1 Digital Forensics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #8: Computer Forensics: Data Recovery and Evidence Collection
September 12, 2007

2 Outline
- Agenda for the next several lectures
- Review of Part 1
- Data Recovery
- Evidence Collection and Data Seizure
- Useful links and discussion
- Reference: Part II of the textbook, Chapters 5 and 6

3 Agenda for Lectures until October 8, 2007
- September 17, 2007: Chapters 7 and 8; example programming projects
- September 19, 2007: Chapters 9, 10, 11
- September 24, 2007: Guest lecture, Richardson Police Department
- September 26, 2007: Chapter 12, Network Forensics
- October 1, 2007: Guest lecture, FBI North Texas
- October 3, 2007: Selected paper discussions
- October 8, 2007: Begin Part IV of the book

4 Review of Part 1
- Lecture 1: Introduction
- Lecture 2: Fundamentals
- Lecture 3: Forensics Technologies
- Lecture 4: Botnets
- Lecture 5: Forensics Systems
- Lecture 6: Forensics Services
- Lecture 7: Malicious Code Detection

5 Data Recovery
- What is data recovery?
- Role of backup in data recovery
- Data recovery solution
- Hiding and recovering hidden data

6 What is Data Recovery
- Usually "data recovery" means recovering data that has been lost: e.g., when a system crashes some data may be lost, and with appropriate recovery procedures that data is restored
- In digital forensics, data recovery means extracting the data from seized computers (hard drives, removable disks, etc.) so that it can be analyzed

7 Role of Backup in Data Recovery
- Databases/files are backed up periodically (hourly, daily, weekly, etc.) so that if the system crashes the databases/files can be restored to the previous consistent state
- Challenge: backing up petabyte-sized databases/files
- Obstacles to backing up: the backup window, network bandwidth, system throughput
- Current trends: storage cost is decreasing; systems have to be online 24x7
- Next-generation solutions: multiple backup servers, optimizing storage space

8 Data Recovery/Backup Solution
- Develop a plan/policy for backup and recovery
- Develop, hire, or outsource the appropriate expertise
- Develop a system design for backup/recovery: three-tier architectures, caches, backup servers
- Examine state-of-the-art backup/recovery products and tools
- Implement the backup plan according to the policy and design

9 Recover Hidden Data
- Hidden data
  - Files may be deleted, but until the sectors they occupied are overwritten, the data remains on the disk
  - Data stored on diskettes, or data stored inside another disk
- Need to get all the pieces and complete the puzzle
- Analysis techniques (including statistical reasoning) are used to recover hidden data and complete the puzzle
- Reference: http://www.forensicfocus.com/hidden-data-analysis-ntfs
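The first bullet is the basis of file carving: a deleted file's directory entry is gone, but its bytes stay on the disk until the file system reuses the sectors, so scanning the raw image for known header/footer signatures finds it without any file-system metadata. The following is an added example, not code from the lecture or its textbook; the disk image, the three files and the sector layout are constructed in the code, and the PNG/JPEG/PDF signatures are the standard magic bytes for those formats.

```python
"""Signature-based file carving over a raw disk image.

Constructed demonstration: the image is built in code, not acquired from
a real disk. A deleted file whose sectors were not reused is recovered
from raw bytes alone; one whose header was overwritten is not.
"""
import hashlib

SECTOR = 512

# (header, footer) signatures; the footer is included in the carved object.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=16 * 1024 * 1024):
    """Scan the raw image for every header/footer pair, ignoring any
    file-system metadata. Returns dicts sorted by offset; each carved
    object is hashed so it can be referenced in the evidence log."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:          # header with no footer in range: skip it
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            hits.append({"type": kind, "offset": start, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "data": data})
            pos = end
    hits.sort(key=lambda h: h["offset"])
    return hits


def sample_files():
    """Minimal constructed files: just enough structure to carry a signature."""
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + bytes(17) + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x7f" * 40 + SIGNATURES["jpg"][1]
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    return {"pdf": pdf, "png": png, "jpg": jpg}


def build_sample_image():
    """32 zero-filled sectors holding three files. Think of the pdf as still
    allocated and the png and jpg as deleted (directory entries gone,
    clusters intact); no directory is needed for carving."""
    files = sample_files()
    image = bytearray(32 * SECTOR)
    for sector, name in ((2, "pdf"), (10, "png"), (20, "jpg")):
        image[sector * SECTOR:sector * SECTOR + len(files[name])] = files[name]
    return bytes(image)


def overwrite(image, offset, length):
    """Simulate the file system reusing sectors: zero `length` bytes."""
    damaged = bytearray(image)
    damaged[offset:offset + length] = bytes(length)
    return bytes(damaged)


if __name__ == "__main__":
    img = build_sample_image()
    for h in carve(img):
        print(f"{h['type']} at sector {h['offset'] // SECTOR}, "
              f"{h['size']} bytes, sha256 {h['sha256'][:16]}...")
    # Reuse the first 8 bytes of the jpg's sector: the header is gone, so
    # signature carving no longer finds it even though the rest remains.
    for h in carve(overwrite(img, 20 * SECTOR, 8)):
        print("after overwrite:", h["type"])
```

Real carvers (for example the approach the forensicfocus article takes with NTFS) also use file-system structures such as MFT entries and cluster allocation maps; pure signature carving is the fallback when that metadata is missing or hostile, and it fails as soon as the header sector is reused, which is what the overwrite step shows.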

10 Evidence Collection and Data Seizure
- What is evidence collection
- Types of evidence
- Rules of evidence
- Volatile evidence
- Methods of collection
- Steps to collection
- Controlling contamination

11 What is Evidence Collection
- Collecting information from the recovered data for further analysis
- Evidence is needed so that the attacker can be identified and future attacks can be prevented and/or limited
- Collect evidence for analysis, or monitor the intruder
- Obstacles
  - It is difficult to extract patterns or useful information from the recovered data
  - It is difficult to tie the extracted information to a person

12 Types of Evidence
- Testimonial evidence
  - Evidence supplied by a witness; subject to the perceived reliability of the witness
  - Word processor documents written by a witness count, as long as the author states that he wrote them
- Hearsay
  - Evidence presented by a person who is not a direct witness
  - Word processor documents written by someone without direct knowledge of the incident

13 Rules of Evidence
- Admissible: the evidence must be usable in court
- Authentic: the evidence must be tied positively to the incident
- Complete: the evidence should cover all perspectives
- Reliable: there should be no doubt that proper procedures were used
- Believable: understandable and believable to a jury

14 Additional considerations
- Minimize handling and corruption of the original data
- Account for any changes and keep detailed logs
- Comply with the 5 basic rules above
- Do not exceed your knowledge; you need to understand what you are doing
- Follow the established security policy
- Work fast, but be accurate
- Proceed from volatile to persistent evidence
- Do not shut down the machine before collecting evidence
- Do not run programs on the affected machine

15 Volatile Evidence
- Types
  - Cached data
  - Routing tables
  - Process table
  - Kernel statistics
  - Main memory
- What to do next: collect the volatile data and store it on a permanent storage device

16 Methods of Collection
- Freezing the scene: take a snapshot of the system in its compromised state; then recover data, extract information, and analyze
- Honeypotting: create a replica system and attract the attacker to it for further monitoring

17 Steps to Collection
- Find the evidence: where is it stored?
- Find the relevant data (recovery)
- Create an order of volatility
- Remove external avenues of change; no tampering
- Collect the evidence using tools
- Document all actions thoroughly
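The steps on this slide (order of volatility, collection, documentation) together with the chain-of-custody requirement on the next one can be tied into a single piece of bookkeeping. The following is an added example, not code from the lecture or its textbook: artifacts are collected most-volatile first, hashed the moment they are captured, and every action is written to a log in which each entry commits to the hash of the previous entry, so a removed, inserted, or edited entry is detectable. The artifact contents, the examiner name, and the volatility ranks are constructed for illustration; the ranks follow the usual RFC 3227 ordering.

```python
"""Order-of-volatility collection with a hash-chained chain-of-custody log.

Constructed demonstration: the artifacts are byte strings built in code,
standing in for what acquisition tools would return. The bookkeeping is
the point: collect most-volatile first, hash each artifact the moment it
is captured, and log every action in entries that each commit to the
previous one, so insertion, deletion or editing of entries is detectable.
"""
import hashlib
import json
from datetime import datetime, timezone

# Lower rank = more volatile = collect first (RFC 3227 ordering, abbreviated).
VOLATILITY = {"memory": 0, "process_table": 1, "routing_table": 2,
              "arp_cache": 3, "disk_image": 9}

# Constructed stand-ins for acquisition output; not from any real system.
CONSTRUCTED_ARTIFACTS = {
    "disk_image": bytes(4096),
    "routing_table": b"default via 10.0.0.1 dev eth0\n10.0.0.0/24 dev eth0\n",
    "memory": b"<physical memory as returned by a memory-acquisition tool>",
    "process_table": b"PID 1 /sbin/init\nPID 4242 /tmp/.x/backdoor\n",
    "arp_cache": b"10.0.0.1 00:11:22:33:44:55 eth0\n",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log; entry i carries the hash of entry i-1."""

    GENESIS = "0" * 64

    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, action, artifact, data, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time_utc": when.isoformat(),
            "examiner": self.examiner,
            "action": action,
            "artifact": artifact,
            "sha256": sha256(data),
            "size": len(data),
            "prev_hash": prev,
        }
        # Canonical JSON so the entry hash does not depend on key order.
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every entry hash and link. Returns (ok, first_bad_seq)."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None


def collect(artifacts, log):
    """Acquire artifacts most-volatile first, logging each; returns the order used."""
    order = sorted(artifacts, key=lambda name: VOLATILITY[name])
    for name in order:
        log.record("collected", name, artifacts[name])
    return order


if __name__ == "__main__":
    log = CustodyLog("examiner-01")
    print("collection order:", collect(CONSTRUCTED_ARTIFACTS, log))
    print("log intact:", log.verify())
    log.entries[1]["sha256"] = sha256(b"edited later")   # simulate tampering
    print("after edit:", log.verify())
```

A hash chain only proves the log was not altered after the last entry the examiner published; in practice the final entry hash is written into the signed collection notes or printed and initialled at the scene, so that the anchor itself is outside the attacker's reach.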

18 Controlling Contamination
- Once the data is collected it must not be contaminated: store it in a secure place and protect it with encryption
- Maintain a chain of custody: who has held the data, and when; data provenance techniques
- Analyze the evidence: use analysis tools to determine what happened
- Analyze the log files and determine the timeline
- Analyze backups on a dedicated host
- Reconstruct the attack from all the information collected
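Determining the timeline from log files sounds like a sort, but logs from different sources carry timestamps in different formats and time zones, and sorting them as written produces a wrong order. The following is an added example, not code from the lecture or its textbook: it normalizes four constructed log lines (hostnames, addresses, and times are invented) to UTC and then sorts them. It assumes the syslog host runs at UTC-5 and that the year missing from the syslog line is 2023, and it assumes the CSV export is in UTC; in a real case each of those assumptions is something the examiner must establish and record.

```python
"""Merge log lines of different formats and time zones into one UTC timeline.

Constructed demonstration: the four lines below were written for this
example. The syslog line has no year and is in the host's local time; the
Apache line carries its own UTC offset; the CSV export is assumed to be
UTC; the JSON record ends in 'Z'. Normalizing all of them to UTC before
sorting is what makes the event order defensible.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SAMPLE_LOGS = [
    ("auth.log", "Mar 14 02:17:45 web01 sshd[2211]: Accepted password for deploy from 198.51.100.7 port 51522 ssh2"),
    ("access.log", '198.51.100.7 - - [14/Mar/2023:02:18:03 -0500] "GET /admin/upload.php HTTP/1.1" 200 512'),
    ("security.csv", "2023-03-14 07:17:50,4624,DC01,Logon,deploy"),
    ("edr.json", '{"ts":"2023-03-14T07:18:30Z","host":"web01","event":"process_start","cmd":"/tmp/.x/backdoor"}'),
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
APACHE = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")


def parse_line(source, line, year, local_tz):
    """Return (utc_datetime, source, message), or None if the line is not understood."""
    if source.endswith("auth.log"):            # syslog: no year, host-local time
        m = SYSLOG.match(line)
        if not m:
            return None
        mon, day, hh, mm, ss, host, msg = m.groups()
        ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=local_tz)
        return ts.astimezone(timezone.utc), source, f"{host} {msg}"
    if source.endswith("access.log"):          # Apache: explicit UTC offset
        m = APACHE.search(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc), source, line
    if source.endswith(".csv"):                # export assumed to be in UTC
        stamp, rest = line.split(",", 1)
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return ts, source, rest
    if source.endswith(".json"):               # ISO 8601 with Z suffix
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        return ts.astimezone(timezone.utc), source, f'{rec["host"]} {rec["event"]} {rec["cmd"]}'
    return None


def build_timeline(entries, year=2023, local_tz=timezone(timedelta(hours=-5))):
    """Normalize every line to UTC and sort; returns (iso_utc, source, message)."""
    events = [e for e in (parse_line(s, l, year, local_tz) for s, l in entries) if e]
    events.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, msg) for ts, src, msg in events]


if __name__ == "__main__":
    for when, src, msg in build_timeline(SAMPLE_LOGS):
        print(when, src.ljust(12), msg[:60])
```

Sorting the raw strings would place both local-time lines before the domain controller's logon event; after normalization the logon on DC01 falls between the SSH login and the upload request on web01, which is the order an analyst has to defend.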

19 Conclusion
- Data must be backed up using appropriate policies, procedures, and technologies
- Once a crime has occurred, data has to be recovered from the various disks and computers
- Recovered data has to be analyzed to extract evidence
- Evidence has to be analyzed to determine what happened
- Use log files and documentation to establish the timeline
- Reconstruct the attack

20 Links
- Data Recovery
  - http://www.datatexcorp.com/
  - http://www.forensicfocus.com/hidden-data-analysis-ntfs
- Digital Evidence
  - http://faculty.ncwc.edu/toconnor/426/426lect06.htm
  - http://www.itoc.usma.edu/Workshop/2006/Program/Presentations/IAW2006-07-1.pdf
  - http://www.e-evidence.info/index.html
  - http://www.digital-evidence.org/
  - http://findarticles.com/p/articles/mi_m2194/is_3_73/ai_n6006624/pg_1
  - http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Presentations/DigitalEvidence.pdf
