Intro to Cyber Crime and Computer Forensics
CSE 4273/6273, April 11, 2012
Mississippi State University, Department of Computer Science
Reporting
• Keep it as simple as possible.
  • Audience is not trained in these techniques.
• Document everything.
  • You never know what might be important.
• Provide an executive summary of results.
  • A concise summary will give a quick idea of what was found.

Concise Summary
• Understand the importance of the report.
• Limit the summary to specifics.
• Design the layout and presentation in an easy-to-understand format.
• Understand the difference between reports providing technical information and those supporting litigation.
• Write clearly.
• Provide supporting material.
• Explain methods used as well as results.

Document Everything
• Success depends not only on the results, but on the methods employed.
• All forensics experts must be identified, and must provide a signed written report.
• Report contains:
  • Complete statement of all opinions, including basis and reasons for them.
  • Any data considered in forming the opinion.
  • Any exhibits to be used in support of or summary of the opinions.
  • Qualifications of the witness, including publications, training, experience.
  • Amount of compensation to be provided for both investigation and testimony.
  • A list of all other cases in which the witness has testified as an expert, either in court or by deposition.
  • Other information as provided by the victim organization:

Other Documentation
• Copies of any permissions to search.
  • Warrants
  • Subpoenas
  • Organizational requests
• Remember to report who, what, where, when, why, and how.

Interviews and Diagrams
• All interviews should be completely documented and a transcript provided.
  • Again, you never know what will or will not be important.
• Using diagrams is another way of documenting cases.
  • A picture is worth a thousand words!
Example: What is it explaining?
[Slide diagram; only its labels survive extraction: Data, Data, MD5, Data, MD5, MD5, ???]
Videotapes and Photographs
• If possible, videotape all aspects of seizure.
• Certainly photograph everything:
  • Network setup
  • Cables
  • Phone jacks
  • Machine and desktop setup
  • Screens on computer, open applications.

Transporting Evidence
• Chain of Custody
  • Techniques used to protect evidence.
  • Prevention of even the perception that equipment could be damaged by transport.
• Watch out for static electricity.
• Use Faraday bags for mobile devices.
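The hash diagram on the earlier slide (Data, MD5, ???) and the chain-of-custody point above are two halves of one practice: hash the evidence at seizure, re-hash it at every handover, and accept a working copy only when its digest equals the original's. The Python below is an added example, not part of the lecture slides: the item id, custodian names, timestamps and the sample bytes are constructed, and SHA-256 is recorded beside the slide's MD5 as an assumption about current practice (MD5 alone is no longer considered collision-resistant).

```python
"""Evidence integrity check and chain-of-custody log (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample "evidence": stands in for the bytes of a seized drive image.
EVIDENCE = b"constructed sample evidence image: user files, logs, registry hives"
FAITHFUL_COPY = bytes(EVIDENCE)          # bit-for-bit duplicate
TAMPERED_COPY = EVIDENCE[:-1] + b"!"     # one byte changed


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hash an evidence item. MD5 matches the slide; SHA-256 is recorded alongside
    so that the record does not rest on a single, weakened algorithm."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_copy(original: bytes, copy: bytes) -> bool:
    """The '???' in the slide: a working copy is trustworthy only if its hashes
    equal those of the original taken at seizure."""
    return hash_bytes(original) == hash_bytes(copy)


def custody_entry(item_id: str, action: str, custodian: str, data: bytes,
                  when: Optional[datetime] = None) -> Dict[str, str]:
    """One chain-of-custody record: who did what to which item, when, and the
    hashes at that moment (the who/what/when/how the slides ask for).
    item_id and custodian are hypothetical labels chosen for this example."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "item": item_id,
        "action": action,
        "custodian": custodian,
        "timestamp": when.isoformat(),
    }
    entry.update(hash_bytes(data))
    return entry


def chain_is_consistent(chain: List[Dict[str, str]]) -> bool:
    """True if every entry for an item reports the same hashes as that item's
    first (seizure) entry, i.e. nobody ever handled a changed copy."""
    baseline: Dict[str, Tuple[str, str]] = {}
    for entry in chain:
        digest = (entry["md5"], entry["sha256"])
        first = baseline.setdefault(entry["item"], digest)
        if digest != first:
            return False
    return True


def build_sample_chain(tampered: bool = False) -> List[Dict[str, str]]:
    """Constructed chain: seizure, transport, imaging. With tampered=True the
    imaging step is performed on a modified copy, which the check must catch."""
    t0 = datetime(2012, 4, 11, 9, 0, tzinfo=timezone.utc)
    working = TAMPERED_COPY if tampered else FAITHFUL_COPY
    return [
        custody_entry("HDD-001", "seized", "Investigator A", EVIDENCE, t0),
        custody_entry("HDD-001", "transported (Faraday bag, anti-static packaging)",
                      "Investigator A", EVIDENCE, t0.replace(hour=11)),
        custody_entry("HDD-001", "imaged for analysis", "Examiner B", working,
                      t0.replace(hour=14)),
    ]


if __name__ == "__main__":
    chain = build_sample_chain()
    print(json.dumps(chain, indent=2))
    print("chain consistent:", chain_is_consistent(chain))
    print("tampered chain consistent:", chain_is_consistent(build_sample_chain(tampered=True)))
```

The JSON entries are what would go into the Supporting Documentation section of the report: each handover is tied to a custodian, a time and the digests, so a mismatch at any step points to exactly where the evidence changed hands.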
Documenting Gathered Evidence
• Typical Report Format
  • Executive Summary
  • Objectives
  • Analysis
  • Findings
  • Supporting Documentation
  • Glossary

Objectives
• State clearly the objective of the investigation.
• What were you trying to discover?
  • Computer used to commit the crime.
  • Computer is the target of the crime.
  • Computer is a data repository relevant to the crime.

Analysis
• Complete documentation of the investigation.
• Details, details, details.
  • What evidence did you analyze?
  • What did you do with it?
  • How did you do it?
  • When did you do it?
  • What tools did you use to do it?

Findings
• Specific information discovered.
• Ordered by importance and relevance.
• Can include:
  • Data
  • Graphic image analysis
  • Internet evidence discovered
  • Any techniques used to hide data or make evidence hard to find.

Supporting Documentation
• Usually the longest section of the report.
• Contains everything used in the analysis:
  • Chain of Custody forms
  • Printouts of evidence found
  • Log files

Glossary
• Used to explain complex and technical terms.
• Important if the audience is not technically savvy.

Who can testify in court?
• Material Witness
  • Speaks directly to facts that they have first-hand knowledge of.
  • Cannot provide opinions to the court.
• Expert Witness
  • Must be highly trained and/or educated.
  • Serves the court, not prosecution or defense.
  • Can provide opinions about what they have discovered, but opinions must be supportable by the evidence examined.

Expert Witness Qualification
• Education received and degrees earned.
• Professional training received.
• Certifications held.
  • CFCE
  • ACE
  • SANS certification
• Detailed experience.
• Testimony experience.
• Daubert Examination.

Daubert Examination
• Daubert vs. Dow Chemical Pharmaceuticals, Inc.
• The Daubert standard is used to determine admissibility of expert testimony.
• Testing must be done on all tools and processes.
• Expert must have published and had their work peer-reviewed.
• Does the expert use recognized standards and understand established error rates?

Ways to testify
• Deposition
  • Testimony in written form.
  • Usually done well before the trial.
  • Both attorneys present, as well as a court reporter.
• Direct Examination
  • The attorney who calls you to testify asks questions to get the evidence out in court.
• Cross Examination
  • The opposing attorney asks questions to try and trip you up.
  • Trying to cast doubt in the eyes of the jury on your credibility.

Getting the Job Done
• Understand the case.
  • Review as much material about the case as possible.
  • Understand the strategy of the counsel for which you are working.
  • In reality, you are working for one side or the other, and you must not say things (without being asked) that would be detrimental to the case.
• Understand your job.
  • Work for the court.
  • Allegiance is owed to the truth.

Appearance Matters
• Dress well, and in a professional way.
  • First impressions can kill your credibility or enhance it.
• Be well groomed.
  • Same reasons.
• Be positive in your attitude.
  • The way you present yourself to the judge and jury will affect how your testimony is accepted.
• Try not to use colloquialisms:
  • Ummm, you know, sure, wow.
• Address the jury (or judge) directly.

Be prepared!
• Be clear and concise.
  • Rehearse your testimony and know what you are going to say.
  • You can say anything, but what matters is what they understand.
• Listen to the question. Observe the attitudes and actions of the jury and/or judge.
• Use a neutral tone. Don’t get angry or impatient.
• Use layspeak, not geekspeak.

Be prepared! (cont.)
• Know your processes and tools.
  • If you can’t explain it, don’t use it.
• Use best practices as much as possible.
  • Well-known techniques are more widely accepted.
• Say only what is necessary.
  • Don’t volunteer information.
  • Be complete, but don’t overelaborate.
• Remember your audience.

Be prepared! (cont.)
• Use presentation aids when needed.
  • A picture is indeed worth a thousand words.
• Use non-technical words to explain technical concepts.
• Look for signs of understanding among the audience.
• Be prepared to explain anything, and to justify your actions.