260 likes | 362 Views
Effective Discovery. Techniques In Computer Crime Cases. Introduction. Storm’s Edge Technologies. IT Consulting Company servicing the Dallas/Fort worth area. Services PC Support and Custom Built PCs Server Support and Custom Built Server Network Support Firewall Support
E N D
Effective Discovery Techniques In Computer Crime Cases
Storm’s Edge Technologies • IT Consulting Company servicing the Dallas/Fort worth area. • Services • PC Support and Custom Built PCs • Server Support and Custom Built Server • Network Support • Firewall Support • Web Site Development/Hosting • Custom Application Development • Computer Forensics • Disaster/Data Recovery Services
Contact Information Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX 76124 Email: Dan@StormsEdge.com Phone: 817.496.4956 Fax: 817.496.3435 Web: www.stormsedge.com
Computers or Spies? • What can we determine from a PC • Users Passwords • Web-Sites viewed • Documents opened • Pictures viewed • Age of PC • Last Reboot Time • What files have been accessed, deleted, modified, etc…
Computers or Spies? • What can we determine from a PC • Who created the document • When documents were printed • What software created the document • What devices where used • Who has used the PC • What software has recently be used • When the OS was installed • The possibilities too numerous to list!
Integrating the PC • Registry Files contain an abundant amount of information to include • Usernames/Passwords for email, websites, and programs • Internet Sites visited along with date/times • Search Terms used on Google and other search engines. • Recent file activity/access • List of software installed
Integrating the PC • Registry Files contain an abundant amount of information to include • Screen Saver required Password • User Logon Required or Not • Date Windows was Installed • Date each user last logged on. • Etc…
Integrating the PC • PC Event Logs can provide some insight into the use of a PC • Change in System Time • Boot/Startup Times • Problems with drivers & devices • Because the event logs generally cover a time period of several months they can provide a good history of activity.
Other Files • INI files are used by programs to store information/configuration. • Plain Text • Safe for Export • LNK (Short Cut) files will often provide insight to the users programs • Start Menu will give you a list of the common program they run/access.
Alibi with a PC • Establish who was using the PC • UserID/Password • Screen Saver w/Password • User Specific knowledge like logging into MySpace web-site. • Establish PC has the correct time • Check BIOS date vs. windows date • Check Event Log for time sync events
Alibi with a PC • Determine Activity and Time • File Dates (Creation, Access, Modified) • Web-Site Activity • Email Activity • Printer Activity
Classified/Sensitive Data • How to perform a Forensic Analysis when you can not possess the data. • Identify who has secured the evidence • Determine local policies in providing access • Process the Forensic Image files • Review any Sensitive Data on-site • Generate Report • Extract non-sensitive files for processing in your own forensic lab. • Request a review and copy of the report to ensure no classified/sensitive data is exported.
Extracting Non-Sensitive Files • Files to Extract for later processing • Registry Files • Event Logs • INI Files • LNK Files • Access Database of all files • FTK will create this as part of its normal processing of the Forensic Image Files. • EnCase will need to export a CSV file.
What is … • Slack Space – The area between the end of the file and the end of the cluster. • Free Space – The area available to store data including areas where files were stored but have been deleted. • Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions. • Swap File – File used to cache memory to the hard drive • Hibernation File – File used to store memory to the hard drive when hibernating
How Do I? • Prove a USB Key was used on a PC • Prove an Image was viewed • Recover Deleted Files • Determine if a user has opened a file • Prove a file was copied/moved • Find out when a file was deleted • Demonstrate a PC was used remotely • Show who created a file • Etc…..
Storm’s Edge Technologies Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX 76124 Email: Dan@StormsEdge.com Phone: 817.496.4956 Fax: 817.496.3435 Web: www.stormsedge.com