Download
digital forensics n.
Skip this Video
Loading SlideShow in 5 Seconds..
Digital Forensics PowerPoint Presentation
Download Presentation
Digital Forensics

Digital Forensics

284 Vues Download Presentation
Télécharger la présentation

Digital Forensics

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September 12, 2007

  2. Outline • Agenda for next several lectures • Review of Part 1 • Data Recovery • Evidence Collection and Data Seizure • Useful Links and discussions • Reference: Part II of Text Book: Chapters 5 and 6

  3. Agenda for Lectures until October 8, 2007 • September 17, 2007 • Chapters 7 and 8; Example programming projects • September 19, 2007 • Chapters 9, 10, 11 • September 24, 2007 • Guest Lecture: Richardson Police Department • September 26, 2007 • Chapter 12: Network Forensics • October 1, 2007 • Guest Lecture: FBI North Texas • October 3, 2007 • Selected Paper Discussions • October 8, 2007 • Begin Part IV of book

  4. Review of Part 1 • Lecture 1: Introduction • Lecture 2: Fundamentals • Lecture 3: Forensics Technologies • Lecture 4: Botnets • Lecture 5: Forensics Systems • Lecture 6: Forensics Services • Lecture 7: Malicious Code Detection

  5. Data Recovery • What Data Recovery? • Role of Backup in Data Recovery • Data Recovery Solution • Hiding and Recovering Hidden Data

  6. What is Data Recovery • Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered • In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis

  7. Role of Backup in Data Recovery • Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state • Challenge to backup petabyte sized databases/files • Obstacles for backing up • Backup window, network bandwidth, system throughout • Current trends • Storage cost decreasing, systems have to be online 24x7 • Next generation solutions • Multiple backup servers, optimizing storage space

  8. Data Recovery/Backup Solution • Develop a plan/policy for backup and recovery • Develop/Hire/Outsource the appropriate expertise • Develop a system design for backup/recovery • Three tier architectures, caches, backup servers • Examine state of the art backup/recovery products and tools • Implement the backup plan according to the policy and design

  9. Recover Hidden Data • Hidden data • Files may be deleted, but until they are overwritten, the data may remain • Data stored in diskettes and stored insider another disk • Need to get all the pieces and complete the puzzle • Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle • Reference: • http://www.forensicfocus.com/hidden-data-analysis-ntfs

  10. Evidence Collection and Data Seizure • What is Evidence Collection • Types of Evidence • Rules of Evidence • Volatile Evidence • Methods of Collection • Steps to Collection • Controlling Contamination

  11. What is Evidence Collection • Collecting information from the data recovered for further analysis • Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited • Collect evidence for analysis or monitor the intruder • Obstacles • Difficult to extract patterns or useful information from the recovered data • Difficult to tie the extracted information to a person

  12. Types of Evidence • Testimonial Evidence • Evidence supplied by a witness; subject to the perceived reliability of the witness • Word processor documents written by a witness as long as the author states that he wrote it • Hearsay • Evidence presented by a person who is not a direct witness • Word processor documents written by someone without direct knowledge of the incident

  13. Rules of Evidence • Admissible • Evidence must be able to be used in court • Authentic • Tie the evidence positively to an incident • Complete • Evidence that can cover all perspectives • Reliable • There should be no doubt that proper procedures were used • Believable • Understandable and believable to a jury

  14. Additional considerations • Minimize handling and corruption of original data • Account for any changes and keep detailed logs • Comply with the 5 basic rules • Do not exceed your knowledge – need to understand what you are doing • Follow the security policy established • Work fast / however need to be accurate • Proceed from volatile to persistent evidence • Do not shut down the machine before collecting evidence • Do not run programs on the affected machine

  15. Volatile Evidence • Types • Cached data • Routing tables • Process table • Kernel statistics • Main memory • What to do next • Collect the volatile data and store in a permanent storage device

  16. Methods of Collection • Freezing the scene • Taking a snapshot of the system and its compromised state • Recover data, extract information, analyze • Honeypotting • Create a replica system and attract the attacker for further monitoring

  17. Steps to Collection • Find the evidence; where is it stored • Find relevant data - recovery • Create order of volatility • Remove eternal avenues of change; no tampering • Collect evidence – use tools • Good documentation of all the actions

  18. Controlling Contamination • Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques • Maintain a chain of custody, who owns the data, data provenance techniques • Analyze the evidence • Use analysis tools to determine what happened • Analyze the log files and determine the timeline • Analyze backups using a dedicated host • Reconstruct the attack from all the information collected

  19. Conclusion • Data must be backed up using appropriate policies, procedur4es and technologies • Once a crime ahs occurred data ahs to be recovered from the various disks and commuters • Data that is recovered has to be analyzed to extract evidence • Evidence has to analyzed to determine what happened • Use log files and documentations to establish the timeline • Reconstruct the attack

  20. Links • Data Recovery • http://www.datatexcorp.com/ • http://www.forensicfocus.com/hidden-data-analysis-ntfs • Digital Evidence • http://faculty.ncwc.edu/toconnor/426/426lect06.htm • http://www.itoc.usma.edu/Workshop/2006/Program/Presentations/IAW2006-07-1.pdf • http://www.e-evidence.info/index.html • http://www.digital-evidence.org/ • http://findarticles.com/p/articles/mi_m2194/is_3_73/ai_n6006624/pg_1 • http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Presentations/DigitalEvidence.pdf