Thomas Schwarz, S.J. SCU Comp. Eng. 2004 COEN 252 Collection of Evidence.


Principles of Evidence

Locard's exchange principle:

"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value." -- Professor Edmond Locard

Ethical and Legal Requirements for Collecting Evidence

An expectation of privacy:
- Stems from the customs of the society.
- Is an ethical right.
- Is legally protected.
- Can be modified or removed by company policy.

Ethical and Legal Requirements for Collecting Evidence

A stated monitoring policy:
- Removes most legal and ethical problems.
- Can explain the reasons behind the policy.
- Can be formulated and discussed beforehand instead of as a reaction in the heat of the moment.
- Can be advertised (or its existence can be advertised) on login banners, which apply even to intruders under the indirect consent doctrine.

Ethical and Legal Requirements for Collecting Evidence

Monitoring and logging:
- Results in computer records that are probably business records, which makes it easy to admit them directly into evidence.
- If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.

Evidence

Computer evidence must be:
- Admissible.
- Authentic.
- Complete.
- Reliable.
- Believable and understandable.

Evidence Dynamics

Preservation:
- Digital evidence is fragile.
- First responder rule for law enforcement (LE): if you see a computer that is on, leave it on; if you see a computer that is turned off, do not turn it on. Exception: cell phones.

Identification:
- Identification of evidence within a device.
- Identification of the device itself: USB drives, CD back-ups.

Collection:
- LE: ideally, bag and tag the physical devices.

Logging

- It's cheap and easy.
- Intruders are not always successful in erasing their traces.
- Log records become business records and are more easily admitted into evidence.
- Ideally, logs are kept on write once, read many (WORM) devices. In reality, one can come close to WORM.

Volatility

Volatility: evidence can degrade.
- Example: evidence in RAM does not survive a power-off.
- Example: network status changes as connections are closed and new ones opened.

Volatility

Degrees of volatility:
1. Memory
2. Running processes
3. Network state
4. Permanent storage devices

Reacting to Volatility

Plan:
- What evidence are you looking for?
- Where can it be found?
- How do you get it?

Reacting to Volatility

Unplugging the power plug (or battery):
- Destroys volatile evidence.
- Completely preserves stored evidence as it was at the point of seizure.

Reacting to Volatility

Graceful shutdown:
- Destroys volatile evidence.
- Alters system files.
- Allows clean-up software to run.

Reacting to Volatility

Unplugging the network cable:
- Removes the intruder's access to the system.
- Alerts the intruder.
- Dead man switch programs can destroy evidence.

Reacting to Volatility

Live examination:
- An intruder with root privileges can watch.
- System tools can be trojaned, including booby-trapped.
- Use forensics tools from a floppy / CD. This does not work if the system is rootkitted.

Reacting to Volatility

- Know the trade-offs.
- There are no good reasons for a graceful shutdown.
- If performing a live investigation, monitor the network first.

Documentation and Chain of Custody

- Document each step in a forensics procedure. Best if the documentation is automatically generated.
- Use forensically sound tools.
- "Two pairs of eyes" integrity rule for data gathering.
- Best: a clear procedural policy.
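As an added example that is not part of the slides, the following Python sketch shows what automatically generated chain-of-custody documentation can look like, and how the "write once" property the Logging slide asks for can be approximated in software: every collection step records operator, witness, tool, time and the SHA-256 of the artifact, and every record carries the hash of the previous record, so a later edit to any entry is detectable. Function names, field names and the sample values are hypothetical.

```python
# Added example (not from the COEN 252 slides): a hash-chained collection log.
# Each entry documents one step (who, with whom watching, which tool, when,
# SHA-256 of the artifact) and includes the hash of the previous entry, so
# altering an earlier record breaks the chain. Names are hypothetical.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(body: dict) -> str:
    # Canonical JSON so the hash is reproducible across runs and machines.
    return sha256_bytes(json.dumps(body, sort_keys=True).encode())


def record_step(log: list, action: str, tool: str, operator: str, witness: str,
                artifact: bytes, when: str = "") -> dict:
    # "Two pairs of eyes": a step is only recorded with a distinct witness.
    if not witness or witness == operator:
        raise ValueError("a second, distinct pair of eyes is required")
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"seq": len(log),
             "time": when or datetime.now(timezone.utc).isoformat(),
             "action": action, "tool": tool, "operator": operator,
             "witness": witness, "artifact_sha256": sha256_bytes(artifact),
             "prev_hash": prev}
    entry["entry_hash"] = entry_hash(entry)  # computed before the key exists
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    # Recompute every entry hash and check each link back to the previous one.
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


def verify_artifact(entry: dict, artifact: bytes) -> bool:
    # Later re-examination: does the artifact still match what was documented?
    return sha256_bytes(artifact) == entry["artifact_sha256"]


def demo() -> tuple:
    image = b"constructed sample: bytes of a disk image"  # constructed input
    log = []
    record_step(log, "imaged disk", "dd", "analyst_a", "analyst_b", image, "2004-10-01T09:00:00Z")
    record_step(log, "hashed image", "sha256sum", "analyst_a", "analyst_b", image, "2004-10-01T09:05:00Z")
    ok_before = verify_chain(log)
    log[0]["tool"] = "tar"  # simulate an after-the-fact edit to an earlier record
    return ok_before, verify_chain(log)  # (True, False)
```

Printing the log entries as one JSON line each gives a record that can be stored alongside the evidence and re-verified by anyone holding the artifacts.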

Do Not Alter Evidence

Evidence can be easily and inadvertently altered by the forensics procedure itself:
- Use of improper tools, like tar, that alter file access times.
- Trojaned system utilities.
- Dead man switch: an intruder tool that changes files when the computer is no longer connected to the Internet.
- System shutdown and reboot.

Do Not Alter Evidence

Natural forces:
- Electro-magnetic fields
- Electro-static damage
- Material degeneration

Equipment forces:
- Tools
- Interactions with a mounted drive

Write protection