© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. System Forensics, Investigation, and Response.

Slides:



Advertisements
Similar presentations
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Advertisements

Computer Forensics.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
COEN 252 Computer Forensics
Evidence Collection & Admissibility Computer Forensics BACS 371.
Guide to Computer Forensics and Investigations, Second Edition
BACS 371 Computer Forensics
Computer Forensics Principles and Practices
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 5: Data, PDA, and Cell Phone Forensics.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 5: Data, PDA, and Cell Phone Forensics.
PMI Inventory Tracker™
Computer Forensics BACS 371
Data Acquisition Chao-Hsien Chu, Ph.D.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Capturing Computer Evidence Extracting Information.
Guide to Computer Forensics and Investigations, Second Edition
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Dr. Bhavani Thuraisingham The University of Texas at Dallas
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
 Known by many names  forensic analysis  electronic discovery  electronic evidence discovery  digital discovery  data recovery  data discovery.
Guide to Computer Forensics and Investigations, Second Edition
Phases of Computer Forensics 1 Computer Forensics BACS Management Information Systems for the Information Age 5e, Haag, Cummings, McCubbrey, 2005,
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.
Computer Forensics Iram Qureshi, Prajakta Lokhande.
Chapter 8 Implementing Disaster Recovery and High Availability Hands-On Virtual Computing.
Digital Crime Scene Investigative Process
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 7, 2015 DRAFT1.
Computer Forensics Principles and Practices
Your Interactive Guide to the Digital World Discovering Computers 2012.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
CLOUD COMPUTING Overview on cloud computing. Cloud vendors. Cloud computing is a type of internet based computing where we use a network of remote servers.
Guide to Computer Forensics and Investigations Fourth Edition
© Sapphire 2006 Computer Misuse in the Workplace You only get one chance..... David Horn You only get one chance...
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
Evidence Handling If the evidence is there the case is yours to lose.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
Thomas Schwarz, S.J. SCU Comp. Eng COEN 252 Collection of Evidence.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Computer Forensics Presented By:  Anam Sattar  Anum Ijaz  Tayyaba Shaffqat  Daniyal Qadeer Butt  Usman Rashid.
IT1001 – Personal Computer Hardware & system Operations Week7- Introduction to backup & restore tools Introduction to user account with access rights.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Search.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
CIT 180 Security Fundamentals Computer Forensics.
Computer Forensics By Chris Brown. Computer Forensics Defined Applying computer science to aid in the legal process Utilization of predefined set of procedures.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.
Intrusion Detection MIS ALTER 0A234 Lecture 12.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
PhD Oral Exam Presentation
Dr. Bhavani Thuraisingham The University of Texas at Dallas
Dr. Bhavani Thuraisingham The University of Texas at Dallas
Computer Forensics 1 1.
Guide to Computer Forensics and Investigations Fifth Edition
Dr. Bhavani Thuraisingham The University of Texas at Dallas
Exam Information CSI5107 Network Security.
Ad Hoc Phase Structured Phase Enterprise Phase
CIS101B Week 4 Class 1 Chapter 12 Security 12.1 through 12.6
Presentation transcript:

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. System Forensics, Investigation, and Response Chapter 7 Collecting, Seizing, and Protecting Evidence

Page 2 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Learning Objective and Key Concepts Learning Objective  Examine the evidence life cycle. Key Concepts  Differences between data and evidence  Types of evidence  Chain of custody requirements  Collection, transportation, and storage of evidence

Page 3 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: CONCEPTS

Page 4 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. 5 Rules of Evidence Admissibility Evidence must be admissible in court. Authenticity Evidence must relate to the incident. Completeness Evidence must be comprehensive. Reliability Evidence collected must be uncontaminated and consistent. Believability Evidence presented should be clearly understandable and believable by the jury.

Page 5 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: PROCESS

Page 6 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Life Cycle Collect or seize evidence Transport evidence Protect or store evidence Analyze evidence

Page 7 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Collection  Freeze the scene.  Comply with the five rules of evidence.  Minimize handling and corruption of original data.  Proceed from volatile to persistent evidence.  Don’t run any programs on the affected system.

Page 8 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Collection (Continued)  Account for any changes and keep detailed logs of actions.  Do not exceed current knowledge.  Follow local security policy.  Be prepared to testify.  Ensure that actions are repeatable.

Page 9 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Transport  Shut down computer  Document hardware configuration  Document all evidence handling  Pack evidence securely

Page 10 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Transport (Continued)  Photograph or videotape the scene from premises to transport vehicle.  Photograph or videotape the scene from vehicle to lab.  Transport computer to a secure location.

Page 11 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Protection and Storage  Keep evidence in possession or control at all times.  Document movement of evidence between investigators.  Secure evidence appropriately so that it can’t be tampered with or corrupted.  Mathematically authenticate data. (i.e., hash values)

Page 12 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Analysis  Make a list of key search words.  Work on image copies, never originals.  Capture an image of the system that is as accurate as possible, such as bit-stream backup.  Evaluate Windows swap file, file slack, and unallocated space.

Page 13 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Evidence Analysis (Continued)  Identify file, program, storage anomalies  Evaluate program functionality  Document findings Create a case  Retain copies of software used

Page 14 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: CONTEXTS

Page 15 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Sources for Data of Potential Evidentiary Value Access logsData transmissionsData on hard disks and storage devicesData on mobile devices

Page 16 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Locating Data in Access Logs  Manually review logs, or  Use a log analysis tool

Page 17 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Locating Data in Transmissions  For backed up data: Mirror to removable media with validation by system administrator  For live data: Uses packet sniffer or packet capture tool

Page 18 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Locating Data on Hard Disks and Storage Devices  Mirror to stable media  Use recovery software  Use data reconstruction software

Page 19 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Technical Issues  Life span of data  Collecting data quickly  Collecting bit-level data  Obscured data  Anti-forensics

Page 20 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Types of Potential Evidence  Logs  Windows swap files and file slack  Unallocated space and temporary files  s, word processing documents, and spreadsheets  Network data packets

Page 21 System Forensics, Investigation, and Response © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Summary  Differences between data and evidence, and valid and invalid data  The rules of evidence  Chain of custody requirements in evidence handling  Methods for collection or seizure, transport, protection and storage, and analysis of evidence

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.