COS/PSA 413 Day 5

Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September 30 –Chaps 1-5, Open book, Open notes –20 M/C and 5 essays Lab 1 corrected –2 B’s, 6 C’s and 1 F –RTDQ! Lab 2 w rite-ups due Finish Discussion Processing Crime and incident Scenes Lab 3 in N105 –Hands-on project 5-4 and 5-5 –Follow instructions in

Lab –File listing, contents & memo –Just the facts>>no bias and no conclusions 2-2 –Memo – 25 clusters hits 2-3 –Memo 4 files, 30 clusters for BOOK 1 image files name and where found 2-4 –File listing 2-5 –Prodiscover resport with “deleted and file type” 2-6 –Prodiscover report with proper comments –3 files with the 3 words (one file each) Guide to Computer Forensics and Investigations3

4 Reviewing Background Information for a Case Company called Superior Bicycles –Specializes in creating new and inventive modes of human-driven transportation Two employees, Chris Murphy and Nau Tjeriko, have been missing for several days A USB thumb drive has been recovered from Chris’s office with evidence that he had been conducting a side business using company computers

Guide to Computer Forensics and Investigations5 Identifying the Case Requirements Identify requirements such as: –Nature of the case –Suspect’s name –Suspect’s activity –Suspect’s hardware and software specifications

Guide to Computer Forensics and Investigations6 Planning Your Investigation List what you can assume or know –Several incidents may or may not be related –Suspect’s computer can contain information about the case –If someone else has used suspect’s computer Make an image of suspect’s computer disk drive Analyze forensics copy \\Wallagrass\Software for N105 lab\COS413 Software\Chap05\InChap05\\Wallagrass\Software for N105 lab\COS413 Software\Chap05\InChap05

Guide to Computer Forensics and Investigations7 Conducting the Investigation: Acquiring Evidence with AccessData FTK Functions –Extract the image from a bit-stream image file –Analyze the image

Guide to Computer Forensics and Investigations8

9 Conducting the Investigation: Acquiring Evidence with AccessData FTK (continued)

Guide to Computer Forensics and Investigations10

Guide to Computer Forensics and Investigations11

Guide to Computer Forensics and Investigations12 Conducting the Investigation: Acquiring Evidence with AccessData FTK (continued)

Guide to Computer Forensics and Investigations13

Guide to Computer Forensics and Investigations14 Conducting the Investigation: Acquiring Evidence with AccessData FTK (continued)

Guide to Computer Forensics and Investigations15 Summary Digital evidence is anything stored or transmitted on electronic or optical media Private sector –Contained and controlled area Publish right to inspect computer assets policy Private and public sectors follow same computing investigation rules Criminal cases –Require warrants

Guide to Computer Forensics and Investigations16 Summary (continued) Protect your safety and health as well as the integrity of the evidence Follow guidelines when processing an incident or crime scene –Security perimeter –Video recording As you collect digital evidence, guard against physically destroying or contaminating it Forensic hash values verify that data or storage media have not been altered

Guide to Computer Forensics and Investigations17 Summary (continued) To analyze computer forensics data, learn to use more than one vendor tool You must handle all evidence the same way every time you handle it After you determine that an incident scene has digital evidence, identify the digital information or artifacts that can be used as evidence