Recovering and Examining Computer Forensic Evidence
Noblett, Pollitt, & Presley, Forensic Science Communications, October 2000 (cited by 13 according to Google Scholar)
Presentation by Bryan Pass

Significance
- "Forensic Science Communications is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists."
- An overview of computer forensic methods from the forensics authority, the FBI.
- Not really new; more of an overview of current methods and thinking.

Outline
- Significance
- Open Research Topics
- Computer Forensics for Traditional Crimes
- Computer Forensics for Computer Crimes
- Who are we dealing with?
- Data Recovery
- BackTracker
- S-TLA+

Open Research Topics
- Education – how to better educate forensics and computer students about computer security and forensic methods
- Honeypots / honeynets – setting up networks to attract hackers in order to study how they operate
- Automated log examination – filtering raw data to lower the amount of information that a human has to review
- Data recovery – recovering data from physically damaged media as well as recovering intentionally deleted information

Computer Forensics for Traditional Crimes
- Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
- Computer evidence is becoming more and more commonplace in investigations of traditional crimes.
- Focus on extracting text, spreadsheets, and other human-readable information.
- Computer forensics relies on extracting only useful information, unlike traditional forensics, which attempts to gather all information from a piece of evidence.
- 12 GB of printed text data would create a stack of paper 24 stories high.

Traditional Crimes (cont.)
- Constantly adapting to changing technology instead of static techniques
  - Fingerprinting, DNA analysis, etc.
- Set procedures and guidelines are difficult or impossible to follow because of the variation in equipment used
  - Operating system, file system, physical medium, and application
- Can make copies of the original evidence
  - Verification of copy
- Privacy / legality concerns
  - Attorney's data protected by confidentiality
  - or file servers with many users
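The "verification of copy" point above is normally done by hashing the original at acquisition time and re-hashing the copy. The following is an added example, not code from the slides or the paper: it records a whole-image SHA-256 plus per-block digests (an assumed 4096-byte block size and constructed sample content), so a mismatch can be localized to a block rather than only reported as a yes/no.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096  # assumed block size; real imaging tools use sector multiples


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """SHA-256 of each block_size-byte chunk, so a mismatch can be localized."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def acquisition_record(data: bytes, block_size: int = BLOCK_SIZE) -> Dict:
    """Hashes computed when the image is taken and stored alongside it.
    The whole-image digest is the value that goes into the custody notes."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "blocks": block_hashes(data, block_size),
    }


def verify_copy(record: Dict, copy: bytes,
                block_size: int = BLOCK_SIZE) -> Tuple[bool, List[int]]:
    """Re-hash the copy and compare with the acquisition record.
    Returns (match, indexes of blocks whose digest differs)."""
    if len(copy) != record["size"]:
        return False, []                      # truncated or padded copy
    if hashlib.sha256(copy).hexdigest() == record["sha256"]:
        return True, []
    bad = [i for i, (a, b) in enumerate(zip(record["blocks"],
                                            block_hashes(copy, block_size))) if a != b]
    return False, bad


# Constructed sample "media": three blocks of synthetic content, not a real image.
ORIGINAL = (b"MBR" + b"\x00" * 4093) + b"DIR " * 1024 + b"user data" * 300


def demo() -> Tuple[bool, List[int]]:
    """Verify a faithful copy, then a copy with one flipped bit in block 1."""
    record = acquisition_record(ORIGINAL)
    assert verify_copy(record, bytes(ORIGINAL)) == (True, [])
    damaged = bytearray(ORIGINAL)
    damaged[5000] ^= 0x01                     # transfer error or tampering in block 1
    return verify_copy(record, bytes(damaged))


if __name__ == "__main__":
    print(demo())  # (False, [1])
```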

A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence

Computer Forensics for Computer Crimes
- Focus on analyzing log data from computer systems
- Often one attack impacts multiple applications, physical systems, and even companies
  - Logs from applications on the target machine
  - Logs from other affected machines
  - Logs from routers, edge routers, firewalls, etc.

Computer Crimes (cont.)
- Different crimes could result in very different kinds of evidence
  - DDoS could produce router logs and packet captures
  - Defacement could produce application logs, router logs, and more traditional evidence (linguistics, etc.)
- Routinely create legal nightmares of crossed borders and innocent participants
  - Data recovery techniques
  - Encryption schemes and export laws

Who are we dealing with?
- Determining the sophistication of the suspects
  - Tamper alarms and traps
  - Must appear like a normal user to the device
- Cutting the power might not be a good idea
  - Information in volatile memory even the user didn't know was there

Data Recovery
- Physical damage
  - It might be harder than you think to destroy a medium beyond partial reconstruction
  - Clean rooms
    - Expensive and time consuming – is it worth it for the crime being investigated?
  - Using magnetometers to reconstruct disk images
- How to really erase something
  - Overwrite with 0, with random, with patterns, with complement

BackTracker
- Backtracking Intrusions
- Log access to other processes, files, sockets, etc.
- Construct a timeline of what happens after the initial intrusion
[Figure: filtered dependency graph for the bind attack]
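The core of BackTracker's approach is a time-respecting backward walk over logged process/file/socket events from a detection point. The code below is an added example, not the BackTracker tool or code from the slides: it runs that walk over a constructed event log (a daemon spawning a shell that ends up modifying a system binary, plus unrelated noise) and reports the candidate entry points. The LOW_SIGNAL filter set is an assumption standing in for the real tool's filtering rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    time: int     # logical timestamp from the system-call log
    source: str   # object whose state flows into the sink ("proc:", "file:", "sock:")
    sink: str
    kind: str


# Assumed filter: objects read so widely that an edge from them carries no causal signal.
LOW_SIGNAL = frozenset({"file:/etc/passwd"})

# Constructed sample log (not real data). Detection point: file:/usr/bin/ls modified at t=7.
EVENTS = [
    Event(0, "proc:init", "proc:named", "fork"),
    Event(1, "sock:udp/53", "proc:named", "recv"),
    Event(2, "proc:named", "proc:sh", "exec"),
    Event(3, "proc:named", "file:/var/log/named.log", "write"),   # unrelated branch
    Event(3, "proc:sh", "file:/tmp/x.tgz", "write"),
    Event(4, "file:/etc/passwd", "proc:sh", "read"),              # filtered as low signal
    Event(5, "proc:sh", "proc:tar", "exec"),
    Event(6, "file:/tmp/x.tgz", "proc:tar", "read"),
    Event(7, "proc:tar", "file:/usr/bin/ls", "write"),
    Event(8, "proc:cron", "file:/var/log/cron", "write"),         # unrelated noise
    Event(9, "file:/usr/bin/ls", "proc:bash", "read"),            # after detection: not a cause
]


def backtrack(events: List[Event], detection: str, at_time: int,
              ignore: frozenset = frozenset()) -> List[Event]:
    """Events that could have influenced `detection` by `at_time`.
    An event is kept only if its sink is already in the graph and it happened
    no later than the time by which that object is known to matter."""
    deadline: Dict[str, int] = {detection: at_time}
    frontier = [detection]
    kept: Set[Event] = set()
    while frontier:
        obj = frontier.pop()
        for ev in events:
            if ev.sink != obj or ev.time > deadline[obj] or ev.source in ignore:
                continue
            kept.add(ev)
            # Re-expand a source only if this event pushes its deadline later.
            if ev.source not in deadline or ev.time > deadline[ev.source]:
                deadline[ev.source] = ev.time
                frontier.append(ev.source)
    return sorted(kept, key=lambda e: e.time)


def entry_points(graph: List[Event]) -> Set[str]:
    """Sources nothing in the graph explains: where the intrusion came in."""
    sinks = {e.sink for e in graph}
    return {e.source for e in graph if e.source not in sinks}
```

Running `entry_points(backtrack(EVENTS, "file:/usr/bin/ls", 7, LOW_SIGNAL))` yields the daemon's parent and the network socket, while the cron branch, the later read by proc:bash and the filtered /etc/passwd edge stay out of the graph.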

S-TLA+
- A formal logic-based language for computer forensics investigations
- Describes evidence, helps construct and test hypotheses for hacking scenarios
- S-TLAC – automated formal verification tool
- Doesn't seem to really be useful at all

References
- "Recovering and Examining Computer Forensic Evidence." Noblett et al. Forensic Science Communications, October ( /computer.htm) (Cited by 13).
- "Backtracking Intrusions." King & Chen. ACM Transactions on Computer Systems, February (Cited by 29).
- "A Formal Logic-based Language and an Automated Verification Tool For Computer Forensic Investigation." Rekhis & Boudriga. ACM Symposium on Applied Computing.