Chap 8 EPCF

Date post: 10-Apr-2018
Upload: prasad-rane
Page 1: Chap 8  EPCF

8/8/2019 Chap 8 EPCF

http://slidepdf.com/reader/full/chap-8-epcf 1/21

Ethics, Privacy and Computer Forensics

Chap 8 Computer Basics For Digital Investigators

Page 2: Chap 8  EPCF

The Basics

Central Processing Unit (CPU): processes the instructions for every computer

Basic Input and Output System (BIOS): handles basic movement of data in a computer

Programs use it to communicate with the CPU

Power on Self Test (POST): a small program that tests basic components of a computer

Verifies the integrity of the CPU and of the program itself

Then it checks all the others: drives, monitor, RAM and keyboard

Before POST is complete and after BIOS is activated, some computers allow you to edit the configuration using Complementary Metal Oxide Silicon (CMOS)

Results of POST are checked against CMOS settings

Page 3: Chap 8  EPCF

Disk Boot

An operating system extends the function of the BIOS and interfaces with the outside world

The boot sequence looks for the location of the OS and loads it

The ability to boot up from a disk is important when the hard disk may contain evidence

Page 4: Chap 8  EPCF

Representation of data

Digital data is a sequence of 0 and 1 called bits

Bit Representation

Little-endian: Intel based

Big-endian: Sun and Mac based

Common data representation is Hexadecimal

Another one is ASCII (table 8.1)

We need to use tools that display data in hexadecimal and ASCII
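
A minimal viewer of the kind this slide calls for, added here as an example (it is not part of the original slides): it displays a constructed byte string in hexadecimal and ASCII and reads one 4-byte field under both byte orders. The names `hexdump`, `read_u32` and `SAMPLE` are hypothetical.

```python
import struct


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as offset, hexadecimal and printable-ASCII columns."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        # Non-printable bytes are shown as '.' so the columns stay aligned
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asciipart}|")
    return "\n".join(lines)


def read_u32(data: bytes, offset: int) -> dict:
    """Interpret the same four bytes as little-endian and as big-endian."""
    if offset < 0 or offset + 4 > len(data):
        raise ValueError("field runs past the end of the buffer")
    field = data[offset:offset + 4]
    return {
        "little": struct.unpack("<I", field)[0],  # Intel byte order
        "big": struct.unpack(">I", field)[0],     # Sun / older Mac byte order
    }


# Constructed sample: an ASCII tag, a 32-bit value of 512 stored
# little-endian, two binary bytes and an ASCII file name.
SAMPLE = b"EVID" + struct.pack("<I", 512) + b"\x00\x01note.txt"

if __name__ == "__main__":
    print(hexdump(SAMPLE))
    print(read_u32(SAMPLE, 4))
```

Read with the wrong byte order, the stored value 512 comes out as 131072, which is why an examiner needs to know which architecture wrote the data.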

Page 5: Chap 8  EPCF

Storage Media

Hard disks, floppy disks, thumb drives etc.

Hard disks are the richest in digital evidence

Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)

Higher performance SCSI drives

FireWire is an adaptation of SCSI standards that provides high speed access to a chain of devices

All hard drives contain platters made of light, rigid material such as aluminum, ceramic or glass

Page 6: Chap 8  EPCF

More on Hard Drives

Platters have a magnetic coating on both sides and spin between a pair of read/write heads

These heads move like a needle on top of the old LP records, but on a cushion of air created by the disk above the surface

The heads can align particles of magnetic media (called writing), and can detect how the magnetic particles are aligned (called reading)

Particles aligned one way are considered 0 and aligned another way 1

Page 7: Chap 8  EPCF

Storage

Cylinders are the data tracks that the data is being recorded on

Each track/cylinder is divided into sectors that contain 512 bytes of information (512*8 bits of information)

Location of data can be determined by which cylinder they are on, which head can access them and which sector contains them, or CHS addressing

Capacity of a hard drive = # of C*H*S*512

Page 8: Chap 8  EPCF

Limitations

When the investigation reveals evidence that the activity falls within reportable crimes;

When the investigation reveals that the trail of evidence extends beyond the boundaries of your enterprise network; and

When you know you're over your head.

Event  Discovery  Analysis Decision Investigate

Page 9: Chap 8  EPCF

File System Locations

SKIP SECTION 8.5 for now

Page 10: Chap 8  EPCF

Very Brief Intro to Encryption

Encryption is a process that translates a plaintext/digital object into an unreadable format or digital object

Encryption uses the concept of a key, which is a type of data that when applied using a specific algorithm will result in unreadable data

Symmetric Encryption: decryption is simply a reverse of the encryption (using the same key)

Asymmetric Encryption: the decryption process is different from encryption and usually done with different keys

Page 11: Chap 8  EPCF

Digital Signatures

Electronic method to ensure:

Data is from who it says it is from

Data has NOT been altered

Important for e-commerce transactions

Works whether or not the document itself is encrypted

Page 12: Chap 8  EPCF

Digital Signatures

Sender builds the signature using a private key

Recipient decodes the signature using the sender's public key

To ensure no changes to data, messages can be hashed

Hashing (somewhat akin to CRC) calculates a unique value for the document

Receiver re-calculates the hash and compares it to the received hash

Page 13: Chap 8  EPCF

The digital signature process.
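
The sign, decode, re-hash and compare steps from the digital signature slides, as an added example that is not part of the original slides. It uses textbook RSA with a deliberately small toy key so the arithmetic is visible; the key values, the function names and the sample messages are assumptions made for illustration.

```python
import hashlib

# Toy RSA key pair built from two small, well-known Mersenne primes
# (constructed for illustration). Real keys are far larger and come from
# a vetted cryptographic library.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                                  # modulus, shared by both keys
PUBLIC_EXP = 65537                         # sender's public key (with N)
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (P - 1) * (Q - 1))  # sender's private key


def message_hash(message: bytes) -> int:
    """Hash the document; reduced mod N only so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int) -> int:
    """Sender: build the signature from the hash using the private key."""
    return pow(message_hash(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int) -> bool:
    """Recipient: decode the signature with the sender's public key,
    re-calculate the hash of what arrived, and compare the two."""
    received_hash = pow(signature, public_exp, N)
    return received_hash == message_hash(message)


def demo() -> dict:
    original = b"Pay 100 to account 12345"   # constructed sample message
    altered = b"Pay 900 to account 12345"    # same message changed in transit
    signature = sign(original, PRIVATE_EXP)
    return {
        "genuine": verify(original, signature, PUBLIC_EXP),
        "altered_message": verify(altered, signature, PUBLIC_EXP),
        "altered_signature": verify(original, (signature + 1) % N, PUBLIC_EXP),
    }


if __name__ == "__main__":
    print(demo())
```

The message itself is never encrypted here, which matches the earlier point that a signature works whether or not the document is encrypted.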

Page 14: Chap 8  EPCF

Ethics

Very hard to define

Certified professionals are held to high standards

Should be part of an organizational behavior and culture

Generate guidelines for ethics and Net-ethics

Page 15: Chap 8  EPCF

(ISC)² Code of Ethics

Conduct in accordance with highest moral standards

Not be a party to any unlawful or unethical act

Report any unlawful acts

Support and be active in promoting best information security practices

Provide competent services to their clients, employees & community

Be professional

Do not misuse information they have access to

Page 16: Chap 8  EPCF

CEI 10 Cs of Computer Ethics - Thou Shall

I. Not use a computer to harm other people

II. Not interfere with other people's work

III. Not snoop around in other people's computer files

IV. Not use a computer to steal

V. Not use a computer to bear false witness

Page 17: Chap 8  EPCF

Computer Ethics Institute 10 Cs of Computer Ethics - Thou Shall

VI. Not copy or use proprietary software for which you have not paid

VII. Not use other people's computer resources without authorization or the proper compensation

VIII. Not appropriate other people's intellectual output

IX. Think about the social consequences of the program you are writing or the system you are designing

X. Use a computer in ways that ensure consideration and respect for your fellow human

Page 18: Chap 8  EPCF

Good Internet Conduct

Unacceptable and unethical activities:

Seeks to gain unauthorized access to resources of the internet

Destroys integrity of computer based information

Disrupts the use of the internet

Wastes resources such as people, capacity and computers via these actions

Compromises privacy of users

Involves negligence in the conduct of internet wide experiments

Page 20: Chap 8  EPCF

Class Work

Research the following tools. Provide at least 5 of each:

Network vulnerability scanning

OS vulnerability scanning

Application vulnerability scanning

Digital Forensics

Pretty Good Privacy (PGP) software

For each tool indicate in a table:

Cost, and whether it is available for download and evaluation

Coverage and what the requirements are for installation

Description of the tool and why you like it or do not like it

OS flavor it works on

Page 21: Chap 8  EPCF

Class Work

In not more than ½ page or two slides, describe the ethical questions concerning handling of digital evidence

Based on what you have read so far, how can you improve on the digital evidence process?

List the types of possible sources of digital evidence and a description of what they may have that is relevant

List at least 10 web sites with digital forensics services and describe their methodology. Not more than ½ page or one slide

