1 / 36

Computer Forensics BACS 371

Computer Forensics BACS 371. Evidentiary Methods I Incident Response. The Nature of Computer Evidence. “Evidence is what distinguishes a hypothesis from a groundless assertion.” Determining what is actually the crime Too many potential suspects Too much potential evidence

zahur
Download Presentation

Computer Forensics BACS 371

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer ForensicsBACS 371 Evidentiary Methods I Incident Response

  2. The Nature of Computer Evidence “Evidence is what distinguishes a hypothesis from a groundless assertion.” • Determining what is actually the crime • Too many potential suspects • Too much potential evidence • Evidence is easily contaminated • Contaminating some evidence may ruin all evidence

  3. Computer Forensics… is the discipline of acquiring, preserving, retrieving, and presenting electronic data. Three C’s of evidence: • Care • Control • Chain of Custody

  4. Computer Forensics Investigation Process • Intelligence • Basic understanding of issues surrounding incident • Hypothesis Formulation • Formulated with regard to “5 Ws” • Evidence Collection • Supporting and non supporting • Testing • Support or refute hypothesis • Conclusion

  5. Computer Security Incident • Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. • Theft of trade secrets • Email spam or harassment • Unlawful or unauthorized intrusion into computing systems • Embezzlement • Possession or dissemination of child pornography • Denial-of-service (DoS) attacks • Tortuous interference of business relations • Extortion • Any unlawful action when the evidence of such action may be stored on computer media such as fraud, threats, and traditional crimes

  6. Events may include… • Violations of public law • Actionable in criminal or civil proceedings • Grave impact on an organization’s reputation and its business operations • Intense pressure, time, and resource constraints

  7. Goals of Incident Response • Prevent disjointed, non-cohesive response • Confirms or dispels whether incident occurred • Promotes accumulation of accurate information • Establishes controls for handling evidence • Protects privacy rights • Minimizes disruptions to business • Allows for criminal and civil action • Provides reports and recommendations • Provides rapid detection and containment • Minimizes compromise of proprietary data • Protects organizations reputation and assets • Educates senior management • Promotes rapid detection and/or prevention of future incidents

  8. Components of Incident Response

  9. Seven Major Components of Incident Response • Pre-incident preparation • Detection of incidents • Initial response • Formulate response strategy • Investigate the incident • Reporting • Resolution

  10. Components of Incident Response • Pre-incident preparation • Proactive measures before incident to ensure assets and information are protected • Detection of incidents • Report by end user • Report by system administrator • Internal Detection System • Incident response checklist

  11. Incident Response Checklist

  12. Components of Incident Response • Initial Response • Interviewing • System administrator • Personnel • Suspect • Review • Internal Detection System report • Network logs • Access control • Formulate a Response Strategy

  13. Investigate the Incident • Data Collection • Sound forensic methods • Host-Based Information • System date/time • Applications currently running • Open network connections and ports • Applications listening on ports • Initial live response – volatile data • In-depth response – log files • Full live response – live forensic analysis

  14. Request for Forensic Examination http://www.rmrcfl.org/Downloads/Documents/Shaded%20PDF.pdf

  15. Performing Forensic Analysis

  16. Forensic Analysis • Reviewing all data collected • Log files • System configuration files • Trust relationships • Web browser history files • Email messages • Installed applications • Graphics files • Techniques include • Software analysis • Review time/date stamps • Keyword searches • Review free space, deleted files, slack space

  17. Components of Incident Response • Reporting • Document immediately • Write concisely and clearly • Use a standard format • Employ technical editors • Resolution • Prevent further damage • Return to secure, healthy operational status • Apply countermeasures and update security standards

  18. The Five Mistakes of Incident Response • Not having a plan • Failing to increase monitoring and surveillance • Being unprepared for a court battle • Putting it back the way it was • Not learning from mistakes

  19. Basic Forensic Methodology • Acquire the evidence – maintain chain of custody • Authenticate that it is the same as the original • Analyze the data without modifying it

  20. Evidence Handling Process

  21. E-Evidence Acquisition and Authentication Objectives† • Document the scene, evidence, activities, and findings • Acquire the evidence • Authenticate the copy • Analyze and filter evidence • Be objective and unbiased • Present the evidence and an evaluation of the findings in an understandable and legally acceptable manner †Volonino, p. 85

  22. NYS Police Forensic Procedures (Continued)

  23. NYS Police Forensic Procedures(Cont.) (Continued)

  24. NYS Police Forensic Procedures(Cont.)

  25. Computer Evidence Worksheet

  26. Digital Photos

  27. Evidence Tag • Place or person from whom item was received • If item requires consent for search • Description of items taken • Information contained on storage device • Data and time item was taken • Full name and signature of individual initially receiving evidence • Case and tag number

  28. Case Number and Evidence Tag Number Date and Time the evidence was collected Brief Description of items in envelope Evidence Label

  29. Evidence Log Case Number: 123412 • Evidence Tag Number • Date • Action Taken • Person performing action • Identifying information

  30. Documentary Evidence1 • Chain of custody of documents • Marking of evidence • Organization of documentary evidence • Rules concerning original versus copies of documents 1Albrecht, Albrecht, Albrecht, Fraud Examination 2e, Thompson South-Western, 2006, p. 226

  31. Chain of Custody Procedures • Record or Evidence Lot • Release Dates recorded • Access to Evidence restricted • Original Hard Drive placed in Locker • All forensics performed on bit stream copies

  32. Chain of Custody Document

  33. Admissibility of Computer Forensic Evidence A forensic examiner’s qualifications can be challenged or the tools or methodologies used in a forensic investigation can be objected to. • Whether the theory or technique has been tested • Whether it has been subjected to peer review and publication • The known or potential error • The general acceptance of the theory in the scientific community • Whether the proffered testimony is based upon the expert’s special skill

  34. Maintaining a Defensible Approach • Performed in accordance with forensic science principles • Based on standards or current best practices • Conducted with verified tools • Conducted by individuals who are certified • Documented thoroughly

  35. Problems with Poorly Collected Evidence1 • If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented. • If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in the jury members’ mind. 1Scene of the Cybercrime, Shinder & Tittel, p.546

  36. Evidence Disposition • Initial Disposition • After final report completed • Dispose of working copies • Maintain “best evidence” • Final Disposition • 5 years from date case was opened • Unless…

More Related