SUMMER BRIDGE PROGRAM
Dr. Hwajung Lee
Dr. Ashley Podhradsky
Computer Forensics
Objectives
Guide to Computer Forensics and Investigations
- What is computer forensics?
- History of computer forensics
- When is computer forensics used?
- Computer forensics in the news
- Describe how to prepare for computer investigations
- Computer forensics example: AccessData FTK Imager
Understanding Computer Forensics
- Computer forensics
  - Involves obtaining and analyzing digital information
  - Investigates data that can be retrieved from a computer's hard disk or other storage media
  - Task of recovering data that users have hidden or deleted and using it as evidence
  - Evidence can be inculpatory ("incriminating") or exculpatory
- Related fields
  - Network forensics: yields information about how a perpetrator or an attacker gained access to a network
  - Data recovery: recovering information that was deleted by mistake or intentionally; typically you know what you're looking for
  - Disaster recovery: uses computer forensics techniques to retrieve information clients have lost due to natural or man-made disaster
A Brief History of Computer Forensics
- 1970s
  - Electronic crimes were increasing, especially in the financial sector
  - Most law enforcement officers didn't know enough about computers to ask the right questions or to preserve evidence for trial
  - "Fraction of a penny" crime (Office Space, anyone?)
- 1980s
  - Norton DiskEdit soon followed and became the best tool for finding deleted files
  - Apple produced the Mac SE: a Macintosh with an external EasyDrive hard disk with 60 MB of storage
- 1990s
  - Tools for computer forensics were available
  - International Association of Computer Investigative Specialists (IACIS): training on software for forensics investigations
  - ExpertWitness for the Macintosh: first commercial GUI software for computer forensics, created by ASR Data
Understanding Case Law
- Technology is evolving at an exponential pace; existing laws and statutes can't keep up with the change
- Case law is used when statutes or regulations don't exist
- Case law allows legal counsel to use previous cases similar to the current one, because the laws don't yet exist
- Each case is evaluated on its own merit and issues
Preparing for Computer Investigations
- Computer investigations and forensics fall into two distinct categories
  - Public investigations
  - Private or corporate investigations
- Public investigations
  - Involve government agencies responsible for criminal investigations and prosecution
  - Organizations must observe legal guidelines
  - Law of search and seizure protects the rights of all people, including suspects
Preparing for Computer Investigations (cont.)
- Private or corporate investigations
  - Deal with private companies, non-law-enforcement government agencies, and lawyers
  - Aren't governed directly by criminal law or Fourth Amendment issues
  - Governed by internal policies that define expected employee behavior and conduct in the workplace
- Private corporate investigations also involve litigation disputes
- Investigations are usually conducted in civil cases
Understanding Corporate Investigations
- Private or corporate investigations
  - Involve private companies and lawyers who address company policy violations and litigation disputes
- Corporate computer crimes can involve:
  - E-mail harassment
  - Falsification of data
  - Gender and age discrimination
  - Embezzlement
  - Sabotage
  - Industrial espionage
Understanding Corporate Investigations (cont.)
- Establishing company policies
  - One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
  - Published company policies provide a line of authority for a business to conduct internal investigations
  - Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
- Displaying warning banners
  - Another way to avoid litigation
Maintaining Professional Conduct
- Professional conduct
  - Determines your credibility
  - Includes ethics, morals, and standards of behavior
- Maintaining objectivity means you must form and sustain unbiased opinions of your cases
- Maintain an investigation's credibility by keeping the case confidential
  - In the corporate environment, confidentiality is critical
- In rare instances, your corporate case might become a criminal case as serious as murder
Preparing a Computer Investigation
- The role of the computer forensics professional is to gather evidence
  - Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence
- Collect evidence that can be offered in court or at a corporate inquiry
  - Investigate the suspect's computer
  - Preserve the evidence on a different computer
- Chain of custody
  - The route the evidence takes from the time you find it until the case is closed or goes to court
Taking a Systematic Approach
- Steps for problem solving
  - Make an initial assessment about the type of case you are investigating
  - Determine the resources you need
  - Obtain and copy an evidence disk drive
  - Identify the risks; mitigate or minimize the risks
  - Analyze and recover the digital evidence
  - Investigate the data you recover
  - Complete the case report
  - Critique the case
Planning Your Investigation
- A basic investigation plan should include the following activities:
  - Acquire the evidence
  - Complete an evidence form and establish a chain of custody
  - Secure evidence in an approved secure container
  - Prepare a forensics workstation
  - Make a forensic copy of the evidence
  - Return the evidence to the secure container
  - Process the copied evidence with computer forensics tools
Securing Your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products
  - Antistatic bags
  - Antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings, including the power supply electrical cord
  - Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges
Understanding Data Recovery Workstations and Software
- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- Computer forensics and data recovery are related but different
- Computer forensics workstation
  - Specially configured personal computer
  - Loaded with additional bays and forensics software
- To avoid altering the evidence, use:
  - Forensics boot disk
  - Write-blocker devices
  - Network interface card (NIC)
  - Extra USB ports
  - FireWire 400/800 ports
  - SCSI card
  - Disk editor tool
  - Text editor tool
  - Graphics viewer program
  - Other specialized viewing tools
Digital Forensic Cases
- BTK Killer: http://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
- Michael Jackson: http://www.dfinews.com/news/michael-jackson-death-trial-showcases-iphone-forensics
- Caylee Anthony: http://www.christianpost.com/news/casey-anthony-trial-computer-expert-unearths-chloroform-internet-searches-50980/
Understanding Bit-Stream Copies
- Bit-stream copy
  - Bit-by-bit copy of the original storage medium
  - Exact copy of the original disk
  - Different from a simple backup copy
    - Backup software only copies known files
    - Backup software cannot copy deleted files or e-mail messages, or recover file fragments
- Bit-stream image
  - File containing the bit-stream copy of all data on a disk or partition
  - Also known as a forensic copy
Acquiring an Image of Evidence Media
- First rule of computer forensics: preserve the original evidence
  - Conduct your analysis only on a copy of the data
- Use FTK Imager to create a forensic image: www.accessdata.com/support/downloads
- Your job is to recover data from:
  - Deleted files
  - File fragments
  - Complete files
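The three ideas the last slides lean on (a bit-stream copy captures everything a backup skips, the copy is what you analyze, and a recorded hash lets the chain of custody prove the copy has not changed) are easier to see on a tiny disk than to describe. The following is an added example written for this page, not code from the slides, the textbook, or FTK Imager: it builds a constructed in-memory "medium" with an invented 32-byte sector size and a one-sector directory, images it sector by sector, hashes it with SHA-256 for the evidence form, and carves printable fragments out of unallocated space and file slack, which is exactly the data a file-by-file backup never reads.

```python
# Added example (not from the slides): toy bit-stream imager versus a file-level
# backup, with a hash check standing in for the chain-of-custody record.
# Sector size, directory format and every file's content are constructed for the demo.
import hashlib

SECTOR_SIZE = 32    # constructed; real media use 512- or 4096-byte sectors
SECTOR_COUNT = 8    # constructed: a 256-byte "disk"

def make_sample_medium() -> bytes:
    """Constructed medium: sector 0 is a directory of allocated files written as
    name:start_sector:length; entries. 'memo.txt' is still allocated. A second file
    was deleted, so its directory entry is gone but its bytes remain in sector 5."""
    sectors = [bytearray(SECTOR_SIZE) for _ in range(SECTOR_COUNT)]
    memo = b"Q3 budget approved by CFO"                     # 25 bytes in sector 1
    sectors[1][:len(memo)] = memo
    # file slack: tail of the sector left over from an older, larger file
    sectors[1][len(memo):] = b"-OLDDATA"[: SECTOR_SIZE - len(memo)]
    deleted = b"transfer 50000 to personal acct"            # 31 bytes, unallocated
    sectors[5][:len(deleted)] = deleted
    directory = b"memo.txt:1:%d;" % len(memo)
    sectors[0][:len(directory)] = directory
    return b"".join(sectors)

def parse_directory(medium: bytes) -> list:
    """Return [(name, start_sector, length)] for files the file system still lists."""
    entries = []
    for raw in medium[:SECTOR_SIZE].rstrip(b"\x00").split(b";"):
        if raw:
            name, start, length = raw.split(b":")
            entries.append((name.decode(), int(start), int(length)))
    return entries

def logical_backup(medium: bytes) -> dict:
    """What backup software does: copy only the files the directory knows about.
    Deleted files, slack bytes and unallocated sectors are never read."""
    files = {}
    for name, start, length in parse_directory(medium):
        offset = start * SECTOR_SIZE
        files[name] = medium[offset:offset + length]
    return files

def bitstream_copy(medium: bytes) -> bytes:
    """Forensic (bit-stream) copy: every sector in order, allocated or not."""
    image = bytearray()
    for i in range(len(medium) // SECTOR_SIZE):
        image += medium[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    assert len(image) == len(medium)            # an image must be the full medium
    return bytes(image)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Chain-of-custody check: the image must still hash to the value recorded
    on the evidence form when the copy was made."""
    return sha256_hex(image) == recorded_hash

def unallocated_regions(image: bytes) -> bytes:
    """Bytes the file system does not claim: whole unallocated sectors plus the
    slack tail of each allocated file. Only a bit-stream image contains them."""
    claimed = bytearray(len(image))
    claimed[:SECTOR_SIZE] = b"\x01" * SECTOR_SIZE          # the directory sector
    for _, start, length in parse_directory(image):
        offset = start * SECTOR_SIZE
        claimed[offset:offset + length] = b"\x01" * length
    return bytes(b for b, c in zip(image, claimed) if not c)

def recover_strings(image: bytes, min_len: int = 4) -> list:
    """Naive carving: printable runs in unallocated space, i.e. deleted-file
    fragments and slack that the logical backup could never return."""
    found, run = [], bytearray()
    for b in unallocated_regions(image) + b"\x00":       # sentinel flushes last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode())
            run = bytearray()
    return found

if __name__ == "__main__":
    original = make_sample_medium()
    original_hash = sha256_hex(original)     # record this before any analysis
    image = bitstream_copy(original)         # analysis happens on the copy only
    print("image matches recorded hash:", verify_image(image, original_hash))
    print("backup software would see:", list(logical_backup(original)))
    print("carved from the image:", recover_strings(image))
```

Run as a script it prints that the image verifies, that the backup sees only memo.txt, and that carving the image turns up both the slack fragment and the deleted file's text. Re-hashing the image before each examination, and comparing to the value on the evidence form, is the step that lets you show in court that the copy you analyzed is the one you made.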