Published by Candice Potter. Modified over 8 years ago.
1
COMPUTER FORENSICS Intro video
Digital Forensic Science: The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law. “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Source: Digital Forensic Research Workshop (DFRWS), 2001.
Introduction: Computers have permeated society and are used in countless ways with innumerable applications. Similarly, the role of electronic data in investigative work has grown rapidly in the last decade. Using computers and other electronic storage devices leaves the footprints and data trails of their users.
Introduction: Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data. Personal data and information is accessed through computers with ever-increasing frequency; this becomes a liability when criminals steal that data and use it against you. In today's world of technology, many kinds of devices can store data, and all of them fall within the scope of computer forensics.
Communities: There are at least three distinct communities within digital forensics: law enforcement, military, and business and industry. A fourth, academia, is sometimes counted as well.
Digital Forensic Science
The Basics: Before getting into the nuts and bolts of computers, the important distinction between hardware and software must be established. Hardware comprises the physical, tangible components of the computer. Software is the computer code that tells the hardware what to do with the data it processes.
Cyber Forensic Activities: Cyber forensics activities commonly include: the secure collection of computer data; the identification of suspect data; the examination of suspect data to determine details such as origin and content; the presentation of computer-based information to courts of law; and the application of a country's laws to computer practice.
The 3 A's: The basic methodology consists of the 3 A's:
–Acquire the evidence without altering or damaging the original
–Authenticate the image (prove, by hashing, that it matches the original)
–Analyze the data without modifying it
Crime Scenes: Physical crime scenes vs. cyber/digital crime scenes: overlapping principles. The basics of criminalistics are constant across both physical and cyber/digital scenes. Locard's exchange principle applies: “When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.”
Digital Crime Scene: Digital evidence is digital data that establishes that a crime has been committed, or that provides a link between a crime and its victim, or between a crime and the perpetrator. A digital crime scene is the electronic environment where digital evidence can potentially exist (Rogers, 2005). As with physical scenes, there can be primary and secondary digital scenes.
Process/Phases: Identification; Collection (bag and tag); Preservation; Examination; Analysis; Presentation/Report.
Identification: The first step is identifying evidence and potential containers of evidence. This is more difficult than it sounds: small-scale devices, non-traditional storage media, and multiple possible crime scenes.
Identification: Devices
Identification: The context of the investigation is very important. Do not overlook non-electronic sources of evidence: manuals, papers, printouts, etc.
Collection: Care must be taken to minimize contamination. Collect or seize the system(s) and create a forensic image. Live or static acquisition? Do you own the system? What does your policy say?
Collection: Documentation
Collection: Documentation: Take detailed photos and notes of the computer and monitor. If the computer is on, photograph what is displayed on the monitor. DO NOT ALTER THE SCENE.
Collection: Documentation: Make sure to take photos and notes of all connections to the computer and to other devices.
Collection: Imaging: Rule of thumb: make two copies and do not work from the original (if possible). A logical file copy does not capture all data areas of the device (unallocated space, slack, swap) for examination. Working from a duplicate image preserves the original evidence, prevents inadvertent alteration of the original during examination, and allows the duplicate image to be recreated from the original if necessary.
Collection: Imaging: Digital evidence can be duplicated with no degradation from copy to copy, and matching hashes of the original and each copy prove it. This is not the case with most other forms of evidence.
Collection: Imaging: Forensic copies (bitstream). Bit-for-bit copying captures all the data on the copied media, including hidden and residual data (e.g., slack space, swap, unused space, deleted files). Often the “smoking gun” is found in the residual data. Imaging from a disk (drive) to a file is becoming the norm: multiple cases can be stored on the same media, and there is no risk of contamination from residual data on the destination media, as there is with a disk-to-disk copy. Remember: avoid working from the original, and use a write blocker even when examining a copy!
Software for Retrieving Data: The OS (operating system) is the software that runs the computer normally (Windows, etc.). SHA (Secure Hash Algorithm) is a family of cryptographic hash functions; hashing the contents before and after retrieval proves that nothing was changed during the copying. That integrity record supports the chain of custody for the data content in court (the chain of custody itself is the documented record of who handled the evidence, when, and why). MD5 (Message Digest 5) is an older hash function used the same way; it is not a separate software package. Forensic imaging tools such as Forensic Toolkit (FTK), Autopsy/The Sleuth Kit, SMART, and EnCase create exact copies and compute these hash “fingerprints” of the drive data before and after the copy to prove no changes.
Imaging: Authenticity & Integrity: How do we demonstrate that the image is a true, unaltered copy of the original? MD5 and SHA-256 are cryptographic hash algorithms that produce a fixed-length value (128 bits for MD5, 256 bits for SHA-256) that is, for practical purposes, unique to the input. They can be run on various types of data (files, partitions, a physical drive). The value can be used to demonstrate the integrity of your data: any change to the data results in a different value. The same process demonstrates that the image has not changed from time-1 to time-n. Caveat: MD5 collisions can be deliberately constructed, so record SHA-256 (or both) rather than MD5 alone.
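Added example (not from the slides): hashing a source drive and its image with MD5 and SHA-256 the way an imaging tool does, then comparing the two to authenticate the image, as described in the 3 A's and on this slide. The “drive” and “image” below are byte strings constructed for the example; a real tool reads the block device or image file in chunks exactly as hash_stream does.

```python
"""Hash-based integrity check for a forensic image (added example, not from the slides).

The 'drive' and 'image' are bytes objects built in memory for the demonstration;
a real acquisition hashes a block device (behind a write blocker) or an image file
the same way, reading it in chunks.
"""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: a terabyte device never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} over everything readable from `stream`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(source_hashes, image_hashes):
    """True only if every recorded algorithm agrees; one mismatch means the copy is not faithful."""
    return all(source_hashes[name] == image_hashes[name] for name in source_hashes)


def acquisition_record(drive, image):
    """Simulate the workflow: hash the source, image it, hash the image, compare."""
    before = hash_bytes(drive)
    after = hash_bytes(image)
    return {"source": before, "image": after, "verified": verify_image(before, after)}


# Constructed sample 'drive': four 512-byte sectors, one holding user data.
SAMPLE_DRIVE = (b"\x00" * 512
                + b"meeting notes: transfer 40k on friday".ljust(512, b"\x00")
                + b"\xff" * 1024)
# A bit-stream image is byte-identical to the source...
GOOD_IMAGE = bytes(SAMPLE_DRIVE)
# ...while a single flipped bit anywhere changes every digest.
_tampered = bytearray(SAMPLE_DRIVE)
_tampered[600] ^= 0x01
BAD_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    rec = acquisition_record(SAMPLE_DRIVE, GOOD_IMAGE)
    print("good image verified:", rec["verified"], "sha256:", rec["image"]["sha256"])
    print("tampered image verified:", acquisition_record(SAMPLE_DRIVE, BAD_IMAGE)["verified"])
```

Two practical notes: hash the physical device only through a write blocker, since any write during hashing changes the value you are trying to record; and a drive with failing sectors may read differently on successive passes, so a mismatch is a prompt to investigate the medium, not automatically proof of tampering.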
Examination: A higher-level look at the file system representation of the data on the media. Verify the integrity of the image (MD5, SHA-1, SHA-256, etc.). Recover deleted files and folders. Determine the keyword list: what are you searching for? Determine timelines: what is the time zone setting of the suspect system, and what time frame is of importance? A graphical representation is very useful.
The Basics of Computers: Software, conversely, is a set of instructions compiled into a program that performs a particular task; software consists of the programs and applications that carry out instructions on the hardware. Computer Case/Chassis: the physical box holding the fixed internal computer components in place.
Terminology: Motherboard: The main circuit board contained within a computer (or other electronic device). System Bus: Contained on the motherboard, the system bus is the set of signal paths that carries data from one hardware device to another.
Terminology: Read Only Memory (ROM): ROM chips store programs called firmware, used to start the boot process and configure a computer's components. Random Access Memory (RAM): RAM holds the programs and data the processor is actively working on; it is far faster than the Hard Disk Drive (HDD), but its contents are temporary.
Terminology: RAM is referred to as volatile memory because it is not permanent; its contents change constantly and are lost once power is removed from the computer (which is why memory must be captured live if it is needed). Central Processing Unit (CPU): The CPU, also referred to as the processor, is essentially the brain of the computer. Input Devices: Devices used to get data into the computer: keyboards, mice, touch screens, joysticks, etc.
Terminology: Output Devices: Equipment through which data is obtained from the computer: monitor screens, printers, speakers. The Hard Disk Drive (HDD) is typically the primary location of data storage within the computer; it is non-volatile storage, so its contents persist without power. Evidence exists in many different locations and in numerous forms on a HDD. The types of evidence can be grouped under two major headings: visible and latent data.
Terminology: Different operating systems partition HDDs in different ways, and examiners must be familiar with the file system they are examining. The formatting process initializes portions of the hard drive so that it can store data and creates the structure of the file system.
Hard Drive Sectors: A sector is the smallest unit of data that a hard drive can address (traditionally 512 bytes; many newer drives use 4096-byte sectors). A cluster is usually the minimum space a file system allocates to a file. Clusters are groups of one or more sectors.
File Slack (open area after data): Files are created in varying lengths depending on their contents. DOS, Windows, and Windows NT-based computers store files in fixed-length blocks of data called clusters. Rarely does a file's size exactly match the size of one or more clusters. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called “file slack”, and it can hold remnants of whatever occupied those sectors before.
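Added example (not from the slides): the cluster arithmetic behind file slack, and carving the slack of a file out of a small constructed volume. The sector and cluster sizes, the “previously deleted” content, and the simulated directory entry are all assumptions made for this example; on a real volume the same offsets come from the file system's allocation records.

```python
"""Cluster/file-slack arithmetic and slack carving on a constructed mini volume (added example).

Assumptions: 512-byte sectors, 8 sectors per cluster (4096-byte clusters, a common
NTFS default). The 'volume' is a bytearray built here, and the file system's metadata
is simulated by a dict of (start_cluster, size).
"""
import math

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def clusters_needed(file_size):
    """Every non-empty file occupies at least one whole cluster."""
    return max(1, math.ceil(file_size / CLUSTER))


def slack_bytes(file_size):
    """Bytes between end-of-file and the end of its last cluster (0 when the file fills its clusters exactly)."""
    if file_size == 0:
        return 0
    return clusters_needed(file_size) * CLUSTER - file_size


def build_volume(n_clusters, old_content):
    """A volume whose clusters previously held `old_content` (simulates residue of a deleted file)."""
    vol = bytearray(n_clusters * CLUSTER)
    vol[: len(old_content)] = old_content
    return vol


def write_file(vol, start_cluster, data):
    """Write like a simple OS: only the file's own bytes are written; the rest of the last cluster is untouched."""
    off = start_cluster * CLUSTER
    vol[off : off + len(data)] = data
    return {"start_cluster": start_cluster, "size": len(data)}


def carve_slack(vol, entry):
    """Return a file's slack: everything after EOF up to the end of its last cluster."""
    start = entry["start_cluster"] * CLUSTER + entry["size"]
    end = entry["start_cluster"] * CLUSTER + clusters_needed(entry["size"]) * CLUSTER
    return bytes(vol[start:end])


# Constructed scenario: a deleted 6000-byte document once occupied clusters 0 and 1.
OLD = b"CONFIDENTIAL: wire 40,000 to account 8812 before the audit. " * 100  # 6000 bytes
VOL = build_volume(4, OLD[:6000])
# A new 1000-byte file is then written into cluster 0; the tail of cluster 0 still holds the old text.
ENTRY = write_file(VOL, 0, b"A" * 1000)

if __name__ == "__main__":
    print("clusters:", clusters_needed(1000), "slack bytes:", slack_bytes(1000))
    print("first 80 bytes of slack:", carve_slack(VOL, ENTRY)[:80])
```

The carved region is exactly what a logical file copy leaves behind and a bit-stream image preserves: the last cluster's unused sectors still contain the earlier file's text.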
Forensic Principles: Digital/electronic evidence is extremely volatile! Once the evidence is contaminated it cannot be de-contaminated! The court's acceptance is based on the best evidence rule; with computer data, printouts or other output readable by sight, and bit-stream copies, satisfy this rule. Chain of custody is crucial.
Cyber Forensic Principles: The 6 principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Processing the Electronic Crime Scene: Processing the electronic crime scene has a lot in common with processing a traditional crime scene: warrants, documentation, good investigation techniques. At this point, a decision must be made as to whether a live acquisition of the data is necessary.
Shutdown vs. Pulling the Plug: Several factors influence the decision between a systematic shutdown and pulling the plug. When a crime scene is secured there are two possible situations: safe and secure, or needing to get out ASAP for safety. If time allows, a live acquisition or systematic shutdown is preferred. For example, if full-disk encryption is in use, the data on the drive is readable only while the system is running with the key in memory; pulling the plug discards that key and leaves the data unreadable without the password or key, so pulling the plug would not be prudent.
Shutdown vs. Pulling the Plug: Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD, it will be lost when power to the system is cut, so a live capture of memory must be considered. Regardless, the equipment will most likely be seized. Once the items have been seized, the data needs to be obtained for analysis.
Forensic Image Acquisition: Throughout the entire process, the computer forensic examiner must adopt the method that is least intrusive. The goal in obtaining data from a HDD is to do so without altering even one bit of data.
Forensic Image Acquisition: Because booting a HDD to its operating system changes many files and could potentially destroy evidentiary data, data is generally obtained by removing the HDD from the system and attaching it, through a write blocker, to a laboratory forensic computer so that a forensic image can be created. Occasionally, in cases of specialized or unique equipment or systems, the image of the HDD must be obtained using the seized computer itself.
Forensic Image Acquisition: Regardless, the examiner needs to be able to prove that the forensic image he/she obtained includes every bit of data and caused no changes (writes) to the HDD. To this end, a sort of fingerprint of the drive is taken before and after imaging. This fingerprint is produced with Message Digest 5 (MD5), a Secure Hash Algorithm (SHA) variant, or a similar validated algorithm. Before imaging the drive, the algorithm is run over the drive's contents and a fixed-length hexadecimal string is produced (32 characters for MD5, 64 for SHA-256).
Computer Fingerprint: The same algorithm is then run against the resulting forensic image; if nothing changed, the same string is produced, demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process.
Visible Data: Visible data is data that the operating system is aware of, and consequently it is easily accessible to the user. From an evidentiary standpoint, it can encompass any type of user-created data: word processing documents, spreadsheets, accounting records, databases, pictures or videos.
Temporary Files and Swap Space: Temporary files, created by programs as a sort of “backup on the fly”, can also prove valuable as evidence. Finally, data in the swap space (used to extend the computer's limited RAM onto disk) can yield evidentiary data. Latent data, on the other hand, is data that the operating system is not, or is no longer, aware of: it does not appear in a normal directory listing, and it includes deleted files, slack space and unallocated space, not only files flagged as hidden.
Latent Data: Evidentiary latent data can exist in RAM as well as in file slack and swap sectors.
Latent Data: The constant shuffling of data through deletion, defragmentation, swapping, etc., is one of the ways data is orphaned in latent areas. Finally, when a user deletes a file the data typically remains behind: the file system removes the directory entry and marks the clusters as free, but the contents stay on disk until the space is needed and overwritten. Deleted files are therefore another source of latent data to be examined during forensic analysis.
Cryptography: The field of study related to encoded information (from the Greek for “secret writing”). Encryption: the process of converting plaintext into ciphertext. Decryption: the process of converting ciphertext into plaintext.
Cryptography: plaintext message → (Encryption) → ciphertext message → (Decryption) → plaintext message. Encrypted(Information) cannot be read; Decrypted(Encrypted(Information)) can be.
Cryptography: Cipher: an algorithm used to encrypt and decrypt text. Key: the set of parameters that guide a cipher. Neither is any good without the other.
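Added teaching example (not from the slides): the cipher/key split and the Decrypted(Encrypted(x)) round trip from the previous slides, using a stream cipher built from the Python standard library. The construction (counter mode over HMAC-SHA256) and the fixed key and nonce used in the demo are assumptions for illustration only; production code should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library.

```python
"""Cipher versus key, shown with a PRF-based stream cipher (added teaching example).

The cipher is the public algorithm: keystream = HMAC-SHA256(key, nonce || counter),
XORed with the data (counter mode over a pseudorandom function). The key is the
secret parameter. Assumption: this is for demonstration; use a vetted AEAD
(AES-GCM, ChaCha20-Poly1305) in real systems, which also authenticates the data.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Deterministic pseudorandom bytes derived from (key, nonce); same inputs, same stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext. A fresh random nonce per message prevents keystream reuse."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    """Recover the plaintext; with the wrong key the same algorithm yields noise."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    key = os.urandom(32)
    blob = encrypt(key, b"attack at dawn")
    print("ciphertext:", blob[NONCE_LEN:].hex())
    print("right key: ", decrypt(key, blob))
    print("wrong key: ", decrypt(os.urandom(32), blob))
```

The algorithm is identical in every run; only the 32-byte key separates the holder who can read the message from the one who cannot. Reusing a nonce under the same key reuses the keystream, which is the classic stream-cipher failure, hence the random nonce per message.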
Internet Cookies: To appreciate the value of the “cookie” you must first understand how they get onto the computer and their intended purpose. Cookies are placed on the local hard disk drive by the web site the user has visited, provided the browser being used is set to allow this. A cookie is used by the web site to track certain information about its visitors: anything from history of visits or purchasing habits to session identifiers, sometimes passwords, and personal information used to recognize the user on later visits.
Bookmarks and Favorite Places Another way users can access websites quickly is to store them in their “bookmarks” or “favorite places.” Like a pre-set radio station, Internet browsers allow a user to bookmark websites for future visits. A lot can be learned from the bookmarked sites of a person. Perhaps you might learn what online news a person is interested in or what type of hobbies he/she has. You may also see that person’s favorite child pornography or computer hacking sites bookmarked.
Internet Cache Evidence of Internet web browsing typically exists in abundance on the user’s computer. Most web browsers (Internet Explorer, Netscape, and Firefox) utilize a system of caching to expedite web browsing and make it more efficient. This web browsing Internet cache is a potential source of evidence for the computer investigator. Portions of, and in some cases, entire visited web pages can be reconstructed. Even if deleted, these cached files can often be recovered.
Internet History: Most web browsers track the history of web page visits for the computer user, probably merely as a matter of convenience. Like the “recent calls” list on a cell phone, the Internet history provides an accounting of sites most recently visited, with some browsers storing weeks' worth of visits. Users can go back and access recently visited sites through the browser's history. The history file can be located and read with most popular computer forensic software packages.
Internet Communications Computer investigations often begin or are centered around Internet communication. It may be: a chat conversation amongst many people, an instant message conversation between just two individuals, or the back and forth of an e-mail exchange. Human communication has long been a source of evidentiary material. Regardless of the type, investigators are typically interested in communication.
Value of the IP Address: In our earlier discussion, it was stated that in order to communicate on the Internet a device needs to be assigned an Internet Protocol (IP) address, provided by the Internet service provider through which the device accesses the Internet. Thus it is the IP address that might lead to the identity of a real person, which makes it very valuable for identifying someone on the Internet. Caveat: an address identifies a subscriber connection at a point in time, not a person; addresses are reassigned dynamically and shared behind NAT, proxies and VPNs, so every request to a provider must carry an exact timestamp with its time zone.
Hacking: Unauthorized computer intrusion, more commonly referred to as hacking, is the concern of every computer administrator. Hackers penetrate computer systems for a number of reasons. Sometimes the motive is corporate espionage and other times it is merely for bragging rights within the hacker community. Often it is a rogue or disgruntled employee, with some knowledge of the computer network, who is looking to cause damage. Whatever the motivation, corporate America is frequently turning to law enforcement to investigate and prosecute these cases.
Locations of Concentration: Generally speaking, when investigating an unauthorized computer intrusion, investigators concentrate their efforts in three locations: log files, volatile memory, and network traffic.
Logs: Logs typically document the IP address of the computer that made the connection. Logs can be located in several places on a computer network. Most servers on the Internet track connections made to them through logs. Additionally, the router (the device responsible for directing data) may contain log files detailing connections. Similarly, firewalls may contain log files listing which computers were allowed, or denied, access to the network or to an individual system.
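Added example (not from the slides): pulling the connecting IP addresses out of web-server logs and applying two simple intrusion checks to them. The log lines are constructed for this example in the Apache/nginx “combined” format; the addresses, paths and timestamps are made up.

```python
"""Extracting connection sources from web-server logs and flagging suspicious ones (added example).

Assumes the Apache/nginx 'combined' log format. SAMPLE_LOG is constructed for the
demonstration; in practice the same functions run over the real access log.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:01:02 -0500] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:05 -0500] "POST /login HTTP/1.1" 401 233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:06 -0500] "POST /login HTTP/1.1" 401 233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:08 -0500] "POST /login HTTP/1.1" 401 233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:09 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:12 -0500] "GET /admin/export.php?all=1 HTTP/1.1" 200 88214 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2015:08:02:30 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.40"
garbage line that does not parse
"""


def parse(log_text):
    """One dict per well-formed line; unparsable lines are counted rather than silently dropped."""
    records, bad = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            bad += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, bad


def failed_logins_by_ip(records, path="/login", threshold=3):
    """IPs with at least `threshold` 401s on the login path: a password-guessing indicator."""
    c = Counter(r["ip"] for r in records if r["path"] == path and r["status"] == 401)
    return {ip: n for ip, n in c.items() if n >= threshold}


def success_after_failures(records, path="/login"):
    """IPs that got a non-401 on the login path after failing, with the timestamp of that success."""
    seen_fail = defaultdict(bool)
    hits = {}
    for r in records:  # file order is chronological
        if r["path"] != path:
            continue
        if r["status"] == 401:
            seen_fail[r["ip"]] = True
        elif seen_fail[r["ip"]]:
            hits[r["ip"]] = r["ts"]
    return hits


def sensitive_paths(records, prefix="/admin/"):
    """Who touched administrative URLs, when, and how much came back."""
    return [(r["ip"], r["ts"], r["path"], r["size"]) for r in records if r["path"].startswith(prefix)]


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print("parsed", len(recs), "lines; unparsable:", bad)
    print("brute force:", failed_logins_by_ip(recs))
    print("success after failures:", success_after_failures(recs))
    print("admin access:", sensitive_paths(recs))
```

Note the "-0500" offset in each timestamp: it is the server's time zone, and the examination slide's point about time zones applies here when correlating these entries with router or firewall logs kept in another zone.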
Use of Volatile Data: Many times, in cases of unlawful access to a computer network, the perpetrator uses some technique to hide his IP address, and advanced investigative techniques may be necessary to discover the true identity. Where an intrusion is in progress the investigator may have to capture volatile data (data in RAM). The data in RAM at the time of an intrusion may provide valuable clues to the identity of the intruder, or at the very least to the method of attack. In the case of an instant message or chat conversation, the data that exists only in RAM needs to be acquired.
An Additional Standard Tactic Another standard tactic for investigating intrusion cases is documenting all programs installed and running on a system. By doing this the investigator might discover malicious software installed by the perpetrator to facilitate entry. This is accomplished utilizing specialized software designed to document running processes, registry entries, and any installed files.
Live Network Traffic: The investigator may want to capture live network traffic as part of the evidence collection and investigation process. Traffic travels the network in the form of data packets. In addition to their payload, these packets carry source and destination IP addresses. If the attack requires two-way communication, as when a hacker steals data, the stolen data has to be transmitted back to the hacker's computer, so the destination addresses of the outbound packets point toward the attacker.
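Added example (not from the slides): reading the source and destination addresses out of raw IPv4/TCP packets and totalling outbound bytes per external host, which is how the “data has to go back to the attacker” observation turns into a lead. The packets are built in memory by build_packet; the addresses, ports and the 10.0.0.0/24 internal range are assumptions for this example. On a real capture the same parse_packet runs over frames read from a pcap file.

```python
"""Parsing source/destination addresses from raw IPv4/TCP packets and summarising flows (added example).

Packets are constructed in memory by build_packet; a real investigation reads them from a
pcap (e.g. via dpkt or scapy) or a raw socket. Only the fields needed here are parsed;
IP options and IPv6 are out of scope. INTERNAL_NET is an assumption for the example.
"""
import socket
import struct
from collections import defaultdict

INTERNAL_NET = "10.0.0."  # constructed: the victim's LAN is 10.0.0.0/24


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words (RFC 791); returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP packet (no options); IPv4 checksum filled in, TCP checksum left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(raw):
    """Return src/dst IP, ports and payload length; reject anything that is not sane IPv4."""
    version_ihl = raw[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    if proto != 6:  # not TCP: report addresses only
        return {"src": src, "dst": dst, "proto": proto, "sport": None, "dport": None,
                "payload_len": total_len - ihl}
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    return {"src": src, "dst": dst, "proto": 6, "sport": sport, "dport": dport,
            "payload_len": total_len - ihl - data_off}


def outbound_flows(packets):
    """Bytes sent from the internal network to each external host:port, largest first."""
    totals = defaultdict(int)
    for raw in packets:
        p = parse_packet(raw)
        if p["src"].startswith(INTERNAL_NET) and not p["dst"].startswith(INTERNAL_NET):
            totals[(p["src"], p["dst"], p["dport"])] += p["payload_len"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed traffic: ordinary web browsing plus a large transfer to an outside host on port 4444.
CAPTURE = [
    build_packet("10.0.0.5", "93.184.216.34", 51000, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_packet("93.184.216.34", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 1200),
    build_packet("10.0.0.5", "198.51.100.99", 51001, 4444, b"\x00" * 1400),
    build_packet("10.0.0.5", "198.51.100.99", 51001, 4444, b"\x00" * 1400),
    build_packet("198.51.100.99", "10.0.0.5", 4444, 51001, b"ok"),
]

if __name__ == "__main__":
    for flow, nbytes in outbound_flows(CAPTURE):
        print(flow, nbytes, "bytes out")
```

The largest outbound flow is the one to chase: its destination is the hacker's collection point, and the source port and timestamps line it up against the server logs.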
Knowledge and Skill Computer file systems and data structures are vast and complex. Therefore, areas of forensic analysis are almost limitless and constrained only by the knowledge and skill of the examiner. With a working knowledge of a computer’s function, how they are utilized, and how they store data, an examiner is on his or her way to begin to locate the evidentiary data.
Privacy Protection Forensics: Ten guidelines:
1. Remove personally identifiable data from storage media
2. Store an identical copy of any evidentiary media given to law enforcement
3. Limit the search to the goal of the investigation
4. Handle time-stamped events in strictest confidence
5. On networks, acknowledge packets using tokens rather than IP addresses
6. Safe storage of all internal logs
7. Preservation of event logs in external nodes
8. Put policies in place for actionable items related to attacks
9. Put policies in place for safeguarding backed-up data related to an investigation
10. Handle disposal of sensitive data in a secure manner
Information Security Risk Analysis: Determining the nature and likelihood of the risks to key data. Planning for information security requires risk analysis. The goal is to minimize vulnerability to the threats that put a system at the most risk.
Preventing Unauthorized Access: Authentication credentials are the information users provide to identify themselves for computer access. User knowledge (something you know): name, password, PIN. Smart card (something you have): a card with an embedded memory chip used for identification. Biometrics (something you are): human characteristics such as fingerprints, retina or voice patterns.
Preventing Unauthorized Access: Guidelines for passwords: easy to remember, hard to guess; don't use family or pet names; don't make it accessible; use a combination of uppercase/lowercase letters, digits and special characters; don't leave the computer when logged in; don't ever tell anyone; don't include it in an email; don't use the same password in lots of places.
Personal Digital Security: For YOU! You are growing up in a digital world and your security online will depend upon how you conduct yourself. How can you stay safe?
Preventing Unauthorized Access: Typical password criteria: contain six or more characters; contain at least one uppercase and one lowercase letter; contain at least one digit; contain at least one special character. Note that current guidance (NIST SP 800-63B) favors length and screening against known-breached passwords over fixed composition rules, and six characters is far too short today.
Good or Bad? nelldale; JohnLewis; GingerCat; Longhorns; aatnv.AATNV; One2Three; 7December1939; red&whIte%blUe7; g&OoD#3PaSs. Worst? Acceptable? Marginal? Good?
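Added example (not from the slides): applying the previous slide's typical criteria to the candidates listed here, plus a dictionary check of the kind a cracking wordlist would make, which the criteria alone miss. The word list and the worst/marginal/acceptable/good thresholds are my own assumptions for the example, not the deck's answer key.

```python
"""Applying the slide's password criteria to its own candidate list (added example).

The rule set is the slide's 'typical criteria' plus two checks a cracking wordlist
would exploit: embedded common words and a day-month-year pattern. COMMON_WORDS is a
constructed stand-in for a real wordlist such as rockyou.txt; the thresholds in
classify() are assumptions for the demonstration.
"""
import re
import string

COMMON_WORDS = {"nell", "dale", "john", "lewis", "ginger", "cat", "longhorns", "one", "two",
                "three", "december", "red", "white", "blue", "good", "pass", "password"}
LEET = str.maketrans("01345", "oleas")  # undo the common digit-for-letter substitutions


def criteria(pw):
    """The slide's criteria, each reported separately so a user sees exactly what failed."""
    return {
        "length>=6": len(pw) >= 6,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def dictionary_hits(pw):
    """Common words embedded in the password, ignoring case and leet-style digits."""
    normalised = pw.lower().translate(LEET)
    return sorted(w for w in COMMON_WORDS if w in normalised)


def classify(pw):
    failed = [name for name, ok in criteria(pw).items() if not ok]
    looks_like_date = re.fullmatch(r"\d{1,2}[A-Za-z]+\d{4}", pw) is not None
    if len(failed) >= 2:
        return "worst"
    if failed or looks_like_date:
        return "marginal"
    if len(dictionary_hits(pw)) >= 2:
        return "acceptable"   # passes every rule but is assembled from guessable words
    return "good"


CANDIDATES = ["nelldale", "JohnLewis", "GingerCat", "Longhorns", "aatnv.AATNV",
              "One2Three", "7December1939", "red&whIte%blUe7", "g&OoD#3PaSs"]


def report():
    return {pw: classify(pw) for pw in CANDIDATES}


if __name__ == "__main__":
    for pw, verdict in report().items():
        print(f"{pw:18} {verdict:10} words={dictionary_hits(pw)}")
```

The point of the dictionary check is that "red&whIte%blUe7" satisfies every composition rule yet is three common words with predictable decoration, which is why current guidance weighs length and breached-password screening above character classes.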
Preventing Unauthorized Access: CAPTCHA: software that verifies that the user is a human and not another computer. You have to look at a distorted set of characters and key them back in. Why does this work?
Preventing Unauthorized Access: Fingerprint analysis: a stronger level of verification.
Antivirus Software: Software installed to detect and remove malicious code. Signature detection recognizes known malware and removes it. Heuristics are strategies used to identify general patterns of malicious behavior.
Computer Firewall: In computing, a firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
Careers: One of the fastest growing job markets!
Paths to Careers in CF: Certifications; Associate degree; Bachelor degree; Post-grad certificate; Masters; Doctorate.