Date posted: 24-Feb-2018
Uploaded by: masoud-machano
7/25/2019 Week cont..
1/42
WEEK 1
Computer Forensics and Investigations as a Profession
2/42
Understanding Computer Forensics
Defining Computer Forensics
The New Shorter Oxford English Dictionary defines computer forensics as "the application of forensic science techniques to computer-based material".
3/42
Definition
Computer forensics is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable in a legal proceeding.
4/42
cont
At times, it is more science than art; other times, it is more art than science.
Computer forensics is similar to other forms of legal forensics.
But computer forensics needs a great knowledge of computer hardware and software in order to avert the unintended invalidation or destruction of evidence and to preserve the evidence for future analysis.
5/42
cont
Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence; therefore, a professional within this field needs to have a detailed understanding of the local, regional, national, and sometimes even international laws affecting the process of evidence collection and retention.
6/42
cont
Computer forensics can also be described as the critical analysis of a computer hard disk after an intrusion or crime. This is mainly because specialized software tools and procedures are required to analyze the various areas where computer data is stored, after the fact.
7/42
Real-life Examples of Computer Crimes
Hacker pleads guilty to illegally accessing New York Times Computer Network
Adrian Lamo illegally accessed a database containing confidential information such as home telephone numbers and Social Security numbers for over 3,000 contributors. The records he accessed included entries for some famous people in the USA.
8/42
cont
Man pleads guilty to hacking intrusion and theft of data costing company $5.8 million
Daniel Jeremy was charged with illegally accessing a protected computer and stealing customer databases from Acxiom, which maintains customer information for automotive manufacturers, banks, credit card issuers, and retailers, among others. Daniel worked as a computer system administrator.
9/42
Preparing for Computer Investigations
A computer forensic investigator should know
- how the network under investigation is laid out
- what devices are in use
- what types of operating systems are installed
- what types of filesystems are being used
10/42
Know Your Hardware
What (I/O) devices are used in the organization.
This list will provide information on what tools will be needed to analyze information and what areas may be susceptible to intrusion and need more monitoring.
11/42
cont
- Servers
- Workstations
- Personal Digital Assistants (PDAs)
- Other devices (removable media, printers, webcams, faxes, and copiers)
12/42
Check Computers for Unauthorized Hardware
- Modems
- Key loggers: record everything typed
- SyQuest SyJet drive, JumpDrive, Pockey drive, microdrive, portable laptop
13/42
Keep Up to Date with New Hardware (Blackberry, Infrared (IR))
14/42
Know Your Operating System
- Windows
- Unix
15/42
Know What Filesystems are in Use
- FAT
16/42
Maintain Tools and Procedures for Each Operating System and Filesystem
You need to have tools and procedures in place so that you can more easily collect the evidence you need.
17/42
Preinstalled Tools Make Forensics Easier
- There are tools already installed on most operating systems.
- All operating systems come with the ability to log events
- Event Viewer allows you to audit certain events
- Event Viewer maintains log files
18/42
Event Viewer for Windows
Event Viewer
19/42
Auditing
Auditing is the process of tracking users and their actions on a network.
You should audit access use and rights changes to prevent unauthorized or unintentional access by a guest or restricted user account. This will prevent access to sensitive or protected resources.
20/42
cont
- Auditing should be a clear-cut plan built around goals and policies.
- When deciding what to audit, first identify potential resources at risk within your network environment.
- These resources might be sensitive files, financial applications, and personnel files.
21/42
cont
- Set up the audit policy through the operating system tools
- It is useful to monitor successful as well as failed access attempts
- Auditing is resource intensive and can easily add additional load to your server
- Make time to view the logs
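The auditing steps on these slides (decide the at-risk resources first, audit only those to limit load, record both successful and failed access, then review the log), worked as an added example that is not part of the lecture. Account names, share paths and log records are constructed, and the record layout is a simplified stand-in rather than a real event-log format.

```python
"""Audit-log review following the slides' plan (constructed data throughout)."""
from collections import Counter

# Step 1: resources at risk, decided up front from goals and policy.
AT_RISK = {
    r"\\fs1\finance\ledger.xlsx": "financial application data",
    r"\\fs1\hr\personnel.db": "personnel files",
}
# Guest and restricted accounts whose access the slides say to watch for.
RESTRICTED_ACCOUNTS = {"Guest", "contractor1"}

# Constructed sample log: (timestamp, account, resource, access, outcome)
SAMPLE_LOG = [
    ("2019-07-25T08:01:10", "alice", r"\\fs1\finance\ledger.xlsx", "Read", "Success"),
    ("2019-07-25T08:02:33", "Guest", r"\\fs1\hr\personnel.db", "Read", "Failure"),
    ("2019-07-25T08:02:40", "Guest", r"\\fs1\hr\personnel.db", "Read", "Failure"),
    ("2019-07-25T08:05:02", "contractor1", r"\\fs1\finance\ledger.xlsx", "Write", "Success"),
    ("2019-07-25T08:07:45", "bob", r"\\fs1\public\notes.txt", "Write", "Success"),
]


def audit_policy_filter(records):
    """Step 2: keep only events that touch at-risk resources.

    Auditing everything adds load to the server, so the audit policy is
    scoped to the resources identified in step 1.
    """
    return [r for r in records if r[2] in AT_RISK]


def review(records):
    """Steps 3 and 4: count successes AND failures, flag restricted accounts.

    Returns {"counts": {(account, resource, access, outcome): n},
             "findings": [text, ...]} for the reviewer to follow up.
    """
    scoped = audit_policy_filter(records)
    counts = Counter((acct, res, access, outcome) for _, acct, res, access, outcome in scoped)
    findings = []
    for (acct, res, access, outcome), n in sorted(counts.items()):
        if acct in RESTRICTED_ACCOUNTS:
            # Failures show probing by a restricted account; a success shows a
            # rights problem that already let it reach the protected resource.
            severity = "HIGH" if outcome == "Success" else "MEDIUM"
            findings.append(f"{severity}: {acct} {access} {outcome.lower()} x{n} "
                            f"on {res} ({AT_RISK[res]})")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    for line in review(SAMPLE_LOG)["findings"]:
        print(line)
```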
22/42
Know Your Limits
- You must know what lengths you must go to minimize the damage.
- Know the legal organizational rights and limits
- Know the search and seizure guidelines
- Know Zanzibar's Computer Act of 200
- Know Zanzibar's Criminal Code
23/42
Will This End Up in Court?
- In the case that an incident is of enormous proportion and the organizational policy is to prosecute, an investigation could end up in court.
24/42
cont
- Courts require that information, rather than equipment, be seized, and the information must be ample and unaltered.
- Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court.
25/42
Develop Your Incident Response Team
- Proper preservation of evidence must be done by an incident response team (IRT) developed by an organization.
- The team must know how to handle situations.
- The team must have clear incident response plans.
26/42
cont
- Team members should be the following personnel:
  - Security and IT personnel
  - Someone to deal with communication with management and employees
  - Someone to deal with communication with vendors, business partners and press
  - Developers of in-house applications and interfaces
  - Database managers
27/42
State Clear Processes
- The basic premise of incident handling and response is that an organization needs to have a clear action plan on what procedures should be in place when an incident happens.
- The procedures should be:
  - Identifying the initial infected resources
  - Notifying key personnel
28/42
cont
  - Assembling the response team
  - Diagnosing the problem, identifying possible solutions and setting priorities
  - Gathering all the information learned about the incident
  - Communicating the incident
29/42
Coordinate with Local Law Enforcement
- It is good to report incidents to law enforcement.
- Law enforcement agencies are familiar with computer crimes investigation, view intrusion as important, and will respond appropriately.
30/42
Investigative Guidelines
- It cannot be overemphasized that the rules of evidence apply equally to computer-based electronic evidence as much as they do to material obtained from other sources.
- It is always the responsibility of the case officer to ensure compliance with legislation and, in particular, to be sure that the procedures adopted in the seizure of any
31/42
cont
- property are performed in accordance with statute and current case law.
- In the case of Zanzibar, make sure you follow the guidelines in accordance with statute and the current laws of evidence of Zanzibar.
32/42
Computer Forensics Standards and Best Practices
- IOCE (International Organization on Computer Evidence)
- American Society of Crime Laboratory Directors
- ACPO Good Practice Guide (UK)
- Four principles of computer-based electronic evidence according to ACPO:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
35/42
cont
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
36/42
cont
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
37/42
cont
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
38/42
Explanation of the principles
- Computer-based electronic evidence is subject to the same rules and laws that apply to documentary evidence.
- The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of police.
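Principle 3 (a preserved audit trail that an independent third party can re-run) and the "no more and no less" test above, shown as an added example that is not part of the lecture: each handling step records the examiner, the action and a SHA-256 hash of the evidence, and a later verification recomputes the hash and reports any step whose recorded value no longer matches. The "disk image", examiner names and step descriptions are constructed.

```python
"""Evidence audit trail with hash verification (constructed example)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash the evidence bytes; the value recorded at seizure is the reference."""
    return hashlib.sha256(data).hexdigest()


def record_step(trail: list, examiner: str, action: str, data: bytes) -> dict:
    """Append one audit-trail entry: who did what, when, and the hash afterwards."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": sha256_hex(data),
    }
    trail.append(entry)
    return entry


def verify_trail(trail: list, data: bytes):
    """Independent re-check of the trail: every recorded hash must equal the
    hash of the evidence as it is now.  Returns (ok, problems); a mismatch means
    the item is no longer "no more and no less" than when it was seized."""
    current = sha256_hex(data)
    problems = [
        f"step {i} ({e['action']}): recorded {e['sha256'][:12]}, now {current[:12]}"
        for i, e in enumerate(trail) if e["sha256"] != current
    ]
    return (not problems, problems)


def demo():
    """Constructed walk-through: a clean trail verifies, a touched image does not."""
    image = b"constructed-disk-image\x00" * 64  # stands in for an acquired image
    trail = []
    record_step(trail, "examiner-A", "seizure: hashed original media", image)
    record_step(trail, "examiner-A", "acquisition: imaged behind write blocker", image)
    record_step(trail, "examiner-B", "analysis: keyword search on read-only copy", image)
    clean_ok, _ = verify_trail(trail, image)
    # Failure mode from the slides: the OS or a careless examiner writes to the
    # media after seizure, so a third party re-running the hash gets a mismatch.
    touched = image[:-1] + b"\x01"
    touched_ok, _ = verify_trail(trail, touched)
    return clean_ok, touched_ok  # (True, False)


if __name__ == "__main__":
    print(demo())
```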
39/42
cont
- Operating systems and other programs frequently alter and add to the contents of electronic storage. This may happen automatically without the user necessarily being aware that the data has been changed.
40/42
The Nature of Computer-Based Electronic Evidence
- Computer-based electronic evidence is information and data of investigative value that is stored on or transmitted by a computer.
- As such, this evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence is latent.
41/42
cont
- In its natural state, we cannot see what is contained in the physical object that holds our evidence.
- Equipment and software are required to make the evidence available.
- Testimony may be required to explain the examination and any process limitations.
42/42
cont
- Computer-based electronic evidence is, by its very nature, fragile.
- It can be altered, damaged, or destroyed by improper handling or improper examination.
- For this reason, special precautions should be taken to document, collect, preserve and examine this type of evidence.
- Failure to do so may render it unusable or lead to an inaccurate conclusion.