Introduction to Computer Forensics: Techniques and Responsibilities
This course, CCJ 346, delves into the technologies and techniques essential for conducting criminal and civil digital investigations. Students will learn how to collect, preserve, and document digital evidence while understanding the legal and ethical considerations involved. Course elements include analysis of computers, networks, and digital devices, as well as hands-on lab experiences. By the end of the course, students will be equipped to navigate the complexities of digital evidence, emphasizing the fragility of digital data and the importance of maintaining a proper evidentiary trail.
Presentation Transcript
Computer/Digital Forensics • Lynn Ackler • Office – CSC 222 • Office Hours • MR 9 – 10 • Any time you find me • Course • CCJ 346 – CRN 2037 • TR 10:00 – 12:00
Course • 2-3 hours of lecture per week • 1-2 hours of lab per week • Attendance • Your responsibility • Labs • Must be done on Wednesdays, 3 - 4
Course Requirements • Lab Reports – A bunch • Web History • MD5 Hash and Disk Clone • Evidence Recovery • Seizure • Phishing • 1 mid-term exam • 1 Final – comprehensive
Course Description • Surveys the technologies, techniques, and responsibilities of a criminal or civil investigation involving computers, digital devices, networks, network service providers and electronic evidence. • Examines rules of evidence and proof and emphasizes maintaining an evidentiary trail through computer data and network activity. • Reviews the responsibilities of the computer forensics investigator. • Discusses the fragility of computer evidence and the techniques used to protect evidence. • SOU Course Catalog
Course Objectives • Find evidence of individual behavior on a computer. • Seize digital devices. • Search, preserve and document digital evidence. • Discuss the many ways that a digital device may be involved in criminal or illegal activities. • Discuss the legal and ethical aspects of computer forensics. • Describe the many vulnerabilities to your personal and professional life that computers and computer networks pose.
Acceptable Use • If you violate ethical or legal standards regarding computer/network usage, you are subject to dismissal and/or legal prosecution. • See www.sou.edu/usage.html
Computer Forensics • As in all endeavors: • “Blame always falls somewhere.” • Rule: • “Let it not be in your lap.”
Computer Forensics • Discovery and recovery of digital evidence • Usually post facto • Sometimes real time • Types of forensic investigations • Liturgical • Going to court • Crimes, etc. • Non-Liturgical • Administrative adjudication • Industry
Purpose • Prove or disprove criminal activity • Prove or disprove policy violation • Prove or disprove malicious behavior to or by the computer/user • If the evidence is there, the case is yours to lose with very little effort.
Legal and Ethical Issues • Computer Forensic Exams are Illegal. • Without the cover of Law • 4th Amendment • You will learn dual use technology. • All tools can be used to commit crime • All procedures can be used to hide crime • It is unethical to breach someone's expectation of privacy.
Responsibilities • Evidence • All of it • Emphasis on exculpatory • Respect for suspect's privacy and rights • Beware of collateral damage • Be very, very careful if you demonstrate what you can do.
Business Issues • No interruption of business • Know the policies of the business • Sensitive to the business costs during an investigation
Privacy Issues • Rights of the suspect • Liabilities of the investigator • Public versus private storage of information • Expectation of privacy
Course Outline • Forensics Intro • Web Behavior • Digital Devices and Networks • Computer Laws • “Computer” Seizure • “Computer” Search • Case Development • Internet
CT/CSI Counter Terrorism / Crime Scene Investigation 2006 The Forensics Experience
Evidence • Forensics is all about evidence. • Something that tends to prove or disprove the existence of an alleged fact. • 03/30/08 Federal Rules of Evidence govern proceedings in the courts of the United States.
Evidence • Admissible: must be legally obtained and relevant • Reliable: has not been tainted (changed) since acquisition • Authentic: the real thing, not a replica • Complete: includes any exculpatory evidence • Believable: lawyers, judge & jury can understand it
Evidence • Admissible: Search Warrant, Wire Tap, NSL • Reliable: Chain of custody, protected, properly handled; not tainted, not changed, MD5 • Authentic: Computer data is different • Complete: Must search entire hard disk • Believable: Impossible for geeks
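The "Reliable" property on the two Evidence slides (chain of custody, not changed since acquisition, MD5), shown as an added Python example that is not part of the original slides. The file names, handler names and the log record layout are assumptions made for illustration, and a SHA-256 digest is recorded beside the MD5 the slide names, which is an addition here.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def digest_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so a large image need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def custody_entry(log, handler, action, path):
    """Append a chain-of-custody record carrying the digests seen at this hand-off."""
    md5, sha256 = digest_file(path)
    log.append({"utc": datetime.now(timezone.utc).isoformat(), "handler": handler,
                "action": action, "md5": md5, "sha256": sha256})
    return log[-1]

def is_untainted(log):
    """True only if every later record matches the digests taken at acquisition."""
    first = log[0]
    return all((e["md5"], e["sha256"]) == (first["md5"], first["sha256"]) for e in log)

def demo():
    """Constructed scenario: acquire an image, clone it, then alter one byte of the clone."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")       # hypothetical file names
    clone = os.path.join(workdir, "working_copy.dd")
    with open(image, "wb") as fh:
        fh.write(b"constructed sample disk image\x00" * 4096)
    log = []
    custody_entry(log, "examiner A", "acquired", image)
    with open(image, "rb") as src, open(clone, "wb") as dst:
        dst.write(src.read())
    custody_entry(log, "examiner A", "cloned", clone)
    clean = is_untainted(log)                           # clone still matches the original
    with open(clone, "r+b") as fh:                      # simulate tainting: overwrite one byte
        fh.seek(100)
        fh.write(b"\xff")
    custody_entry(log, "examiner B", "examined", clone)
    return clean, is_untainted(log), log

if __name__ == "__main__":
    print(demo()[:2])
```

A single changed byte in the working copy produces different digests, so the third custody record no longer matches the acquisition record and the copy fails the check.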
Definition of Forensics • Discipline of digital evidence discovery, protection and presentation. • Technologies, techniques, and responsibilities of a criminal or civil investigation involving computers, networks, network service providers and electronic evidence.
Types of Forensic Exams • Legal or Liturgical: will go to trial • Civil: similar to liturgical, probably for negotiation or extortion • Business: terminate or reprimand an employee • Disaster Recovery: what happened, how to prevent • Illegal/Surveillance
Read Your Employee’s Handbook • What can your employer do to you? • What can they see? • What can you do? • What can’t you do?
Areas of Forensics • Physical • Digital • Chemical • Accounting • Etc.
Physical • Ballistics • Fingerprints • Artifacts • etc.
Digital Forensics / Computer Forensics • Evidence contained in computers • Evidence contained in digital devices • Phones • Cameras • Memory sticks • Smart cards • Evidence contained in networks
Chemical • Blood • DNA • Explosives • Drugs • Fiber analysis • Etc.
Accounting • Fraud • Multiple sets of books • Stock manipulation • Insider trading
Digital Devices: Be careful, be very careful • Computers, Laptops • Palm pilots • Cell phones • iPods • Cameras • Camcorders • etc.
Digital Evidence • Records and Logs • Results of activities • Statement of intent • Contraband • Indication of time line
Skills and Knowledge • Be aware of the many types of digital devices and their components and potential contents • Develop a Web behavior profile • Learn how to seize a computer and other devices • Proper handling of digital evidence • How to search a computer for evidence • Analyze a phishing scam • Become more knowledgeable about the digital/information world
Must Prove: • Actus Reus - The criminal act • Mens Rea - The criminal intent • Conviction