Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMPUTER FORENSICS By Jason Ford and Anthony Kniffin.

Published byWarren Russell Modified over 8 years ago

Similar presentations

Presentation on theme: "COMPUTER FORENSICS By Jason Ford and Anthony Kniffin."— Presentation transcript:

1 COMPUTER FORENSICS By Jason Ford and Anthony Kniffin

2 Overview What is Computer Forensics? What is Computer Forensics? The need for Computer Forensics. The need for Computer Forensics. Examples of Crimes. Examples of Crimes. Methods Attackers use. Methods Attackers use. What an Investigator must know and do. What an Investigator must know and do.

3 What is Computer Forensics? By Definition: Computer Forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded. By Definition: Computer Forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded. The objective of Computer Forensics is usually to provide digital evidence of a specific or general activity. The objective of Computer Forensics is usually to provide digital evidence of a specific or general activity.

4 Computer Forensics Computer Forensics Experts: Computer Forensics Experts: 1. Identify sources of documentary or other digital evidence. 2. Preserve the evidence. 3. Analyze the evidence. 4. Present the findings. 4. Present the findings.

5 Computer Forensics Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists: Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists: –Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography. –Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases. –Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases. –Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information. –Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment. –Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.

6 What is Digital Evidence? Definition: Digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. Definition: Digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. Categories: Categories: –Text files –Audio files –Video files –Image files

7 Why is Computer Forensics needed? Employee internet abuse (common, but decreasing) Employee internet abuse (common, but decreasing) Unauthorized disclosure of corporate information and data (accidental and intentional) Unauthorized disclosure of corporate information and data (accidental and intentional) Industrial espionage Industrial espionage Damage assessment (following an incident) Damage assessment (following an incident) Criminal fraud and deception cases Criminal fraud and deception cases More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly) More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)

8 Some Examples: Former Chief Computer Program Designer Arraigned for Alleged $10 Million Computer Software Bomb: Former Chief Computer Program Designer Arraigned for Alleged $10 Million Computer Software Bomb: –Timothy Lloyd sentenced to 41 months in prison. –Launched a programming bomb on Omega Engineering Corp.’s network that resulted in $10 million in damages. –Lost all design and production software used by the U.S. Navy and NASA, and led to 80 jobs lost. –The Evidence: The logic bomb itself The logic bomb itself Date and time the file was created Date and time the file was created Username of the file creator Username of the file creator

9 Another Example: Hacker pleads guilty to illegally accessing New York Time computer network Hacker pleads guilty to illegally accessing New York Time computer network –Adrian Lamo hacked into the New York Times and accessed over 3,000 contributors accounts, including Rush Limbaugh and former President Jimmy Carters. –Investigators found he added an entry for himself too and listed his phone number as 505-HACK. –He also created five fake accounts and ran up a $300,000 bill from the New York Times. –He now faces a maximum of 15 years in prison and $500,000 fine.

10 Methods Attackers use Some things that an attacker might do to enter your system or cover his tracks: Some things that an attacker might do to enter your system or cover his tracks: –Key Loggers (www.keykatcher.com) www.keykatcher.com –Cracking your password –Hide incriminating files. –And more…

11 Key Loggers Key loggers can either be a program or piece of hardware Key loggers can either be a program or piece of hardware Designed to log every keystroke made by the user. Including, Emails, Usernames, and Passwords. Designed to log every keystroke made by the user. Including, Emails, Usernames, and Passwords. Can store up to 4mb of data and include data and time stamps. Can store up to 4mb of data and include data and time stamps. If a user does not realize that a key logger is attached to his system, the attacker can get any information the user types. If a user does not realize that a key logger is attached to his system, the attacker can get any information the user types.

12 Cracking Passwords An attacker can use a variety of password cracking techniques: An attacker can use a variety of password cracking techniques: –Password Guessing If you know a lot about the user then this could be easier then you would think. If you know a lot about the user then this could be easier then you would think. –Dictionary-Based Attacks –Brute-Force Attacks –Default Passwords How many people have changed the BIOS password on your computer? How many people have changed the BIOS password on your computer?

13 Hiding Files If an attacker has incriminating files on his computer and wants to hid them, it can be pretty simple. If an attacker has incriminating files on his computer and wants to hid them, it can be pretty simple. File Signatures: File Signatures: –A file signature is a sequence of characters located within the first 20 bytes of a file. –Files has signatures corresponding to what type of file it is. –If you are hiding a picture file, change the files signature to a text file.

14 Methods the Computer Forensic Analyst could use Again, Key Loggers Again, Key Loggers Methods of finding hidden files. Methods of finding hidden files. Tracking attackers through Email Tracking attackers through Email Preserving Evidence Preserving Evidence

15 Key Loggers Key Loggers can also be used to help find attackers Key Loggers can also be used to help find attackers Corporations use them to help keep track of what their employees are typing on their computers Corporations use them to help keep track of what their employees are typing on their computers They can also use them as a monitoring device for detecting unauthorized access. They can also use them as a monitoring device for detecting unauthorized access. Computer Forensic Analyst can use these loggers as evidence if the attacker used a machine with one on it. Computer Forensic Analyst can use these loggers as evidence if the attacker used a machine with one on it.

16 Finding hidden files To find a file that has been hidden by the attacker changing it signature, a investigator might run a Perl Script that will compare the files signature with a list of correct signatures. To find a file that has been hidden by the attacker changing it signature, a investigator might run a Perl Script that will compare the files signature with a list of correct signatures. If the attacker changed the name of the file and the extension of the file, trying to hide it, but forgot to change the signature to the corresponding extension, the script will find the file and let you know something is not right about it. If the attacker changed the name of the file and the extension of the file, trying to hide it, but forgot to change the signature to the corresponding extension, the script will find the file and let you know something is not right about it.

17 Tracking attackers through Emails How can you find out who is sending Email that could be blackmailing you or incriminating you or your business. How can you find out who is sending Email that could be blackmailing you or incriminating you or your business. You can use a program (like NeoTrace), which will visually show you were the Email originated from. You can use a program (like NeoTrace), which will visually show you were the Email originated from. Email Headers: Email Headers: –Investigators can examine Email headers to determine who sent the Email and where the Email was sent from. –Can also find out where the Email has travel in order to get to its destination

18 Email Header Example Return-path: abc@isp.com abc@isp.com Received: from mx.ankit.com ([202.159.212.9]) by pop.ankit.com (iPlanet Messaging Server 5.2) Received: from [61.247.235.152] by web14525.mail.isp.com via HTTP Message-id: 20040506115412.59571.qmail@web14525.mail.isp.com 20040506115412.59571.qmail@web14525.mail.isp.com What can you determine from this header: What can you determine from this header: –Recipients IP address 202.159.212.9 202.159.212.9 –Senders IP address 61.247.235.152 61.247.235.152 –Reference Number of the Email. 59571 59571 –Date and time the Email was sent. May 6 th, 2004 at 11:54:12 May 6 th, 2004 at 11:54:12

19 Preserving Evidence Things Investigators must follow in order to collect legal evidence: Things Investigators must follow in order to collect legal evidence: –They must have warrant to collect information from a suspects computer. –Must keep all evidence as if it was never touched by them. –Must know what is admissible in court –They also must collect and record all vital information about the computer itself and its disk drives. –If they contaminate any evidence, all of may become unsuitable to testify with.

20 Sources Windows Forensics and Incident Recovery by Harlan Carvey, 2005 Windows Forensics and Incident Recovery by Harlan Carvey, 2005 Computer Forensics by Michael G. Solomon and Diane Barrett, 2005 Computer Forensics by Michael G. Solomon and Diane Barrett, 2005 The unofficial Guide to Ethical Hacking by Ankit Fadia, 2006 The unofficial Guide to Ethical Hacking by Ankit Fadia, 2006 Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computer and the Internet, Academic Press, 2000 Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computer and the Internet, Academic Press, 2000 http://www.porcupine.org/forensics/ http://www.porcupine.org/forensics/ http://www.porcupine.org/forensics/ http://computerforensics.net/forensics.htm http://computerforensics.net/forensics.htm http://computerforensics.net/forensics.htm http://www.forensics.com/html/resource_articles.html http://www.forensics.com/html/resource_articles.html http://www.forensics.com/html/resource_articles.html http://www.computerforensicsworld.com http://www.computerforensicsworld.com http://www.computerforensicsworld.com http://www.cybercrime.gov http://www.cybercrime.gov http://www.cybercrime.gov

Download ppt "COMPUTER FORENSICS By Jason Ford and Anthony Kniffin."

Similar presentations

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Computer Crime The Internet has opened the door to new kinds of crime and new ways of carrying out traditional crimes. Computer crime is any act that violates.

Computer Crime The Internet has opened the door to new kinds of crime and new ways of carrying out traditional crimes. Computer crime is any act that violates.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.

Computer Forensics and Digital Investigation – a brief introduction Ulf Larson/Erland Jonsson.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Prepared by: Nahed Al-Salah

Prepared by: Nahed Al-Salah
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
Handling Security Incidents

Handling Security Incidents
H-1 Management Information Systems for the Information Age Copyright 2004 The McGraw-Hill Companies, Inc. All rights reserved Extended Learning Module.

H-1 Management Information Systems for the Information Age Copyright 2004 The McGraw-Hill Companies, Inc. All rights reserved Extended Learning Module.
Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.

Computer Forensics What is Computer Forensics? What is the importance of Computer Forensics? What do Computer Forensics specialists do? Applications of.
9-1. 9-2 09 Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,

Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Role of Technology in Combating Crime Against Woman and Children Presented by Detective Constable Janelle Blackadar Child Exploitation Section Toronto.

Role of Technology in Combating Crime Against Woman and Children Presented by Detective Constable Janelle Blackadar Child Exploitation Section Toronto.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.

Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations.

Similar presentations

Ads by Google