DIGITAL FORENSICS_PRESENTATION

Date post: 19-Aug-2015
Upload: amina-b

DIGITAL FORENSICS

An Overview

BASICS OF EVERY FORENSICS CASE

1. Make an Image

2. Conduct the Investigation

3. Bookmark relevant/important discoveries

4. Prepare a report of the findings

HISTORY

• 1984 Started with the FBI’s Media Magnet Program

  • 3 Cases handled that year

• 1991 The program later became the Computer Analysis Response Team (CART)

• 1995 International Organization on Computer Evidence (IOCE) was formed.

• 2001 CART renamed to Regional Computer Forensics Laboratory (RCFL)

  • FBI’s full-service forensics laboratory devoted to examining and supporting criminal investigations. The RCFLs support state, local and federal cases

• 2001 Computer Forensics renamed to Digital Forensics – 16 centers as of today

WHAT IS IT?

• The practice of determining the past actions that have taken place on a computer system using computer forensic techniques and understanding artifacts.

• It is a science: the techniques that you learn and, in the future, possibly discover must be documented, tested, and verified if you expect them to hold up to scrutiny.

• Often confused with Incident Response (IR).

• Incident Response is a function that belongs strictly within information technology support services. It usually looks for the cause of, or the break associated with, a violation as it relates to a system, a network and the overall computer infrastructure. Digital Forensics instead looks at the actions of a person.

WHAT CAN IT DO?

• Recover deleted files.

• Determine what programs have been run.

• Recover what web pages users have viewed.

• Recover the webmail that users have read.

• Determine what file servers users have used.

• Discover the hidden history of documents.

• Recover deleted private chat conversations between users.

• Recover call records and Short Message Service (SMS) messages from mobile devices.

TOOLS & EQUIPMENT

• Forensic Workstations: There are many available on the market, but what is essential is that the workstations have the processing and memory power to perform the examination you need. As the business/lab grows, access to servers might be needed, as well as purchasing an actual forensic workstation.

• SIFT: A VMware virtual machine developed by SANS, built on Ubuntu.

• Write Blockers: An external device that allows acquisition by passing read commands but blocking write commands.

• Anti-static Bags: Prevent static and shock from damaging the evidence/components you have gathered for your investigation.

• EnCase: Used for data acquisition and analysis

• FTK: Forensic Toolkit scans hard drives looking for various information and can even recover items. It is also used to make computer images.

• ProDiscover: Creates a computer image and can turn an image into a bootable VMware virtual machine.

PREPARING FOR A CASE

• What type of case is it?

  • Administrative, Civil, Criminal

  • Public/Private

• What is being investigated?

  • Crime/Violation

  • OS/Device

• Who will be involved & at what level?

PERFORMING & DOCUMENTING THE INVESTIGATION

• Industry Tools, Processes & Guidelines Used within the investigation

• Reporting Findings

  • Forensic examiners do not make interpretations, but report their findings

  • If certain information, like child pornography, is uncovered during a non-criminal investigation, the case will become criminal and will need to be re-evaluated

• Preparing Reports for legal use

  • Outcome

RECENT & SAMPLE CASES

• Target Data Breaches

  • Network Intrusion/Hacking

  • Personal and financial data was compromised

  • Rescator

  • Sold Credit Card Numbers

• Timberwolves Player: Dante Cunningham

• Romania Bank Transfer Case: Local Non-Profit

  • Zeus

HOW TO BECOME A FORENSICS EXAMINER?

• Formal Training: Credibility

  • Academic

  • Certifications

  • Experience

• Skillset: Competency

  • Tools

  • Industry Best Practices

  • Methodologies

• Personality: Success

  • Analytical

  • Detailed

  • Strong/Emotionally Stable

  • Patient

