Digital Forensics CJ 520 23.0.


1 Digital Forensics CJ 520 23.0

2 Forensics
“Of, relating to, or used in legal proceedings, or argumentation.”
“The application of principles and findings of science for the purpose of offering evidence that will be accepted in court”

3 MD5 Hash
Message Digest Algorithm 5
Creates a unique ID (checksum) for data
Used to verify:
  Disk that will hold copy of data was initially “clean”
  The copy made of the original data is an exact copy

4 Magnetic Disk Storage
Track (A) - concentric circle used to store information
Sector (B & C) - pie shaped division of tracks
Cluster (D) - collection of track sectors, smallest addressable storage unit on disk

5 Terms
Metadata
  Data about data
  Name of file, date of creation, ownership, location
Unallocated space
  Unused clusters; may or may not contain deleted files
Slack space / file slack
  Space from end of a file to end of a cluster

6 Terms
Logical copy
  All files are copied
  Does not include unallocated or slack space
Physical copy / Mirror image
  Bit for bit copy of storage device
  Includes unallocated and slack space

7 Forensic Examination
4 Steps
Collection/Acquisition
  Evidence search, recognition, collection, and documentation
Examination
  Helps make evidence visible and explains its origin and significance
Analysis
  Determine significance and probative value of evidence to the case
Reporting
  Outlines the examination process and pertinent data recovered by the examination

8 Collection/Acquisition
Take good notes
  Assist recollection at trial
  Notes are “discoverable”
Document each step taken
Analysis never performed on original evidence
  Evidence must be copied
  Use wiped disk - verify with MD5 hash
  DOD - disk must be wiped seven times

9 Collection/Acquisition
Acquire original evidence in a manner that protects and preserves it
Document examiner’s hardware and software configurations
Verify operation of examiner’s system
Identify storage devices to be acquired
  Internal, external, or both
  Open case of evidence computer

10 Collection/Acquisition
Document internal storage devices and hardware configurations
  Drive condition - make, model, geometry, size, jumper settings, location, drive interface
  List internal components - video card, sound card, network card, PCMCIA cards
    Include MAC address
Disconnect storage devices
  Prevents accidental changes to devices

11 Collection/Acquisition
Get configuration information through a controlled boot (Enter Setup)
  Capture CMOS/BIOS information
  Record boot sequence
    May need to change to boot from floppy or CD
  Record date & time
    Note any differences between system date/time and actual date/time
  Power on passwords

12 Collection/Acquisition
Perform a second controlled boot to test the computer’s functionality and the forensic boot disk
  Make sure power cables are connected to boot drive - either floppy or CD
  Place forensic boot disk into drive
  Boot the computer and ensure the computer will boot from the forensic boot disk
  Power system down

13 Collection/Acquisition
If possible, remove evidence storage device and perform acquisition using examiner’s system
May not be possible in the following cases
  RAID (Redundant Array of Independent Disks)
  Laptop systems
  Older equipment
  Network storage

14 Collection/Acquisition
Make sure examiner’s storage device is forensically clean
Write protect evidence disk
  Hardware - WiebeTech
  Software - mount disk as read only - “mount -r”
Get MD5 hash value for evidence disk
Record the geometry of the evidence disk
  Size, sector, track, format
  Size of partition tables match physical disk size
Capture electronic serial number of drive

15 Collection/Acquisition
Make a forensic copy of evidence storage device on examiner’s disk
  Stand-alone duplication hardware
  Forensic analysis software suite
  Dedicated hardware devices
Binary level copy
  Captures everything on the media
  Includes slack space, free or unallocated space
  All partitions
Verify acquisition copy using MD5 hash
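An added example, not part of the deck, of the two MD5 checks from slides 3, 14 and 15 (examiner disk clean before imaging, image matches original after) together with the logical versus physical copy distinction from slide 6, run against a constructed four-cluster evidence disk held in memory. The cluster size, file contents and the all-zero notion of "clean" are assumptions of the example; MD5 is used because the slides name it, and any other hashlib algorithm drops in the same way.

```python
import hashlib

CLUSTER = 512  # constructed: a tiny cluster size keeps the in-memory disk small
FINAL = b"final report: nothing to see here"  # constructed: the live file in cluster 1

def md5_hex(data: bytes) -> str:
    """MD5 of a whole buffer; a real image would be fed to hashlib in chunks."""
    return hashlib.md5(data).hexdigest()

def is_forensically_clean(disk: bytes) -> bool:
    """A wiped examiner disk must hold only zero bytes before it receives an image."""
    return disk == bytes(len(disk))

def write_file(disk: bytearray, cluster: int, content: bytes) -> None:
    """Place a file at the start of a cluster; bytes past its end (the slack) stay as they were."""
    start = cluster * CLUSTER
    disk[start:start + len(content)] = content

def logical_copy(disk: bytes, cluster: int, size: int) -> bytes:
    """File-by-file copy: only the file's own bytes, no slack, no unallocated clusters."""
    start = cluster * CLUSTER
    return bytes(disk[start:start + size])

def physical_copy(disk: bytes) -> bytes:
    """Bit-for-bit image of the whole device, slack and unallocated space included."""
    return bytes(disk)

def build_evidence_disk() -> bytearray:
    """Constructed evidence disk: cluster 1 first held a long draft, then the shorter
    FINAL file was written over it, so the draft's tail survives in the file slack."""
    disk = bytearray(4 * CLUSTER)
    write_file(disk, 1, b"old draft text filling the cluster before overwrite " * 9)
    write_file(disk, 1, FINAL)
    return disk

def acquire(evidence: bytes, target: bytes) -> tuple:
    """Hash the original, refuse a target that is not clean, image it, verify the image."""
    if not is_forensically_clean(target):
        raise RuntimeError("examiner disk is not forensically clean")
    evidence_hash = md5_hex(evidence)
    image = physical_copy(evidence)
    if md5_hex(image) != evidence_hash:
        raise RuntimeError("acquisition copy does not match the original")
    return evidence_hash, image

if __name__ == "__main__":
    digest, image = acquire(bytes(build_evidence_disk()), bytes(4 * CLUSTER))
    print("verified image MD5:", digest)
    print("draft in physical image:", b"draft" in image, "| in logical copy:", b"draft" in logical_copy(image, 1, len(FINAL)))
```

The slack bytes behind the live file are present in the physical image and absent from the logical copy, which is why the deck insists on a binary level copy.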

16 Evidence Examination
Done on copy, not the original
Write protect the copy
Prepare working directory on separate media to which evidentiary files and data can be recovered
Different tools for different OSs
  Linux - Penguin Sleuth Kit
  Windows - EnCase, Forensic Toolkit

17 Evidence Examination
Know what you are allowed to look for
  Scope of warrant or consent
  Privileged information
Two types of extraction
  Physical extraction
    Recovers data across the entire system without regard to the file system
  Logical extraction
    Identifies and recovers files based on the OS, the file system, and/or applications

18 Evidence Examination
Physical Extraction Methods
Keyword search
  Accounts for data across the physical drive not accounted for by the OS
File carving
  Recovery and extraction of files NOT based on metadata
  Different types of carving
    Block based carving, header/footer carving
Partition table
  Identify file systems present
  Determine if entire size of hard drive is accounted for

19 Evidence Examination
Logical Extraction Methods
Extraction of file system information
  Directory structure, file attributes, file names, date & time stamps, file size, file location
Data reduction
  Identify & eliminate known files by comparison to known hash values
Extraction of files pertinent to case
  File name, file header, file content, location on drive

20 Evidence Examination
Logical Extraction Methods cont.
Recovery of deleted files
Extraction of password protected, encrypted, and compressed data
Extraction of file slack
Extraction of unallocated space

21 Analysis of Data
The process of interpreting the extracted data to determine its significance to the case
May require:
  Review of the request for service
  Legal authority for search of digital evidence
  Investigative leads
  Analytical leads

22 Analysis of Data
Timeframe analysis
  Determining when events occurred
  Associate computer use with an individual
Two methods
  Review time/date stamps in file system metadata
    When evidence file was last viewed or edited
  Review system and application logs
    Error logs, installation logs, connection logs, security logs
    When user name & password logged on to the system
Note differences in BIOS time and actual time
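Added example (not part of the deck) of the timeframe analysis on this slide: file system timestamps and security-log logon/logoff lines are corrected for the BIOS clock skew recorded during acquisition, merged into one timeline, and used to say which account was logged on when each file was last modified. The two-hour skew, the file stamps and the log line format are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed: the evidence machine's BIOS clock was recorded as 2 hours behind actual time,
# so every stamp taken from that system (file metadata and logs alike) is shifted forward.
CLOCK_SKEW = timedelta(hours=2)

# Constructed file system metadata: (file name, last-modified stamp in system-clock time)
FILE_MTIMES = [
    ("report.doc", "2023-03-14 08:50:00"),
    ("notes.txt", "2023-03-14 12:20:00"),
]
# Constructed security log lines, also in system-clock time
SECURITY_LOG = """\
2023-03-14 08:45:10 security: logon user=alice
2023-03-14 11:30:05 security: logoff user=alice
2023-03-14 12:10:00 security: logon user=bob
"""
LOG_RE = re.compile(r"^(\S+ \S+) security: (logon|logoff) user=(\w+)$")

def to_actual(stamp: str) -> datetime:
    """Convert a system-clock timestamp to actual time using the documented skew."""
    return datetime.strptime(stamp, FMT) + CLOCK_SKEW

def build_timeline(file_mtimes, log_text) -> list:
    """Merge file timestamps and log events into one chronological list of (when, kind, who)."""
    events = [(to_actual(stamp), "mtime", name) for name, stamp in file_mtimes]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not match the expected format are skipped, never guessed at
            events.append((to_actual(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def user_at(timeline: list, file_name: str):
    """Account logged on when file_name was last modified (None if nobody, or file unknown)."""
    current = None
    for _when, kind, who in timeline:
        if kind == "logon":
            current = who
        elif kind == "logoff" and who == current:
            current = None
        elif kind == "mtime" and who == file_name:
            return current
    return None

if __name__ == "__main__":
    timeline = build_timeline(FILE_MTIMES, SECURITY_LOG)
    for when, kind, who in timeline:
        print(when.strftime(FMT), kind, who)
    for name, _stamp in FILE_MTIMES:
        print(name, "last modified while logged on:", user_at(timeline, name))
```

Without the skew correction the same stamps would still sort in the same order here, but any comparison against an external source (ISP records, CCTV, another machine) would be two hours off.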

23 Analysis of Data
Data hiding analysis
  Recover hidden data
  Aids in establishing knowledge, ownership, & intent
Intentional mismatch between file header and file extension
Password-protection, encryption, file compression
  Password may also have evidentiary value
Steganography
Host-protected area
  Presence of user data may indicate an attempt to hide data
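Added example (not from the deck) covering two of the techniques above: header/footer file carving from slide 18, which recovers files from a raw image with no file system metadata at all, and the header versus extension mismatch check from this slide. Both share one small signature table; the table, the carve window and the raw image are constructed for the example.

```python
# Constructed signature table for the example: file type -> (header bytes, footer bytes)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF89a", b"\x00\x3b"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 4096  # constructed window: a header with no footer inside it is reported, not carved

def carve(image: bytes, kind: str) -> list:
    """Header/footer carving over a raw image: no file system, no names, no timestamps.
    Returns (offset, bytes) per hit; bytes is None when the footer never appeared."""
    header, footer = SIGNATURES[kind]
    hits, pos = [], 0
    while (start := image.find(header, pos)) >= 0:
        end = image.find(footer, start + len(header), start + MAX_CARVE)
        if end < 0:
            hits.append((start, None))       # truncated or partly overwritten file
            pos = start + len(header)
            continue
        end += len(footer)
        hits.append((start, image[start:end]))
        pos = end
    return hits

def detect_type(data: bytes):
    """The type the content claims for itself, judged from its header bytes alone."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None

def header_extension_mismatch(name: str, data: bytes):
    """(extension, header type) when the file name and the header disagree, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = detect_type(data)
    return (ext, actual) if actual is not None and actual != ext else None

# Constructed raw image: zero filler, an intact JPEG-like blob, a GIF-like blob, more
# filler, and a JPEG header whose footer was never written (carving must not run away).
JPG1 = b"\xff\xd8\xff\xe0payload-one\xff\xd9"
GIF1 = b"GIF89a-frames-\x00\x3b"
IMAGE = b"\x00" * 100 + JPG1 + b"\x00" * 40 + GIF1 + b"\x00" * 40 + b"\xff\xd8\xff\xe1no-footer"

if __name__ == "__main__":
    for kind in SIGNATURES:
        for offset, data in carve(IMAGE, kind):
            print(f"carved_{offset}.{kind}" if data else f"{kind} header at {offset}, no footer")
    print(header_extension_mismatch("holiday.txt", JPG1))  # ('txt', 'jpg')
```

A carved file carries only its offset, so any name or timestamp it is given comes from the examiner, not the evidence; that should be stated in the report.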

24 Analysis of Data
Application and file analysis
  Insight into system capabilities and user’s knowledge
  May indicate additional extraction & analysis processes

25 Analysis of Data
Application and file analysis - examples
Review file names for relevance & patterns
Examine file content
Number/types of operating systems
Correlate files to installed applications
Relationship between files
  Internet history to cached files
Identify unknown file types & determine relevance
User’s default storage location
  Alternative locations used?
User-configuration settings
Analyze metadata

26 Analysis of Data
Ownership and possession
Knowledgeable possession
  Placing subject at computer at particular time
    Timeframe analysis
  Files of interest at non-default location
    Application & file analysis
  File name may have evidentiary value - may indicate contents
  Hidden data may indicate knowledge of wrong-doing
    Hidden data analysis
  Passwords may indicate ownership
  Files may contain information specific to a user

27 Documenting and Reporting
Report should be complete and accurate
Documentation is an ongoing process throughout the investigation
Accurately record steps taken
If any evidence uncovered is outside the investigation scope
  Document the evidence
  Notify case agent
  Additional search warrants may be required

28 Documenting and Reporting
Examiner’s Notes
  Maintain a copy of search authority with case notes
  Maintain initial request for assistance
  Maintain chain of custody
  Include dates, times, and actions taken
  Document irregularities encountered and actions taken
  Include network topology, list of authorized users, user agreements, and passwords
  Document changes made in the system or network by law enforcement
  Document the OS, relevant software versions & current patches
  Document information at scene regarding remote storage, remote user access, and offsite backups

29 Documenting and Reporting
Examiner’s report
  Normally burned to a CD
  May include:
    Identity of reporting agency
    Case ID
    Case investigator
    Identity of submitter
    Date of receipt
    Date of report
    Descriptive list of items submitted for examination
    Brief description of steps taken during examination
    Results/conclusions

30 Documenting and Reporting
Summary of findings
  Brief summary of results; more information should be in details of findings
Supporting materials
  List of supporting materials included in the report, such as printouts of evidence, chain of custody
Glossary
  May be included to assist the reader with any technological terms

31 Documenting and Reporting
Details of findings
  Specific files related to request
  Other files, including deleted files, that support the findings
  String searches, keyword searches, and text string searches
  Internet-related evidence, web traffic analysis, chat logs, cache files, and newsgroup activity
  Graphic image analysis
  Indicators of ownership
  Data analysis
  Description of relevant programs on the examined items
  Techniques used to hide or mask data

