Introduction to Computer Forensics

Presentation Transcript
  1. Introduction to Computer Forensics

  2. Acknowledgments Dr. David Dampier and the Center for Computer Security Research (CCSR)

  3. What is Forensics? Forensics is the art and study of argumentation and formal debate. It uses the application of a broad spectrum of sciences to answer questions of interest to the legal system. Forensic Science is the science and technology that is used to investigate and establish facts in criminal or civil courts of law.

  4. Criminal Justice Fundamentals • How a case usually plays out: • Law Enforcement notified of crime • Evidence is gathered – may require search warrants • Suspects are developed • Interviews or interrogations are conducted • Suspect is charged • Case w/evidence is turned over to prosecutor

  5. What is Computer Forensics? • Computer forensics is forensics applied to information stored or transported on computers • It “involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis” • Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.

  6. What is Computer Crime?
  • Three situations where you might find evidence on a digital device:
    • Device used to conduct the crime
      • Child Pornography/Exploitation
      • Threatening letters
      • Fraud
      • Embezzlement
      • Theft of intellectual property
    • Device is the target of the crime
      • Incident Response
      • Security Breach
    • Device is used to support the crime

  7. What is evidence in terms of Computer Forensics?
  • Can be anything!
    • As small as a few bytes
    • Could be, and hopefully will be, complete files
    • Could be deleted
    • Could be encrypted
  • Likely will be fragments of files
    • A few words
    • A couple of sentences
    • Hopefully some paragraphs
  • Registry entries, or log entries!

  8. Where do we find it? • Storage Media • RAM • Log Files • Registry

  9. How might the information be stored? • Might be plain data with no hidden agenda • The data could be encrypted • Data could be hidden • Could be hostile code

  10. Data Encryption
  • Encrypting data could guard the data in two ways:
    • Protect data
      • Use of ciphers
      • Files might need to be decrypted
      • Decryption program generally stored fairly close to the file to be decrypted
      • Probably password protected
    • Prove integrity

  11. Data Hiding
  • Data could be obfuscated. Encryption is some method of modifying data so that it is meaningless and unreadable in its encrypted form. It also must be reasonably secure; that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation: data that is rendered unusable by some means, but is not considered a serious form of encryption.
  • Data could be compressed
  • Data could be hidden in plain sight – innocent-looking data has an alternate meaning
  • Data could be hidden within the file system

  12. Data Hiding (contd.)
  • Data could be hidden in a file
    • Steganography: the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message
    • Invisible names
    • Misleading names
    • No names
  • Hidden data might not be in a file
    • Slack, swap, free space
    • Removable media

  13. Hostile Code
  • Presume that any unknown code is hostile.
  • Guilty until proven innocent.
  • Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile:
    • Resource theft
    • Circumvention of access control mechanisms
    • Social status
    • Remote access
    • Data gathering
    • Sabotage
    • Denial-of-service
    • Eluding detection

  14. How do we go about the business of Computer Forensics? Three A’s of Computer Forensics • Acquire the evidence without altering or damaging the original. • Authenticate that your recovered evidence is the same as the originally seized data. • Analyze the data without modifying it.

  15. Acquire the evidence • How do we seize the computer? • How do we handle computer evidence? • What is chain of custody? • Evidence collection • Evidence Identification • Transportation • Storage • Documenting the Investigation

  16. Authenticate the Evidence • Prove that the evidence is indeed what the criminal left behind. • Contrary to what the defense attorney might want the jury to believe, readable text or pictures don’t magically appear at random. • Calculate a hash value for the data • MD5 • SHA-1, SHA-256, SHA-512

  17. Analysis • Always work from an image of the evidence and never from the original. • Prevent damage to the evidence. • Make two backups of the evidence in most cases. • Analyze everything; you may need clues from something seemingly unrelated.
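The Acquire, Authenticate and Analyze steps of slides 14 to 17, as an added Python example that is not part of the original presentation: it images a constructed sample "evidence" file while hashing it with the algorithms slide 16 lists, checks that both the untouched original and the working image still match those digests, and shows that a copy with a single changed byte fails authentication. The file names, sample bytes and helper names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence": a byte string standing in for a seized disk.
EVIDENCE = b"meet me at midnight. " * 8 + b"\x00" * 32
HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")  # the algorithms slide 16 lists


def hash_bytes(data, algos=HASH_ALGOS):
    """Authenticate: digest one buffer with every listed algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algos}


def acquire(source_path, image_path, chunk_size=4096):
    """Acquire: stream a bit-for-bit copy, hashing the source as it is read
    so the digests describe exactly the bytes that came off the original."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(chunk_size):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    os.chmod(image_path, 0o444)  # analysts read the image, never write it
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected):
    """Re-hash a file and compare it against the acquisition digests."""
    with open(path, "rb") as f:
        return hash_bytes(f.read()) == expected


def demo():
    """Acquire, authenticate, then detect a modified copy; returns three bools."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.dd")
        image = os.path.join(d, "working.dd")
        with open(original, "wb") as f:
            f.write(EVIDENCE)
        digests = acquire(original, image)
        original_ok = verify(original, digests)  # original left unaltered
        image_ok = verify(image, digests)        # image is a faithful copy
        # A copy whose last byte was changed must fail authentication even
        # though almost all of its content is identical to the original.
        tampered = os.path.join(d, "tampered.dd")
        with open(tampered, "wb") as f:
            f.write(EVIDENCE[:-1] + b"\x01")
        tampered_ok = verify(tampered, digests)
    return original_ok, image_ok, tampered_ok  # (True, True, False)
```

In practice the acquisition digests are written into the chain-of-custody record at seizure time, and every later verification is compared against that record rather than against a value recomputed from the working copy.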

  18. Tools
  • Password crackers
  • Hard Drive Tools
    • Fdisk on Linux
  • Viewers
    • QVP
    • Diskview
    • Thumbsplus
  • Unerase tools
  • CD-R Utilities
  • Text search tools
  • Drive Imaging
    • Safeback
    • Linux dd
  • Disk Wiping
  • Forensic Toolkits
  • Forensic Computers

  19. Forensic Software • Forensic Toolkit • The Coroner’s Toolkit • Sleuth Kit • Encase • ILook

  20. Digital Crime Scene Investigation Process
  • System Preservation Phase
  • Evidence Searching Phase
  • Event Reconstruction Phase
  • No one right way to do it!
  (Figure: Carrier, B., Page 5, Figure 1.1)