Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics BACS 371

Published byRuth Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Forensics BACS 371"— Presentation transcript:

1 Computer Forensics BACS 371
Evidentiary Methods I: Incident Response

2 What is an “Incident” A computer “incident” is any situation or occurrence in which you, as the digital forensic expert, are called in to perform forensic services. Some incidents may involve situations where the evidence has already been collected while others may involve live acquisition. As a professional, you should be ready for any and all professional challenges related to the incident.

3 What is an “Incident” Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. For Example: Theft of trade secrets spam or harassment Unlawful or unauthorized intrusion into computing systems Embezzlement Possession or dissemination of child pornography Denial-of-service (DoS) attacks Tortuous interference of business relations Extortion Any unlawful action when the evidence of such action may be stored on computer media such as fraud, threats, and traditional crimes

4 Characteristics of “Incidents”
Violations of public law These can be actionable in criminal or civil proceedings They can have grave impact on an organization’s reputation and its business operations Commonly involve intense pressure, time, and resource constraints

5 Goals of Incident Response
Confirms or dispels whether incident occurred Establishes controls for handling evidence, cohesive response Protects privacy rights Minimizes disruptions to business, protects reputation and assets Allows for criminal and civil action Provides reports and recommendations Minimizes compromise of proprietary data Promotes rapid detection and/or prevention of future incidents

6 Components of Incident Response

7 Seven Major Components of Incident Response
Pre-incident preparation Detection of incidents Initial response Formulate response strategy Investigate the incident Data collection Data Analysis Reporting Resolution

8 Components of Incident Response
Pre-incident preparation Proactive measures before incident to ensure assets and information are protected Detection of incidents Report by end user Report by system administrator Internal Detection System Incident response checklist

9 Incident Response Checklist

10 Components of Incident Response
Initial Response Interviewing System administrator Personnel Suspect Review Internal Detection System report Network logs Access control Formulate a Response Strategy

11 Investigate the Incident
Data Collection Sound forensic methods Host-Based Information System date/time Applications currently running Open network connections and ports Applications listening on ports Initial live response – volatile data In-depth response – log files Full live response – live forensic analysis

12 Live acquire, Power down, or Unplug?
If a PC is running, you need to decide if you want to perform a live acquisition or power it down. A live acquisition captures the data on a running system. This can be very valuable evidence. If you decide to power it down, you need to do it properly. If you use the standard shutdown procedure, valuable evidence may be lost. This can include temporary files, log files, and date/timestamps. If a live acquisition is not appropriate, the current best practice is to unplug the PC from its power source. Explain here the importance of the decision to power down the computer or unplug it. If using the OS to properly shut down the machine, you run the risk of losing temporary files.

13 The Nature of Digital Evidence
“Evidence is what distinguishes a hypothesis from a groundless assertion.” Remember: Digital evidence is different from traditional evidence in several ways Too much potential evidence (terabytes) Evidence is easily contaminated Contaminating some evidence may ruin all evidence It can be copied and the copy is an “original” (if done properly) There are numerous ways to hide it that aren’t easily detectable

14 In Practice: Write Blocking and Protection
Once digital evidence is collected, never turn on a PC or plug in the data device without having write- blocking software or hardware in place. Write-blocking mechanisms prevent any writes to a drive such as may occur when simply turning on a system. If you don’t use write-blocking mechanisms, you will compromise the evidence. If possible, construct an in-class activity that would enable students to see how a write-blocker works. Discuss this with the students.

15 Create a Drive Image Original data must be protected from any type of alteration. To protect original data, perform all analysis from a forensic copy of the original drive or device. Ways to make forensic copies: Drive imaging or mirror imaging Sector-by-sector or bit-stream imaging Bit-Stream is the preferred method. Discuss the importance of imaging a drive with the proper software in order to make a valid forensic copy of the drive and preserve any evidence that might be found on the computer.

16 Acquiring a Forensic Copy
Use a forensically clean hard drive for copying. This is one that has been “forensically wiped.” Simply using the operating system format command does not meet acceptable or best practices Verify the accuracy of the copy: Cyclic redundancy check (CRC) Cryptographic hash verification Message digest (MD5) Discuss the proper way to prepare a hard drive for a forensic copy. Also discuss ways that the copy can be verified to maintain its integrity. Mention the “legal duty” that parties of a case have to “utilize the method which would yield the most complete and accurate results” (Gates Rubber Co. v. Bando Chemical Industries) This is in relation to computer forensics investigations.

17 Request for Forensic Examination
This form is from the Rocky Mountain Regional Computer Forensic Laboratory. It is used to request official help on a case.

18 Performing Forensic Analysis

19 Forensic Analysis Reviewing all data collected Techniques include
Log files System configuration files Trust relationships Web browser history files messages Installed applications Graphics files Techniques include Software analysis Review time/date stamps Keyword searches Review free space, deleted files, slack space

20 Components of Incident Response
Reporting Document immediately Write concisely and clearly Use a standard format Employ technical editors Resolution Prevent further damage Return to secure, healthy operational status Apply countermeasures and update security standards

21 The Five Mistakes of Incident Response
Not having a plan Failing to increase monitoring and surveillance Being unprepared for a court battle Putting it back the way it was Not learning from mistakes

22 Basic Forensic Methodology
Acquire the evidence – maintain chain of custody Authenticate that it is the same as the original Analyze the data without modifying it The key is to have a well defined set of procedures that you follow.

23 Evidence Handling Process

24 NYC Police Forensic Procedures
Stage Tools Discussion Seizing the computer None Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC). Backup Safeback, Expert Witness, Snapback Backup is done using one of the listed tools. A case file is created on an optical disk (CD). Evidence extraction Expert Witness The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence.

25 NYC Police Forensic Procedures (Cont.)
Stage Tools Discussion Case creation Expert Witness The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media. Case analysis None Investigators use experience and training to search the computer evidence for documents, deleted files, images, , slack space, etc., that will help in the case. Correlation of computer events Timeline, order of events, related activities, and contradictory evidence are the components of this stage.

26 NYC Police Forensic Procedures (Cont.)
Stage Tools Discussion Correlation of noncomputer events None Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated. Case presentation Standard Office Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.

27 Documentary Evidence1 Chain of custody of documents
Marking of evidence Organization of documentary evidence Rules concerning original versus copies of documents 1Albrecht, Albrecht, Albrecht, Fraud Examination 2e, Thompson South-Western, 2006, p. 226

28 Chain of Custody Procedures
Record of Evidence Lot Release Dates recorded Access to Evidence restricted Original Hard Drive placed in Locker or safe All analysis performed on bit stream copies

29 Chain of Custody Document

30 Admissibility of Computer Forensic Evidence
A forensic examiner’s qualifications can be challenged or the tools or methodologies used in a forensic investigation can be objected to. Whether the theory or technique has been tested Whether it has been subjected to peer review and publication The known or potential error The general acceptance of the theory in the scientific community Whether the proffered testimony is based upon the expert’s special skill

31 Maintaining a Defensible Approach
Performed in accordance with forensic science principles Based on standards or current best practices Conducted with verified tools Conducted by individuals who are certified Documented thoroughly

32 Problems with Poorly Collected Evidence1
If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented. If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in the jury members’ mind. 1Scene of the Cybercrime, Shinder & Tittel, p.546

33 Evidence Disposition Initial Disposition Final Disposition
After final report completed Dispose of working copies Maintain “best evidence” Final Disposition 5 years from date case was opened Unless… Unless there is a chance that the case may be re-opened (appeal, …). If you do keep it, you have to ensure that it is secure and not available for inspection by anyone else (potential privacy issues).

34 Remember… Computer forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic evidence. Three C’s of evidence: Care Control Chain of Custody

Download ppt "Computer Forensics BACS 371"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
OC RIMS Cyber Safety & Security Incident Response.

OC RIMS Cyber Safety & Security Incident Response.
BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?

BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?
Computer Forensics.

Computer Forensics.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Legal, Regulations, Compliance and Investigations.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Legal, Regulations, Compliance and Investigations.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Computer Forensics Principles and Practices

Computer Forensics Principles and Practices
Incidence Response & Computer Forensics, Second Edition

Incidence Response & Computer Forensics, Second Edition
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

Similar presentations

Ads by Google