Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Search.

Presentation transcript:

Search and Analysis
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA
8/24/06
Learning by Doing: Theory and Practice

Computer Forensics Procedure: The Defensible Approach

Documentation (carried through every phase):
- Location, date, time, witnesses
- System information, status
- Physical evidence collected

Acquisition:
- Verify legal authority; search warrants
- Photographing
- Forensically wipe the storage drive
- Bit-stream imaging

Authentication:
- Chain of custody
- Hash verification (CRC/MD5/SHA1)

Analysis:
- Retain the integrity
- Filtering out irrelevant data
- What could/could not have happened
- Be objective and unbiased

Presentation:
- Interpret and report
- Present and defend
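The hash verification step of the Authentication phase, as an added example (not code from the lecture): the CRC/MD5/SHA1 digests recorded when the bit-stream image is made are recomputed over the working copy and compared, so any change to the copy is detected. The image data here is a constructed byte pattern standing in for a real image file.

```python
import hashlib
import zlib

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never has to fit in memory


def image_digests(chunks):
    """One pass over the image data computing CRC32, MD5 and SHA-1 together."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha1.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def split(data, size=CHUNK):
    """Yield fixed-size chunks; with a real image this would be a loop over file.read(size)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def verify_image(image, recorded):
    """Re-hash a copy and compare it with the digests recorded at acquisition.
    Every recorded algorithm must match; returns (ok, computed)."""
    computed = image_digests(split(image))
    ok = all(computed[alg] == recorded[alg] for alg in recorded)
    return ok, computed


# Constructed stand-in for a bit-stream image of a small drive (2 MiB of a repeating pattern).
ORIGINAL_IMAGE = bytes(range(256)) * 8192

# Acquisition: digests are taken as the image is made and written into the chain-of-custody record.
ACQUISITION_RECORD = image_digests(split(ORIGINAL_IMAGE))


def working_copy_verified():
    """An unchanged working copy re-hashes to the recorded digests."""
    ok, _ = verify_image(ORIGINAL_IMAGE, ACQUISITION_RECORD)
    return ok


def altered_copy_detected():
    """Flipping one bit in the last byte changes all three digests, so verification fails."""
    altered = bytearray(ORIGINAL_IMAGE)
    altered[-1] ^= 0x01
    ok, _ = verify_image(bytes(altered), ACQUISITION_RECORD)
    return not ok
```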

Steps in Forensic Examination
1. Verify legal authority:
   - Search warrant
   - Scope of the search
2. Collect preliminary data
3. Determine the environment for the investigation: on or off site?
4. Secure and transport evidence:
   - Document the evidence
   - Tag the evidence
   - Bag the evidence
   - Transport the evidence
5. Acquire the evidence
6. Examine and analyze the evidence
7. Report on the investigation

Effective Data Searches
- Interview members of the IT staff to learn how and where data has been stored, if applicable.
- Confirm or define the objective of the investigation.
- Identify relevant time periods and the scope of the data to be searched.
- Identify the relevant types of data.
- Identify search terms for data filtering, particularly words, names, or unique phrases, to help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process.
- Find out usernames and passwords for the network and accounts, to the extent possible.
- Check for other computers or devices that might contain relevant evidence.

Data Types to be Searched
- Active data: the information readily available and accessible to users via a file manager.
- Deleted files
- Hidden, encrypted, and password-protected files
- Automatically stored data and instant messages
- Background information: computer and network logs, caches, cookies

Acquiring Volatile Data
Volatile data is the data held in temporary storage in the system's memory. That memory depends on electrical power: when the power is shut off, its contents are lost.
Order of volatility (most volatile first):
- Registers and cache
- Routing tables, ARP cache, process tables, kernel statistics
- Contents of system memory
- Temporary file systems
- Data on disk

Acquiring Volatile Data: Commands
- netstat -an (or netstat -rn)
- lsof
- ifconfig
- ipconfig
- pslist
- nbtstat
- top
- prstat
- arp -a
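An added example (not from the lecture) that runs the commands listed above in order of volatility and writes one documented record per command: UTC start time, exit status and a SHA-1 of whatever was captured, so the collection itself can be verified later. The non-interactive flags (top -b -n 1, prstat 1 1, nbtstat -c, ipconfig /all) are my assumptions for running the tools unattended; tools not installed on the host are logged as skipped, and the runner can be swapped out for testing.

```python
import hashlib
import shlex
import subprocess
from datetime import datetime, timezone

# Commands from the slide, grouped by the order of volatility (level 1 = most volatile).
# Windows-only and Unix-only tools sit side by side; whichever is absent is recorded as skipped.
VOLATILE_COMMANDS = [
    (1, "arp -a",        "ARP cache"),
    (1, "netstat -rn",   "routing table"),
    (1, "netstat -an",   "open connections and listening ports"),
    (1, "nbtstat -c",    "NetBIOS name cache (Windows; flag assumed)"),
    (2, "pslist",        "process list (Windows, Sysinternals)"),
    (2, "top -b -n 1",   "process table and load (Linux; batch flags assumed)"),
    (2, "prstat 1 1",    "process table (Solaris; one sample, args assumed)"),
    (2, "lsof",          "open files and sockets (Unix)"),
    (2, "ifconfig",      "interface configuration (Unix)"),
    (2, "ipconfig /all", "interface configuration (Windows; flag assumed)"),
]


def run_shell(cmd):
    """Default runner: execute the command; return (exit_code, output), or None if the tool is absent."""
    try:
        p = subprocess.run(shlex.split(cmd), capture_output=True, text=True, timeout=60)
    except FileNotFoundError:
        return None
    return p.returncode, p.stdout + p.stderr


def collect_volatile(runner=run_shell):
    """Run the commands most-volatile first and return one log record per command."""
    records = []
    for level, cmd, purpose in sorted(VOLATILE_COMMANDS, key=lambda c: c[0]):  # stable sort keeps list order
        started = datetime.now(timezone.utc).isoformat()
        result = runner(cmd)
        rec = {"level": level, "command": cmd, "purpose": purpose, "started_utc": started}
        if result is None:
            rec["status"] = "skipped (tool not present)"
        else:
            code, output = result
            rec["status"] = "ok" if code == 0 else f"exit {code}"
            rec["sha1"] = hashlib.sha1(output.encode()).hexdigest()  # fixes what was captured
            rec["output"] = output
        records.append(rec)
    return records
```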

Structure of EnCase

Logical Examination Pyramid
Layers, from the foundation upward:
- Investigation foundation: file system details, directory structure, operating system norms, partition information, and other operating systems
- Hash analysis, file header/extension analysis, and obvious files of interest
- Password-protected, encrypted, compressed, and link files
- Unallocated space and file slack
The two axes of the pyramid are the amount of data for analysis and the degree of complexity and difficulty.
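The second layer of the pyramid, hash analysis and file header/extension analysis, as an added example (not the lecture's code): files whose SHA-1 is in a known-file hash set are filtered out, and the remaining files have their extension compared with the format their leading bytes indicate, flagging a renamed file. The signature table and the sample files are constructed here.

```python
import hashlib

# Leading bytes ("magic numbers") of a few common formats. Real signatures, but the table is
# illustrative and not exhaustive. OOXML documents (docx) are ZIP containers, so they share ZIP's.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "exe": (b"MZ",),
    "dll": (b"MZ",),
}


def header_check(name, head):
    """Compare a file's extension with what its first bytes say it is.
    Returns (verdict, formats_detected_from_header)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = sorted(e for e, sigs in SIGNATURES.items() if any(head.startswith(s) for s in sigs))
    if ext not in SIGNATURES:
        return "unknown extension", detected
    if ext in detected:
        return "match", detected
    return "MISMATCH", detected


def triage(files, known_hashes):
    """files: {name: bytes}; known_hashes: SHA-1 hex digests of known, irrelevant files
    (a known-file hash set, as used in hash analysis). Returns the files left to examine."""
    remaining = []
    for name, data in files.items():
        if hashlib.sha1(data).hexdigest() in known_hashes:
            continue  # hash analysis: known file, filtered out of the data set
        verdict, detected = header_check(name, data[:8])
        remaining.append((name, verdict, detected))
    return remaining


# Constructed sample files (contents shortened to their headers).
SAMPLE_FILES = {
    "notes.pdf": b"%PDF-1.4 constructed",
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.jpg": b"PK\x03\x04" + b"\x00" * 12,  # ZIP/Office file renamed to pass as a photo
    "readme.txt": b"plain text, no signature",
    "system.dll": b"MZ\x90\x00\x03\x00\x00\x00",
}
# Known-file hash set (e.g. stock OS files), constructed here from the sample DLL.
KNOWN_HASHES = {hashlib.sha1(SAMPLE_FILES["system.dll"]).hexdigest()}
```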

The Art of File Analysis
- File contents
- Metadata
- Application files
- Operating system file types
- Directory / folder structure
- Patterns
- User configurations
- Time frame analysis:
  - Creation date/time
  - Modified date/time
  - Accessed date/time

The Art of Data Hiding Analysis
- Password-protected files
- Compressed files
- Compressed files + password protection
- Encrypted files
- Steganography

Common Cyber Criminal Tools
- Nuker: Software used by intruders to destroy system log trails.
- Anonymous Remailers: Tools used by intruders to mask their identities. These devices are configured to receive and re-send Internet traffic, replacing the original (actual) source address of the sender with the address of the anonymous remailer machine.
- Password Cracker: Software used to break encrypted password files, often stolen from a victim's network server.
- Scanner: Software used to identify services that are running on a network so that those services can be exploited to gain unauthorized access to the network.
- Spoofer: Software used to impersonate someone else, hiding the identity of the actual sender of the e-mail.
- Steganography: Steganography is the science of hiding messages in messages. The point of it is to hide data or the existence of the message; that is, to hide the fact that the parties are communicating anything other than innocuous graphics or audio files. Steganography has been used by terrorists or intruders to spy, steal, or communicate information via electronic "dead drops," typically Web pages.
- Trojan horse: Malicious software disguised as a legitimate computer file or program. Trojan horses are used to create backdoors into networks to gain unauthorized access to the network.