1 / 26

Computer Forensics and Advanced Topics

Computer Forensics and Advanced Topics. Chapter 17. Computer Forensics. Application of computer science and engineering principles and practices to investigate unauthorized computer use and/or the use of a computer to support illegal activities

Télécharger la présentation

Computer Forensics and Advanced Topics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Computer Forensics and Advanced Topics Chapter 17

  2. Computer Forensics • Application of computer science and engineering principles and practices to investigate unauthorized computer use and/or the use of a computer to support illegal activities • Computer forensics is conducted for three purposes: • Investigating and analyzing computer systems as related to violation of laws. • Investigating and analyzing computer systems for compliance with an organization's policies. • Investigating computer systems that have been remotely attacked.

  3. Role of a Computer Forensic Specialist • Isolates security holes • Identifies modes of access • Detects clues for evidence of a cybercrime or security breach • Ensures maximum recovery of data and preservation of digital evidence

  4. The Forensic Process • Identify evidence • Collection of evidence • Examination of evidence • Analysis of evidence • Documenting and reporting of evidence

  5. Digital Evidence • Digital evidence can be retrieved from computers, cell phones, pagers, PDAs, digital cameras, and any device that has memory or storage. • Extremely volatile and susceptible to tampering • Often concealed like fingerprints • Sometimes time sensitive

  6. Digital Evidence • Evidence consists of documents, verbal statements, and material objects admissible in a court of law. • It is critical to convince management, juries, judges, or other authorities that some kind of violation has occurred. • If evidence will be used in court proceedings or actions that could be challenged legally, evidence must meet these three standards: • Sufficiency: The evidence must be convincing or measure up without question. • Competency: The evidence must be legally qualified and reliable. • Relevancy: The evidence must be material to the case or have a bearing on the matter at hand.

  7. Principles of Digital Evidence • Investigation/analysis performed on seized digital evidence should not change evidence in any form • Evidence should only be manipulated and analyzed on a copy of original source • Individual must be forensically competent to be given permission to access original digital evidence • Activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review

  8. Identify Evidence • Mark evidence properly as it is collected so that it can be identified as the particular piece of evidence gathered at the scene. • Label and store evidence properly. • Ensure that the labels cannot be removed easily. • Keep a logbook. • Identify each piece of evidence (in case the label is removed).

  9. Identify Evidence • The information should be specific enough for recollection later in the court. • Log other identifying marks, such as device make, model, serial number, and cable configuration or type. • Note any type of damage to the piece of evidence. • It is important to be methodical while identifying evidence. • Do not collect evidence by yourself—have a second person witness the actions.

  10. Identify Evidence • Protect evidence from electromagnetic or mechanical damage. • Ensure that the evidence is not tampered, damaged, or compromised by the procedures used during the investigation. • Do not damage evidence – Avoids liability problems later. • Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration. • Use static-free evidence protection gloves, not standard latex gloves. • Seal the evidence in a proper container with evidence tape.

  11. Types of Evidence • Direct evidence is oral testimony that proves a specific fact, such as an eyewitness' statement. • Real evidence is physical evidence that links the suspect to the scene of a crime. • Documentary evidence is evidence in the form of business records, prints, and manuals. • Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, or chart, offered to prove that an event occurred.

  12. Three rules of Evidence • Best Evidence Rule • Courts prefer original evidence rather than a copy to ensure no alteration of the evidence has occurred. • Exclusionary Rule • The Fourth Amendment to the United States Constitution precludes illegal search and seizure and, therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. • Hearsay Rule • Hearsay is second-hand evidence—evidence not gathered from the personal knowledge of the witness.

  13. Guidelines for Collecting Evidence • While conducting the investigation, analyze computer storage carefully. • Analyze a copy of the system and not the original system – that is evidence. • Use a system specially designed for forensics examination. • Conduct analysis in a controlled environment with: • Strong physical security • Minimal traffic • Controlled access

  14. Guidelines for Collecting Evidence • Unless there are specific tools to take forensic images under Windows, DOS should be used for imaging process instead of standard Windows. • Boot it from a floppy disk or a CD, and have only the minimal amount of software installed to preclude propagation of a virus or the inadvertent execution of a Trojan horse or other malicious program. • Windows can then be used to examine copies of the system.

  15. Collecting Evidence • Each investigation is different. Given below is an example of a comprehensive investigation. • Remove or image only one component at a time. • Remove the hard disk and label it – use an anti-static or static-dissipative wristband and mat before beginning the investigation. • Identify the disk type (IDE, SCSI, or other type). Log the disk capacity, cylinders, heads, and sectors. • Image the disk with a bit-level copy, sector by sector – this will retain deleted files, unallocated clusters, and slack space.

  16. Collection Steps • Make a list of all systems, software, and data involved, as well as evidence to be collected • Establish criteria for what is likely to be relevant and admissible in court • Remove external factors that may cause accidental modification of file system or system state • Perform quick analysis of external logs and IDS output continued…

  17. Collection Steps • Proceed from more volatile assets to less • Memory • Registry, routing table, arp cache, process cache • Network connections • Temporary files • Disk or storage device • Check processes running on the system • Copy arp cache, routing table, registry, status of network connections • Capture temporary files • Make byte-by-byte copy of entire media • Remove and store original media in a secure location • Do not run programs that modify files or their access times • Do not shutdown until the most volatile evidence has been collected • Do not trust programs on the system • Document the procedure

  18. Chain of Custody • The chain of custody accounts for all persons who handled or had access to the evidence. • It shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence.

  19. Chain of Custody • Steps in the chain of custody are: • Record each item collected as evidence. • Record who collected the evidence along with the date and time. • Document a description of the evidence. • Put the evidence in containers and tag the containers with the case number the name of the person who collected it, and the date and time.

  20. Chain of Custody • Steps in the chain of custody are (continued): • Record all message digest (hash) values in the documentation. • Securely transport the evidence to a protected storage facility. • Obtain a signature from the person who accepts the evidence at this storage facility. • Provide controls to prevent access to and compromise of the evidence while it is being stored. • Securely transport it to the court for proceedings.

  21. Free Space vs Slack Space • When a user deletes a file, the file is not actually deleted. • Instead, a pointer in a file allocation table is deleted. • A second file that is saved in the same area does not occupy as many sectors as the first file – there will be a fragment of the original file. • The sector that holds the fragment of this file is referred to as free space because the operating system marks it usable when needed. • When the operating system stores something else in this sector, it is referred to as allocated. • Unallocated sectors still contain the original data until the operating system overwrites them.

  22. Free Spack vs Slack Space • When a file is saved to a storage media, the operating system allocates space in blocks of a predefined size, called sectors. • The size of all sectors is the same on a given system or hard drive. • Even if a file contains only 10 characters, the operating system will allocate a full sector of say 1,024 bytes—the space left over in the sector is slack space.

  23. Free Space vs Slack Space • It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space. • Slack space from files that previously occupied that same physical sector on the drive may contain information. • Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.

  24. Education and Training • One of the most cost-effective tools in computer security • Knowledge of systems documentation • Knowledge of security procedures • Availability of resources and references • “Loose lips sink ships” • Clearly delineate information that may never be divulged over the phone

  25. Education and Training • Require proof of positive identity • Purpose of training and awareness program • Agency security appointments and contacts • Contacts and action in the event of a real or suspected security incident • Legitimate use of system accounts • Access and control of system media continued…

  26. Education and Training • Destruction and sanitization of media and hard copies • Security of system accounts (including sharing of passwords) • Authorization for applications, databases, and data • Use of the Internet, the Web, and e-mail

More Related