Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.

Published byVeronica Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer."— Presentation transcript:

1 By Jason Swoyer

2  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer forensics involves the preservation, identification, extraction, interpretation, and documentation of computer evidence.  Typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.

3  The goal of computer forensics is to explain the current state of a digital artifact.  The term digital artifact can include a computer system, a storage media (such as a hard disk or CD- ROM), an electronic document (an email message or JPEG image) or even a sequence of packets moving over a computer network.

4  Preparation (of the investigator)  Collection (the data)  Examination  Analysis  Reporting

5  Preparation is the key to a successful investigator in the area of computer forensics. The slightest bit of effort before the incident happens can make the investigation process much quicker, easier, and can result in more reliable information.  The collection process involves searching for, the acknowledgment of, the collection of, and the documentation of all digital evidence that will be collected during the whole entire process. The digital evidence may involve real time information or stored information that may be lost unless certain safety measures are taken at the scene.

6  The authentication process involves the creation of mathematical validation codes of collected digital evidence. This process greatly helps to answer or resolve any questions that may have been raised during court cases about the accuracy of the evidence.  The examination process helps to make the evidence visible and explainable from its origin and significance. This process should document all components of the collected evidence as a whole. This process also involves looking deeper to search for any information that may be hidden or masked. What, where, when, and how

7  The analysis process is somewhat like the examination process, only that with the analysis process, you inspect the outcome of the examination of the evidence for its importance and values to the case as a whole.  The documentation is listed as the last step in the process; it is a step that takes place throughout all of the other steps. This step is important because one usually has real time documentation to prove what happened during the investigation process.

8  In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).  To recover data in the event of a hardware or software failure.  To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.  To gather evidence against an employee that an organization wishes to terminate.  To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

9  Active Data: Active data is the information that we can actually see. This includes data files, programs, and files used by the operating system. This is the easiest type of data to obtain.  Archival Data: Archival data is data that has been backed up and stored. This could mean backup tapes, CDs, floppies, or entire hard drives.  Latent Data: Latent Data is the information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.

10  Handle the original evidence as little as possible to avoid changing the data.  Establish and maintain the chain of custody.  Documenting everything that has been done.  Use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

11  Capture a picture of the system and its surroundings. You may even want to videotape the entire process while the analyst works on the system to have an undisputable record for later use.  Keep detailed notes. These should include times and dates of all the actions taken and done at the site. Since it is hard to keep up with the output and system errors, you may want to record the server and surrounding area with a video camera and focus it at the terminal monitor.  Limit direct access to the file system as you are collecting the evidence and avoid updating the files or directory access table. If possible, analysis should be done on a bit-level copy of the system’s storage media, rather than the original.

12  Do not run programs that modify files or their access times.  Do not shutdown the computer until the most volatile evidence has been collected.  Do not trust the programs on the system. It is common to find that critical forensic tools have been modified with trojanized versions, which can provide false information.

13  Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on.  Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages.  Special care must be taken when handling computer evidence, most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place unless other measures have been taken.  For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere.

14  Begin by making a list of all the systems, software, and data involved in the incident as well as the evidence that has been collected.  Establish criteria regarding what is most likely to be relevant and could hold up and be accepted in court.  Remove all external factors that could cause accidental or misleading modifications of the file system or system state.

15  Perform a quick analysis of external logs and IDS output to provide a hint to where to focus the investigation on.  Check the processes running on the system, but following the levels of volatility, starting with memory, and look for any that appear out of place and copy the arp cache and so on.  Capture the temporary files that are important or may be deleted if the system should shutdown and reboot.

16  Make a byte to byte copy of the entire media and the evidence you have collected onto a backup device such as a flash drive.  Volatile Levels  Memory  Registry, routing table, arp cache, process table  Network connections  Temporary files  Disk or storage device

17  Who is logged into the system.  Open ports and listening applications.  Lists of currently running processes.  Registry information.  System information.  Attached devices (this can be important if you have a wireless-attached device not obvious at the crime scene

Download ppt "By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer."

Similar presentations

15 Maintaining a Web Site Section 15.1 Identify Webmastering tasks Identify Web server maintenance techniques Describe the importance of backups Section.

15 Maintaining a Web Site Section 15.1 Identify Webmastering tasks Identify Web server maintenance techniques Describe the importance of backups Section.
Electronic Evidence Joe Kashi. Todays Program Types of Electronically stored information Types of Electronically stored information Accessibility and.

Electronic Evidence Joe Kashi. Todays Program Types of Electronically stored information Types of Electronically stored information Accessibility and.
Computer Forensics.

Computer Forensics.
CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.

CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.

Computer Forensics.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except.

Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
E-Discovery for System Administrators Russell M. Shumway.

E-Discovery for System Administrators Russell M. Shumway.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Technology for Computer Forensics by Alicia Castro.

Technology for Computer Forensics by Alicia Castro.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
Introduction to Computers and Programming

Introduction to Computers and Programming
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (

Similar presentations

Ads by Google