What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is.

Slides:



Advertisements
Similar presentations
Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.
Advertisements

Security and Control Soetam Rizky. Why Systems Are Vulnerable ?
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Auditing Computer-Based Information Systems
Evidence Collection & Admissibility Computer Forensics BACS 371.
Auditing Computer Systems
We’ve got what it takes to take what you got! NETWORK FORENSICS.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.
Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
COMPUTER FORENSICS Aug. 11, 2000 for Cambridge, Massachusetts.
1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.
Forensic Analysis By Mrs. T. Hemalatha, Associate Professor Department of Computer Science & Engineering 7/2/20151.
Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.
Session 3 – Information Security Policies
Computer Forensics Mr.PRAWEE PROMPONMUANG M.Sc(Forensic Science) NO
Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date:
Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.
National Smartcard Project Work Package 8 – Security Issues Report.
Guide to Computer Forensics and Investigations, Second Edition
The Social Context of Computing Foundation Computing Never underestimate the power of human stupidity.
Proving Your Case - Computer Security Terrence P. Maher Abrahams Kaslow & Cassman
Chapter 17: Computer Audits ACCT620 Internal Accounting Otto Chang Professor of Accounting.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Information Systems Security Computer System Life Cycle Security.
Computer Forensics Iram Qureshi, Prajakta Lokhande.
Digital Forensics
Investigating Cybercrime DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
 An orderly analysis, investigation, inquiry, test, inspection, or examination along a “paper trail” in the search for fraud, embezzlement, or hidden.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
8.1 © 2007 by Prentice Hall Minggu ke 6 Chapter 8 Securing Information Systems Chapter 8 Securing Information Systems.
Information Systems Security Operational Control for Information Security.
Computer Forensics Principles and Practices
Fraud Examination Evidence III: Forensic Science and Computer Forensics McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
© Sapphire 2006 Computer Misuse in the Workplace You only get one chance..... David Horn You only get one chance...
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
Deloitte Forensic Forensic Technology Conference of Regulatory Officers - CORO November 2012.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
每时每刻 可信安全 1 Since disks and other magnetic media are only copies of the actual or original evidence, what type of evidence are they are often considered.
Forensic Procedures 1. Assess the situation and understand what type of incident or crime is to be investigated. 2. Obtain senior management approval to.
Risk Management & Corporate Governance 1. What is Risk?  Risk arises from uncertainty; but all uncertainties do not carry risk.  Possibility of an unfavorable.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
 It is a branch of FORENSIC SCIENCE for legal evidence found in computer  It refers to detail investigation of the computers to carry out required tasks.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
By: Megan Guild and Lauren Moore. Concept Map Mountain Stream Co. OS Active wear Computer Security Their Questions Details Examples Computer Forensics.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.
Hall, Accounting Information Systems, 8e ©2013 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly.
ONLINE COURSES - SIFS FORENSIC SCIENCE PROGRAMME - 2 Our online course instructors are working professionals handling real-life cases related to various.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.
Welcome to the ICT Department Unit 3_5 Security Policies.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
INFORMATION SYSTEMS SECURITY AND CONTROL.
Computer Forensics 1 1.
APPLICATION RISK AND CONTROLS
Managing the IT Function
Introduction to Computer Forensics
1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Introduction to Digital Forensics
Presentation transcript:

What is Computer Forensics? (Some definitions) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. ” (McKemmish, 1999) “ The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. ” (McKemmish, 1999) “ Gathering and analyzing data in a manner as freedom distortion or bias as possible to reconstruct data or what has happened in the past on a system. ” (Farmer & Vennema,1999) “ Gathering and analyzing data in a manner as freedom distortion or bias as possible to reconstruct data or what has happened in the past on a system. ” (Farmer & Vennema,1999) Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court ( ) Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court ( )

What will Computer Forensics do? Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law. Computer forensics, innovators of image copying technology, defined the principles of the science of computer forensics and formalized an approved and accepted methodology to COLLECT, ANALYSE and PRESENT suspect data to a Court of Law. Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. Computer forensics evidence is frequently sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation. Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.

Some areas of Computer Forensics Image Capture - The Imaging process is fundamental to any computer investigation. Image Capture - The Imaging process is fundamental to any computer investigation. Image Processing - The processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image. Image Processing - The processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image. Investigation - Once the processing has taken place full searches of all areas of the disk takes only seconds. Investigation - Once the processing has taken place full searches of all areas of the disk takes only seconds.

Case study of Computer Forensics (what is computer forensics look like?) Hacker Hacker Human resources Human resources Money on disk Money on disk Hidden bits Hidden bits Disk swap Disk swap Tapes rarely lie... Tapes rarely lie... Narcotics Narcotics Fraud Fraud Theft Theft Corporate or University internal investigation Corporate or University internal investigation FBI or (unlikely) Sheriff investigation FBI or (unlikely) Sheriff investigation Computer Security Research Computer Security Research Post Mortem or Damage Assessment Post Mortem or Damage Assessment Child Pornography Child Pornography Espionage & Treason Espionage & Treason Corporate or University Policy Violation Corporate or University Policy Violation …

The broad tests for evidence ( from Sherlock Holmes to current forensic scientist ) authenticity - does the material come from where it purports? authenticity - does the material come from where it purports? reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material are there reasons for doubting the correct working of the computer? reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material are there reasons for doubting the correct working of the computer? completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing? completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing? conformity with common law and legislative rules - acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling conformity with common law and legislative rules - acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling

Elements of Computer Forensics well-defined procedures to address the various tasks well-defined procedures to address the various tasks an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation the possibility for repeat tests to be carried out, if necessary by experts hired by the other side the possibility for repeat tests to be carried out, if necessary by experts hired by the other side check-lists to support each methodology check-lists to support each methodology an anticipation of any problems in formal legal tests of admissibility an anticipation of any problems in formal legal tests of admissibility the acceptance that any methods now described would almost certainly be subject to later modification the acceptance that any methods now described would almost certainly be subject to later modification

Four steps of forensic process Acquisition Acquisition Identification – Technical Analysis Identification – Technical Analysis Evaluation – What the Lawyers Do Evaluation – What the Lawyers Do Presentation Presentation

Divergences from conventional forensic investigation the main reason is the rate of change of computer technology the main reason is the rate of change of computer technology a key feature of computer forensics is the examination of data media a key feature of computer forensics is the examination of data media computer architectures have show profound change in the same short period computer architectures have show profound change in the same short period computer peripherals keep on changing as well computer peripherals keep on changing as well wide area telecoms methods are being used more and more. wide area telecoms methods are being used more and more. the growth of the growth of the growth of client / server applications, the software outcome of the more complex hardware architectures. the growth of client / server applications, the software outcome of the more complex hardware architectures. the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc. the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc. computer graphics computer graphics the greater use of computer-controlled procedures the greater use of computer-controlled procedures the methods of writing and developing software have changed also the methods of writing and developing software have changed also

Computer Forensics Situations documents - to prove authenticity; alternatively to demonstrate a forgery. documents - to prove authenticity; alternatively to demonstrate a forgery. reports, computer generated from human input. reports, computer generated from human input. real evidence - machine readable measurements, etc. real evidence - machine readable measurements, etc. reports, generated from machine readable measurements, etc. reports, generated from machine readable measurements, etc. electronic transactions - to prove that a transaction took place - or to demonstrate that a presumption that it had taken place was incorrect. electronic transactions - to prove that a transaction took place - or to demonstrate that a presumption that it had taken place was incorrect. conclusions reached by "search “ - programs which have searched documents, reports, etc. conclusions reached by "search “ - programs which have searched documents, reports, etc. event reconstruction- to show a sequence of events or transactions passing through a complex computer system. event reconstruction- to show a sequence of events or transactions passing through a complex computer system. liability in situations where CAD designs have relied on auto- completion or filling in by a program conclusions of computer "experts" - the results of expert systems. liability in situations where CAD designs have relied on auto- completion or filling in by a program conclusions of computer "experts" - the results of expert systems.

Some litigations Civil Matters Civil Matters Breach of Contract Breach of Contract Asset recovery Asset recovery Tort, including negligence Tort, including negligence Breach of Confidence Breach of Confidence Defamation Defamation Breach of securities industry legislation and regulation and /or Companies Acts Breach of securities industry legislation and regulation and /or Companies Acts Employee disputes Employee disputes Copyright and other intellectual property disputes Copyright and other intellectual property disputes Consumer Protection law obligations (and other examples of no-fault liability) Consumer Protection law obligations (and other examples of no-fault liability) Data Protection law legislation Data Protection law legislation

Criminal Matters Theft Acts, including deception Theft Acts, including deception Criminal Damage Criminal Damage Demanding money with menaces Demanding money with menaces Companies Law, Securities Industry and banking offences Companies Law, Securities Industry and banking offences Criminal offences concerned with copyright and intellectual property Criminal offences concerned with copyright and intellectual property Drug offences Drug offences Trading standards offences Trading standards offences Official Secrets Official Secrets Computer Misuse Act offences Computer Misuse Act offences

Computer Forensics Methods (1) safe seizure of computer systems and files, to avoid contamination and/or interference safe seizure of computer systems and files, to avoid contamination and/or interference safe collection of data and software safe collection of data and software safe and non-contaminating copying of disks and other data media safe and non-contaminating copying of disks and other data media reviewing and reporting on data media reviewing and reporting on data media sourcing and reviewing of back-up and archived files sourcing and reviewing of back-up and archived files recovery / reconstruction of deleted files - logical methods recovery / reconstruction of deleted files - logical methods recovery of material from "swap" and "cache" files recovery of material from "swap" and "cache" files recovery of deleted / damaged files - physical methods recovery of deleted / damaged files - physical methods

Computer Forensics Methods (2) core-dump: collecting an image of the contents of the active memory of a computer at a particular time core-dump: collecting an image of the contents of the active memory of a computer at a particular time estimating if files have been used to generate forged output estimating if files have been used to generate forged output reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc. reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc. proving / testing of reports produced by complex client / server applications proving / testing of reports produced by complex client / server applications reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc. reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc. review of system / program documentation for: design methods, testing, audit, revisions, operations management. review of system / program documentation for: design methods, testing, audit, revisions, operations management.

Computer Forensics Methods(3) reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc. reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc. identification and examination of audit trails identification and examination of audit trails identification and review of monitoring logs identification and review of monitoring logs telecoms call path tracing (PTTs and telecoms utilities companies only) telecoms call path tracing (PTTs and telecoms utilities companies only) reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services) reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services) reviewing and assessment of access control services - quality of security management reviewing and assessment of access control services - quality of security management reviewing and assessment of encryption methods - resilience and implementation reviewing and assessment of encryption methods - resilience and implementation

Computer Forensics Methods (4) setting up of pro-active monitoring in order to detect unauthorised or suspect activity setting up of pro-active monitoring in order to detect unauthorised or suspect activity monitoring of monitoring of use of special "alarm" or "trace" programs use of special "alarm" or "trace" programs use of "honey pots" use of "honey pots" inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc. reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc. use of routine search programs to examine the contents of a file use of routine search programs to examine the contents of a file use of purpose-written search programs to examine the contents of a file use of purpose-written search programs to examine the contents of a file

Computer Forensics Methods (5) reconciliation of multi-source files reconciliation of multi-source files examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties event reconstruction event reconstruction complex computer intrusion complex computer intrusion complex fraud complex fraud system failure system failure disaster affecting computer driven machinery or process disaster affecting computer driven machinery or process review of "expert" or rule-based systems review of "expert" or rule-based systems reverse compilation of suspect code reverse compilation of suspect code use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.