COS/PSA 413 Lab 4

Agenda
- Lab 3 write-ups overdue
  - Only got 9 out of 10
- Capstone Proposals due TODAY
  - See guidelines in WebCT
  - Only got 4 out of 10 so far
- Discussion on Digital Evidence Controls
  - Chap 7 in 1e, Chap 6 in 2e (pretty much the same)

Lab Write-ups
- Due Oct 12 (Lab 4 done on Oct 5)
  - For Projects 4-1 and 4-2, provide a one-page document in which you tell what you have learned and the conclusion you drew from these projects.
  - For Project 4-3, provide the sector information the project requires you to document.
  - For Project 4-4, turn in the answer to Part 12.
- Due Oct 17 (Lab 5 to be done on Oct 6)
  - For Project 4-5, turn in the answer to Part 17.
  - For Project 4-6, turn in the answer to Part 21.

Digital Evidence Controls
Chapter 7

Learning Objectives
- Identify digital evidence
- Secure digital evidence at an incident scene
- Catalog digital evidence
- Store digital evidence
- Obtain a digital signature

Identifying Digital Evidence
- Evidence stored or transmitted in digital form
- Courts accept digital evidence as physical
- Groups that set standards for recovering, preserving, and examining digital evidence
  - Scientific Working Group on Digital Evidence (SWGDE)
  - International Organization on Computer Evidence (IOCE)

Identifying Digital Evidence (continued)
- Working with digital evidence
  - Identify potential digital evidence
  - Collect, preserve, and document the evidence
  - Analyze, identify, and organize the evidence
  - Verify results can be reproduced
- Systematic job
- Use standardized forms for documentation

Understanding Evidence Rules
- Handle all evidence consistently
- Always apply the same security controls
- Evidence for a criminal case can be used in civil litigation
- Keep current on the latest rulings and directives
  - Check the DoJ website
  - Check with your attorney on how to handle evidence

Understanding Evidence Rules (continued)
- Bit-stream copies are considered physical evidence
- Other electronic evidence
  - It can be changed more easily
  - Hard to distinguish a duplicate from the original
- Computer records are hearsay evidence
  - Secondhand or indirect evidence
  - Not admissible in a court trial

Understanding Evidence Rules (continued)
- Business-record exception
  - Records must have been created by suspect
  - Records are original
- Computer records are admissible if they qualify as business records
  - Computer-generated records
  - Computer-stored records

Understanding Evidence Rules (continued)
- Use known processes and tools when handling evidence
- Printouts qualify as original evidence
- Bit-stream copies also qualify as original evidence
- Use the original evidence when possible

Identify Digital Evidence
General Investigation Tasks
- Identify digital information or artifacts that can be used as evidence.
- Collect, preserve, and document the evidence.
- Analyze, identify, and organize the evidence.
- Rebuild evidence or repeat a situation to verify that you can obtain the same results every time.

Identify Digital Evidence

- Computer-Generated Records – Data that is generated by the computer, such as system log files or proxy server logs.
- Computer-Stored Records – Digital files that are generated by a person.

Secure Digital Evidence at an Incident Scene
Before obtaining the evidence, ask the following:
- Do you need to take the entire computer, all peripherals, and media in the immediate area? Do you need to protect the computer or media while transporting it to your lab?
- Is the computer powered on when you arrive to take control of the digital evidence?
- Is the suspect you are investigating in the immediate area of the computer? Is it possible that the suspect damaged or destroyed the computer and its media?

Secure Digital Evidence at an Incident Scene

Use the following to preserve digital evidence:
- Use anti-static evidence bags for small pieces of evidence such as disks and magnetic tapes, and use adhesive seals to secure the opening on the computer cabinet.
- Look for manuals and software such as the operating system and application programs at the scene. Collect these items as part of the evidence.

Secure Digital Evidence at an Incident Scene
Use the following to preserve digital evidence:
- Determine whether the environment is safe for your evidence. If you have to take the computer outside, freezing or very hot temperatures can damage digital media. If you are transporting digital media, make sure your vehicle is heated or air conditioned as appropriate for the weather.
- Also determine whether electrical transformers are located near your digital evidence. They can interfere with the magnetic disk coating and damage evidence.

Secure Digital Evidence at an Incident Scene
Guidelines to Catalog Digital Evidence
1. Identify the type of computer you are working with, such as a Windows PC or laptop, a UNIX workstation, or a Macintosh. Do not turn on a suspect's computer if it is turned off. Recall that various operating systems overwrite files as a standard part of their boot process.

Secure Digital Evidence at an Incident Scene
Guidelines to Catalog Digital Evidence
2. Use a digital camera to photograph all cable connections, and then label the cables with evidence tags. Photograph or videotape the scene, and create a detailed diagram, noting where items are located.
3. Assign one person to collect and log all evidence. Minimize the number of people handling the evidence overall to ensure its integrity.

Secure Digital Evidence at an Incident Scene
Guidelines to Catalog Digital Evidence
4. Tag all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it.
5. Maintain two separate logs of collected evidence to use as a backup checklist to verify everything you have collected.
6. Maintain constant control of the collected evidence and the crime or incident scene.

Secure Digital Evidence at an Incident Scene

Guidelines to Follow if a Computer is Powered On
1. If practical, copy any application data displayed on the screen, such as text or a spreadsheet document. Save this RAM data to removable media such as a floppy disk, Zip, or Jaz disk, using the Save As command. If this is not possible, take a close-up photograph of the screen. Close the application without saving the data.

Secure Digital Evidence at an Incident Scene
Guidelines to Follow if a Computer is Powered On
2. After you copy the RAM data, you can safely shut down the computer. Use the manufacturer's appropriate shutdown method. If you are not familiar with the method, find someone who is.

Secure Digital Evidence at an Incident Scene
Guidelines to Follow if a Computer is Powered On
3. To access the suspect system, use an alternate operating system to examine the hard disk data. On Intel computers, use a specifically configured boot disk. For UNIX workstations, remove the drive and inspect the hard drive from another UNIX or Linux system.
4. Acquire the suspect drive with bit-stream imaging tools.
5. Verify the integrity of your bit-stream image copy of the original disk.

Secure Digital Evidence at an Incident Scene
Processing and Handling Digital Evidence
1. Copy all bit-stream image files to a large disk drive.
2. Start your desired forensic tool to analyze the evidence.
3. Run an MD5 hash check on the bit-stream image files.
4. When you finish copying the bit-stream image files to the larger disk, secure the original media in an evidence locker.

Secure Digital Evidence at an Incident Scene
- Message Digest version 5 (MD5) hash – A mathematical algorithm that translates a file into a unique hexadecimal code value.

Storing Digital Evidence
- 4-mm DAT – Magnetic tapes that store about 4 GB of data, but like CD-Rs, are slow to read and write data.

Storing Digital Evidence

Documenting Evidence
Evidence forms serve the following purposes:
- Identify the evidence.
- Identify who has handled the evidence.
- List the dates and times the evidence was handled.

Documenting Evidence

Obtaining a Digital Signature
- Cyclic Redundancy Check (CRC) – A mathematical algorithm that translates a file into a unique hexadecimal code value.
- Digital Signature – A unique value that identifies a file.
- Secure Hash Algorithm, version 1 (SHA-1) – A new digital signature method developed by the NIST. It is slowly replacing MD5 and CRC.

Obtaining a Digital Signature
- Non-Keyed Hash Set – A hash set used to identify files or viruses.
- Keyed Hash Set – A value created by an encryption utility's secret key.

Obtaining a Digital Hash (continued)
Example:
- Create a file with Notepad
- Obtain its hash value with DriveSpy
- Modify the file
- Recompute its hash value
- Compare hash values
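The hash-and-compare exercise above, together with the image-verification step (step 5 of the powered-on guidelines and the MD5 check in the processing steps), carried out in Python as an added example; this is not code from the slides or from DriveSpy. It assumes ordinary files standing in for the original media and its bit-stream image, and uses CRC-32, MD5 and SHA-1 because those are the three digests the chapter names.

```python
import hashlib
import os
import tempfile
import zlib


def digest_chunks(chunks):
    """Compute CRC-32, MD5 and SHA-1 over an iterable of byte blocks.
    Feeding blocks incrementally means a multi-gigabyte image never has
    to be read into memory at once."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for block in chunks:
        crc = zlib.crc32(block, crc)
        md5.update(block)
        sha1.update(block)
    return {"crc32": f"{crc:08x}", "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def digests(path, chunk_size=1 << 20):
    """Hash a file on disk (original media or its bit-stream image) in 1 MiB chunks."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def verify_image(original, image):
    """The copy is an exact duplicate only if every digest matches."""
    return digests(original) == digests(image)


def demo():
    """The slide's exercise: hash a file, copy it, modify the copy, re-hash,
    compare. Returns the before/after results and the digests at each stage."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "note.txt")   # stands in for the Notepad file
    image = os.path.join(work, "note.img")      # stands in for the bit-stream copy
    # Constructed sample content, not real evidence.
    with open(original, "wb") as f:
        f.write(b"Evidence note created for the hashing exercise.\r\n")
    with open(original, "rb") as src, open(image, "wb") as dst:
        dst.write(src.read())                   # byte-for-byte copy
    before = verify_image(original, image)
    clean = digests(image)
    with open(image, "r+b") as f:               # change one byte: 'E' -> 'e'
        f.write(b"e")
    after = verify_image(original, image)
    return {"match_before": before, "match_after": after,
            "clean": clean, "modified": digests(image)}


if __name__ == "__main__":
    print(demo())
```

A single changed byte alters all three digests, which is why the verification compares the complete set rather than any one value.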

Create a File

DriveSpy

Computing Hash Value

Computing Hash Value (continued)

Obtaining a Digital Signature
4. Save the file by using the File menu.
5. Exit from the edit screen.

Chapter Summary
- Digital evidence is anything that is stored or transmitted on electronic or optical media. It is extremely fragile and easily altered.
- To work with digital evidence, start by identifying digital information or artifacts that can be used as evidence. Collect, preserve, document, analyze, identify, and organize the evidence.

Chapter Summary
- You must consistently handle all evidence the same way every time you handle it. Apply the same security and accountability controls for evidence in a civil lawsuit as for evidence obtained at a major crime scene to comply with your state's rules of evidence or with the Federal Rules of Evidence.

Chapter Summary
- After you determine that an incident scene has digital evidence to collect, you visit the scene. First you need to catalog it, or document the evidence you find. Your goal is to preserve evidence integrity, which means that you do not modify the evidence as you collect and catalog it. An incident scene should be photographed and sketched, and then each item labeled and put in an evidence bag, if possible.

Chapter Summary
- The media you use to store digital evidence usually depends on how long you need to keep the evidence. The ideal media on which to store digital data are CD-Rs or DVDs. You can also use magnetic tape to preserve evidence data, such as 4-mm DAT and DLT magnetic tapes.
- Digital evidence needs to be copied using bit-stream imaging to make sure that sector-by-sector mapping takes place.

Chapter Summary
- Digital signatures should be used to make sure that no changes have been made to the file or storage device. The current standards are CRC, MD5, and SHA-1.