Intro to Cyber Crime and Computer Forensics CSE 4273/6273 January 7, 2013 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
Textbooks • Required Texts: • Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2005. • Brodsky, Stanley, Testifying in Court: Guidelines and Maxims for the Expert Witness, American Psychological Association, 1991. • Optional Text: • Jones, Keith J., Bejtlich, Richard, and Rose, Curtis W., Real Digital Forensics: Computer Security and Incident Response, Addison-Wesley, 2006.
More Syllabus Stuff • Mock Trial days, April 22 and 24: 8:00 to 5:00 • Dress professionally for witness testimony. • Drop date: January 11 • Add date: January 14
Semester-Long Exercise • Phase I: Crime Scene Takedown Exercise • February 11-16 • Phase II: Evidence Discovery Phase • February 18 – March 29 • Phase III: Evidence Presentation Phase • April 1 – April 24
What is Forensics? • Forensics is the application of scientific techniques of investigation to the problem of finding, preserving and exploiting evidence to establish an evidentiary basis for arguing about facts in court cases
What is Science? “There are no forbidden questions in science, no matters too sensitive or delicate to be probed, no sacred truths. That openness to new ideas, combined with the most rigorous, skeptical scrutiny of all ideas, sifts the wheat from the chaff. It makes no difference how smart, august, or beloved you are. You must prove your case in the face of determined expert criticism.” – Carl Sagan © 2004 Mark M. Pollitt
What is Science? • Organized study of natural phenomena • Application of the scientific method • Hypothesis • Experiment • Conclusions based on demonstrable proof • Skepticism – search for alternative explanations
Skepticism “The tenets of skepticism do not require an advanced degree to master as most successful used car buyers demonstrate. The whole idea of a democratic application of skepticism is that everyone should have the essential tools to effectively and constructively evaluate claims of knowledge. All science asks is to employ the same levels of skepticism we use in buying a used car.” – Carl Sagan
What is Forensic Science? • Forensis – Latin meaning public, forum, discussion • Forensic – belonging to, suitable for use in courts or public fora • Forensic Science – any science used for the purpose of law
The Three Elements
What is Computer Forensics? • Computer forensics is forensics applied to information stored or transported on computers • It “Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis” • There should be a process and that process should be followed, but flexibility is essential, because the unusual will be encountered.
What is Computer Crime? • Three situations where you might find evidence on a digital device: • Device used to conduct the crime • Child Pornography/Exploitation • Threatening letters • Fraud • Embezzlement • Theft of intellectual property • Device is the target of the crime • Incident Response • Security Breach • Device is used to support the crime
What is evidence? • Can be anything! • As small as a few bytes • Could be, and hopefully will be, complete files • Could be deleted • Could be encrypted • Likely will be fragments of files • A few words • A couple of sentences • Hopefully some paragraphs • Registry entries or log entries!
Where do we find it? • Storage Media • RAM • Log Files • Registry
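The two slides above make the point that evidence is often only a fragment of a file, and that it may sit in storage the file system no longer accounts for. The block below is an added example, not code from the course or its textbooks, showing why that is true in practice: it scans a constructed raw image byte-for-byte, ignoring file system structure entirely, and pulls out printable strings and keyword hits from space that still holds the remains of a "deleted" memo and a registry-style entry. The image contents, keywords and function names are all assumptions made for the example.

```python
"""Raw keyword search over a disk image, including unallocated space (added example)."""
import re

# Constructed sample "disk image" (not a real acquisition): a block of unused
# sectors, one allocated text file, then unallocated space that still carries
# the remains of a deleted memo and a registry-style value.
SAMPLE_IMAGE = (
    b"\x00" * 512                                   # unused sectors
    + b"ALLOCATED: quarterly_report.txt\n"
    + b"Revenue figures attached.\n"
    + b"\x00" * 256                                 # slack / unallocated
    + b"wire $250,000 to account 4471"              # fragment of a deleted memo
    + b"\xff\xfe\x00\x01"                           # binary noise between fragments
    + b"HKLM\\Software\\Example\\Run=payload.exe"   # registry-style string
    + b"\x00" * 128
)


def extract_strings(data, min_len=4):
    """Return (offset, text) for every run of printable ASCII at least min_len
    bytes long, regardless of whether any file system still points at it.
    This is what the Unix `strings` tool does on a raw image."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def keyword_hits(data, keywords):
    """Case-insensitive search for each keyword over the raw bytes.
    Returns {keyword: [byte offsets]} so each hit can be cited by offset."""
    lower = data.lower()
    hits = {}
    for kw in keywords:
        needle = kw.lower().encode("ascii")
        offsets, start = [], 0
        while (idx := lower.find(needle, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[kw] = offsets
    return hits


def context(data, offset, width=24):
    """Bytes surrounding a hit, for the examiner's notes and the report."""
    lo, hi = max(0, offset - width), min(len(data), offset + width)
    return data[lo:hi]


if __name__ == "__main__":
    for off, s in extract_strings(SAMPLE_IMAGE):
        print(f"0x{off:06x}  {s}")
    for kw, offs in keyword_hits(SAMPLE_IMAGE, ["account", "payload.exe"]).items():
        for off in offs:
            print(f"{kw!r} at 0x{off:06x}: {context(SAMPLE_IMAGE, off)!r}")
```

The offsets are what make a hit usable: they are what you record, and what lets anyone re-run the search on a verified copy of the same image and land on the same bytes.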
What do we do with it? Three A’s of Computer Forensics • Acquire the evidence without altering or damaging the original. • Authenticate that your recovered evidence is the same as the originally seized data. • Analyze the data without modifying it.
Acquire the evidence • How do we seize the computer? • How do we handle computer evidence? • What is chain of custody? • Evidence collection • Evidence Identification • Transportation • Storage • Documenting the Investigation
Authenticate the Evidence • Prove that the evidence is indeed what the criminal left behind. • Contrary to what the defense attorney might want the jury to believe, readable text or pictures don’t magically appear at random. • Physical Authentication • Properly identify and label evidence • Establish chain of custody • Electronic Authentication • Calculate a cryptographic hash value (e.g., SHA-256) of the data at acquisition; a copy that later produces the same hash is authenticated as identical to what was seized
Analysis • Always work from an image of the evidence and never from the original. • Prevent damage to the evidence • Make two backups of the evidence in most cases. • Analyze everything; you may need clues from something seemingly unrelated.
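The Three A's slides above describe acquisition, hash-based authentication and analysis on a copy as one cycle. The block below is an added example that walks through that cycle end to end; it is not code from the course, the textbooks, or any forensic tool. It copies a constructed "seized" image to a read-only working copy, hashes both, re-verifies the copy, and then shows that a single changed byte in a copy makes authentication fail. The file names, the hashing helper and the one-byte tampering are assumptions made for the example; a real acquisition would go through a hardware write blocker and an imaging tool, and the hashes would be entered in the chain-of-custody log at seizure and again after analysis.

```python
"""Acquire, authenticate, analyze: hash-verified working copy of an image (added example)."""
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never sits in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, working_copy):
    """Acquire: produce the working image and hash both sides.
    Returns (original_digest, copy_digest); a mismatch means the copy must be
    re-acquired before any analysis. Hypothetical helper: a real acquisition
    reads the original through a write blocker with an imaging tool."""
    shutil.copyfile(original, working_copy)
    os.chmod(working_copy, 0o444)  # read-only as a guard against accidental writes
    return hash_file(original), hash_file(working_copy)


def authenticate(path, recorded_digest, algorithm="sha256"):
    """Authenticate: re-hash the image and compare with the digest recorded
    at seizure. Any later copy that matches is the same data, byte for byte."""
    return hmac.compare_digest(hash_file(path, algorithm), recorded_digest)


def demo():
    """Run the cycle on a constructed image and report what verified."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "seized.dd")
    copy = os.path.join(workdir, "working.dd")
    tampered = os.path.join(workdir, "tampered.dd")

    # Constructed content standing in for a seized drive image (not real data).
    with open(original, "wb") as f:
        f.write(b"\x00" * 4096 + b"confidential memo\n" + b"\xff" * 1024)

    orig_digest, copy_digest = acquire(original, copy)

    # Simulate an "analysis" that accidentally wrote to a copy: flip one byte.
    shutil.copyfile(copy, tampered)
    with open(tampered, "r+b") as f:
        f.seek(2048)
        f.write(b"X")

    result = {
        "sha256": orig_digest,
        "copy_matches_original": orig_digest == copy_digest,
        "copy_authenticates": authenticate(copy, orig_digest),
        "tampered_authenticates": authenticate(tampered, orig_digest),
    }
    os.chmod(copy, 0o644)
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Re-running `authenticate` on the working copy after the analysis is finished is the check that lets you say in court that nothing you did altered the data you examined; the one-byte case shows how little it takes for that statement to become false.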