Phases of Computer Forensics [1]
Computer Forensics, BACS 371

[1] Management Information Systems for the Information Age 5e, Haag, Cummings, McCubbrey, 2005, McGraw Hill
Phases of Computer Forensics

Collection Phase
 - Get physical access to computer and related items
 - Make a forensic image copy of all information
 - Authentication & Preservation

Examination Phase
 - Makes evidence visible
 - Explains origin and significance
 - Should document content and state of evidence
 - Technical review – forensic examiner

Analysis Phase
 - Follow trail of clues
 - Build evidence
 - Looks for probative value – investigation team

Reporting Phase
 - Outline examination process
 - Pertinent data recovered
 - Validity of procedure
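The "forensic image copy" and "Authentication & Preservation" items of the Collection Phase have a concrete mechanical meaning: the copy must be bit-for-bit (file-system copies drop slack and unallocated space), and a hash taken during acquisition is what later proves the image is still the same bytes. The following is an added example, not code from the slides or from any forensic tool; the in-memory "device" (SAMPLE_DEVICE) is constructed, and the function names are this example's own.

```python
import hashlib
import io

# Constructed sample "device": 64 KiB with a recognisable byte pattern, standing
# in for the source drive. Real acquisitions read the physical device through a
# write blocker so the source cannot be altered while it is being imaged.
SAMPLE_DEVICE = bytes(range(256)) * 256


def acquire_image(source, chunk_size=4096):
    """Read the source end to end, producing a bit-for-bit copy and the SHA-256
    of every byte read. Returns (image_bytes, acquisition_hash)."""
    digest = hashlib.sha256()
    copy = io.BytesIO()
    source.seek(0)
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        copy.write(chunk)
    return copy.getvalue(), digest.hexdigest()


def image_hash_of(data):
    """Convenience wrapper: acquisition hash of an in-memory byte string."""
    return acquire_image(io.BytesIO(data))[1]


def verify_image(image_bytes, acquisition_hash):
    """Authentication: re-hash the image and compare it with the hash recorded
    at acquisition. A single changed bit yields a different digest."""
    return hashlib.sha256(image_bytes).hexdigest() == acquisition_hash


def is_bit_for_bit(source_bytes, image_bytes):
    """Preservation check: the image must have the same length and content as
    the source, including slack and unallocated space."""
    return len(source_bytes) == len(image_bytes) and source_bytes == image_bytes


def demo():
    """Image the constructed device, authenticate the copy, then show that a
    later one-bit alteration of a working copy is detected."""
    source = io.BytesIO(SAMPLE_DEVICE)
    image, acquisition_hash = acquire_image(source)
    exact_copy = is_bit_for_bit(SAMPLE_DEVICE, image)
    authentic = verify_image(image, acquisition_hash)
    altered = bytearray(image)
    altered[1000] ^= 0x01          # simulate tampering with the working copy
    still_authentic = verify_image(bytes(altered), acquisition_hash)
    return exact_copy, authentic, still_authentic


if __name__ == "__main__":
    print("bit-for-bit copy: %s, hash matches: %s, after tamper: %s" % demo())
```

In practice the acquisition hash is written into the case notes at the time of imaging, and every later examination starts by re-running the verification step on the working copy.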
Collection

Search for, recognition of, documentation of, collection and preservation of, and packaging and transportation of electronic evidence.
Digital Evidence Collection Toolkit [1]

Documentation Tools
 - Cable tags
 - Indelible felt-tip markers
 - Stick-on labels

Disassembly and Removal Tools
 - Flat-blade and Phillips-type screwdrivers
 - Hex-nut drivers
 - Needle-nose pliers
 - Secure-bit drivers
 - Small tweezers
 - Specialized screwdrivers
 - Standard pliers
 - Star-type nut drivers
 - Wire cutters

Package and Transport Supplies
 - Antistatic bags
 - Antistatic bubble wrap
 - Cable ties
 - Evidence bags
 - Evidence tape
 - Packing materials
 - Packing tape
 - Sturdy boxes of various sizes

Other Items
 - Gloves
 - Hand truck
 - Large rubber bands
 - List of contact telephone numbers for assistance
 - Magnifying glass
 - Printer paper
 - Seizure disk
 - Small flashlight
 - Unused floppy diskettes (3 ½” and 5 ¼”)

[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Preliminary Interviews [1]

Separate and identify all persons (witnesses, subjects, others)

Obtain information on:
 - Owners/users of devices
 - Passwords
 - Purpose of system
 - Unique security schemes
 - Offsite data storage
 - Documentation

[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Document the Scene [1]

Observe and document the scene – photos and sketches
 - Document condition of computers
 - Identify related, but not collected, electronics
 - Photograph scene
 - Photograph computer

[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Evidence Collection
 - Non-electronic evidence
 - Stand-alone/laptop computers
 - Network-attached computers
 - Network servers
 - Other electronic devices
Places to Look for Information
 - Deleted files and slack space
 - Recycle Bin
 - System and Registry files
 - Unallocated disk (free) space
 - Unused disk space
 - Erased information
Ways of Hiding Information
 - Rename the file
 - Make the information invisible
 - Use Windows to hide files
 - Protect the file with a password
 - Encrypt the file
 - Use steganography
 - Compress the file
 - Hide the hardware
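Two of the items above, "Deleted files and slack space / unallocated disk space" under Places to Look and "Rename the file" under Ways of Hiding, are answered by the same examination technique: classify data by its leading signature ("magic bytes") rather than by its name or its directory entry. The block below is an added example serving both slides; it is not code from the slides or from any forensic tool. The signature table, the extension map, the sample file listing and the 16-sector raw image with two deleted-file headers are all constructed for this example, and sector-aligned file starts are an assumption.

```python
# Signatures ("magic bytes") for a few common file types. Constructed for this
# example; real carving tools ship much larger tables, with footers as well.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}

# Extensions that legitimately carry each content type (constructed subset).
EXPECTED_EXTENSIONS = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "pdf": {"pdf"},
}

SECTOR = 512


def identify(data):
    """Classify a byte string by its leading signature, not by its name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_disguised(name, data):
    """True when a recognised content type is stored under an extension that
    does not belong to it (the 'rename the file' hiding technique)."""
    kind = identify(data)
    if kind == "unknown":
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in EXPECTED_EXTENSIONS[kind]


def find_disguised(files):
    """files: mapping of file name -> content bytes. Returns the sorted names
    whose extension contradicts their content."""
    return sorted(n for n, d in files.items() if is_disguised(n, d))


def carve(image, sector=SECTOR):
    """Scan every sector boundary of a raw image for known signatures. This
    finds headers of deleted files in unallocated space even though their
    directory entries are gone. Assumes files start on a sector boundary,
    which holds for most file systems. Returns [(offset, kind), ...]."""
    hits = []
    for offset in range(0, len(image), sector):
        kind = identify(image[offset:offset + 8])
        if kind != "unknown":
            hits.append((offset, kind))
    return hits


# Constructed sample: allocated files as a listing tool would show them.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
PNG_HEAD = b"\x89PNG\r\n\x1a\n"
SAMPLE_FILES = {
    "photo.jpg": JPEG_HEAD + b"...",
    "notes.txt": b"meeting at 10",
    "report.txt": PNG_HEAD + b"...",      # a PNG renamed to look like text
    "archive.docx": b"PK\x03\x04" + b"...",
}

# Constructed sample: 16 sectors of unallocated space in which two deleted
# files left their headers behind at sectors 5 and 9.
SAMPLE_IMAGE = bytearray(16 * SECTOR)
SAMPLE_IMAGE[5 * SECTOR:5 * SECTOR + len(JPEG_HEAD)] = JPEG_HEAD
SAMPLE_IMAGE[9 * SECTOR:9 * SECTOR + len(PNG_HEAD)] = PNG_HEAD
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)


if __name__ == "__main__":
    print("disguised by extension:", find_disguised(SAMPLE_FILES))
    print("carved from unallocated space:", carve(SAMPLE_IMAGE))
```

The same signature check is what an examiner runs over every allocated file to flag extension mismatches, and what a carver runs over free space to recover what the file system no longer lists; the other hiding methods on the slide (encryption, steganography, compression) defeat a plain signature scan and need their own treatment.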
Methodology for Investigating Computer Crime [1]

Search and Seizure
 - Formulate a plan
 - Approach and secure crime scene
 - Document crime scene layout
 - Search for evidence
 - Retrieve evidence
 - Process evidence

Information Discovery
 - Formulate plan
 - Search for evidence
 - Process evidence

While maintaining Chain of Custody

[1] Field Guide for Investigating Computer Crime, Timothy E. Wright, http://www.securityfocus.com/print/infocus/1244
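"Maintaining Chain of Custody" across both the Search and Seizure and the Information Discovery steps means a record of who held each item, when, and what was done to it, such that the record itself cannot be quietly revised. The following is an added example, not code from the slides or from the cited field guide: it keeps the custody log as an append-only list in which every entry carries the hash of the previous entry, which is this example's own design choice for making retroactive edits detectable. The names, timestamps and item descriptions in demo() are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def _entry_hash(entry):
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, and what they
    did. Each entry is linked to the hash of the one before it, so editing or
    reordering any earlier record breaks the chain from that point on."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, actor, when=None, **details):
        """Append one custody event; returns the new entry's hash."""
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "details": details,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain from the first entry. Returns the sequence number of
        the first entry whose content or link no longer checks out, or None
        when every record is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def demo():
    """Constructed walk-through: seizure, imaging and transfer, followed by a
    retroactive edit of the imaging record that verify() must catch."""
    log = CustodyLog()
    log.record("seized", "examiner A", when="2005-03-01T09:00:00Z",
               item="laptop hard drive (constructed sample)", location="office 214")
    log.record("imaged", "examiner A", when="2005-03-01T11:30:00Z",
               image_sha256="<hash recorded at acquisition>", tool="write blocker + imager")
    log.record("transferred", "lab intake", when="2005-03-01T15:00:00Z",
               to="evidence locker 7")
    intact = log.verify()                     # None: chain is consistent
    log.entries[1]["actor"] = "examiner B"    # someone rewrites history
    broken = log.verify()                     # 1: the edited record
    return intact, broken


if __name__ == "__main__":
    print("before edit: %r, first bad entry after edit: %r" % demo())
```

Storing the acquisition hash of the image inside the "imaged" entry ties the custody record to the evidence itself: the log proves who handled the item, and the hash proves the item they handled is the one later examined.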
Brief Outline of the Scientific Method
1. Identify and research a problem
2. Formulate a hypothesis
3. Conceptually and empirically test the hypothesis
4. Evaluate the hypothesis with regards to test results
5. If hypothesis is acceptable, evaluate its impact