Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application of data mining to computer forensics

Published byBryan Noah Jordan Modified over 7 years ago

Similar presentations

Presentation on theme: "Application of data mining to computer forensics"— Presentation transcript:

1 Application of data mining to computer forensics

2 Definition What is Computer Forensics??
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Evidence might be required for a wide range of computer crimes and misuses Multiple methods of Discovering data on computer system Recovering deleted, encrypted, or damaged file information Monitoring live activity Detecting violations of corporate policy Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity

3 Definition (cont) What Constitutes Digital Evidence?
Any information being subject to human intervention or not, that can be extracted from a computer. Must be in human-readable format or capable of being interpreted by a person with expertise in the subject. Computer Forensics Examples Recovering thousands of deleted s Performing investigation post employment termination Recovering evidence post formatting hard drive Performing investigation after multiple users had taken over the system

4 Reasons For Evidence Wide range of computer crimes and misuses
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to: Theft of trade secrets Fraud Extortion Industrial espionage Position of pornography SPAM investigations Virus/Trojan distribution Homicide investigations Intellectual property breaches Unauthorized use of personal information Forgery Perjury

5 Reasons For Evidence (cont)
Computer related crime and violations include a range of activities including: Business Environment: Theft of or destruction of intellectual property Unauthorized activity Tracking internet browsing habits Reconstructing Events Inferring intentions Selling company bandwidth Wrongful dismissal claims Sexual harassment Software Piracy

6 Who Uses Computer Forensics?
Criminal Prosecutors Rely on evidence obtained from a computer to prosecute suspects and use as evidence Civil Litigations Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases Insurance Companies Evidence discovered on computer can be used to mollify costs (fraud, worker’s compensation, arson, etc) Private Corporations Obtained evidence from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

7 Who Uses Computer Forensics? (cont)
Law Enforcement Officials Rely on computer forensics to backup search warrants and post-seizure handling Individual/Private Citizens Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

8 Handling Evidence Admissibility of Evidence
Legal rules which determine whether potential evidence can be considered by a court Must be obtained in a manner which ensures the authenticity and validity and that no tampering had taken place No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer Preventing viruses from being introduced to a computer during the analysis process Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage

9 Handling Evidence (cont)
Establishing and maintaining a continuing chain of custody Limiting the amount of time business operations are affected Not divulging and respecting any ethically [and legally] client-attorney information that is inadvertently acquired during a forensic exploration

10 Initiating An Investigation
DO NOT begin by exploring files on system randomly Establish evidence custodian - start a detailed journal with the date and time and date/information discovered If possible, designate suspected equipment as “off-limits” to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes Collect , DNS, and other network service logs

11 Initiating An Investigation (cont)
Capture exhaustive external TCP and UDP port scans of the host Could present a problem if TCP is wrapped Contact security personnel [CERT], management, Federal and local enforcement, as well as affected sites or persons

12 Incidence Response Identify, designate, or become evidence custodian
Review any existing journal of what has been done to system already and/or how intrusion was detected Begin new or maintain existing journal Install monitoring tools (sniffers, port detectors, etc.) Without rebooting or affecting running processes, perform a copy of physical disk Capture network information

13 Incidence Response (cont)
Capture processes and files in use (e.g. dll, exe) Capture config information Receipt and signing of data

14 Handling Information Information and data being sought after and collected in the investigation must be properly handled Volatile Information Network Information Communication between system and the network Active Processes Programs and daemons currently active on the system Logged-on Users Users/employees currently using system Open Files Libraries in use; hidden files; Trojans (rootkit) loaded in system

15 Handling Information (cont)
Non-Volatile Information This includes information, configuration settings, system files and registry settings that are available after reboot Accessed through drive mappings from system This information should investigated and reviewed from a backup copy

16 Computer Forensic Requirements
Hardware Familiarity with all internal and external devices/components of a computer Thorough understanding of hard drives and settings Understanding motherboards and the various chipsets used Power connections Memory BIOS Understanding how the BIOS works Familiarity with the various settings and limitations of the BIOS

17 Computer Forensic Requirements (cont)
Operation Systems Windows 3.1/95/98/ME/NT/2000/2003/XP DOS UNIX LINUX VAX/VMS Software Familiarity with most popular software packages such as Office Forensic Tools Familiarity with computer forensic techniques and the software packages that could be used

18 Anti-Forensics Software that limits and/or corrupts evidence that could be collected by an investigator Performs data hiding and distortion Exploits limitations of known and used forensic tools Works both on Windows and LINUX based systems In place prior to or post system acquisition

19 Evidence Processing Guidelines
New Technologies Inc. recommends following 16 steps in processing evidence They offer training on properly handling each step Step 1: Shut down the computer Considerations must be given to volatile information Prevents remote access to machine and destruction of evidence (manual or ant-forensic software) Step 2: Document the Hardware Configuration of The System Note everything about the computer configuration prior to re-locating

20 Evidence Processing Guidelines (cont)
Step 3: Transport the Computer System to A Secure Location Do not leave the computer unattended unless it is locked in a secure location Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks Step 5: Mathematically Authenticate Data on All Storage Devices Must be able to prove that you did not alter any of the evidence after the computer came into your possession Step 6: Document the System Date and Time Step 7: Make a List of Key Search Words Step 8: Evaluate the Windows Swap File

21 Evidence Processing Guidelines (cont)
Step 9: Evaluate File Slack File slack is a data storage area of which most computer users are unaware; a source of significant security leakage. Step 10: Evaluate Unallocated Space (Erased Files) Step 11: Search Files, File Slack and Unallocated Space for Key Words Step 12: Document File Names, Dates and Times Step 13: Identify File, Program and Storage Anomalies Step 14: Evaluate Program Functionality Step 15: Document Your Findings Step 16: Retain Copies of Software Used

22 What is Digital Evidence and How is it Different?
Information and data of investigative value that is stored on or transmitted by an electronic device Can transcend borders quickly via Internet Data in computer systems is highly susceptible to alteration or destruction Caution must be exercised when collecting, transporting, examining and storing this type of evidence to avoid data loss Special training, skills, equipment, and software are needed to retrieve evidence stored within computers and computer media to avoid alteration or destruction Data in computer systems is usually stored in electromagnetic or electronic form. These types of storage are highly susceptible to alteration or destruction. Caution must be exercised when collecting, transporting, examining and storing this type of evidence to avoid the loss of evidence and intellectual property.

23 Digital Evidence at the Crime Scene - Considerations
Search Warrant / Consent to Search Identifying Evidence to be Collected Documentation, Collection, Preservation of Evidence Transporting Evidence to the Laboratory

24 Search Warrant / Consent to Search
DPS Crime Lab Policy is to have copy of the search warrant or consent to search form before examination can begin Specific wording not only to seize the media but also to access data stored within the media…there is a difference This requirement provides protection at the time of trial preventing the examiner of the evidence from unlawful search of the data contained on the items submitted. This is an example of how digital evidence differs from other types of evidence that can be seen “in plain sight”. A search warrant to collect possible evidence of a crime at the scene typically covers the evidence you can walk into a room and see or touch. It is a more intrusive search to get into a laptop, remove the hard drive and examine (search) for evidence of a crime. Go-bys are available from the DPS Lab A common misconception about the search warrant “return” to the issuing Judge: officers often ask if we can begin examination within that return time. When in fact, the evidence merely needs to be submitted to the lab within that return deadline to the Judge. The policy to require a search warrant before examination begins serves as protection from conducting an illegal search and helps to prevent the evidence ascertained from the examination from being kept out of court.

25 Types of electronic devices or MEDIA that may contain digital evidence
Personal computer, laptop External hard drives (USB connection) DVD, CD, floppy disks Flash drives (thumb, USB) Memory sticks Digital cameras SD Cards Personal Data Assistants (PDAs, iPods, Palm) Cellular phones MP3 Players Smart Phones (Blackberry/iPhone/Android) iPads, tablets Many unusual pieces of media

26 Other Items of Evidence at Scene
Computer media relevant to crime Documents surrounding computer Documents in the printer, scanner, trash Web camera (usually on top of monitor) PDA, cell phones with charger/data cable Related software Related cables / power cords / chargers

27 Reference Land.pptx

Download ppt "Application of data mining to computer forensics"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.

Computer Forensics.
Dale Stobaugh, Supervisor txdps.state.tx.us Ken Crawford Jennifer LandVeronica Bradshaw Texas Department of Public Safety Crime.

Dale Stobaugh, Supervisor txdps.state.tx.us Ken Crawford Jennifer LandVeronica Bradshaw Texas Department of Public Safety Crime.
Texas Department of Public Safety

Texas Department of Public Safety
Computer Forensics.

Computer Forensics.
Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.

Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.
2 Language of Computer Crime Investigation

2 Language of Computer Crime Investigation
1 COMPUTER SECURITY AND ETHICS Chapter Five. Computer Security Risks 2.

1 COMPUTER SECURITY AND ETHICS Chapter Five. Computer Security Risks 2.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.

Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

Similar presentations

Ads by Google