Presentation on theme: "IT-Forensic Investigations (in Sweden) Computers Sebastian Leclerc 13.12.2011."— Presentation transcript:
IT-Forensic Investigations (in Sweden) Computers Sebastian Leclerc 13.12.2011
During house searches “The police force in Sweden only needs reasonable doubt for performing house searches, no warrant is needed.” One wants… To be able to shut down systems without any risk of information loss, access protection or encryption Find passwords in the environment where the confiscation took place Photograph the environment and document how everything is connected.
During the investigation One wants to be as sure as possible of… That the data we are identifying holds its integrity That we are able to reproduce the investigation and get the same results That nobody can question our findings
”Please check if there is anything interesting on this disk”…. ”Only look for everything that has something to do with the investigation”… ”You can print out the contents of the hard drive”… Hard drives capacity400GB About 500 pages *.txt per MB, paperweight 80g / m2 Amount of pages (A4)200.000.000 Amount of boxes (a' 2.500 A4)80.000 Paper, ton(s)1000 Laser printer with a 10 page / minute capacity (A4) Months480 Years40
During the investigation one normally looks for User activities Browser history (ex. search terms such as ”how to hide a body?”) Chat logs Email Installed software Encryption File sharing programs (P2P, torrents etc., sometimes) Folders and files Documents Pictures Other: Network information, Process Information, Process-to-Port Mapping, Open files, Logged-on Users, Time, Clipboard, Shares, Volatile and nonvolatile information to name a few.
Two main modes of operations ”Live search”, which is done byte after byte. Takes a long time each time, but one can use more flexible searching methods other than indexed searching. For example using GREP for searching telephone numbers, credit card numbers etc. ”Indexed search”, where one allows the computer to create a database over everything that isn’t junk symbols. Takes a very long time to create, however makes the searching much easier (But only finds what is indexed…).
After an investigation 1 The documentation should contain… The data/information one finds The Systems date/time settings System events with ties to data, file names and date/time Users Other concurrent system events of interest. After the investigation a academic report must be produced with… Prelude, preface Summary Table of contents Background information Description of material Observations and investigations Investigation methods. Compilation of investigations and results Analysis and conclusion
After an investigation 2 After investigation should speak for itself and contain… On what grounds ones conclusions are made How one has gotten to this conclusion To have to testify should almost be seen as a failure!