Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Bhavani Thuraisingham The University of Texas at Dallas

Published byJacob Patrick Modified over 6 years ago

Similar presentations

Presentation on theme: "Dr. Bhavani Thuraisingham The University of Texas at Dallas"— Presentation transcript:

1 Dr. Bhavani Thuraisingham The University of Texas at Dallas
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #3 Computer Forensics Data Recovery and Evidence Collection and Preservation August 31, 2009

2 Data Recovery What is Data Recovery? Role of Backup in Data Recovery
Data Recovery Solution Hiding and Recovering Hidden Data

3 What is Data Recovery Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis

4 Role of Backup in Data Recovery
Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state Challenge to backup petabyte sized databases/files Obstacles for backing up Backup window, network bandwidth, system throughout Current trends Storage cost decreasing, systems have to be online 24x7 Next generation solutions Multiple backup servers, optimizing storage space

5 Data Recovery/Backup Solution
Develop a plan/policy for backup and recovery Develop/Hire/Outsource the appropriate expertise Develop a system design for backup/recovery Three tier architectures, caches, backup servers Examine state of the art backup/recovery products and tools Implement the backup plan according to the policy and design

6 Recover Hidden Data Hidden data
Files may be deleted, but until they are overwritten, the data may remain Data stored in diskettes and stored insider another disk Need to get all the pieces and complete the puzzle Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle Reference: ntfs

7 Evidence Collection and Data Seizure
What is Evidence Collection Types of Evidence Rules of Evidence Volatile Evidence Methods of Collection Steps to Collection Controlling Contamination

8 What is Evidence Collection
Collecting information from the data recovered for further analysis Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited Collect evidence for analysis or monitor the intruder Obstacles Difficult to extract patterns or useful information from the recovered data Difficult to tie the extracted information to a person

9 Types of Evidence Testimonial Evidence
Evidence supplied by a witness; subject to the perceived reliability of the witness Word processor documents written by a witness as long as the author states that he wrote it Hearsay Evidence presented by a person who is not a direct witness Word processor documents written by someone without direct knowledge of the incident

10 Rules of Evidence Admissible Evidence must be able to be used in court
Authentic Tie the evidence positively to an incident Complete Evidence that can cover all perspectives Reliable There should be no doubt that proper procedures were used Believable Understandable and believable to a jury

11 Additional considerations
Minimize handling and corruption of original data Account for any changes and keep detailed logs Comply with the 5 basic rules Do not exceed your knowledge – need to understand what you are doing Follow the security policy established Work fast / however need to be accurate Proceed from volatile to persistent evidence Do not shut down the machine before collecting evidence Do not run programs on the affected machine

12 Volatile Evidence Types Cached data Routing tables Process table
Kernel statistics Main memory What to do next Collect the volatile data and store in a permanent storage device

13 Methods of Collection Freezing the scene
Taking a snapshot of the system and its compromised state Recover data, extract information, analyze Honeypotting Create a replica system and attract the attacker for further monitoring

14 Steps to Collection Find the evidence; where is it stored
Find relevant data - recovery Create order of volatility Remove external avenues of change; no tampering Collect evidence – use tools Good documentation of all the actions

15 Controlling Contamination
Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques Maintain a chain of custody, who owns the data, data provenance techniques Analyze the evidence Use analysis tools to determine what happened Analyze the log files and determine the timeline Analyze backups using a dedicated host Reconstruct the attack from all the information collected

16 Duplication and Preservation of Evidence
Preserving the Digital Crime Scene First task is to make a compete bit stream backup of all computer data before review or process Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups. Make sure that the legal requirements are met and proper procedures are followed

17 Digital Evidence Process Model
The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.

18 Standards for Digital Evidence
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross- disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.

19 Verifying Digital Evidence
Encryption techniques Public/Private key encryption Certification Authorities Digital ID/Credentials Owner signs document with his private key, the Receiver decrypts the document with the owner’s public key Owner signs document with the receiver’s public key, Receiver decrypts the document with his private key Standards for Encryption Export/Import laws %20exploring%20validation,%20verification%20and%20certification.pdf

20 Conclusion - I Data must be backed up using appropriate policies, procedures and technologies Once a crime ahs occurred data ahs to be recovered from the various disks and commuters Data that is recovered has to be analyzed to extract evidence Evidence has to analyzed to determine what happened Use log files and documentations to establish the timeline Reconstruct the attack

21 Conclusion - II Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand Need to make it a scientific discipline

22 Links Data Recovery http://www.datatexcorp.com/
Digital Evidence entations/IAW pdf /pg_1 Presentations/DigitalEvidence.pdf

23 Links: Preserving Digital Evidence
(standards) (process) ing_digital_evidence.asp (hard drive duplication) investigator.net/admissibilityofdigital.html (digital photographs) (US Patent) rwirth2004.pdf (survey) (bit stream backup)

24 Links: Verifying Digital Evidence
tions/digital%20forensics%20- %20exploring%20validation,%20verification%20and%20 certification.pdf (verification and validation) (accreditation, parts 1 and 2)

Download ppt "Dr. Bhavani Thuraisingham The University of Texas at Dallas"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #26 Emerging Technologies.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #26 Emerging Technologies.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Computer Forensics Principles and Practices

Computer Forensics Principles and Practices
Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.

Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Dr. Bhavani Thuraisingham The University of Texas at Dallas

Dr. Bhavani Thuraisingham The University of Texas at Dallas
Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Similar presentations

Ads by Google