1 / 37

Computer Forensics

Computer Forensics. CS 407 MW 10:30 – 12:30 Texts: File System Forensic Analysis , Brian Carrier Windows Forensics Analysis , 2 nd editiion , Harlan Carvey Supplementary Texts: Digital Evidence and Computer Crime , Eoghan Casey

osias
Download Presentation

Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Forensics • CS 407 • MW 10:30 – 12:30 • Texts: • File System Forensic Analysis, Brian Carrier • Windows Forensics Analysis, 2ndeditiion, Harlan Carvey • Supplementary Texts: • Digital Evidence and Computer Crime, Eoghan Casey • Guide to Computer Forensics and Investigations, Nelson, et al • Web site: ackler.csrl.sou.edu/

  2. More Texts: • Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, http://www.ncjrs.gov/pdffiles1/nij/187736.pdf Forensic Examination of Digital Evidence: A Guide for Law Enforcement Series, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf Best Practices for Seizing Electronic Evidence V2 www.fletc.gov/training/programs/legal-division/downloads-articles-and -faqs/downloads/other/bestpractices.pdf/view

  3. Advanced Computer ForensicsA New RealmResponsiblities Ethical Legal Technical • Three Course Sequence • File system Forensics • Live Incident Response, • FTK , Crime Scene Exercise • ACE Certification • Preparation for CCE Certification, ISFCE

  4. Syllabus Week 1: Procedural, Legal and Ethical Principals of Computer Forensics Week 2: Imaging Hard Drives Media preparation for cloning, proving it is sterile Imaging tools Intro to dd, dcfldd, ddrescue FTK Imager Write blockers Tool validation test plans and test reports Week 3-5: Hard Drive and File System Structure Master Boot Record, Partition tables, Directories FAT, NTFS, ext2, ext3, IDE, ATAPI, Sata, SCSI Drives, Raid devices

  5. Syllabus Week 6-7: Registry Analysis Registry structure, system information, tracking user activity MRUs, time lines, USB devices, restore points FTK’s Registry Viewer, regedit, and regripper Week 8-9: Windows File Analysis Event logs, link files, setup logs, firewall logs File metadata, $I30 files, prefetch files Week 10: File Signature and data carving File structure and file signatures “File Extractor Pro”

  6. Computer Forensics • As in all endeavors: • “Blame always falls some where.” • Rule: • “Let it not be in your lap.”

  7. Computer Forensics • Discovery and recovery of digital evidence • Usually post facto • Sometimes real time • Types of forensic investigations • Liturgical • Going to court • Crimes, etc. • Non-Liturgical • Administrative adjudication • Industry

  8. Purpose • Prove or disprove criminal activity • Prove or disprove policy violation • Prove or disprove malicious behavior to or by the computer/user • If the evidence is there, the case is yours to lose with very little effort.

  9. Today • Ethical issues • Privacy issues • Evidence • Association of suspect with evidence • Chain of custody • Seizing electronic evidence

  10. Ethical issues • Evidence • All of it • Emphasis on exculpatory • Respect for suspects privacy and rights • Beware of collateral damage • Proper use of dual use technology • All tools can be used to commit crime • All procedures can be used to hide crime

  11. Business Issues • No interruption of business • Know the policies of the business • Sensitive to the business costs during an investigation

  12. Privacy Issues • Rights of the suspect • Liabilities of the investigator • Public versus private storage of information • Expectation of privacy

  13. Search and Seize • With and without a warrant • Not for the computer forensics expert • Residences • Private Sector-workplaces • Public Sector-workplaces • “In plain sight” issues

  14. Subpoenas • Person to testify • Present to the court computers, records, documents • Authentication issues • Record alteration • Usually for computer based business records • Often a snapshot of ongoing record keeping

  15. Search Warrants • Show up and take away • Court approved with probable cause • Good for computers • Records, etc. • Sneak & peek • Compelling reason • Notify within 7 – 45 days • For stored communications and records • Caution: third party information

  16. Electronic Storage • Any temporary or intermediate storage of a wire or electronic communication incidental to the electronic transmission of the communications • And backup for the restoration of the electronic communication service (not for future use)‏

  17. Wire Communications • Telephone communications mostly • Specifically the communication must contain the human voice • At any point from the point of origin to the point of reception • Must be on a wire somewhere • Wire communication in “temporary or incidental” electronic storage is covered by Title III • Causes confusion • Unopened voice mail is covered • Opened voice mail is not

  18. Electronic Communications • Internet communications mostly • Signs, signals, writing, images, sounds, data, or intelligence transmitted electronically • BUT does not include • Wire or oral communications • Tone-only paging device • Cannot be characterized as containing the human voice

  19. Communications Intercept • Acquisition contemporaneous with transmission • Content • Addressing information

  20. Electronic surveillance • Pen/Trap Statue • Collection of addressing information for wire and electronic communications • Title III of the Omnibus Crime Control and Safe Streets Act of 1968 • Collection of content of wire and electronic communications

  21. Pen/Trap Statue • Collection of addressing information • Phone is different from Internet • Application for a Pen/Trap order • Who wants it • Where do they work • State their belief the info is relevant to an ongoing criminal investigation • Application is easy • Violation is severe

  22. Title III - 1968 • Assumption: any interception of private communication between two parties is illegal. • Title III order is required when • Intercepted communication is protected under Title III • The proposed surveillance is an interception oc communications • Is there a statutory exception

  23. Title III Wire Taps • Court approved upon probable cause • Feds need DoJ approval • Good for 30 days • Can apply for non-notification • Usually used for “wire communications” • Very dicey area between “wire communication” and “electronic communication”

  24. Title III - 2001 • Voice intercept authorized in computer hacking investigations • Electronic storage of wire communications is now covered by same rules as stored electronic communications (only need a search warrant)‏ • Session times, addresses only requires a subpoena not a Pen/Trap order • Warrants for e-mail are now nationwide

  25. Title III - Today • NSA surveillance puts all in disarray

  26. NSLs • Specifically enabled in the USA PATRIOT Act • Requires FBI supervisor approval • No judicial oversight • Disclosure is forbidden

  27. Evidence • Demonstrative • Documentary • Testimonial • Circumstantial • Hearsay

  28. Demonstrative Evidence • Physical evidence that one can see and inspect • Does not play a direct part in the incident • Of probative value • Sometimes referred to as real evidence

  29. Documentary Evidence • Evidence supplied by a writing or other document • Must be authenticated to be admissible

  30. Testimonial Evidence • A person’s testimony • Offered to prove the truth of the matter

  31. Hearsay Evidence • “Hearsay is a statement offered in evidence to prove the truth of the matter asserted” Federal Rules of Evidence, § 801 • There are many exceptions to hearsay evidence. • Most forensic evidence must be shown to be excepted from hearsay

  32. Computer Evidence • Two broad classes • Computer generated records • Computer stored records • Computer data contains potential hearsay evidence • To be admissible, a hearsay exception must be established • Unless it can be shown that the data are reliable, trustworthy, material and authentic.

  33. Computer Generated Data • Computer generated records • Data untouched by human hands. • Phone logs • ISP logs • syslogs • The data contains no hearsay evidence • To be admissible, it must be shown that the data are reliable, trustworthy, material and authentic. • Reliability of the computer programs

  34. Computer Stored Data • Computer stored records • Data potentially contains hearsay • Photo graphs • Results of Excel spreadsheets • A printout of an e-mail is considered to be an original. • However, to connect the e-mail to the defendant one must tie the computer system to the defendant. • The ISP records of the e-mail server are business records and only require testimony of the ISP.

  35. Computer Stored Business Records • Business records • Data generated in the usual course of business • Done regularly • A satisfies a hearsay exception.

  36. Evidence • Admissible • must be legally obtained and relevant • Reliable • has not been tainted (changed) since acquisition • Authentic • the real thing, not a replica • Complete • includes any exculpatory evidence • Believable • lawyers, judge & jury can understand it

  37. Chain of Custody • The evidence must be accounted for at all times after seizure • Very prone to violation with digital evidence • Can’t take it home to work on! • Sometimes it is hard to say where the evidence is. • Fortunately the courts accept hash codes • Not for long • MD5 collisions in less than a minute

More Related