1. Computer Crime, Digital Investigation, and Data Recovery, or An Introduction to Digital Forensics
Golden G. Richard III
Associate Professor, Dept. of Computer Science
GIAC-certified Digital Forensics Investigator
Technical Advisor to the Gulf Coast Computer Forensics Laboratory (GCCFL)
Co-Founder, Digital Forensics Solutions, LLC
golden@cs.uno.edu
http://www.cs.uno.edu/~golden
2. Technical Definition: Digital Forensics
“Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”
3. Definition for the Masses: Digital Forensics
“Deleted” files are almost never really gone
4. “Deletion” Fallacies
“I deleted the file, it’s gone.”
Deleted files are recoverable using digital forensics tools
“I changed the name of the file, now no one will find it”
Digital forensics tools immediately identify files based on content—names don’t matter at all
“I formatted the drive—whew!”
This destroys almost nothing
“I use only web-based email”
Some email fragments are still present locally
“I encrypted my files”
It’s more difficult to hide all your data than one might think
“I put the hard drive next to a HUGE magnet”
The magnet would have to be not only huge, but terrifying.
“I cut the floppy into little pieces”
At this point, the data is harder to recover, so it’s a question of how important it is to recover it
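Added example (not from the original slides): a minimal Python sketch of two of the claims above, that tools identify files by content rather than by name, and that data left behind in unallocated space is recoverable. The signature table uses the standard JPEG, PDF and PNG magic numbers; the function names and the sample disk image are constructed for illustration.

```python
# Added example: signature-based identification and header/footer carving.
# Each entry maps a type to its standard (header, footer) magic bytes.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def identify(data: bytes):
    """Name the file type from its leading bytes; the file name is never consulted."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs; return sorted (kind, offset, data)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:  # header without a footer in range: likely a false hit
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed sample: zeroed 'unallocated space' still holding two old files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    image = b"\x00" * 512 + jpeg + b"\x00" * 300 + pdf + b"\xf6" * 200
    return image, jpeg, pdf

if __name__ == "__main__":
    image, jpeg, pdf = build_sample_image()
    # A JPEG renamed to look like a text file is still identified as a JPEG.
    print("notes.txt ->", identify(jpeg))
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Header/footer carving like this only recovers files stored contiguously; fragmented files need more than a footer search.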
5. Digital Forensics Investigation
In addition to data recovery…
Can determine which storage devices were plugged into a computer
Which applications were installed, even if they were uninstalled by the user
Which files were recently used
When files were deleted…
If downloaded files were organized…
...
6. Examples of Digital Evidence
Computers increasingly involved in criminal and corporate investigations
Digital evidence may play a supporting role or be the “smoking gun”
Email
Harassment or threats
Blackmail
Illegal transmission of internal corporate documents
Meeting points/times for drug deals
Suicide letters
Technical data for bomb making
Image or digital video files (esp., child pornography)
Evidence of inappropriate use of computer resources or attacks
Use of a machine as a spam email generator
Use of a machine to distribute illegally copied software
7. Careers in Digital Forensics
Law
Huge number of interesting legal issues
Digital forensics-savvy lawyers can make huge $$$
Law Enforcement
local, state, federal
Corporate
Digital forensics experts needed to provide security for company assets, perform private investigations
Education/Training
Research
8. Skill Levels (Technical Side)
9. Black Belt in Digital Forensics: Required Skills
Excellent oral and written communication skills
Must communicate findings (incredibly technical details) to non-techies (in English)
Math…lots of it.
New tools which analyze content of pictures, audio, video are highly mathematical
Computer Science
Must squeeze every ounce of performance out of computer equipment
Case backlogs are getting longer, need fast tools
! NO CRAPPY PROGRAMMERS !
Innocent people may die, the guilty may be set free!
10. UNO Offerings
Computer Science
Concentrations in Information Assurance (includes digital forensics)
All degree levels
B.S.
M.S.
Ph.D.
11. Resources
Books
Digital Evidence and Computer Crime (E. Casey, Academic Press)
Computer Forensics and Privacy (M. Caloyannides, Artech House)
Websites
http://www.cs.uno.edu/~golden
http://www.cs.uno.edu
http://www.dfrws.org
Lots of references related to digital forensics, including a link to an interesting e-journal…
http://www.ijde.org/ (International Journal of Digital Evidence)
http://vip.poly.edu/kulesh/forensics/list.htm
tons of stuff, including a bunch of online papers
http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
Huge collection of forensics-related software
Commercial and open-source digital forensics software
Sleuthkit
scalpel
foremost
Encase
FTK (Forensics Tool Kit)
ILook (law enforcement only)
WinHex
12. Aside: If You Really Want the Data to Die…
13. ?