1 / 26

Effective Discovery

Effective Discovery. Techniques In Computer Crime Cases. Introduction. Storm’s Edge Technologies. IT Consulting Company servicing the Dallas/Fort worth area. Services PC Support and Custom Built PCs Server Support and Custom Built Server Network Support Firewall Support

mckile
Download Presentation

Effective Discovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Effective Discovery Techniques In Computer Crime Cases

  2. Introduction

  3. Storm’s Edge Technologies • IT Consulting Company servicing the Dallas/Fort worth area. • Services • PC Support and Custom Built PCs • Server Support and Custom Built Server • Network Support • Firewall Support • Web Site Development/Hosting • Custom Application Development • Computer Forensics • Disaster/Data Recovery Services

  4. Contact Information Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX 76124 Email: Dan@StormsEdge.com Phone: 817.496.4956 Fax: 817.496.3435 Web: www.stormsedge.com

  5. Forensic Process

  6. Overview

  7. Stage of the Forensic Process

  8. Stage of the Forensic Process

  9. Stage of the Forensic Process

  10. Stage of the Forensic Process

  11. Stage of the Forensic Process

  12. Forensic Timeline

  13. Computers or Spies? • What can we determine from a PC • Users Passwords • Web-Sites viewed • Documents opened • Pictures viewed • Age of PC • Last Reboot Time • What files have been accessed, deleted, modified, etc…

  14. Computers or Spies? • What can we determine from a PC • Who created the document • When documents were printed • What software created the document • What devices where used • Who has used the PC • What software has recently be used • When the OS was installed • The possibilities too numerous to list!

  15. Integrating the PC • Registry Files contain an abundant amount of information to include • Usernames/Passwords for email, websites, and programs • Internet Sites visited along with date/times • Search Terms used on Google and other search engines. • Recent file activity/access • List of software installed

  16. Integrating the PC • Registry Files contain an abundant amount of information to include • Screen Saver required Password • User Logon Required or Not • Date Windows was Installed • Date each user last logged on. • Etc…

  17. Integrating the PC • PC Event Logs can provide some insight into the use of a PC • Change in System Time • Boot/Startup Times • Problems with drivers & devices • Because the event logs generally cover a time period of several months they can provide a good history of activity.

  18. Other Files • INI files are used by programs to store information/configuration. • Plain Text • Safe for Export • LNK (Short Cut) files will often provide insight to the users programs • Start Menu will give you a list of the common program they run/access.

  19. Alibi with a PC • Establish who was using the PC • UserID/Password • Screen Saver w/Password • User Specific knowledge like logging into MySpace web-site. • Establish PC has the correct time • Check BIOS date vs. windows date • Check Event Log for time sync events

  20. Alibi with a PC • Determine Activity and Time • File Dates (Creation, Access, Modified) • Web-Site Activity • Email Activity • Printer Activity

  21. Classified/Sensitive Data • How to perform a Forensic Analysis when you can not possess the data. • Identify who has secured the evidence • Determine local policies in providing access • Process the Forensic Image files • Review any Sensitive Data on-site • Generate Report • Extract non-sensitive files for processing in your own forensic lab. • Request a review and copy of the report to ensure no classified/sensitive data is exported.

  22. Extracting Non-Sensitive Files • Files to Extract for later processing • Registry Files • Event Logs • INI Files • LNK Files • Access Database of all files • FTK will create this as part of its normal processing of the Forensic Image Files. • EnCase will need to export a CSV file.

  23. What is … • Slack Space – The area between the end of the file and the end of the cluster. • Free Space – The area available to store data including areas where files were stored but have been deleted. • Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions. • Swap File – File used to cache memory to the hard drive • Hibernation File – File used to store memory to the hard drive when hibernating

  24. How Do I? • Prove a USB Key was used on a PC • Prove an Image was viewed • Recover Deleted Files • Determine if a user has opened a file • Prove a file was copied/moved • Find out when a file was deleted • Demonstrate a PC was used remotely • Show who created a file • Etc…..

  25. Open Questions

  26. Storm’s Edge Technologies Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX 76124 Email: Dan@StormsEdge.com Phone: 817.496.4956 Fax: 817.496.3435 Web: www.stormsedge.com

More Related