Computer Forensics (Lab 2 Related). INFSCI 2935: Introduction to Computer Security, Nov 1, 2005. Slides courtesy of Professors Chris Clifton & Matt Bishop.


What is Computer Forensics?

Forensics:
- The use of science and technology to investigate and establish facts in criminal or civil courts of law.

Computer Forensics:
- Commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence.
- Gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a computer system.

What is Computer Forensics? (cont.)

Understand what happened:
- Proper acquisition and preservation of computer evidence.
- Authentication of collected data for court presentation.
- Recovery of all available data, including deleted files.
- Prevention of future incidents.

Often similar problems to audit, but the audit trail may be inadequate:
- Audit information incomplete/insufficient.
- Audit trail damaged.
- We don't own the computer.

What is the Challenge?

- Audit information incomplete/erased: must reconstruct deleted information.
- "Acceptable" state of the system unknown: need to identify the violation in spite of this.
- Goal not obvious: transformations may have been applied to the data.
- Strong burden of proof: it is not enough to know what happened; we must be able to prove it.

FBI List of Computer Forensic Services

- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

The Coroner's Toolkit (TCT) Overview

A collection of tools to assist in a forensic examination of a computer (primarily designed for Unix systems):
- mactime: reports on the modification, access and inode-change (MAC) times of files as a single chronological timeline
- ils: lists inode information (usually of removed files)
- icat: copies files by inode number
- unrm: copies unallocated data blocks
- lazarus: creates structure from unstructured data (e.g. the output of unrm)
- file: determines file type
- pcat: copies process memory
- grave-robber: captures forensic data (drives the other tools and collects volatile and file-system data)
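The idea behind mactime is easy to reproduce: every file contributes up to three timestamps, and sorting them all into one list shows the order in which things happened on the machine. The following is an added example written for this page; it is not TCT's own code and the file records in it are constructed sample data, not from a real system.

```python
"""Build a mactime-style timeline from file metadata.

Added example (not part of the original slides or of TCT itself): it
reproduces the idea behind TCT's mactime, which sorts every file's
modification (m), access (a) and inode-change (c) timestamps into one
chronological list so an examiner can see what happened in what order.
The file records below are constructed sample data, not from a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    mtime: int  # last content modification (Unix epoch seconds)
    atime: int  # last access
    ctime: int  # last inode change (permissions, owner, link count)


def build_timeline(records: Iterable[FileRecord]) -> List[Tuple[int, str, str]]:
    """Return [(timestamp, 'mac' flags, path)] sorted by time.

    Each file contributes one row per distinct timestamp; when several of its
    timestamps coincide they collapse into one row with several flags set,
    e.g. 'm.c' for a file whose content and inode changed in the same second.
    A '.' marks a timestamp that does not apply to that row.
    """
    rows = {}
    for rec in records:
        for ts, flag in ((rec.mtime, "m"), (rec.atime, "a"), (rec.ctime, "c")):
            rows.setdefault((ts, rec.path), set()).add(flag)
    timeline = []
    for (ts, path), flags in rows.items():
        mac = "".join(f if f in flags else "." for f in "mac")
        timeline.append((ts, mac, path))
    # Sort by time, then path, so two files touched in the same second are stable.
    return sorted(timeline, key=lambda r: (r[0], r[2]))


def render(timeline, tz=timezone.utc) -> str:
    """Format the timeline like mactime's text output."""
    lines = []
    for ts, mac, path in timeline:
        when = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {mac} {path}")
    return "\n".join(lines)


# Constructed sample: an attacker logs in, replaces /bin/ls with a trojan, then
# reads /etc/shadow. Epoch values are chosen to be a few seconds apart.
T0 = 1_130_864_400  # 2005-11-01 17:00:00 UTC
SAMPLE = [
    FileRecord("/var/log/wtmp", 98_304, mtime=T0 + 5, atime=T0 + 60, ctime=T0 + 5),
    FileRecord("/bin/ls", 85_512, mtime=T0 + 12, atime=T0 + 12, ctime=T0 + 12),
    FileRecord("/etc/shadow", 1_117, mtime=T0 - 86_400, atime=T0 + 30, ctime=T0 - 86_400),
]

if __name__ == "__main__":
    print(render(build_timeline(SAMPLE)))
```

Reading the output top to bottom, the login record, the replaced binary (all three times identical, a classic sign of a freshly written file) and the later read of the password file fall into sequence without the examiner having to inspect each file by hand.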

Law Enforcement Challenges

- Many findings will not be evaluated to be worthy of presentation as evidence.
- Many findings will need to withstand rigorous examination by another expert witness.
- The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.

Broader Picture: What to Do

- Do not start looking through files.
- Start a journal with the date and time; keep detailed notes.
- Unplug the system from the network if possible.
- Do not back the system up with dump or other backup utilities (a logical backup copies only allocated files, alters access times, and misses deleted data, slack and unallocated space).
- If possible without rebooting, make byte-by-byte copies of the physical disk.
- Capture network information.
- Capture process listings and open files.
- Capture configuration information to disk and notes.
- Collate mail, DNS and other network service logs to support host data.
- Capture exhaustive external TCP and UDP port scans of the host.
- Contact the security department or CERT / management / police or FBI.
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved or documented.
- Short-term storage.
- Packaging/labeling.
- Shipping.
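The two steps that most often decide whether evidence survives cross-examination are the byte-by-byte copy and the authentication of that copy. The following added example (written for this page, not from the original slides) shows the minimum: read the source in fixed-size blocks, write it verbatim, hash it while reading, then hash the finished image independently and compare. The "device" here is a temporary file of constructed data so the code runs without a real disk; in practice the source would be a read-only block device and the image would go to sterile media.

```python
"""Byte-for-byte imaging of a block device with hash verification.

Added example (not from the original slides). It mirrors the "make byte by
byte copies of the physical disk" and "authentication of collected data"
steps: the source is read in fixed-size blocks, copied verbatim, and hashed
while it is read, then the copy is hashed independently so the two digests
can be compared and recorded in the case journal. Here the "device" is a
temporary file filled with constructed sample data, because the example must
run without a real disk; in practice source_path would be something like a
read-only /dev/sdX and the output would go to sterile, write-blocked media.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # one sector; real tools use larger blocks for speed


def image_device(source_path: str, image_path: str, block_size: int = BLOCK_SIZE) -> str:
    """Copy source to image block by block and return the SHA-256 of what was read."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Independently hash a file; used to verify the image after it is written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_and_verify(source_path: str, image_path: str) -> dict:
    """Image the source, re-hash the copy, and report whether the two agree."""
    source_hash = image_device(source_path, image_path)
    image_hash = hash_file(image_path)
    same_size = os.path.getsize(image_path) == os.path.getsize(source_path)
    return {
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "bytes": os.path.getsize(image_path),
        "verified": source_hash == image_hash and same_size,
    }


def make_sample_device(nbytes: int = 5 * BLOCK_SIZE + 77) -> str:
    """Write a constructed 'device' whose size is deliberately not a sector multiple."""
    fd, path = tempfile.mkstemp(suffix=".dev")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(i % 251 for i in range(nbytes)))
    return path


def demo() -> dict:
    """Run the acquisition against the constructed device and clean up."""
    src = make_sample_device()
    img = src + ".img"
    try:
        return acquire_and_verify(src, img)
    finally:
        for p in (src, img):
            if os.path.exists(p):
                os.remove(p)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hashes belong in the journal next to the date, time, device serial number and examiner's name; anyone re-hashing the image later can then show it is the same sequence of bytes that was read from the original.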

Well-known Ports

- A port is a number used to identify a network service on an IP network (the Internet).
  - The destination port in the TCP or UDP header directs each segment to the appropriate application on the receiving host.
  - For the complete list of well-known and registered ports, consult the IANA port-number registry.
- The Internet Assigned Numbers Authority (IANA) assigns the well-known ports (0 to 1023) and registers ports 1024 to 49151.
- Port numbers from 49152 to 65535 are dynamic/private ports and are not registered.
- Some well-known ports: HTTP (80), HTTPS (443), FTP (20, 21), FTPS (989, 990), Telnet (23), SSH (22), DNS (53), Kerberos (88), SMTP (25), POP3 (110), IMAP (143).

Port Redirection

- Firewalls and packet filters restrict which ports may be reached, so that only a few expected services (for example 80 or 443) are exposed and attacks on the other well-known ports are blocked.
- Port redirection is used to overcome such restrictions: a relay listening on an allowed port accepts connections and forwards them to a service on a blocked port, possibly on another host behind the filter.
- For the examiner this means the port number in a log or capture is not proof of which service was actually reached; compare the observed traffic with the process that was bound to that port.
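A port redirector is only a few dozen lines, which is exactly why port-based filtering on its own is weak. The block below is an added example written for this page (not from the original slides): a TCP relay that accepts on one port and splices each connection to another host:port. The demo keeps everything on 127.0.0.1 with ephemeral ports and a constructed echo service standing in for the "blocked" service, so it runs offline; the addresses are illustrative.

```python
"""Minimal TCP port redirector.

Added example (not from the original slides): a relay that listens on one
port and forwards every connection to another host:port, which is the
mechanism used to bypass a filter that only allows traffic to "safe" ports.
Anyone who can run a process on a host reachable on an allowed port (say 80)
can forward that port to a blocked service (say telnet on 23) on a machine
behind the filter. The demo below keeps everything on 127.0.0.1 with
ephemeral ports and a constructed echo service so it runs offline.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(listen_host: str, listen_port: int, target: tuple) -> tuple:
    """Listen on listen_host:listen_port and splice each client to target.

    Returns (bound_port, listening_socket). Port 0 asks the OS for a free port.
    """
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((listen_host, listen_port))
    ls.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:  # listening socket was shut down
                return
            upstream = socket.create_connection(target)
            # One thread per direction so data can flow both ways at once.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1], ls


def start_echo_service(host: str = "127.0.0.1") -> tuple:
    """Constructed stand-in for the 'blocked' service: replies with its input uppercased."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], ls


def _stop(sock: socket.socket) -> None:
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def through_redirector(message: bytes) -> bytes:
    """Send message to the service via the redirector and return the reply."""
    svc_port, svc_sock = start_echo_service()
    relay_port, relay_sock = start_redirector("127.0.0.1", 0, ("127.0.0.1", svc_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)  # tell the relay we are done sending
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        _stop(relay_sock)
        _stop(svc_sock)


if __name__ == "__main__":
    print(through_redirector(b"hello via the allowed port"))
```

From the filter's point of view the client only ever talked to the relay's port; the connection to the real service originates from the relay host, which is why host-side evidence (process listings, open sockets, the relay binary itself) has to be captured alongside network logs.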

Steganography

- The art of hiding information in the midst of irrelevant data.
- This is NOT cryptography: cryptography makes a message unreadable but leaves its existence obvious; steganography conceals that a message exists at all (the two are often combined).
- Useful to hide the existence of secret communication.

Example of Steganography (Text, page 48)

Dear George,

Greetings to all at Oxford. Many thanks for your letter and for the summer examination package. All entry forms and fees forms should be ready for final dispatch to the syndicate by Friday 20th or at the latest I am told by the 21st. Admin has improved here though there is room for improvement still; just give us all two or three more years and we will really show you! Please don't let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.

Sincerely yours,

Hidden message (selected words of the letter, read in order): your package ready Friday 21st. room three Please destroy this immediately

Steganography with Bitmapped Images

- Steganography is the mechanism for hiding a relatively small amount of data inside other data files that are significantly larger.
- A bitmap (raster) image represents a digital image as a matrix of picture elements (pixels).
  - Examples: BMP, GIF, TIFF and JPEG formats.
  - The color of each pixel is defined individually; images in the RGB color space, for instance, consist of pixels described by three bytes, one each for red, green and blue.
  - Flipping the least significant bit of such a byte changes that channel by 1/255, which is invisible to the eye, so each pixel can carry three hidden bits. This only survives in formats that store pixel values losslessly (BMP, uncompressed TIFF, PNG); JPEG's lossy compression discards those bits, so hiding in JPEG works on the compressed coefficients instead.
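The least-significant-bit technique described above, as an added example written for this page (not code from the original slides): a message is embedded into the low bit of each channel byte, prefixed by a 4-byte length so the extractor knows where to stop. The cover image is a constructed byte buffer standing in for the raw pixel bytes an image library would hand back; with real BMP or PNG pixel data the same two functions apply unchanged.

```python
"""Least-significant-bit (LSB) steganography in RGB pixel data.

Added example (not from the original slides). Each pixel is three bytes
(R, G, B); overwriting the lowest bit of each byte changes that channel's
value by at most 1 out of 255, which the eye cannot see, so an 8-bit message
byte hides in the LSBs of 8 consecutive channel bytes. A 4-byte big-endian
length prefix tells the extractor how many bytes to read back. The cover
image here is a constructed byte buffer, not a real file; with an image
library the same functions would be applied to the raw pixel bytes of a
lossless format such as BMP or PNG (JPEG recompression would destroy the bits).
"""
import struct


def capacity_bytes(pixels: bytes) -> int:
    """Message bytes that fit: one bit per channel byte, minus the 4-byte length header."""
    return len(pixels) // 8 - 4


def embed(pixels: bytes, message: bytes) -> bytes:
    """Return a copy of pixels with message hidden in the LSBs."""
    if len(message) > capacity_bytes(pixels):
        raise ValueError(f"cover holds {capacity_bytes(pixels)} bytes, message is {len(message)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(pixels)
    bit_index = 0
    for byte in payload:
        for shift in range(7, -1, -1):  # most significant bit of the payload byte first
            bit = (byte >> shift) & 1
            out[bit_index] = (out[bit_index] & 0xFE) | bit
            bit_index += 1
    return bytes(out)


def _read_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at channel byte start_bit."""
    result = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[start_bit + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract(pixels: bytes) -> bytes:
    """Recover a message embedded by embed(); raises if the header is implausible."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, 4))
    if length > capacity_bytes(pixels):
        raise ValueError("no embedded message, or the cover was altered")
    return _read_bytes(pixels, 32, length)


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change introduced by embedding (should be 0 or 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int = 32, height: int = 32) -> bytes:
    """Constructed RGB pattern standing in for a real image's pixel bytes."""
    return bytes(
        c for y in range(height) for x in range(width)
        for c in ((x * 7 + y * 3) & 0xFF, (y * 5 + x) & 0xFF, (x * y + 13) & 0xFF)
    )


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at room three, Friday 21st")
    print(extract(stego))
    print("max channel delta:", max_channel_delta(cover, stego))
```

Detection follows from the same arithmetic: a natural image's LSB plane is noisy but statistically tied to the higher bits, whereas a plane that has been overwritten with message bits looks like an independent random stream. That is what statistical steganalysis tools look for, and why an examiner should hash and compare suspect images against any originals that can be found.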

Data Storage

Tracks:
- Concentric rings on the disk platter.

Sectors:
- Tracks are divided radially into parts called sectors; the sector (traditionally 512 bytes) is the smallest unit the disk reads or writes.

File storage:
- The minimum space occupied by any file is one sector (on most file systems one cluster, a fixed group of sectors).
- The unused space between the end of a file's data and the end of its last allocated sector is known as slack space. The file system does not clear it, so it may still contain fragments of whatever previously occupied those sectors.
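Slack space matters to the examiner because deletion and overwriting operate on whole sectors while file data ends wherever it ends. The following added example (written for this page, not from the original slides) builds a constructed disk image in which a three-sector file is "deleted" and a shorter file is written over the same sectors; the tail of the old file survives in the new file's slack and is carved out by sector arithmetic. Sector size and file contents are illustrative.

```python
"""Slack space: what survives between a file's end and its last sector's end.

Added example (not from the original slides). A constructed disk image is
built sector by sector: an old file fills sectors 0-2, is "deleted" (only
the allocation record changes, the bytes stay), and a new shorter file is
written over sectors 0-1. The new file does not fill all of sector 1, so
the tail of the old file remains in its slack. The functions compute how
much slack a file has and carve it out of the image the way a forensic
examiner would. Sector size and contents are illustrative.
"""
SECTOR_SIZE = 512


def sectors_needed(file_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Whole sectors a file occupies; even an empty or 1-byte file takes one sector."""
    return max(1, -(-file_size // sector_size))  # ceiling division


def slack_bytes(file_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Unused bytes in the file's last allocated sector."""
    return sectors_needed(file_size, sector_size) * sector_size - file_size


def carve_slack(image: bytes, first_sector: int, file_size: int,
                sector_size: int = SECTOR_SIZE) -> bytes:
    """Return the slack region of the file that starts at first_sector."""
    start = first_sector * sector_size + file_size
    end = (first_sector + sectors_needed(file_size, sector_size)) * sector_size
    return image[start:end]


def write_file(image: bytearray, first_sector: int, data: bytes,
               sector_size: int = SECTOR_SIZE) -> None:
    """Write data at a sector boundary without touching the slack, as file systems do."""
    offset = first_sector * sector_size
    image[offset:offset + len(data)] = data


def build_sample_image() -> tuple:
    """Constructed scenario: deleted 3-sector file partly overwritten by a 1.5-sector file."""
    image = bytearray(8 * SECTOR_SIZE)  # 8 empty sectors
    old = (b"CONFIDENTIAL: transfer 1,000,000 to account 4421 on the 21st. " * 25)[: 3 * SECTOR_SIZE]
    write_file(image, 0, old)  # old file occupies sectors 0-2
    # "Delete" old: on a real file system only directory/allocation data changes.
    new = b"Quarterly newsletter, nothing to see here. " * 18  # 774 bytes, 1.5 sectors
    write_file(image, 0, new)  # new file overwrites sectors 0-1 only partially
    return bytes(image), len(new)


if __name__ == "__main__":
    image, new_size = build_sample_image()
    print("slack bytes:", slack_bytes(new_size))
    print(carve_slack(image, 0, new_size)[:80])
```

The carved region (250 bytes here) is invisible to anyone reading the new file through the file system, which is one reason the earlier slide insists on byte-by-byte disk copies rather than file-level backups.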