
COMPUTER FORENSICS



Presentation Transcript


  1. COMPUTER FORENSICS Aug. 11, 2000 for tan@atstake.com Cambridge, Massachusetts

  2. COMPUTER FORENSICS CAN BE MANY THINGS
  • Child Pornography
  • Fraud
  • Espionage & Treason
  • Corporate or University Policy Violation
  • Honey-pots
  • Corporate or University internal investigation
  • FBI or (unlikely) Sheriff investigation
  • Computer Security Research
  • Post Mortem or Damage Assessment
  Computer forensics ultimately supports or refutes a case someone cares to make.

  3. FORENSICS IS A FOUR STEP PROCESS
  • Acquisition
  • Identification
  • Evaluation
  • Presentation
  RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm, by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

  4. PRESENTATION – Starting at the End
  • Many findings will not be evaluated to be worthy of presentation as evidence.
  • Many findings will need to withstand rigorous examination by another expert witness.
  • The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
  • The Chain of Custody may be challenged.

  5. EVALUATION – What the Lawyers Do
  • This is what lawyers (or those concerned with the case) do. Basically, determine relevance.
  • Presentation of findings is key in this phase.
  • Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.

  6. IDENTIFICATION – Technical Analysis
  • Physical Context
  • Logical Context
  • Presentation/Use Context
  • Opinion to support relevance of findings
  • Handling and labeling of objects submitted for forensic analysis is key.
  • Following a documented procedure is key.

  7. FBI List of Computer Forensic Services
  • Content (what type of data)
  • Comparison (against known data)
  • Transaction (sequence)
  • Extraction (of data)
  • Deleted Data Files (recovery)
  • Format Conversion
  • Keyword Searching
  • Password (decryption)
  • Limited Source Code (analysis or compare)
  • Storage Media (many types)

  8. THE EVIDENCE LOCKER
  • Restricted Access and Low Traffic, Camera Monitored Storage.
  • Video Surveillance & Long Play Video Recorders
  • Baggies for screws and label everything!
  • Sign In/Out for Chain of Custody

  9. ACQUISITION – What Are the Goals?
  • Track or Observe a Live Intruder?
  • Assess Extent of Live Intrusion?
  • Preserve “Evidence” for Court?
  • Close the Holes and Evict the Unwanted Guest?
  • Support for Sheriff, State Police or FBI Arrest?
  • Support for Court Ordered Subpoena?

  10. GROUND ZERO – WHAT TO DO
  • do not start looking through files
  • start a journal with the date and time, keep detailed notes
  • unplug the system from the network if possible
  • do not back the system up with dump or other backup utilities
  • if possible without rebooting, make two byte by byte copies of the physical disk
  • capture network info
  • capture process listings and open files
  • capture configuration information to disk and notes
  • collate mail, DNS and other network service logs to support host data
  • capture exhaustive external TCP and UDP port scans of the host
  • contact security department or CERT/management/police or FBI
  • if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
  • short-term storage
  • packaging/labeling
  • shipping
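Two of the slide-10 steps, the dated journal and the two byte-by-byte disk copies, carried through as an added shell example that is not part of the original deck: each copy is hashed and checked against the source before it is recorded, so a chain-of-custody challenge can be answered from the journal. JOURNAL, OPERATOR, acquire, verify and make_sample are this example's own names, and the constructed sample file stands in for a physical disk so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original slides: acquisition helper for the
# slide-10 steps "start a journal with the date and time" and "make two
# byte by byte copies of the physical disk". Assumes POSIX sh, dd, sha256sum.
# JOURNAL, OPERATOR, acquire, verify and make_sample are this example's names.

JOURNAL="${JOURNAL:-./forensic-journal.txt}"

# journal MESSAGE: append a UTC-timestamped line to the case journal.
journal() {
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$JOURNAL"
}

# sha256 FILE: print only the hex digest.
sha256() { sha256sum "$1" | cut -d' ' -f1; }

# verify IMAGE DIGEST: succeed only if IMAGE still hashes to DIGEST
# (re-run this whenever the image changes hands).
verify() { [ "$(sha256 "$1")" = "$2" ]; }

# acquire SOURCE OUTDIR: hash SOURCE, write two sector-by-sector copies,
# check each against the source hash and journal every step.
# conv=noerror,sync keeps offsets aligned past unreadable sectors, so
# SOURCE must be a whole number of 512-byte sectors (true of real disks).
acquire() {
    src="$1" out="$2"
    mkdir -p "$out"
    journal "acquisition start source=$src operator=${OPERATOR:-unknown}"
    src_hash=$(sha256 "$src")
    journal "source sha256=$src_hash"
    for i in 1 2; do
        img="$out/image$i.dd"
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
        journal "copy $i -> $img sha256=$(sha256 "$img")"
        if ! verify "$img" "$src_hash"; then
            journal "copy $i does NOT match source; acquisition FAILED"
            return 1
        fi
    done
    journal "acquisition complete: both copies verified, sha256=$src_hash"
}

# make_sample FILE: constructed 8-sector stand-in for a disk, for offline runs.
make_sample() { yes 'constructed sample sector data' | head -c 4096 >"$1"; }
```

On a real system the source is the block device, and the journal and images go to separate, write-once media that then follow the slide-8 sign in/out rules.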

  11. ADDITIONAL RESOURCES
  • RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
  • Lance Spitzner’s Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
  • Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
  • The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
  • Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
  • FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
  • Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
  • Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html

  12. Thank you … … very much, MIT!
