1. © Data Clinic Ltd 2007
2. A talk with Data Clinic. Presented by Russ Burrows (Director) and Ian Donovan (Forensic Technician)
4. Data Clinic Services: Data Clinic provides various technological services to the public and private sectors, including:
Data Recovery
Advanced Data Recovery
Data Conversion
Data Destruction
Online Data Backup
Forensic Investigations
5. Data Recovery (DR): data recovery can typically be completed using one of two approaches:
Hardware Approach
Clean rooms are required
Without a clean room, dust and other small particles would damage the platter surface
Software Approach
Commercial recovery software or forensic software can be used
Tips for DR
Avoid attempting to recover the data yourself, unless you are fully aware of the procedures.
Avoid running free recovery software or CheckDisk on the affected drive; anything that writes to the drive may render your data inaccessible.
Any noise coming from a drive normally indicates a mechanical fault; power it down rather than keep retrying.
6. Advanced Data Recovery (ADR)
7. Data Conversion: Data Clinic can successfully transfer data from outdated applications and redundant formats onto newer, more efficient platforms
8. Online Back-Up: Why back up?
80% of all businesses that suffer major data loss collapse within a few days
My University
will not accept late submission of course work because of data loss; they wouldn't consider this to be a valid excuse!
http://www.dataclinic.co.uk/data-backup-strategy-article.htm
9. Data Destruction http://www.dataclinic.co.uk/data-wiping-best-practice.htm
10. Section 1 Summary: the relationship between DR and forensics is strong. Why?
An element of forensics is being able to recover data; from time to time a forensic investigation may involve damaged media.
Back-up: a source of evidence?
If a suspect uses an online back-up package, a wealth of data may be held elsewhere.
12. Today's discussion: Digital Forensics
13. Types of Investigations: prosecutors use computer evidence every day to aid in convicting criminals involved in:
Fraud
Murder
Drug Trafficking
Child Pornography
Embezzlement
Terrorism
14. Types of Investigations at Data Clinic: Data Clinic tends to get involved with:
33% Conflict of Interest
22% Child Pornography
22% Intellectual Property Theft
11% Misuse of Equipment
11% Domestic
Statistics are based on the last 12 months
15. Conflict of Interest
16. Child Pornography: it is not all about images
Categories of explicit images: the COPINE scale
17. Intellectual Property Theft: removal of intellectual property
Transferred to Pen Drive
Transferred to DVD or CD
18. Misuse of Equipment: personal internet browsing
Is there a Company Policy in place for computer use?
Has the policy / contract been signed by both parties?
19. Domestic
20. Equipment
Software
AccessData Forensic Toolkit
Guidance Software EnCase
Paraben Forensics
Helix
Others including X-Ways Forensics
Hardware
ImageMASSter Solo III Forensic
Tableau SCSI Write Blocker
RoadMASSter-II
FRED, FREDDIE, FRED-SR, FREDL, FREDM & FREDC
21. Types of Documentation
22. Document Summary
Initial Contact
Communication Logs
NDA / Forensic Contracts
Non Disclosure Agreements
Signatures
Secure Collection & Delivery
Consignment Paper Work
Chain of Custody
Signatures
Photograph Equipment & Document
Record accurate data about each device, including the computer's serial and model numbers
Forensically Duplicate Suspect Media
Keep logs of the duplication process and its results, including the hash values of the source media and of each image, so the copy can be shown to be exact
Investigate Under Instruction
Maintain comprehensive notes, which will form part of your Forensic Report
Document Findings
Forensic Report, to include the procedures you undertook.
23. Solutions: if the investigation is not as straightforward as expected, you may need to source alternative solutions, e.g.
Seek advice from vendors
Other professionals within the field
Social Networking
24. Solutions Contd.: imagine you have been instructed to recover all Microsoft Word files on a suspect disk, within allocated and unallocated areas of the disk. One method you may use is:
File Header Recovery.
25. File Header Recovery: How?
Establish the hex values of the .doc file header (the signature at the start of the file, not the extension):
D0 CF 11 E0 A1 B1 1A E1
Note that this is the OLE2 compound document signature, shared by legacy .doc, .xls, .ppt and Outlook .msg files, so every hit needs checking to confirm it really is a Word document; Office 2007 .docx files are ZIP archives and begin with 50 4B 03 04 instead.
Execute a File Recovery by Type
Select the extension
Or customise the file type with the header bytes above
Set the max file size (header-only carving has no footer to stop on, so this setting bounds how much data is carved after each header)
Set the output folder
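The procedure above, as an added example written for this page (it is not Data Clinic's or X-Ways Forensics' own code): a small Python carver that scans a raw image for the D0 CF 11 E0 A1 B1 1A E1 signature, rejects hits whose header fields are not credible, sizes each hit from the file's own sector table (FAT) where it can and otherwise falls back to the max file size, and hashes what it carves. It goes a little beyond the slide in using the OLE2 FAT to find the true end of each file rather than always carving to the maximum; the function names, the constructed sample image and the two minimal documents it contains are assumptions made for this illustration.

```python
# Added example (not Data Clinic's or X-Ways' code): header-based carving of
# legacy Word .doc files. Names, the sample image and the constructed
# documents below are assumptions made for this illustration.
import hashlib
import struct
from typing import Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # the .doc header bytes from the slide
FREESECT = 0xFFFFFFFF  # MS-CFB FAT entry for an unused sector


def parse_ole2_header(hdr: bytes):
    """Return (sector_size, num_fat_sectors, difat) for a credible OLE2 header, else
    None; checking the byte-order mark and sector shift weeds out chance hits."""
    if len(hdr) < 512 or hdr[:8] != OLE2_MAGIC:
        return None
    byte_order, sector_shift = struct.unpack_from("<HH", hdr, 28)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return None
    (num_fat_sectors,) = struct.unpack_from("<I", hdr, 44)
    difat = struct.unpack_from("<109I", hdr, 76)  # first 109 FAT sector numbers
    return 1 << sector_shift, num_fat_sectors, difat


def ole2_size_from_fat(image: bytes, offset: int, sector_size: int,
                       num_fat_sectors: int, difat) -> Optional[int]:
    """Derive the file length from its FAT: the highest sector that is not FREESECT
    ends the file. None if the FAT is not wholly inside the image (partly overwritten)."""
    if num_fat_sectors == 0 or num_fat_sectors > 109:
        return None  # bigger files keep further DIFAT entries in DIFAT sectors; not handled
    per_sector = sector_size // 4
    highest_used = -1
    for k, fat_sector in enumerate(difat[:num_fat_sectors]):
        if fat_sector == FREESECT:
            return None
        start = offset + (fat_sector + 1) * sector_size  # sector n begins at (n + 1) * sector_size
        fat = image[start:start + sector_size]
        if len(fat) < sector_size:
            return None
        for i, value in enumerate(struct.unpack("<%dI" % per_sector, fat)):
            if value != FREESECT:
                highest_used = k * per_sector + i
    return None if highest_used < 0 else (highest_used + 2) * sector_size


def carve_doc_files(image: bytes, max_size: int = 4 * 1024 * 1024) -> list:
    """Scan every byte offset of the raw image (allocated and unallocated space alike,
    since a raw scan ignores the filesystem); return (offset, bytes, sha256) per hit."""
    results = []
    pos = image.find(OLE2_MAGIC)
    while pos != -1:
        parsed = parse_ole2_header(image[pos:pos + 512])
        if parsed is None:  # magic bytes without a sane header: skip the false positive
            pos = image.find(OLE2_MAGIC, pos + 1)
            continue
        size = ole2_size_from_fat(image, pos, *parsed)
        if size is None:  # fall back to the "max file size" setting, or the next header if closer
            nxt = image.find(OLE2_MAGIC, pos + len(OLE2_MAGIC))
            size = max_size if nxt == -1 else min(max_size, nxt - pos)
        size = min(size, max_size, len(image) - pos)
        data = image[pos:pos + size]
        results.append((pos, data, hashlib.sha256(data).hexdigest()))
        pos = image.find(OLE2_MAGIC, pos + size)
    return results


def build_sample_doc(payload: bytes) -> bytes:
    """Constructed test data: the smallest structurally valid compound file (header,
    one FAT sector, one directory sector, one data sector). Not a real Word file."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    struct.pack_into("<II", hdr, 44, 1, 1)  # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<I", hdr, 56, 0x1000)  # mini-stream cutoff
    struct.pack_into("<II", hdr, 60, 0xFFFFFFFE, 0)  # no mini FAT
    struct.pack_into("<II", hdr, 68, 0xFFFFFFFE, 0)  # no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # the FAT lives in sector 0
    fat = bytearray(b"\xff" * 512)  # every entry FREESECT...
    struct.pack_into("<III", fat, 0, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFE)  # ...except FAT, dir, data
    return bytes(hdr) + bytes(fat) + bytes(512) + payload.ljust(512, b"\0")[:512]


def build_sample_image() -> bytes:
    """Constructed 'disk image': slack, a .doc, junk, a decoy header with no valid
    fields, a second .doc, then trailing data."""
    doc_a = build_sample_doc(b"first constructed document")
    doc_b = build_sample_doc(b"second constructed document")
    decoy = OLE2_MAGIC + bytes(504)
    return bytes(300) + doc_a + b"\x55" * 1000 + decoy + doc_b + b"\xaa" * 700
```

To use it on a real image, read the image file into `image` (or adapt the scan to a memory-mapped file) and write each carved blob to the chosen output folder named by its offset, with the offset, size and hash recorded alongside; that list is the log the report should cite. Hits in unallocated space have no filename, so the offset is the only handle you have on them, and a hit the FAT cannot size (the fallback path) is a sign the file was partly overwritten and deserves a note to that effect.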
26. Section 2 Summary: remember evidence can be found anywhere, including the waste paper bin.
Microsoft Vista BitLocker
A recent article regarding Windows Vista suggests that, upon seizing the suspect equipment, you verify you have the USB key that contains the startup key; without it (or the recovery key) the protected OS cannot be booted and the encrypted volume cannot be read.
Documentation is a key part of forensics.
Document everything you see, say or do.
In addition to your studies, we hope the demonstration of using X-Ways Forensics was useful. Explore FileXT for the hex header values of file extensions.
Occasionally you may have to depart from the ACPO guidelines and use your own initiative. As long as you can prove your methods and demonstrate how the evidence was acquired, this should be valid; the ACPO principles themselves require an audit trail good enough for an independent third party to reproduce your results.
28. Involving the Client
29. Setting Client Expectations: deadlines need to be noted.
Expectations need to be realistic.
Expect complications, as most forensic investigations are not a piece of cake.
Allow time to revisit the need for investigation.
30. Setting Client Expectations Contd.: it is easy to underestimate the time it takes to undergo a complete forensic investigation. It may mean your commitment to the job exceeds that of your contractual agreement with your employer. A happy client is likely to return.
31. Establishing a Protocol
32. Applicable Costs
Witness Statement
Investigating Under Instruction (usually charged per hour)
Forensic Imaging (usually two images are created of each suspect item)
Consultations (teleconferences or face to face)
33. Applicable Costs Contd.: typically, to investigate under instruction a client could be expected to pay between £50 and £250+ per hour. The range is discretionary to the case in hand, i.e. home user or business user.
34. Section 3 Summary: your client will normally be more than happy to help; invite them to your offices and show them your progress. The hospitality will help too.
Make sure any expectations set are realistic and can be easily managed.
If there is any deadline you feel you cannot meet, let your client know at the earliest opportunity; they are usually working to a time schedule set by their legal representative.
Forensic investigations are hugely laborious and can thus be extremely lucrative.
One key prerequisite to becoming a forensic investigator is: PATIENCE
36. Managing Your Workload: maintain consistent communications with your client.
Have weekly reviews with your team to ensure investigations can be prioritised.
Keep comprehensive notes; this is absolutely critical.
Ensure your time can be justified.
37. Tips for On the Job: keep one notepad for each investigation
Keep one box file for each investigation
Manage your electronic evidence on secure servers and organise your space efficiently.
Keep copies of signed contracts in your Box Files and electronic copies on your evidence server.
38. Ask Questions: don't be afraid to ask your client questions, e.g. How long have you worked here? What is your job title? Why are you involved?
Get their personal thoughts on the matter in hand; it may give you more perspective.
39. Working Under Instruction: it is a better safeguard for all involved to work under the instruction of a legal representative. Typically a solicitor will be appointed by the client.
40. Section 4 Summary: it is essential that the work you complete is under the instruction of a legal representative.
Make a habit of asking questions to all involved.
If you have any tips whilst on your placement, share them and make the whole process smoother. You will learn more this way and at the same time will encourage social networking amongst like-minded people.
42. Summary: we are able to conclude that:
Documentation is a key principle of digital forensics
Accurate accounts of what you see, say or do are absolutely paramount
You should always work under the instruction of a legal representative
You should maintain consistent communications with your client
From time to time you will have to source solutions
Also we hope you have gained some insight into what Forensics is all about in a working environment.
43. Thank you for listening.
You may download this presentation from www.dataclinic.co.uk/forensics-presentation.ppt
Email
ian@dataclinic.co.uk
44. Recommended Texts
Computer Forensics: Computer Crime Scene Investigation, by John R. Vacca. ISBN 1584503890
Computer Forensics JumpStart, by Michael G. Solomon and others. ISBN 078214375X
Incident Response, by Kenneth R. van Wyk and Richard Forno. ISBN 0596001304
Investigative Data Mining for Security and Criminal Detection, by Jesús Mena. ISBN 0750676132
Software Forensics: Collecting Evidence from the Scene of a Digital Crime, by Robert M. Slade. ISBN 0071428046
45. Questions