Week cont..

Date post: 24-Feb-2018
Upload: masoud-machano
Transcript
  • 7/25/2019 Week cont..

1/42

WEEK 1

Computer Forensics and Investigations as a Profession

2/42

Understanding Computer Forensics

Defining Computer Forensics

The New Shorter Oxford English Dictionary defines computer forensics as "the application of forensic science techniques to computer-based material".

3/42

Definition

Computer forensics is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable in a legal proceeding.

4/42

cont

At times, it is more science than art; other times, it is more art than science.

Computer forensics is similar to other forms of legal forensics.

But computer forensics needs a great knowledge of computer hardware and software in order to avert the unintended invalidation or destruction of evidence and to preserve the evidence for future analysis.

5/42

cont

Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence; therefore, a professional within this field needs to have a detailed understanding of the local, regional, national, and sometimes even international laws affecting the process of evidence collection and retention.

6/42

cont

Computer forensics can also be described as the critical analysis of a computer hard disk after an intrusion or crime. This is mainly because specialized software tools and procedures are required to analyze the various areas where computer data is stored, after the fact.

7/42

Real-life Examples of Computer Crimes

Hacker pleads guilty to illegally accessing New York Times computer network

Adrian Lamo illegally accessed a database containing confidential information such as home telephone numbers and Social Security numbers for over 3,000 contributors. The records he accessed included entries for some famous people in the USA.

8/42

cont

Man pleads guilty to hacking intrusion and theft of data costing company $5.8 million

Daniel Jeremy was charged with illegally accessing a protected computer and stealing customer databases from Acxiom, which maintains customer information for automotive manufacturers, banks, credit card issuers, and retailers, among others. Daniel worked as a computer system administrator.

9/42

Preparing for Computer Investigations

A computer forensic investigator should know

- how the network under investigation is laid out

- what devices are in use

- what types of operating systems are installed

- what types of filesystems are being used

10/42

Know Your Hardware

What (I/O) devices are used in the organization.

This list will provide information on what tools will be needed to analyze information and what areas may be susceptible to intrusion and need more monitoring.

11/42

cont

- Servers

- Workstations

- Personal Digital Assistants (PDAs)

- Other devices (removable media, printers, webcams, faxes, and copiers).

12/42

Check Computers for Unauthorized Hardware

- Modems

- Key loggers: record everything typed

- (SyQuest SyJet drive, JumpDrive, Pockey drive, microdrive, portable laptop)

13/42

Keep Up to Date with New

- (Blackberry, Infrared (IR))

14/42

Know Your Operating System

- Windows

- Unix

15/42

Know What Filesystems are in Use

- FAT

16/42

Maintain Tools and Procedures for Each Operating System and Filesystem

You need to have tools and procedures in place so that you can more easily collect the evidence you need.

17/42

Preinstalled Tools Make Forensics Easier

- There are tools already installed on most operating systems.

- All operating systems come with the ability to log events

- Event Viewer allows you to audit certain events

- Event Viewer maintains log files

18/42

Event Viewer for Windows

(screenshot: Event Viewer)

19/42

Auditing

Auditing is the process of tracking users and their actions on a network.

You should audit access use and rights changes to prevent unauthorized or unintentional access by a guest or restricted user account.

This will prevent access to sensitive or protected resources.

20/42

cont

- Auditing should be a clear-cut plan built around goals and policies.

- When deciding what to audit, first identify potential resources at risk within your network environment.

- These resources might be sensitive files, financial applications, and personnel files.

21/42

cont

- Set up the audit policy through the operating system tools

- It is useful to monitor successful as well as failed access attempts

- Auditing is resource intensive and can easily add additional load to your server

- Make time to view the logs
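The three audit goals on these slides (access use, rights changes, and guest or restricted accounts, with both successful and failed attempts monitored) as a small log review; this is an added example, not part of the lecture, and the records, account names and threshold are constructed (the event IDs are the real Windows Security log IDs).

```python
"""Review of constructed audit records (added example, not from the slides)."""
from collections import Counter

# Windows Security log event IDs used below (real IDs):
# 4624 successful logon, 4625 failed logon, 4670 permissions on an object changed.
EVENT_NAMES = {4624: "logon", 4625: "failed logon", 4670: "rights change"}

# Constructed sample records: timestamp|event id|account|detail
SAMPLE_LOG = """\
2019-07-25T08:01:10|4624|alice|workstation WS01
2019-07-25T08:02:41|4625|bob|bad password
2019-07-25T08:02:49|4625|bob|bad password
2019-07-25T08:03:02|4625|bob|bad password
2019-07-25T08:03:15|4625|bob|bad password
2019-07-25T08:05:30|4624|Guest|workstation WS07
2019-07-25T08:06:12|4670|Guest|ACL changed on FS01 share Finance/payroll.xlsx
2019-07-25T09:10:00|4670|alice|ACL changed on FS01 share HR/personnel.docx
"""

RESTRICTED_ACCOUNTS = {"guest"}   # accounts the audit policy says should never be active
FAILED_LOGON_THRESHOLD = 3        # constructed threshold for "worth a look"

def parse_events(text):
    """Turn the pipe-separated records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        ts, eid, account, detail = parts
        events.append({"time": ts, "id": int(eid), "account": account, "detail": detail})
    return events

def review(events):
    """Apply the slides' audit goals: failed attempts, rights changes, restricted accounts."""
    failed = Counter(e["account"] for e in events if e["id"] == 4625)
    findings = {
        "failed_logons": dict(failed),
        "suspicious_accounts": sorted(a for a, n in failed.items() if n >= FAILED_LOGON_THRESHOLD),
        "rights_changes": [(e["account"], e["detail"]) for e in events if e["id"] == 4670],
        "restricted_activity": [(e["time"], EVENT_NAMES.get(e["id"], str(e["id"])), e["detail"])
                                for e in events if e["account"].lower() in RESTRICTED_ACCOUNTS],
    }
    return findings

if __name__ == "__main__":
    for key, value in review(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```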

22/42

Know Your Limits

- You must know what lengths you must go to to minimize the damage.

- Know the legal organizational rights and limits

- Know the search and seizure guidelines

- Know Zanzibar's Computer Act of 200[?]

- Know Zanzibar's Criminal Code

23/42

Will This End Up in Court?

- In the case that an incident is of enormous proportion and the organizational policy is to prosecute, an investigation could end up in court.

24/42

cont

- Courts require that information instead of equipment be seized, and information must be ample and unaltered.

- Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court.

25/42

Develop Your Incident Response Team

- Proper preservation of evidence must be done by an incident response team (IRT) developed by an organization.

- The team must know how to handle situations.

- The team must have clear incident response plans.

26/42

cont

- Team members should be the following personnel:

- Security and IT personnel

- Someone to deal with communication with management and employees

- Someone to deal with communication with vendors, business partners and press

- Developers of in-house applications and interfaces

- Database managers

27/42

State Clear Processes

- The basic premise of incident handling and response is that an organization needs to have a clear action plan on what procedures should be in place when an incident happens.

- The procedures should be:

- Identifying the initial infected resources

- Notifying key personnel

28/42

cont

- Assembling the response team

- Diagnosing the problem and identifying possible solutions and setting priorities.

- Gathering all the information learned about the incident

- Communicating the incident.

29/42

Coordinate with Local Law Enforcement

- It is good to report incidents to law enforcement.

- Law enforcement agencies are familiar with computer crimes investigation, view intrusion as important, and will respond appropriately.

30/42

Investigative Guidelines

- It cannot be overemphasized that the rules of evidence apply equally to computer-based electronic evidence as much as they do to material obtained from other sources.

- It is always the responsibility of the case officer to ensure compliance with legislation and, in particular, to be sure that the procedures adopted in the seizure of any

31/42

cont

- property are performed in accordance with statute and current case law.

- In the case of Zanzibar, make sure you follow the guidelines in accordance with statute and current laws of evidence of Zanzibar.

32/42

Computer Forensics Standards and Best Practices

- IOCE (International Organization on Computer Evidence)

- American Society of Crime Laboratory Directors

- ACPO (Association of Chief Police Officers) Good Practice Guide (UK)

- Four principles of computer-based electronic evidence according to ACPO:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

35/42

cont

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

36/42

cont

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

37/42

cont

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

38/42

Explanation of the principles

- Computer-based electronic evidence is subject to the same rules and laws that apply to documentary evidence.

- The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of police.

39/42

cont

- Operating systems and other programs frequently alter and add to the contents of electronic storage. This may happen automatically without the user necessarily being aware that the data has been changed.
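How an examiner shows the court that evidence is "no more and no less" than when it was taken, and keeps the audit trail Principle 3 asks for, in the common form of a cryptographic hash recorded at acquisition and re-checked later; this is an added example, not from the lecture, and the image bytes, exhibit name and examiner name are constructed (the second image stands in for the silent OS modification the slide above describes).

```python
"""Integrity record and audit trail for an evidence image (added example, not from the slides)."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real one is read from a write-blocked device).
ORIGINAL_IMAGE = b"MBR\x00" * 64 + b"user files: letter.docx, photo.jpg"
# The same image after being mounted read-write (constructed): the OS silently wrote a timestamp.
ALTERED_IMAGE = ORIGINAL_IMAGE.replace(b"photo.jpg", b"photo.jpg\nlast_mount=2019-07-25")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class AuditTrail:
    """Principle 3: record every process applied to the evidence so a third party can repeat it."""
    def __init__(self, exhibit, examiner):
        self.exhibit, self.examiner, self.entries = exhibit, examiner, []
        self.reference_hash = None

    def log(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "exhibit": self.exhibit,
                 "examiner": self.examiner, "action": action, **details}
        self.entries.append(entry)
        return entry

    def acquire(self, image):
        """Hash at acquisition: this is the 'as first taken into possession' state."""
        self.reference_hash = sha256_hex(image)
        self.log("acquire", sha256=self.reference_hash, size=len(image))
        return self.reference_hash

    def verify(self, image):
        """Rehash a working copy; True only if it is 'no more and no less' than the reference."""
        current = sha256_hex(image)
        ok = current == self.reference_hash
        self.log("verify", sha256=current, matches_reference=ok)
        return ok

def third_party_check(image, claimed_hash):
    """An independent examiner repeating the hashing must reach the same result."""
    return sha256_hex(image) == claimed_hash

if __name__ == "__main__":
    trail = AuditTrail(exhibit="EXH-001", examiner="examiner-a")
    ref = trail.acquire(ORIGINAL_IMAGE)
    print("working copy intact:", trail.verify(ORIGINAL_IMAGE))        # True
    print("mounted copy intact:", trail.verify(ALTERED_IMAGE))          # False
    print("independent re-check agrees:", third_party_check(ORIGINAL_IMAGE, ref))  # True
    for entry in trail.entries:
        print(entry)
```

A write blocker prevents the alteration in the first place; the hash record is what lets an independent party prove, after the fact, that nothing changed.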

40/42

The Nature of Computer-Based Electronic Evidence

- Computer-based electronic evidence is information and data of investigative value that is stored on or transmitted by a computer.

- As such, this evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence is latent.

41/42

cont

- In its natural state, we cannot see what is contained in the physical object that holds our evidence.

- Equipment and software are required to make the evidence available.

- Testimony may be required to explain the examination and any process limitations.

42/42

cont

- Computer-based electronic evidence is, by its very nature, fragile.

- It can be altered, damaged, or destroyed by improper handling or improper examination.

- For this reason, special precautions should be taken to document, collect, preserve and examine this type of evidence.

- Failure to do so may render it unusable or lead to an inaccurate conclusion.

