1 / 19

System Forensics, Investigation, and Response Chapter 6 Controlling a Forensic Investigation

System Forensics, Investigation, and Response Chapter 6 Controlling a Forensic Investigation. Learning Objective. Procure evidence in physical and virtualized environments. Key Concepts. Preserving the crime scene Logical and physical media Data capture from local media

joanna
Download Presentation

System Forensics, Investigation, and Response Chapter 6 Controlling a Forensic Investigation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. System Forensics, Investigation, and Response Chapter 6 Controlling a Forensic Investigation

  2. Learning Objective • Procure evidence in physical and virtualized environments.

  3. Key Concepts • Preserving the crime scene • Logical and physical media • Data capture from local media • Legal concerns specific to computer forensics

  4. DISCOVER: CONCEPTS

  5. Considerations When Collecting Evidence • Never change the state of the data • Create an image (read-only) • Analyze the image (easiest data first) • Avoid losing volatile data • CPU/RAM • Running processes, network information, … • Maintain or capture the current state of each computer

  6. Preserving the Crime Scene • Photograph the physical configuration • Tag and bag all physical components • Make sure media is write-protected • Transport and store in controlled environments • Keep an accurate chain of custody record • Document all access

  7. Physical and Logical Analysis

  8. DISCOVER: ROLES

  9. The Role of Forensic Specialist

  10. Skills of a Forensic Specialist • Understands how hard disks and CDs are structured • Understands the basics of data encryption • Understands data compression • Understands techniques and automated tools used to capture and evaluate file slack • Can apply fuzzy logic tools to determine how a subject computer was used

  11. Skills of Forensic Specialist (Continued) • Understands how to examine the boot process and memory-resident programs • Knows how to make a backup image of data stored on flash memory media • Applies software tools and methods to identify and retrieve: • Passwords, logon information, e-mail messages, and accounting information • Employs forensic software tools

  12. DISCOVER: CONTEXTS

  13. Capturing Data from Storage Media • Structure of disk • Slack space • Swap files • Unallocated disk space • Boot partition data and hidden vendor partitions • Deleted files and folders • Corrupted files and folders

  14. Capturing Data from Storage Media (Continued) • Use proper tools • “Exact” copies of original data • Creation attributes (that is, how was data created)

  15. DISCOVER: RATIONALE

  16. Legal Aspects of Acquiring Evidence • The Fourth Amendment affects how specialists can acquire evidence • Preserving evidence • Establish authenticity • Follow a repeatable process

  17. Acquisition under the Fourth Amendment • When does “seizure” occur? • Who owns computer that contains data? • Is an image “good enough” for search? • Does attempts to delete data relate to privacy or cover-up? • Where does search in a network end? • Where does one search end and another begin?

  18. Processes to log evidence • You should use one of the following 3 criminal evidence rules: • Authentication – show that it’s a true copy • Best Evidence Rule – work with the original • Exceptions to Hearsay rule – confessions or business records Forensics tend to use authentication

  19. Authenticity Standards • Over the years, several evidence standards have been devised. • Relevancy test – Anything that is materially relevant to case • Frye Standard – Technique my be sufficiently established (general acceptance test) • Coppolino Standard – Even if not generally accepted, court can accept if good foundation laid • Marx Standard – No need to sacrifice common sense. • Daubert Standard – Rigorous test with special discovery procedures.

More Related