensics Filter

Business Forensics
- Remote monitoring of target computers
  - Data Interception by Remote Transmission (DIRT) from Codex Data Systems
- Creating trackable electronic documents
- Theft recovery software for laptops and PCs
  - PC Phonehome tool
  - RFID technology

Forensics Techniques
- Techniques for finding, preserving and preparing evidence
- Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides
  - Evidence may be in files, on disks, or on paper; all types of evidence need to be tracked
- Preserving evidence includes ensuring that the evidence is not tampered with
  - Involves pre-incident planning and training in incident discovery procedures; if the machine is turned on, leave it on, and do not run programs on that particular computer
- Preparing evidence includes data recovery, documentation, etc.

Finding Hidden Data
- When files are deleted, usually they can be recovered
- The files are marked as deleted, but they still reside on the disk until they are overwritten
- Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
- There is research on using statistical methods for file recovery
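
How a deleted file is recovered from the raw disk without any file-system metadata: a header/footer carver over a bit-stream image. This is an added example, not from the lecture; the raw image is constructed in the script (filler bytes plus JPEG-like and PNG-like files), and the torn third file shows what happens once part of a deleted file has been overwritten.

```python
import hashlib

# file type -> (header, footer). The PNG footer is the IEND chunk name plus its fixed CRC.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer 10 MiB past a header


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Scan a raw image for each signature; return (type, offset, data, complete) tuples."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:
                # Header with no footer in range: the file was truncated or partly
                # overwritten. Keep the remains; the analyst decides what they are worth.
                found.append((kind, start, image[start:start + max_len], False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append((kind, start, image[start:end], True))
                pos = end
    # Caveat: a footer belonging to a later file of the same type is matched to an
    # earlier torn header; fragmented files need smarter (e.g. statistical) reassembly.
    return sorted(found, key=lambda f: f[1])


def carve_report(image):
    """One entry of metadata per carved file, including a hash for the evidence form."""
    return [{"type": k, "offset": o, "size": len(d), "complete": c,
             "sha256": hashlib.sha256(d).hexdigest()} for k, o, d, c in carve(image)]


def build_sample_image():
    """Constructed raw image (not from any real disk): filler with no 0xFF bytes, one
    intact JPEG-like file, one PNG-like file, and a JPEG header whose tail was lost."""
    def filler(n):
        return bytes((i * 7 + 3) % 251 for i in range(n))
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0" + b"JFIF photo bytes" * 8 + SIGNATURES["jpeg"][1]
    png = SIGNATURES["png"][0] + b"IHDR chunk data" * 5 + SIGNATURES["png"][1]
    torn = SIGNATURES["jpeg"][0] + b"\xe1" + b"partial" * 4  # lost its EOI marker
    return filler(512) + jpeg + filler(256) + png + filler(128) + torn + filler(64)


if __name__ == "__main__":
    for entry in carve_report(build_sample_image()):
        print(entry)
```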

Spyware/Adware
- Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent
- Spyware is mostly advertising-supported software (adware)
- Shareware authors place ads from a media company and get a piece of the revenue
- PC surveillance tools that allow a user to monitor computer activity
  - Keystroke capture, snapshots, logging, chats, etc.
- Privacy concerns with spyware

Encryption
- Popular encryption techniques
  - Public key / private key
- The owner of the data encrypts with the public key of the receiver; the receiver decrypts with his private key
- In some cases the owner may encrypt with his private key for multiple receivers; the receivers decrypt with the owner's public key
- Merkle hash is a popular method to hash documents; a one-way hash function
- The challenge is to generate unique keys
- Issues: a trusted authority to generate keys and credentials
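
The Merkle hash bullet above, worked through: a document is split into chunks, each chunk is hashed, and the hashes are folded pairwise into a single root, so one chunk can later be checked against the root with a short proof instead of re-hashing the whole document. Added example, not from the lecture; it assumes SHA-256, 64-byte chunks, and 0x00/0x01 prefixes to keep leaf and interior hashes distinct.

```python
import hashlib


def h(data):
    return hashlib.sha256(data).digest()


def leaf_hashes(document, chunk_size=64):
    """Hash each fixed-size chunk of the document; the last chunk may be shorter."""
    chunks = [document[i:i + chunk_size] for i in range(0, len(document), chunk_size)] or [b""]
    return [h(b"\x00" + c) for c in chunks]  # 0x00 prefix marks a leaf


def _pad(level):
    """An odd node is paired with a copy of itself so every level pairs up cleanly."""
    return level + level[-1:] if len(level) % 2 else level


def merkle_root(leaves):
    """Fold leaf hashes pairwise up to one root; 0x01 prefix marks an interior node."""
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        sibling = i ^ 1
        proof.append(("L" if sibling < i else "R", level[sibling]))
        level = [h(b"\x01" + level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_chunk(chunk, proof, root):
    """Recompute the path from one chunk to the root; False if the chunk was altered."""
    node = h(b"\x00" + chunk)
    for side, sib in proof:
        node = h(b"\x01" + sib + node) if side == "L" else h(b"\x01" + node + sib)
    return node == root


if __name__ == "__main__":
    # Constructed document: ten copies of a 32-byte order line, i.e. five 64-byte chunks.
    doc = b"Purchase order 4711: 500 widgets" * 10
    leaves = leaf_hashes(doc)
    root = merkle_root(leaves)
    print("root:", root.hex())
    print("chunk 4 verifies:", verify_chunk(doc[256:320], inclusion_proof(leaves, 4), root))
    tampered = b"Purchase order 4711: 900 widgets" + doc[32:]
    print("tampered chunk 0 verifies:", verify_chunk(tampered[:64], inclusion_proof(leaves, 0), root))
```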

Internet/Web Tracing
- Where has the e-mail come from?
  - Check the IP address
  - The sender may use a fake address by changing fields; the sending server may not check this, and so the mail is sent
- Tracing web activity
- Who has logged into the system, say from a public web site, and modified accounts and grades?
- Web/e-mail tracking tools

Wireless Technology Forensics
- Forensic examination of a RIM (BlackBerry) wireless device: "There are two types of RIM devices within each model class. The Exchange Edition is meant for use in a corporate environment while the Internet Edition works with standard POP accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the Internet Edition communicates in clear text. Neither employs an encrypted file system"
- Relevance of RIM forensics
  - "The RIM device shares the same evidentiary value as any other Personal Digital Assistant (PDA). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the RIM's always-on, wireless push technology adds a unique dimension to forensic examination. Changing and updating data no longer requires a desktop synchronization. In fact, a RIM device does not need a cradle or desktop connection to be useful. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the RIM's currently unsurpassed portability is the examiner's greatest ally"

Wireless Technology Forensics - 2
- The hardware
  - The RIM device is designed around an Intel 32-bit i386 processor, a low-power embedded version of the same processor that used to power desktop PCs. Each unit has 512 KB of SRAM and 4 or 5 MB of Flash RAM, depending on the model. The RIM's SRAM is analogous to the RAM on a desktop and the Flash memory is the "disk space" used to store the operating system (OS), applications, and the file system. The RIM's OS is a single executable named PAGER.EXE and the applications are DLLs.
- Toolbox
  - BlackBerry Desktop Software, available free at www.blackberry.com
  - BlackBerry C++ Software Development Kit v2.1, available free at www.blackberry.com
  - Hex editor; text editor; AA batteries; spare BlackBerry cradles
  - The examination PC should meet the minimum requirements for the BlackBerry Software Development Kit (SDK) and have two available external 9-pin RS-232 serial ports. Disk space required for evidence gathering is minimal: space equal to the amount of Flash RAM in the RIM units being investigated.

Firewall Forensics
- Analyzing firewall logs, especially what port numbers etc. mean; this information may be used to help figure out what hackers are up to
  - What does destination port number ZZZZ mean?
  - What does this ICMP info mean?
  - What do these IP addresses indicate?
  - Stuff doesn't work
  - What are some typical signatures of well-known programs?
  - What do these other logs mean?
  - How do I configure filters?
  - Packet Zen
  - What's the deal with NetBIOS (UDP port 137)?
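
The first three questions on the slide (what a destination port means, what an ICMP entry means, what the source addresses indicate) answered over a handful of log lines. Added example, not from the lecture or the FAQ it points to; the log lines are constructed in an iptables-style KEY=VALUE format, the addresses come from the RFC 5737 documentation ranges, and the service table is a deliberately small subset.

```python
import re
from collections import defaultdict

# Well-known destination ports an analyst checks first; UDP 137 is the NetBIOS name service.
SERVICES = {
    ("TCP", 22): "ssh", ("TCP", 23): "telnet", ("TCP", 25): "smtp", ("TCP", 80): "http",
    ("TCP", 443): "https", ("TCP", 445): "smb", ("TCP", 3389): "rdp",
    ("UDP", 53): "dns", ("UDP", 137): "netbios-ns", ("UDP", 138): "netbios-dgm",
}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|TYPE|CODE)=(\S+)")


def parse_line(line):
    """One log line -> dict; the action (DROP/ACCEPT) is the word before IN=."""
    m = re.search(r"kernel: (\w+) IN=", line)
    if not m:
        return None
    rec = {"action": m.group(1)}
    for key, val in FIELD.findall(line):
        rec[key.lower()] = int(val) if val.isdigit() else val
    return rec


def describe(rec):
    """Meaning of the destination port, or of the ICMP type, in one record."""
    if rec["proto"] == "ICMP":
        return "ICMP " + ICMP_TYPES.get(rec.get("type"), f"type {rec.get('type')}")
    return SERVICES.get((rec["proto"], rec.get("dpt")), f"{rec['proto']}/{rec.get('dpt')} (unknown)")


def summarize(lines):
    """Per source address: hit count, distinct services touched, ICMP seen."""
    per_src = defaultdict(lambda: {"hits": 0, "services": set(), "icmp": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        (entry["icmp"] if rec["proto"] == "ICMP" else entry["services"]).add(describe(rec))
    return dict(per_src)


def probable_scanners(summary, min_services=4):
    """Sources that touched at least min_services distinct ports: a port-sweep indicator."""
    return sorted(src for src, e in summary.items() if len(e["services"]) >= min_services)


SAMPLE_LOG = """\
Sep 17 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Sep 17 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445
Sep 17 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Sep 17 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=3389
Sep 17 10:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=8081
Sep 17 10:02:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep 17 10:03:30 fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80
Sep 17 10:03:31 fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80
""".splitlines()  # constructed sample, not real traffic

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary, "probable scanners:", probable_scanners(summary))
```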

Biometrics Forensics: Richard Vorder Bruegge
- It often happens that people confuse biometrics and forensics. After all, television and movies make it look like automated biometrics databases can be used to identify and convict people all the time. Isn't that what forensics is all about? Unfortunately, this can have an adverse effect on the development of forensic tools which utilize biometric features, because those in a position to make funding decisions may not understand the distinction between the two. This presentation will attempt to provide the audience with a better understanding of the relationship between biometrics and forensics from the standpoint of a forensic scientist.

Biometrics Forensics: Richard Vorder Bruegge
- Advances in the field of biometrics offer great potential for the field of forensics. Biometric databases offer the promise of enabling law enforcement and the intelligence community to rapidly identify questioned individuals if they are present in the queried database. However, obtaining a "hit" in a biometric database is a far cry from an identification in the world of forensic science. The standard of proof to which forensic scientists in the United States are held is "beyond a reasonable doubt". That "reasonable doubt" criterion, coupled with standards for scientific and technical evidence elucidated in the "Daubert" and "Kumho Tire" cases, requires that conclusions offered by forensic scientists be supported at a level beyond that offered by current biometric systems, particularly in the field of facial recognition.
- Reviewing Court Approves of Fingerprint Admissibility

Review Questions (Lectures 1, 3-7)
- Describe what is meant by digital forensics
- Describe the steps for a forensic investigation
- Describe how data is acquired in a forensics investigation
- Describe the process of constructing a forensic lab
- Describe data recovery in a forensic investigation
- Describe verification aspects of a forensic investigation
- Describe how malicious code may be detected in a machine
- Describe techniques for digital forensics analysis
- Describe the steps involved in processing a crime scene
- Describe the rules of evidence
- Describe forensics technologies