Digital Forensics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #9: Preserving Digital Evidence; Image Verification and Authentication
September 17, 2007
Outline
- Review of Lecture #8
- Duplication and Preservation of Digital Evidence
- Image Verification
- Honey pots overview: Mehdy Masud
Review of Lecture #8
- Data Recovery
- Digital Evidence Collection
- Links and Discussions
- Chapters 7 and 8 of the text book
Duplication and Preservation of Evidence
- Preserving the digital crime scene
  - The first task is to make a complete bit stream backup of all computer data before any review or processing
  - Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jaz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups.
  - http://www.forensics-intl.com/def2.html
- Make sure that the legal requirements are met and proper procedures are followed
  - Details in Chapter 7 of the text book
Digital Evidence Process Model
- The U.S. Department of Justice published a process model in "Electronic Crime Scene Investigation: A Guide to First Responders" that consists of four phases:
  1. Collection: the evidence search, evidence recognition, evidence collection and documentation.
  2. Examination: designed to make the evidence visible while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.
  3. Analysis: looks at the product of the examination for its significance and probative value to the case.
  4. Reporting: writing a report outlining the examination process and the pertinent data recovered from the overall investigation.
- https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf
Standards for Digital Evidence
- The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.
- The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.
- http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Verifying Digital Evidence
- Encryption techniques
  - Public/private key encryption
  - Certification authorities
  - Digital IDs/credentials
- Standards for encryption
  - Export/import laws
- Course in cryptography
  - Details in Chapter 8
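The duplication slide says a complete bit stream copy must be taken, and the verification slide lists the key, certificate and credential machinery, but neither shows how an image is actually checked. In practice the examiner hashes the media as it is acquired, re-hashes the image to prove it is sector-for-sector identical, and signs that hash record so the record itself cannot be quietly edited. The Python below is an added example written for this page, not code from the lecture or from the sites it cites. It assumes SHA-256 (MD5 and SHA-1 were typical in 2007), sector-sized reads, a constructed 3 KB "device" with an allocated file followed by ambient data, and an HMAC under a shared key as a stand-in for the examiner's private-key signature, which the standard library cannot produce.

```python
"""Bit-stream duplication with verification and an authenticated hash record."""
import hashlib
import hmac
import os
import tempfile

SECTOR = 512        # read/copy in sector-sized units, like `dd bs=512`
HASH = "sha256"     # assumption: MD5/SHA-1 were usual in 2007; SHA-256 is used here


def acquire_image(source, image):
    """Copy every sector of `source` to `image`, hashing the source as it is read.

    The digest is computed over the bytes coming off the media, so it records
    what was there at acquisition time; the copy is later verified against it.
    """
    h = hashlib.new(HASH)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            h.update(sector)
            dst.write(sector)
    return h.hexdigest()


def hash_file(path, algorithm=HASH):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(image, digest, key):
    """Chain-of-custody record: image name, algorithm, digest and a keyed tag.

    The HMAC tag stands in for the examiner's digital signature. A real
    workflow signs with a private key (e.g. a CA-issued credential); the
    standard library has no asymmetric signing, so a shared key is assumed.
    """
    body = f"image={os.path.basename(image)}\nalgorithm={HASH}\ndigest={digest}\n"
    tag = hmac.new(key, body.encode(), HASH).hexdigest()
    return body + f"tag={tag}\n"


def verify_image(image, manifest, key):
    """Return (hash_matches, tag_valid); both must hold to accept the image."""
    fields = dict(line.split("=", 1) for line in manifest.splitlines())
    body = "".join(f"{k}={v}\n" for k, v in fields.items() if k != "tag")
    expected = hmac.new(key, body.encode(), fields["algorithm"]).hexdigest()
    tag_valid = hmac.compare_digest(expected, fields["tag"])
    hash_matches = hmac.compare_digest(hash_file(image, fields["algorithm"]),
                                       fields["digest"])
    return hash_matches, tag_valid


def demo():
    """Constructed scenario: acquire, verify, then tamper and re-verify."""
    key = b"examiner-key-for-illustration-only"   # assumption, not a real key
    # Constructed media: one allocated "file", then ambient (slack/deleted)
    # data that a file-level backup would never copy but a bit-stream one does.
    media = (b"allocated file contents\x00" * 40).ljust(4 * SECTOR, b"\x00")
    media += b"DELETED: draft memo ".ljust(2 * SECTOR, b"\xff")
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as f:
            f.write(media)
        digest = acquire_image(src, img)
        manifest = make_manifest(img, digest, key)
        intact = verify_image(img, manifest, key)          # (True, True)
        # Change one byte inside the slack region of the copy.
        with open(img, "r+b") as f:
            f.seek(4 * SECTOR + 10)
            f.write(b"X")
        tampered = verify_image(img, manifest, key)        # (False, True)
        # Edit the recorded digest to match the altered copy: the hash now
        # "verifies", but the tag no longer does, which is why the record
        # must be authenticated and not merely stored beside the image.
        forged = manifest.replace(digest, hash_file(img))
        forged_record = verify_image(img, forged, key)     # (True, False)
    return {"intact": intact, "tampered": tampered, "forged_record": forged_record}


if __name__ == "__main__":
    print(demo())
```

Running it gives three results: the intact copy passes both checks, the copy with one altered byte of slack space fails the hash while the record is still authentic, and a record whose digest was edited to match the altered copy passes the hash but fails the tag. The third case is the reason the hash record is signed rather than just kept next to the image. With command-line tools the same three steps are hashing the device during `dd`, hashing the resulting image, and signing the hash file.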
Verification/Validation/Certification: Standards
- Digital forensic teams and laboratories are now commonplace within Australia, particularly associated with law enforcement and intelligence agencies. The digital forensics discipline is rapidly evolving to become a scientific practice with domain-specific guidelines. These guidelines are still under discussion in an attempt to progress the discipline so as to become as solid and robust in its scientific underpinnings as other forensic disciplines.
- Influential players, practitioners and observers all agree that rigorous standards need to be adopted to align this science with other forensic sciences. How does one assess the scientific nature of digital forensics with so many independent computing and IT elements combined, and what are the outcomes of each assessment method? Solutions are proposed regularly justifying their use, but to date no one international or national standard exists.
- This paper does not propose a solution but rather explores the concept of Validation and Verification (V&V) with particular respect to digital forensic tools. The paper also explores ISO 17025 "General requirements for the competence of testing and calibration laboratories" and develops the testing process to satisfy this standard to allow for Australian digital forensic laboratories to be eligible for certification.
- http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20-%20exploring%20validation,%20verification%20and%20certification.pdf
Conclusion
- Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating, certifying and accrediting digital evidence
- Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand
- Need to make it a scientific discipline
Links: Preserving Digital Evidence
- http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm (standards)
- https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf (process)
- http://www.logicube.com/logicube/articles/cybersleuth_collecting_digital_evidence.asp (hard drive duplication)
- http://www.crime-scene-investigator.net/admissibilityofdigital.html (digital photographs)
- http://faculty.ncwc.edu/toconnor/426/426lect06.htm
- http://www.freepatentsonline.com/7181560.html (US patent)
- http://www.mediasec.com/downloads/veroeffentlichungen/thorwirth2004.pdf (survey)
- http://www.forensics-intl.com/def2.html (bit stream backup)
Links: Verifying Digital Evidence
- http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20-%20exploring%20validation,%20verification%20and%20certification.pdf (verification and validation)
- http://www.forensicmag.com/articles.asp?pid=21 (accreditation, part 1)
- http://www.forensicmag.com/articles.asp?pid=28 (accreditation, part 2)
Honey pots: Mehdy Masud
- Honey pots are traps set to attract the adversary
- Real world examples include the "To Catch a Predator" show on NBC
- Special processes on the computer are set up so that the hacker is attracted
- Once the hacker enters the system, it is less difficult to determine who he or she is
- It is part of digital forensics:
  - rather than taking the system down and examining and analyzing the evidence, where it may be difficult to determine who the hacker is, it may be less difficult to determine who the hacker is using honey pots
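The slide describes the idea but not the mechanism. The smallest useful honey pot is a listener on a service nothing legitimate should ever use: because no real client has a reason to connect, every contact is attributable activity, and the listener's only job is to record who connected, when, and what they tried first, while playing the part of a real service well enough to draw that first command. The Python below is an added example written for this page, not code from the lecture; it assumes a fake FTP banner, an ephemeral loopback port, and a constructed probe standing in for the intruder.

```python
"""Low-interaction honey pot: a fake service that records every contact."""
import socket
import socketserver
import threading
import time

BANNER = b"220 ftp.corp.example FTP server ready\r\n"  # assumption: a decoy banner


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Nothing legitimate should connect here, so every contact is evidence:
    who connected, when, and what they attempted first."""

    def handle(self):
        # Behave like a real service just long enough to elicit a command.
        self.request.sendall(BANNER)
        self.request.settimeout(2.0)
        try:
            first = self.request.recv(256)
        except socket.timeout:
            first = b""        # a bare port scan: connection only, no payload
        self.server.events.append({
            "time": time.time(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "first_command": first,
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address):
        super().__init__(address, HoneypotHandler)
        # The honey pot's own log. In a real deployment this is shipped off
        # the host as it is written, so the intruder cannot alter it.
        self.events = []


def run_probe():
    """Constructed intruder: start a honey pot on a loopback port, connect
    once the way a scanner or attacker would, and return what was recorded."""
    pot = Honeypot(("127.0.0.1", 0))
    threading.Thread(target=pot.serve_forever, daemon=True).start()
    port = pot.server_address[1]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(b"USER anonymous\r\n")
    pot.shutdown()         # stop accepting new connections
    pot.server_close()     # joins the handler threads, so events is complete
    return banner, pot.events


if __name__ == "__main__":
    banner, events = run_probe()
    for e in events:
        print(time.ctime(e["time"]), e["src_ip"], e["src_port"], e["first_command"])
```

Each recorded event carries the source address, port, time and first command, which is the attribution data the slide refers to. The caveat a practitioner would add is that the recorded address identifies the last hop, which may be a proxy or another compromised host, so the honey pot raises the odds of identifying the intruder rather than guaranteeing it.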