Digital Forensics Survey of Information Assurance.

Agenda
What is Digital Forensics?
Procedure: Identification, Acquisition, Analysis, Presentation
Analysis Techniques
Techniques Examples
Real Action: 0x80
Present and Future

Forensics
Forensic science is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action. Ref:

Digital Forensics
“Computer forensics... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in.” - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006. Ref:

Procedures
1. Identification
2. Acquisition
3. Analysis
4. Presentation

Procedures
The basic procedure to follow for examination of digital data is as follows:
Identification – Answers “WHAT” information is sought and where to obtain it.
Acquisition – Obtain forensic copies of all digital data required, including snapshots and live datasets.
Analysis – Aggregation, correlation, filtering, transformation and meta-data generation to obtain digital evidence.
Presentation – Creating a final report to present the digital evidence.

Procedure Flow
Identification → Acquisition → Analysis → Presentation

Procedure Step #1: Identification
Evidence will often be based on the scenario. Places to look:
For intrusions: logs, rootkits, hidden files
For illegal graphic images: image files, web history
Intelligence: documents

Procedure Step #2: Acquisition
Preserve evidence: prevent the computer state from changing.
Copy the hard disk bit-wise.
Copy memory before powering off.
Save the state of all network connections.
Disconnect from the network if connected.
Copying the hard disk:
Boot the hard disk from trusted media, e.g. a DOS floppy or a Linux Live CD.
Or remove the hard disk and place it in a trusted system.

Procedure Step #3: Analysis
Heavily dependent on the skills of the analyst and the nature of the evidence sought.
Aggregation, correlation, filtering, transformation and meta-data generation.
Pre-analysis (~ acquisition)
Aggregation + transformation: data recovery and unification.
Meta-data generation: categorization, indexing, hashing…
Data-to-evidence mapping, isolation and contextualization.
Difference between data and evidence.

Procedure Step #4: Presentation
Prepare a report of noteworthy evidence.
Relate evidence to the crime, i.e. explain the role of the evidence in the given case.

Analysis Techniques
1. Text Analysis
2. Image Analysis
3. Video Analysis
4. Executable Analysis
5. File Clustering
6. Password Cracking
7. Data Searching

Analysis: General Types
Text analysis: Unicode normalization, language identification, named entity extraction, transliteration
Image analysis: steganography detection, computer-generated vs. real image
Video analysis
Executable analysis

Analysis: General Types (2)
File clustering / classification
Password cracking
Data searching: keyword search; file attributes (name, date of creation/access, type etc.); specific files

Examples
Unicode Normalization
“In many cases, Unicode allows multiple representations of what is, linguistically, the same string. For example: Capital A with dieresis (umlaut) can be represented either as a single Unicode code point "Ä" (U+00C4) or the combination of Capital A and the combining Dieresis character ("A" + "¨", that is, U+0041 U+0308).” Ref:
Transliteration Ref:
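The practical consequence for an examiner is that a keyword search run over raw code points misses evidence that is linguistically identical. The example below is added here and is not part of the original slides: it runs a keyword search over a few constructed lines of evidence text, once on raw code points and once after NFKC normalization and case folding, and shows how to record the code points of a hit in a report.

```python
import unicodedata

# Constructed evidence lines: the same word "Ärzte" spelled three different ways.
EVIDENCE = [
    "Meeting with \u00C4rzte at 14:00",                # precomposed U+00C4
    "Meeting with A\u0308rzte at 14:00",               # U+0041 + combining diaeresis U+0308
    "Meeting with \uFB01nal A\u0308rzte report",       # 'fi' ligature U+FB01 plus decomposed umlaut
    "unrelated line",
]

def canonical(text, form="NFKC"):
    """Reduce text to one canonical form and case-fold it, so comparisons are about
    linguistic content rather than the code-point sequence the author happened to type.
    NFKC also folds compatibility characters such as ligatures into their base letters."""
    return unicodedata.normalize(form, text).casefold()

def keyword_hits(lines, keyword, normalize=True):
    """Return the indices of lines containing the keyword, with or without normalization."""
    if normalize:
        needle = canonical(keyword)
        return [i for i, line in enumerate(lines) if needle in canonical(line)]
    return [i for i, line in enumerate(lines) if keyword in line]

def describe(text):
    """Spell out the code points behind a string, as an examiner would record a hit in a report."""
    return " ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in text)
```

Searching for the precomposed form without normalization finds only the first line; with normalization all three spellings match, and the ligature line is also found by the plain keyword "final".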

Examples (2)
Steganography Ref:

Real Action: An Example
The case of metadata in an image

Real Action: 0x80
The Hacker: “0x80”
Time: Early 2006
Event: “0x80” chooses to be interviewed in the Washington Post about his alleged violation of federal law.
Claim: Having broken into personal computers, these hacked computers or “bots” begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites.
Ref: dyn/content/article/2006/02/14/AR html

Real Action: 0x80 (2)
Mistake: Allowed The Washington Post to publish several photographs, including a doctored image of himself, face partially visible.
How he got tracked: The images in said article had metadata indicating his location, “Roland, Oklahoma”.
Details: “Then it was noticed that retouched pictures showing the obfuscated hacker included meta tags -- information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo.” Ref:
Eventually “0x80” was arrested by the FBI.
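The “meta tags” in the article are EXIF fields, plain ASCII strings stored in a TIFF-structured block inside the JPEG. The example below is added here and is not from the slides: it builds a constructed sample photo with camera model, timestamp and artist fields, then parses them back out with a minimal EXIF reader that honours both byte orders and refuses to follow an offset that points outside the file. The camera name and artist are invented test values.

```python
import struct
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",   # TIFF/EXIF plain-text tags
              0x013B: "Artist", 0x8298: "Copyright"}

def build_tiff(fields):
    """Constructed test data: minimal little-endian TIFF, one IFD, every value stored after it."""
    entries = sorted(fields.items())
    data_off = 8 + 2 + 12 * len(entries) + 4        # header + count + entries + next-IFD pointer
    ifd, data = b"", b""
    for tag, text in entries:
        val = text.encode("ascii") + b"\x00"        # ASCII values are NUL-terminated
        ifd += struct.pack("<HHII", tag, 2, len(val), data_off + len(data))
        data += val
    return b"II*\x00" + struct.pack("<IH", 8, len(entries)) + ifd + struct.pack("<I", 0) + data

def exif_from_jpeg(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1 'Exif' segment."""
    pos = 2                                          # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    return None

def read_ascii_tags(tiff):
    """Parse IFD0 and return {tag name: text} for ASCII (type 2) entries, honouring byte order."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    out = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[off:off + 8])
        if typ != 2: continue                        # this demo reads only ASCII entries
        if n <= 4:                                   # values of 4 bytes or fewer sit in the entry
            raw = tiff[off + 8:off + 8 + n]
        else:
            ptr = struct.unpack(e + "I", tiff[off + 8:off + 12])[0]
            if ptr + n > len(tiff):                  # malformed offset: never read past the end
                raise ValueError("IFD entry points outside the file")
            raw = tiff[ptr:ptr + n]
        out[ASCII_TAGS.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out
# Constructed sample photo: SOI, one APP1 Exif segment wrapping the TIFF above, then EOI.
SAMPLE_TIFF = build_tiff({0x010F: "Acme", 0x0110: "Acme Cam 9000",
                          0x0132: "2006:02:10 13:37:00", 0x013B: "J. Doe (constructed)"})
SAMPLE_JPEG = (b"\xFF\xD8\xFF\xE1" + struct.pack(">H", 2 + 6 + len(SAMPLE_TIFF))
               + b"Exif\x00\x00" + SAMPLE_TIFF + b"\xFF\xD9")
```

`read_ascii_tags(exif_from_jpeg(SAMPLE_JPEG))` returns the camera, timestamp and photographer fields; the defensive lesson is the same as in the 0x80 case, strip these fields before publishing an image.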

Present and Future

Present and Future - Digital Forensics
Now:
Unorganized science.
Treated with skepticism as evidence in cases other than cyber-crimes.
Struggling to keep up with the staggering amount of data.
Lack of clarity on policy and policing.
Always a step behind.
Later…:
Likely to be formalized.
May gain acceptance as evidence for crimes other than cyber-crimes.
Newer and innovative approaches needed.
Policy could be created in the future.
Likely to remain so…

References
center/forensics/crash-course-in-digital-forensics.pdf
anography.shtml