Computer & Network Forensics


1 91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 1: Computer Forensics and Investigations as a Profession

2 Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct
Dr. Xinwen Fu

3 Understanding Computer Forensics
- Computer forensics involves obtaining and analyzing digital information from individual computers for use as evidence in civil, criminal, or administrative cases
- Network forensics yields information about how a perpetrator or hackers gained access to a network
- The Fourth Amendment to the U.S. Constitution protects everyone’s right to be secure in their person, residence, and property from search and seizure
- What happened in O.J. Simpson’s case?

4 Understanding Computer Forensics (continued)
- When preparing to search for evidence in a criminal case, include the suspect’s computers and their components in the search warrant
- Computer forensics is a very complicated process; legal, political, business, and technical factors will shape every investigation
- Prison Break – politics
- "A mere hope for secrecy is not a legally cognizable expectation of privacy."

5 CSIRT: Computer Security Incident Response Team
- Manage investigations and conduct forensic analysis of systems
- Draw on resources from those involved in:
  - vulnerability assessment and risk management
  - network intrusion detection
  - incident response
- Resolve or terminate all case investigations
(Slide image: Michael Scofield and Lincoln Burrows from Prison Break)

6 Components of CSIRT
- Vulnerability assessment and risk management
- Computer investigations & network intrusion detection
- Incident response

7 Vulnerability Assessment and Risk Management
- Test and verify the integrity of standalone workstations and network servers
- Examine the physical security of systems and the security of operating systems (OSs) and applications
- Test for known vulnerabilities of OSs
- Launch attacks on the network, workstations, and servers to assess vulnerabilities

8 Computer Investigations
- Involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court
- The evidence can be inculpatory or exculpatory – Duke lacrosse team rape charge
- The objective is different from that of data recovery or disaster recovery
- Investigating computers includes:
  - Securely collecting/searching computer data
  - Examining suspect data to determine details such as origin and content
  - Presenting computer-based information to courts
  - Applying laws to computer practice
News clipping on the slide: "Former Duke Lacrosse 'Rape' Prosecutor Charged With Withholding Evidence, Misleading Court. RALEIGH, N.C. — Former Duke lacrosse rape prosecutor Mike Nifong has been slapped with additional ethics charges by the state bar association, which has accused him of withholding DNA evidence and making misleading statements to the court."

9 Network Intrusion Detection and Incident Response Functions
- Detect intruder attacks using automated tools and by monitoring network firewall logs manually
- Track, locate, and identify the intruder
- Deny further access to the network
- Collect evidence for civil or criminal litigation against the intruders
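The first bullet pairs automated tools with manual review of firewall logs. As an added example (not from the lecture or its textbook), the following POSIX shell script runs a simple detection over a handful of constructed iptables-style log lines: it counts DROP entries per source address and reports any source that crosses a threshold, together with how many distinct destination ports that source probed. The log format, the field names and the threshold are assumptions chosen for illustration; on a real system the same function would be fed from the firewall log file instead of the embedded sample.

```shell
#!/bin/sh
# Added example: flag source addresses with repeated firewall denies.
# The log lines below are constructed for this example in an iptables-style
# layout (assumption); real logs will differ in prefix and field order.

FW_LOG=$(cat <<'EOF'
Mar 10 02:14:01 gw kernel: IPTABLES-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 02:14:02 gw kernel: IPTABLES-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 02:14:03 gw kernel: IPTABLES-ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 02:14:04 gw kernel: IPTABLES-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Mar 10 02:14:05 gw kernel: IPTABLES-DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 10 02:14:06 gw kernel: IPTABLES-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3306
EOF
)

# suspicious_sources THRESHOLD < logfile
# Prints "SRC drop_count distinct_ports" for every source address that
# produced at least THRESHOLD DROP lines. ACCEPT lines are ignored.
suspicious_sources() {
    threshold=$1
    awk -v t="$threshold" '
        /IPTABLES-DROP/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) port = substr($i, 5)
            }
            drops[src]++
            # count each (source, port) pair once to measure breadth of probing
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END {
            for (s in drops)
                if (drops[s] >= t) printf "%s %d %d\n", s, drops[s], ports[s]
        }' | sort
}

# Number of flagged sources for the embedded sample, so a caller can check it.
count_suspicious() {
    printf '%s\n' "$FW_LOG" | suspicious_sources "$1" | wc -l | tr -d ' '
}

# Demo run: with a threshold of 3 only 203.0.113.7 is reported.
printf '%s\n' "$FW_LOG" | suspicious_sources 3
```

The threshold is deliberately a parameter: a single deny from an address is noise, while the same address being dropped on several distinct ports within seconds is the pattern an analyst reviewing the logs manually would stop on. The script only reports; deciding whether to block the address or open an incident belongs to the response process described later in the lecture.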

10 Course Outline: Incident Response Process
CSIRT: Computer Security Incident Response Team
Incident occurs: point-in-time or ongoing
Phases: pre-incident preparation → detection of incidents → initial response → formulate response strategy → investigate the incident (data collection, data analysis) → reporting → resolution (recovery, implement security measures)
- Pre-incident preparation: take actions to prepare the organization and the CSIRT before an incident occurs
- Detection of incident: identify a potential computer security incident
- Initial response: perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident
- Formulate response strategy: based on all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate, based on the conclusions drawn from the investigation
- Investigate the incident: perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future
- Reporting: accurately report information about the investigation in a manner useful to decision makers
- Resolution: employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified

11 A Brief History of Computer Forensics
- Mainframe era
  - Well-known crimes: one-half cent, $12.234
- PC era
  - By the early 1990s, specialized tools for computer forensics were available
  - ASR Data created the tool Expert Witness for the Macintosh, which could recover deleted files and file fragments
  - EnCase, by one member of ASR Data
  - FTK (AccessData's Forensic Toolkit)
  - iLook (reading disk images)

12 Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct

13 Computer Investigations and Forensics
- Public investigations
  - Target criminal cases
  - Conducted by government agencies
  - Follow the law of search and seizure/enforcement
- Private or corporate investigations
  - Target civil cases
  - Conducted by private companies/lawyers
  - Follow private or corporate policies

14 Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct

15 Understanding Enforcement Agency Investigations
- Understand local city, county, state, and federal laws on computer-related crimes
- Until 1993, laws defining computer crimes did not exist
- States have added specific language to their criminal codes to define crimes that involve computers
- "Computers and networks are only tools that can be used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house"
- Possible computer crimes: data theft, child molestation images, drug transaction information on a hard disk

16 Legal Process for Computer Crimes
A criminal case follows three stages:
- Complaint: someone files a complaint
- Investigation: a specialist investigates the complaint
- Prosecution: the prosecutor collects evidence and builds a case

17 Levels of Law Enforcement Expertise for Police (CTIN: Computer Technology Investigators Network)
- Level 1 (street police officer): acquiring and seizing digital evidence
- Level 2 (detective): managing high-tech investigations
  - Teaching the investigator what to ask for
  - Understanding computer terminology
  - What can and cannot be retrieved from digital evidence
- Level 3 (computer forensics expert): specialist training in retrieving digital evidence

18 Typical Affidavit of Search Warrant for Seizing Evidence
(Slide shows a sample affidavit)

19 Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct

20 Understanding Corporate Investigations
- Business must continue with minimal interruption from your investigation
- The investigation is secondary to stopping the violation and minimizing the damage or loss to the business
- Can Microsoft shut down its servers for forensics purposes?

21 Establishing Company Policies
- Company policies are built in order to avoid litigation
- Without defined policies, a business risks exposing itself to litigation by current or former employees
- Policies provide rules for using company computers and networks

22 Displaying Policy Warning Banners
- Avoid litigation by displaying a warning banner on computer screens
- A banner:
  - Informs users that the organization can inspect computer systems and network traffic at will
  - Voids the right of privacy
  - Establishes authority to conduct an investigation

23 Displaying Warning Banners (continued)
(Slide shows a banner screenshot)

24 Displaying Warning Banners (continued)
Types of warning banners:
- For internal employee access (intranet Web page access)
- For external visitor access (Internet Web page access)

25 Displaying Warning Banners (continued)
Examples of warning banners:
- Access to this system and network is restricted
- Use of this system and network is for official business only
- Systems and networks are subject to monitoring at any time by the owner
- Using this system implies consent to monitoring by the owner
- Unauthorized or illegal users of this system or network will be subject to discipline or prosecution

26 Banner Example in Reality
- Recall: why do we need policies and warning banners?
- Courts have ruled that company-owned equipment does not contain any “personal information”
- Without them, your authority to inspect might conflict with the user's expectation of privacy, and a court might have to determine the issue of authority to inspect

27 Mercury.cs.uml.edu Banner
(Slide shows the banner)

28 Texas A&M CS Department Banner
(Slide shows the banner)

29 SSHD Banner
- By default the sshd server turns off this feature
- Log in as the root user, then create your login banner file: edit /etc/ssh/sshd-banner
- Edit /etc/ssh/sshd_config and add: Banner /etc/ssh/sshd-banner
- Save the file and restart the sshd server: /etc/init.d/sshd restart
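The slide gives the steps by hand. As an added example (not the lecture's own material), the POSIX shell functions below carry them out in a repeatable way: write the banner file using the wording from the slide's banner examples, then set the `Banner` directive in `sshd_config`, replacing an existing or commented-out `Banner` line rather than appending a duplicate each time the script runs. File paths are parameters so the functions can be exercised in a scratch directory; on a live host they would be called with /etc/ssh/sshd-banner and /etc/ssh/sshd_config, and sshd restarted as the slide shows. The sample config contents are constructed.

```shell
#!/bin/sh
# Added example: install an SSH pre-login warning banner and point sshd at
# it idempotently. Paths are passed in, so nothing under /etc is touched
# unless the caller asks for it.

# write_banner FILE: write the warning text (wording from the lecture's
# banner examples) to FILE.
write_banner() {
    cat > "$1" <<'EOF'
*** WARNING ***
Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users of this system or network will be subject
to discipline or prosecution.
EOF
}

# set_banner_directive CONFIG BANNER_PATH: make CONFIG contain exactly one
# "Banner BANNER_PATH" line. An existing Banner line, commented or not, is
# rewritten in place; otherwise the directive is appended. Safe to re-run.
set_banner_directive() {
    cfg=$1
    banner=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg"; then
        tmp="$cfg.tmp"
        sed -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf 'Banner %s\n' "$banner" >> "$cfg"
    fi
}

# effective_banner CONFIG: print the path of the first active Banner
# directive (empty output if there is none), for verification.
effective_banner() {
    awk '$1 == "Banner" { print $2; exit }' "$1"
}

# Demo against a constructed sshd_config in a scratch directory.
demo_banner_setup() {
    dir=$(mktemp -d)
    printf '#Banner none\nPort 22\n' > "$dir/sshd_config"
    write_banner "$dir/sshd-banner"
    set_banner_directive "$dir/sshd_config" "$dir/sshd-banner"
    set_banner_directive "$dir/sshd_config" "$dir/sshd-banner"   # second run changes nothing
    effective_banner "$dir/sshd_config"
    rm -rf "$dir"
}

demo_banner_setup
```

Before restarting the real daemon, `sshd -t` checks the edited configuration for syntax errors, which matters because a broken `sshd_config` can lock administrators out of a remote host.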

30 Linux Console Login Banner
- File /etc/issue; default contents:
    Fedora Core release 3 (Heidelberg)
    Kernel \r on an \m
- \r – OS (kernel) release
- \m – machine (hardware) type, such as “i686”
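The `\r` and `\m` sequences are expanded by getty when the banner is shown, so a warning placed in /etc/issue is not seen verbatim until someone reaches the console. As an added example (not from the lecture), the shell function below renders such a template the way getty would for the two escapes on the slide plus `\n` (the host name), so an administrator can preview the banner text before deploying it. The template is a constructed variant of the slide's default with a warning line added; passing the kernel release, machine type and host name as arguments keeps the output deterministic.

```shell
#!/bin/sh
# Added example: preview an /etc/issue template by expanding the getty
# escapes \r (kernel release), \m (machine type) and \n (host name).
# Constructed template: the slide's default plus one warning line.
ISSUE_TEMPLATE='Fedora Core release 3 (Heidelberg)
Kernel \r on an \m
Authorized users only. Activity on \n is monitored.'

# render_issue TEMPLATE KERNEL_RELEASE MACHINE HOSTNAME
# Values are explicit arguments so the result is testable; a live preview
# passes "$(uname -r)" "$(uname -m)" "$(uname -n)". Replacement values
# containing '&' would be treated specially by awk's gsub; uname output
# never does.
render_issue() {
    printf '%s\n' "$1" | awk -v r="$2" -v m="$3" -v n="$4" '
        {
            gsub(/\\r/, r)
            gsub(/\\m/, m)
            gsub(/\\n/, n)
            print
        }'
}

# Preview for the current machine.
render_issue "$ISSUE_TEMPLATE" "$(uname -r)" "$(uname -m)" "$(uname -n)"
```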

31 Windows XP Logon Warning Message
- Click Start / Control Panel
- Double-click Administrative Tools / Local Security Policy / Security Options
- Set "Interactive logon: Message text for users attempting to log on"
- Set "Interactive logon: Message title for users attempting to log on"
- Log off and log on again to test

32 Designating an Authorized Requester
- Not everyone should be an investigator
- Establish a line of authority
- Specify an authorized requester who has the power to conduct investigations
- Groups who can request investigations:
  - Corporate Security Investigations
  - Corporate Ethics Office
  - Corporate Equal Employment Opportunity Office
  - Internal Auditing
  - The general counsel or legal department

33 Conducting Security Investigations
- Public investigations search for evidence to support criminal allegations
- Private investigations search for evidence to support allegations of abuse of a company’s assets and criminal complaints
- Abuse or misuse of corporate assets (slide diagram): malicious abuse, excessive private Internet use, employee running a company startup, porn sites

34 Employee Abuse of Computer Privilege
(Slide shows an illustration)

35 Distinguishing Personal and Company Property
- PDAs and personal notebook computers
- An employee hooks up his PDA device to his company computer
- The company gives a PDA to an employee as a bonus
- What is your opinion of company policies on those items?

36 Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct

37 Maintaining Professional Conduct
- Professional conduct determines credibility
  - Ethics
  - Morals
  - Standards of behavior
- Conduct yourself with integrity
- Maintain objectivity and confidentiality
- Enrich technical knowledge

38 Maintaining Objectivity
- Sustain unbiased opinions of your cases
- Avoid drawing conclusions about the findings until all reasonable leads have been exhausted and you have considered all the available facts
- Ignore external biases to maintain the integrity of the fact-finding in all investigations

39 Keep the Case Confidential
- Until you are designated as a witness or required to release a report at the direction of the attorney or court

40 Enrich Technical Knowledge
- Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
- Learn about the latest investigation techniques that can be applied to the case
- Record fact-finding methods in a journal
  - Include dates and important details that serve as memory triggers
  - Develop a routine of regularly reviewing the journal to keep past achievements fresh

41 Enrich Technical Knowledge (continued)
- Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
- Monitor the latest book releases and read as much as possible about computer investigations and forensics
- Computer Technology Investigators Northwest (CTIN)
- High Technology Crime Investigation Association (HTCIA)
- LISTSERV or Majordomo mailing lists
- Certificate: EC-Council CHFI (Computer Hacking Forensic Investigator)
