
Computer Forensics

Computer Forensics. Summer Bridge Program, Dr. HwaJung Lee and Dr. Ashley Podhradsky. Objectives: what is computer forensics? History of computer forensics. When is computer forensics used? Computer forensics in the news. Describe how to prepare for computer investigations.


Presentation Transcript


  1. Computer Forensics
     Summer Bridge Program
     Dr. HwaJung Lee, Dr. Ashley Podhradsky

  2. Objectives
     • What is computer forensics?
     • History of computer forensics
     • When is computer forensics used?
     • Computer forensics in the news
     • Describe how to prepare for computer investigations
     • Computer forensics example: AccessData FTK Imager
     Source: Guide to Computer Forensics and Investigations

  3. Understanding Computer Forensics
     • Computer forensics
       • Involves obtaining and analyzing digital information
       • Investigates data that can be retrieved from a computer’s hard disk or other storage media
       • The task of recovering data that users have hidden or deleted and using it as evidence; evidence can be inculpatory (“incriminating”) or exculpatory
     • Related fields
       • Network forensics: yields information about how a perpetrator or an attacker gained access to a network
       • Data recovery: recovering information that was deleted by mistake or intentionally; typically you know what you’re looking for
       • Disaster recovery: uses computer forensics techniques to retrieve information clients have lost due to a natural or man-made disaster

  4. A Brief History of Computer Forensics
     • 1970s: electronic crimes were increasing, especially in the financial sector
       • Most law enforcement officers didn’t know enough about computers to ask the right questions, or to preserve evidence for trial
       • Fraction-of-a-penny crime (Office Space, anyone?)
     • 1980s
       • Norton DiskEdit soon followed, and became the best tool for finding deleted files
       • Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage
     • 1990s
       • Tools for computer forensics were available
       • International Association of Computer Investigative Specialists (IACIS): training on software for forensics investigations
       • ExpertWitness for the Macintosh: the first commercial GUI software for computer forensics, created by ASR Data

  5. Understanding Case Law
     • Technology is evolving at an exponential pace
     • Existing laws and statutes can’t keep up with the pace of change
     • Case law is used when statutes or regulations don’t exist
       • Case law allows legal counsel to use previous cases similar to the current one, because the laws don’t yet exist
       • Each case is evaluated on its own merit and issues

  6. Preparing for Computer Investigations
     • Computer investigations and forensics fall into two distinct categories
       • Public investigations
       • Private or corporate investigations
     • Public investigations
       • Involve government agencies responsible for criminal investigations and prosecution
       • Organizations must observe legal guidelines
       • Law of search and seizure: protects the rights of all people, including suspects

  7. Preparing for Computer Investigations
     • Private or corporate investigations
       • Deal with private companies, non-law-enforcement government agencies, and lawyers
       • Aren’t governed directly by criminal law or Fourth Amendment issues
       • Governed by internal policies that define expected employee behavior and conduct in the workplace
     • Private corporate investigations also involve litigation disputes
       • Investigations are usually conducted in civil cases

  8. Understanding Corporate Investigations
     • Private or corporate investigations
       • Involve private companies and lawyers who address company policy violations and litigation disputes
     • Corporate computer crimes can involve:
       • E-mail harassment
       • Falsification of data
       • Gender and age discrimination
       • Embezzlement
       • Sabotage
       • Industrial espionage

  9. Understanding Corporate Investigations
     • Establishing company policies
       • One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
       • Published company policies provide a line of authority for a business to conduct internal investigations
       • Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
     • Displaying warning banners
       • Another way to avoid litigation

  10. Maintaining Professional Conduct
     • Professional conduct
       • Determines your credibility
       • Includes ethics, morals, and standards of behavior
     • Maintaining objectivity means you must form and sustain unbiased opinions of your cases
     • Maintain an investigation’s credibility by keeping the case confidential
       • In the corporate environment, confidentiality is critical
       • In rare instances, your corporate case might become a criminal case as serious as murder

  11. Preparing a Computer Investigation
     • The role of the computer forensics professional is to gather evidence
       • Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence
       • Collect evidence that can be offered in court or at a corporate inquiry
     • Investigate the suspect’s computer
     • Preserve the evidence on a different computer
     • Chain of custody
       • The route the evidence takes from the time you find it until the case is closed or goes to court

  12. Taking a Systematic Approach
     • Steps for problem solving
       • Make an initial assessment about the type of case you are investigating
       • Determine the resources you need
       • Obtain and copy an evidence disk drive
       • Identify the risks; mitigate or minimize the risks
       • Analyze and recover the digital evidence
       • Investigate the data you recover
       • Complete the case report
       • Critique the case

  13. Planning Your Investigation
     • A basic investigation plan should include the following activities:
       • Acquire the evidence
       • Complete an evidence form and establish a chain of custody
       • Secure evidence in an approved secure container
       • Prepare a forensics workstation
       • Make a forensic copy of the evidence
       • Return the evidence to the secure container
       • Process the copied evidence with computer forensics tools
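The evidence form and chain of custody from slides 11 and 13 can be kept as a tamper-evident log. The following is an added example, not code from the course or from any forensic product: each entry records the custodian, the action, and the SHA-256 of the evidence at that moment, and is linked to the previous entry by hash, so verify() reports an altered entry, a broken link, or evidence whose hash no longer matches the acquisition hash. The case id and custodian names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record (constructed example).
    Each entry stores the evidence hash at the time of the action plus the
    hash of the previous entry, so later edits to the log are detectable."""

    def __init__(self, case_id: str, evidence: bytes):
        self.case_id = case_id
        self.entries = []
        self.append("acquired", "examiner", evidence)

    def append(self, action: str, custodian: str, evidence: bytes, when=None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"case_id": self.case_id, "seq": len(self.entries),
                 "action": action, "custodian": custodian,
                 "evidence_sha256": _digest(evidence),
                 "time": (when or datetime.now(timezone.utc)).isoformat(),
                 "prev_hash": prev}
        # the entry hash covers every field above, including prev_hash
        entry["entry_hash"] = _digest(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = "0" * 64
        acquired = self.entries[0]["evidence_sha256"] if self.entries else None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _digest(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']} altered")
            if e["prev_hash"] != prev:
                problems.append(f"entry {e['seq']} broken link")
            if e["evidence_sha256"] != acquired:
                problems.append(f"entry {e['seq']} evidence hash changed")
            prev = e["entry_hash"]
        if acquired is not None and _digest(evidence) != acquired:
            problems.append("evidence hash differs from acquisition hash")
        return problems
```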

  14. Securing Your Evidence
     • Use evidence bags to secure and catalog the evidence
     • Use computer-safe products
       • Antistatic bags
       • Antistatic pads
     • Use well-padded containers
     • Use evidence tape to seal all openings, including the power supply electrical cord
     • Write your initials on the tape to prove that the evidence has not been tampered with
     • Consider computer-specific temperature and humidity ranges

  15. Understanding Data Recovery Workstations and Software
     • Investigations are conducted in a computer forensics lab (or data-recovery lab)
       • Computer forensics and data recovery are related but different
     • Computer forensics workstation
       • A specially configured personal computer
       • Loaded with additional bays and forensics software
     • To avoid altering the evidence, use:
       • Forensics boot disk
       • Write-blocker devices
       • Network interface card (NIC)
       • Extra USB ports
       • FireWire 400/800 ports
       • SCSI card
       • Disk editor tool
       • Text editor tool
       • Graphics viewer program
       • Other specialized viewing tools

  16. Digital Forensic Cases
     • BTK Killer
       http://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
     • Michael Jackson
       http://www.dfinews.com/news/michael-jackson-death-trial-showcases-iphone-forensics
     • Caylee Anthony
       http://www.christianpost.com/news/casey-anthony-trial-computer-expert-unearths-chloroform-internet-searches-50980/

  17. Understanding Bit-Stream Copies
     • Bit-stream copy
       • A bit-by-bit copy of the original storage medium
       • An exact copy of the original disk
       • Different from a simple backup copy
         • Backup software only copies known files
         • Backup software cannot copy deleted files or e-mail messages, or recover file fragments
     • Bit-stream image
       • A file containing the bit-stream copy of all data on a disk or partition
       • Also known as a forensic copy

  18. Acquiring an Image of Evidence Media
     • First rule of computer forensics
       • Preserve the original evidence
       • Conduct your analysis only on a copy of the data
     • Use FTK Imager to create a forensic image
       • www.accessdata.com/support/downloads
     • Your job is to recover data from:
       • Deleted files
       • File fragments
       • Complete files
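Slides 17 and 18 contrast a bit-stream copy with a file-level backup and say the analysis runs on a hash-verified copy. The following is an added illustration, not code from the course or from FTK Imager: it builds a constructed toy "disk" with 16-byte sectors and a one-sector directory, where a deleted file's sectors are no longer listed but still hold data. backup_copy() sees only the live file, while bitstream_image() copies every sector, hashes source and image, and the unallocated sectors of the image still yield the deleted content. The sector size, directory format and file contents are all constructed for the example.

```python
import hashlib
import math

SECTOR = 16        # constructed toy geometry; real media use 512 or 4096 bytes
NUM_SECTORS = 8


def build_sample_media() -> bytes:
    """Constructed sample 'disk': sector 0 is a directory of live files as
    name:start:length records; sectors 1-7 hold data. Deleting a file here
    removes its directory record but leaves its data sectors untouched."""
    disk = bytearray(SECTOR * NUM_SECTORS)
    disk[0:SECTOR] = b"note.txt:1:12;".ljust(SECTOR, b"\x00")
    disk[SECTOR:SECTOR + 12] = b"meeting 3pm "              # live file, sector 1
    disk[2 * SECTOR:2 * SECTOR + 14] = b"secret payroll"     # deleted file, sector 2
    return bytes(disk)


def parse_directory(disk: bytes) -> dict:
    entries = {}
    for rec in disk[:SECTOR].rstrip(b"\x00").split(b";"):
        if rec:
            name, start, length = rec.split(b":")
            entries[name.decode()] = (int(start), int(length))
    return entries


def backup_copy(disk: bytes) -> dict:
    """File-level backup: copies only the files the directory lists."""
    return {name: disk[s * SECTOR:s * SECTOR + n]
            for name, (s, n) in parse_directory(disk).items()}


def bitstream_image(disk: bytes) -> tuple:
    """Forensic copy: every sector in order, plus source and image hashes
    so the examiner can show the copy is exact."""
    image = b"".join(disk[o:o + SECTOR] for o in range(0, len(disk), SECTOR))
    return image, hashlib.sha256(disk).hexdigest(), hashlib.sha256(image).hexdigest()


def unallocated_sectors(image: bytes) -> list:
    """Sectors no directory entry references: where deleted data survives."""
    used = {0}   # the directory sector itself
    for start, length in parse_directory(image).values():
        used.update(range(start, start + math.ceil(length / SECTOR)))
    return [i for i in range(len(image) // SECTOR) if i not in used]


def recover_deleted(image: bytes) -> bytes:
    """Concatenate unallocated sectors of the image (a real tool carves by signature)."""
    return b"".join(image[i * SECTOR:(i + 1) * SECTOR]
                    for i in unallocated_sectors(image)).rstrip(b"\x00")
```

Every function works on the image rather than the original disk, which is the point of slide 18: once the hashes match, the original is never touched again.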
