Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Search.

Published byGiles Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Search."— Presentation transcript:

1

2 Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Search and Analysis 8/24/06 Learning by Doing Theory  Practice

3 Computer Forensics Procedure Documentation Acquisition Authentication Presentation Analysis Verify Legal authority Search warrants Photographing Documentation Forensically wipe storage drive Bit-stream Imaging Documentation Chain of custody Hash verification CRC/MD5/SHA1 Documentation Retain the integrity Filtering out irrelevant data What could/could not have happened Be objective and unbiased Documentation Interpret and report Present and defend The Defensible Approach Location, date, time, witnesses System information, status Physical evidence collected

4 Steps in Forensic Examination Verify Legal Authority: - Search warrant - Scope of the search Collect Preliminary Data Determine the Environment for the Investigation – on or off site? Secure and Transport Evidence - Document the evidence - Tag the evidence - Bag the evidence - Transport the evidence Acquire the evidence Examine and Analyze the evidence Report on the Investigation

5 Effective Data Searches Interview members of the IT staff to learn how and where data has been stored, if applicable. Confirm or define the objective of the investigation. Identify relevant time periods and the scope of the data to be searched. Identify the relevant types of data. Identify search terms for data filtering, particularly words, names, or unique phrases to help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process. Find out usernames and passwords for network and e-mail accounts, to the extent possible. Check for other computers or devices that might contain relevant evidence.

6 Data Types to be Searched Active data. The information readily available and accessible to users via file manager. Deleted files Hidden, Encrypted, and Password-Protected Files. Automatically Stored Data E-Mail and Instant Messages Background Information – computer and network logs, caches, cookies.

7 Acquiring Volatile Data The data that is held in temporary storage in the system’s memory is called volatile data. The memory is dependant upon electrical power. When the power is shut off the memory is disrupted. Order of volatility: –Registers and Cache –Routing tables, ARP cache, process tables, kernel statistics –Contents of system memory –Temporary file systems –Data on disk

8 Acquiring Volatile Data Commands –Nestat –an (-rn) –lsof –Ifconfig –Ipconfig –pslist –Nbtstat –Top –Prstat –Arp -a

9 Structure of EnCase

10 Logical Examination Pyramid Investigation Foundation File system details, directory structure, operating system norms, partition information, and other operating systems Hash analysis, file header/extension analysis, and obvious files of interest Password-protected, encrypted, compressed, and link files Unallocated space and file slack Data for analysis Degree of complexity and difficulty

11 The Art of File Analysis File contents Metadata Application files Operating system file types Directory / folder structure Patterns User configurations Time frame analysis - Creation date/time - Modified date/time - Accessed date/time

12 The Art of Data Hiding Analysis Password-protected files Compressed files Compress files + password protection Encrypted files Steganography

13 Common Cyber Criminal Tools Nuker: Software used by intruders to destroy system log trails. Anonymous Remailers: Tools used by intruders to mask their identities. These devices are configured to receive and re-send Internet traffic by replacing the original (actual) source address of the sender with the address of the anonymous re- mailer machines. Password Cracker: Software used to break encrypted password files, often stolen from a victim's network server. Scanner: Software used to identify services that are running on a network so that those services can be exploited to gain unauthorized access to the network. Spoofer: Software used to impersonate someone else to hide the identity of the actual sender of the e-mail. Steganography: Steganography is the science of hiding messages in messages. The point of it is to hide data or the existence of the message; that is, to hide the fact that the parties are communicating anything other than innocuous graphics or audio files. Steganography has been used by terrorists or intruders to spy, steal, or communicate information via electronic “dead drops,” typically Web pages. Trojan horse: Malicious software disguised as a legitimate computer file or program. Trojan horses are used to create backdoors into networks to gain unauthorized access to the network.

Download ppt "Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Search."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
CYBER CRIMES IN E-BUSINESS. What is E-Business E-business (electronic business), is the conduct of business on the Internet, not only buying and selling.

CYBER CRIMES IN E-BUSINESS. What is E-Business E-business (electronic business), is the conduct of business on the Internet, not only buying and selling.
Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.

Intro to Computer Forensics CSC 485/585. Objectives  Understand the roles and responsibilities of a computer forensic examiner.  Understand the “Safety.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer Forensics Principles and Practices

Computer Forensics Principles and Practices
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Chapter 14: Computer and Network Forensics

Chapter 14: Computer and Network Forensics
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

Similar presentations

Ads by Google