250 likes | 683 Views
Security and Privacy in Computer Forensics Applications. S. Srinivasan Professor of CIS Director, Center for Information Assurance University of Louisville Louisville, Kentucky. Outline. Computer Forensics in academia History Emerging curricula Technology Collaboration Applications
E N D
Security and Privacy in Computer Forensics Applications S. Srinivasan Professor of CIS Director, Center for Information Assurance University of Louisville Louisville, Kentucky
Outline • Computer Forensics in academia • History • Emerging curricula • Technology • Collaboration • Applications • Security issues • Privacy concerns
Computer Forensics • Computer Forensics • process involves: • Collection • Preservation • Analysis • Presentation of evidence from digital sources • Historically a law enforcement responsibility
Computer Forensics • 1984 – FBI forms the Computer Analysis and Response Team (CART) • 1993 - first international Computer Evidence conference held • 1995 – International Organization for Computer Evidence formed • 1997 – G-8 Summit in Moscow calls for training law enforcement personnel for solving high tech crimes
Computer Forensics • 2000 – first Regional Computer Forensics Lab formed in Dallas • 2006 – latest (14th) RCFL opened in Louisville, KY
FBI’s Regional Computer Forensics Labs (RCFLs) Source: www.rcfl.gov
Computer Forensics in Academia • Many programs housed in Criminal Justice departments • Main focus on evidence preservation and presentation • Analysis done by forensic examiners well versed in computing • Over 100 CF programs exist today in US
Computer Forensics in Academia • Important programs to review: • Purdue University, West Lafayette, IN • University of Tulsa, Tulsa, OK • University of Central Florida, Orlando, FL • Mississippi State Univ., Mississippi State, MS • Champlain College, Burlington, VT
Emerging Curricula • Typical courses in Computer Forensics program: • Networking • Operating Systems • Data Communications • Computer Evidence • Criminal Law • Basic Computer Forensics • Advanced Computer Forensics • Ethics • Algebra and Statistics
Emerging Curricula • Emphasis on both technology and policy • Exposure to forensic tools • EnCase • FTK • Significance of chain of evidence
Technology • Understanding of • storage technology • operating system features • Windows • Linux • Unix • Mac OS • file systems
Technology • Knowledge of • Slack space • Host Protected Area (HPA) • Device Configuration Overlay (DCO) • Disk imaging • Data recovery • Total data deletion • Handling encryption
Collaboration • Computer Forensics investigation requires collaboration of • Law enforcement • Attorneys • Computer specialists • In academia, collaborating units could be: • Computer Science • Criminal Justice • Law • Accounting & Finance
Applications • Email • Lasts longer than people believe • Businesses monitor employee emails • Admissible in legal proceedings • Protect using PGP • E-commerce • Exchange of confidential data • Impersonation
Applications • Data backup • Encrypt • Secure transfer of backup media • Periodic recovery
Security Issues • Data hiding • Image hiding • Improper destruction of sensitive data • Weak authentication tools • Created, Accessed, Modified date • Boot password • Password cracking
Privacy Concerns • Computer Forensic investigation reveals: • Passwords • Encryption keys • Images • Scope of investigation • Use of knowledge beyond goal of investigation • Legal requirements
Privacy Protection • Ten guidelines: • Remove personally identifiable data from storage media • Store an identical copy of any evidentiary media given to law enforcement • Limit search to goal of investigation • Handle time stamped events in strictest confidence • On networks, packet acknowledgement be via the use of tokens than IP addresses
Privacy Protection • Safe storage of all internal logs • Preservation of event logs in external nodes • Put policies in place for actionable items related to attacks • Put policies in place for safeguarding backed up data related to an investigation • Handle disposal of sensitive data in a secure manner
Summary • Computer Forensics provides plenty of trace back capabilities • Forensic investigators should get periodic training in ethical handling of data • Policies should be in place to protect privacy of subjects in an investigation
References • Computer Evidence: Collection and Preservation by Christopher Brown, Thomson Publishers, MA 2006, ISBN: 1-58450-405-6 • Guide to Computer Forensics and Investigations, 2nd edition by Bill Nelson et al, Thomson Publishers, MA 2006, ISBN: 0-619-21706-5 • Computer Forensics – Hacking Exposed: Secrets and Solutions by Chris Davis et al, Osborne-McGraw Hill Publishers, NY 2005, ISBN: 0-070225675-3
References • File System Forensic Analysis by Brian Carrier, Addison-Wesley, MA, 2005, ISBN: 0321268172 • Alec Yasinsac, Robert Earbacher, Donald G. Marks, Mark Pollitt, Peter M. Sommer, "Computer Forensics Education", IEEE Computer Security and Privacy Magazine, July-Aug 2003, Vol. 1, No. 4, pp. 15-23
References • EnCase http://www.guidancesoftware.com • FTK http://www.accessdata.com • FileHound http://www.filehound.org • SATA http://www.serialata.org/ • Creating disk image http://darkdust.net/marc/diskimagehowto.php • National Institute of Justice document on dd command http://www.ncjrs.gov/pdffiles1/nij/203095.pdf
References • Computer Forensics programs http://www.e-evidence.info/education.html • Brian Carrier http://dftt.sourceforge.net/
Thank you! srini@louisville.edu www.louisville.edu/infosec