Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Slides:



Advertisements
Similar presentations
Configuration management
Advertisements

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.
COEN 252 Computer Forensics
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Evidence Collection & Admissibility Computer Forensics BACS 371.
We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics
Legal Issues Computer Forensics COEN 252 Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.
Identifying & Collecting Physical Evidence
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Chapter 14: Computer and Network Forensics
Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Capturing Computer Evidence Extracting Information.
Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations.
Guide to Computer Forensics and Investigations, Second Edition
Phases of Computer Forensics 1 Computer Forensics BACS Management Information Systems for the Information Age 5e, Haag, Cummings, McCubbrey, 2005,
Guide to Computer Forensics and Investigations, Second Edition Chapter 2 Understanding Computer Investigation.
Information Systems Security Computer System Life Cycle Security.
Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.
JavaScript, Fourth Edition
Computer Forensics Iram Qureshi, Prajakta Lokhande.
Digital Crime Scene Investigative Process
Computer Forensics Principles and Practices
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. System Forensics, Investigation, and Response.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
© Sapphire 2006 Computer Misuse in the Workplace You only get one chance..... David Horn You only get one chance...
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
Evidence Handling If the evidence is there the case is yours to lose.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Abstract Evidence can be the key to convicting someone of a crime, or acquitting a person of charges brought against them. To make sure evidence is carefully.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
ISO/IEC 27001:2013 Annex A.8 Asset management
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Search.
CHAIN OF CUSTODY AND EVIDENCE HANDLING
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
CIT 180 Security Fundamentals Computer Forensics.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.
Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Why do I need a Chain of Custody (COC)? Presentation to: KWWOA Department for Environmental Protection Energy & Environment Cabinet To Protect and Enhance.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Computer Forensics 1 1.
Guide to Computer Forensics and Investigations Fifth Edition
BASIC AUDITING CONCEPTS: MATERIALITY, RISK ASSESSMENT, AND EVIDENCE
LATIHAN MID SEMINAR AUDIT hiday.
Packaging Evidence Essential Question: How do we demonstrate the proper techniques for collecting and packaging physical evidence found at the crime scene?
Computer Forensics Discovery and recovery of digital evidence
Acquisition and Examination of Forensic Evidence
Introduction to Computer Forensics
Bethesda Cybersecurity Club
1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.
Evidence Collection, Tagging and Storage
CIS101B Week 4 Class 1 Chapter 12 Security 12.1 through 12.6
Presentation transcript:

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Computer Forensics Chapter 23

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionObjectives Identify the rules and types of evidence. Collect evidence. Preserve evidence. Maintain a viable chain of custody. Investigate a computer crime or policy violation.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Key Terms Best evidence rule Competent evidence Demonstrative evidence Direct evidence Documentary evidence Evidence Exclusionary rule Forensics Free space Hearsay rule Real evidence Relevant evidence Slack space Sufficient evidence

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Computer Forensics The preservation, identification, documentation, and interpretation of computer data Reasons to perform computer forensics –Investigate systems as related to violation of laws –Ensure compliance with organization’s policies –Investigate systems victimized by remote attacks Be aware of legal implications and seek counsel when needed

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Incident Response Cycle Discover and report –Administer an incident response reporting process Confirm –Specialists review incident report and confirm occurrence Investigate –Response team investigates incident in detail Recover –Systems and applications returned to operational status Lessons learned –Action items to correct weaknesses and make improvements

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Incident Response Cycle (continued)

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionEvidence Documents, verbal statements, and material objects are admissible in a court of law. Computer evidence must be evaluated through a filter since the actual data cannot be seen. Concerns auditors who prefer to access the original data.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Standards of Evidence Sufficient evidence –Must be convincing or measure up without question Competent evidence –Must be legally qualified and reliable Relevant evidence –Must be material to the case or have bearing on the matter at hand

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Types of Evidence Direct evidence –Knowledge is gained through direct observation. Real evidence –Tangible objects that prove or disprove a fact. Documentary evidence –Business records, printouts, manuals, etc. Demonstrative evidence –Models, charts, experiments used to aid a jury.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Rules Pertaining to Evidence Best evidence rule –Original evidence preferred over duplicates Exclusionary rule –Must have been gained in accordance with all laws Hearsay rule –Second-hand evidence may not be allowed –Important as most computer-generated evidence is classified as second-hand

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Collecting Evidence Credibility of evidence relies on proper –Acquisition –Identification –Protection against tampering –Transportation –Storage

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Acquiring Evidence Data should be gathered as quickly as possible. –Attacker may attempt to cover their tracks. –Data may be tampered with or destroyed.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Volatility of Data From most volatile to most persistent –CPU storage (registers/cache) –System storage (RAM) –Kernel tables –Fixed media –Removable media –Output/hardcopy

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Investigative Method Rigor

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Investigative Method Rigor (continued)

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Identifying Evidence Must be properly marked when collected –Be methodical. –Work in teams rather than individually. –Keep thorough logs during seizure and analysis. Characteristics of proper record keeping –Labels are difficult to remove and match log book. –Identifies the who, what, when, where, and why related to the collected evidence.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Protecting Evidence Safeguard evidence from tampering and extremes in –Temperature –Humidity –Magnetic fields –Vibration

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Transporting Evidence Properly log in and out of controlled storage. Chain of custody must be maintained. Ensure evidence is properly packaged.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Storing Evidence Evidence –Static-free bags –Foam packing material –Cardboard boxes Evidence room –Restricted access –Entry-logging capability –Camera monitoring

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Conducting the Investigation Never analyze the original target system. –Make multiple images of original to be used to analyze and authenticate the data. Keep thorough and precise notes of all actions. –Notes may become evidence in case. Control the environment of the investigation.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chain of Custody Accounts for all persons who handled or had access to the data Answers the following evidence questions: –Who collected it? –When and from where was it collected? –Where and how it was stored? –Who had control or possession of it?

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Steps in Chain of Custody 1.Record each item collected as evidence. 2.Write a description of it in the documentation. 3.Store evidence in labeled containers. 4.Record all hash values in the documentation. 5.Securely transport evidence to storage facility. 6.Obtain signature of the person who accepts it. 7.Provide controls to prevent access to it. 8.Securely transport evidence to court.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Free Space Memory cluster marked as usable by the OS –May contain fragment of previously deleted file –Is allocated when OS overwrites with new data

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Slack Space Unused space within a cluster –Attacker may hide malicious code or tools within it. –May contain data from previous files not overwritten by new files.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Message Digest and Hash Applies a mathematical operation to data. –Creates a unique number (hash) based on the data. Hash should be applied to each file and log. –Should be written to write-once media. –Provides ability to “bag and tag” evidence. –Proves whether data has been changed or not.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionAnalysis Check the Recycle Bin for deleted files. Check the web browser history files. Check the address bar history. Check the web browser cookie files. Check the Temporary Internet Files folders. Search slack and free space for suspect character strings.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Remediation After an Attack 1.Place the system behind a firewall. 2.Reload the OS. 3.Run virus/malware scanners. 4.Install security software. 5.Remove unneeded services and applications. 6.Apply all patches. 7.Restore the system from backup.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chapter Summary Identify the rules and types of evidence. Collect evidence. Preserve evidence. Maintain a viable chain of custody. Investigate a computer crime or policy violation.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.