Effective Discovery Techniques In Computer Crime Cases.

Presentation on theme: "Effective Discovery Techniques In Computer Crime Cases."— Presentation transcript:

1 Effective Discovery Techniques In Computer Crime Cases

2 Introduction

3 Storm’s Edge Technologies
- IT consulting company servicing the Dallas/Fort Worth area.
- Services:
  - PC Support and Custom Built PCs
  - Server Support and Custom Built Servers
  - Network Support
  - Firewall Support
  - Web Site Development/Hosting
  - Custom Application Development
  - Computer Forensics
  - Disaster/Data Recovery Services

4 Contact Information
Daniel A. FitzGerald
P.O. Box 8995
Fort Worth, TX
Phone:
Fax:
Web:

5 Forensic Process

6 Overview: Forensic Process
1. Image Hard Drive
2. Process Forensic Image
3. Discovery Procedures
4. Analyze Forensic Image
5. Document Findings

7 Stage of the Forensic Process: Image Hard Drive
- Document & Photograph
- Connect Drive to Write Block
- Connect PC to Write Block
- Create Forensic Image
- Secure Original Evidence Drive
- Allocate 1 Day

8 Stage of the Forensic Process: Process Forensic Image
- Update Forensic PC
  - Windows & Anti-Virus
  - Forensic Software
- Select Forensic Software
  - EnCase
  - Forensic Tool Kit
  - Etc…
- Start the processing
- Allocate 2-3 Days for each Drive

9 Stage of the Forensic Process: Discovery Procedures
- Obtain Forensic Reports
- Review Case Documents
- Determine Search Terms
- Develop Analysis Strategy
- Allocate at least 1 Week

10 Stage of the Forensic Process: Analyze Forensic Image
- Analyze Registry Hives
  - Determine Operating System
  - Determine Time Zone of PC
  - Determine Users of PC
- Analyze Event Logs
- Perform Search of Terms
- Allocate at least 1 Week

11 Stage of the Forensic Process: Document Findings
- Generate Registry Reports
  - Operating System
  - Time Zone
  - Users
  - Etc…
- Generate Event Log Reports
  - Usage Patterns
  - Time Changes
- Generate Search Term Results
- Allow 2-4 Days

12 Forensic Timeline
- 1 Day - Image Hard Drive
- 2-3 Days - Process Forensic Image
- 1 Week - Discovery Procedures
- 1 Week - Analyze Forensic Image
- 2-4 Days - Document Findings
Forensic Process - 21 Days
Note: Timeline is based on a single average PC with a 250GB Drive.

13 Computers or Spies?
- What can we determine from a PC?
  - Users’ Passwords
  - Web Sites viewed
  - Documents opened
  - Pictures viewed
  - Age of PC
  - Last Reboot Time
  - What files have been accessed, deleted, modified, etc…

14 Computers or Spies?
- What can we determine from a PC?
  - Who created the document
  - When documents were printed
  - What software created the document
  - What devices were used
  - Who has used the PC
  - What software has recently been used
  - When the OS was installed
  - The possibilities are too numerous to list!

15 Integrating the PC
- Registry Files contain an abundant amount of information, including:
  - Usernames/Passwords for , websites, and programs
  - Internet Sites visited along with date/times
  - Search Terms used on Google and other search engines
  - Recent file activity/access
  - List of software installed

16 Integrating the PC
- Registry Files contain an abundant amount of information, including:
  - Whether the Screen Saver requires a Password
  - User Logon Required or Not
  - Date Windows was Installed
  - Date each user last logged on
  - Etc…

17 Integrating the PC
- PC Event Logs can provide some insight into the use of a PC:
  - Change in System Time
  - Boot/Startup Times
  - Problems with drivers & devices
- Because the event logs generally cover a time period of several months, they can provide a good history of activity.

18 Other Files
- INI files are used by programs to store information/configuration.
  - Plain Text
  - Safe for Export
- LNK (shortcut) files will often provide insight into the user’s programs.
  - The Start Menu will give you a list of the common programs they run/access.

19 Alibi with a PC
- Establish who was using the PC
  - UserID/Password
  - Screen Saver w/Password
  - User-specific knowledge, like logging into the MySpace web site
- Establish that the PC has the correct time
  - Check BIOS date vs. Windows date
  - Check Event Log for time sync events
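The event-log checks on slides 17 and 19 (boot/startup times and changes in system time) can be worked through on an exported log. The following is an added example, not material from the presentation: it parses a constructed CSV export, pairs start/stop events into power-on windows, and flags clock changes that moved the system time backwards, which is exactly the condition under which file dates and other timestamps recorded on the PC can no longer be taken at face value. The event IDs and the message wording are assumptions for the demo, not taken from the slides.

```python
import csv
import io
import re
from datetime import datetime
# Constructed sample export of a Windows event log, not case data. Assumed IDs:
# 6005/6006 = Event Log service started/stopped (boot/shutdown), 4616 = time changed.
SAMPLE_EXPORT = """\
time_generated,event_id,source,message
2009-03-02 08:01:14,6005,EventLog,The Event log service was started.
2009-03-02 17:45:02,6006,EventLog,The Event log service was stopped.
2009-03-03 07:58:40,6005,EventLog,The Event log service was started.
2009-03-03 09:12:05,4616,Security,Time changed. Previous Time: 2009-03-03 09:12:05 New Time: 2009-02-27 09:12:05
2009-02-27 10:30:00,4616,Security,Time changed. Previous Time: 2009-02-27 10:30:00 New Time: 2009-03-03 10:30:00
2009-03-03 18:02:11,6006,EventLog,The Event log service was stopped.
"""
FMT = "%Y-%m-%d %H:%M:%S"
TIME_RE = re.compile(r"Previous Time: (\S+ \S+) New Time: (\S+ \S+)")

def parse_export(text):
    """Rows of the export as dicts with parsed timestamps and integer IDs."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time_generated"] = datetime.strptime(row["time_generated"], FMT)
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows

def boot_sessions(events):
    """Pair each 6005 (start) with the next 6006 (stop): the PC's power-on windows."""
    sessions, start = [], None
    for ev in events:
        if ev["event_id"] == 6005:
            start = ev["time_generated"]
        elif ev["event_id"] == 6006 and start is not None:
            sessions.append((start, ev["time_generated"]))
            start = None
    if start is not None:                 # log ends while the PC is still up
        sessions.append((start, None))
    return sessions

def time_changes(events):
    """Extract 4616 events; flag those that moved the clock backwards."""
    changes = []
    for ev in events:
        if ev["event_id"] == 4616:
            prev, new = (datetime.strptime(t, FMT)
                         for t in TIME_RE.search(ev["message"]).groups())
            changes.append({"logged": ev["time_generated"], "previous": prev,
                            "new": new, "set_backwards": new < prev})
    return changes
```

Any file activity logged between a backwards change and the matching correction (here, the clock was set back four days and restored about an hour later) needs to be re-dated before it is used to place a person at the keyboard.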

20 Alibi with a PC
- Determine Activity and Time
  - File Dates (Creation, Access, Modified)
  - Web Site Activity
  - Activity
  - Printer Activity

21 Classified/Sensitive Data
- How to perform a Forensic Analysis when you cannot possess the data:
  - Identify who has secured the evidence
  - Determine local policies for providing access
  - Process the Forensic Image files
  - Review any Sensitive Data on-site
  - Generate Report
  - Extract non-sensitive files for processing in your own forensic lab
  - Request a review and copy of the report to ensure no classified/sensitive data is exported

22 Extracting Non-Sensitive Files
- Files to Extract for later processing:
  - Registry Files
  - Event Logs
  - INI Files
  - LNK Files
  - Access Database of all files
    - FTK will create this as part of its normal processing of the Forensic Image Files.
    - EnCase will need to export a CSV file.

23 What is …
- Slack Space – The area between the end of the file and the end of the cluster.
- Free Space – The area available to store data, including areas where files were stored but have been deleted.
- Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions.
- Swap File – File used to cache memory to the hard drive.
- Hibernation File – File used to store memory to the hard drive when hibernating.
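The slack-space definition above is easiest to see on bytes. This is an added example, not from the presentation: it builds a small constructed disk image in which a 700-byte live file starts at cluster 2 and only partially overwrites a cluster that previously belonged to a deleted file, then computes and carves the slack region (end of file data to end of the last cluster). The 512-byte cluster size is an assumption chosen for the demo.

```python
CLUSTER = 512          # cluster size assumed for the demo (real volumes often use 4096)

def cluster_count(file_size, cluster_size=CLUSTER):
    """Number of clusters a file of file_size bytes occupies (ceiling division)."""
    return -(-file_size // cluster_size)

def slack_range(file_size, first_cluster, cluster_size=CLUSTER):
    """Byte offsets [start, end) of the file's slack: from the end of the file
    data to the end of its last allocated cluster. None if the file fills
    its clusters exactly, since then there is no slack to examine."""
    start = first_cluster * cluster_size + file_size
    end = (first_cluster + cluster_count(file_size, cluster_size)) * cluster_size
    return (start, end) if end > start else None

def carve_slack(image, file_size, first_cluster, cluster_size=CLUSTER):
    """Return the raw bytes sitting in the file's slack space on a disk image."""
    rng = slack_range(file_size, first_cluster, cluster_size)
    return b"" if rng is None else image[rng[0]:rng[1]]

def build_sample_image():
    """Constructed 8-cluster image: a 700-byte live file starting at cluster 2,
    whose second cluster (cluster 3) still holds residue of a deleted file."""
    image = bytearray(8 * CLUSTER)
    leftover = b"previous document text that was never overwritten "
    # cluster 3 keeps the old content; the live file overwrites only its first 188 bytes
    image[3 * CLUSTER:4 * CLUSTER] = (leftover * 12)[:CLUSTER]
    image[2 * CLUSTER:2 * CLUSTER + 700] = b"LIVE" * 175
    return bytes(image)
```

The carved 324 bytes contain none of the live file's content but do contain readable text from the earlier file, which is why slack is examined separately from the file system's view of what is on the drive.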

24 How Do I?
- Prove a USB Key was used on a PC
- Prove an Image was viewed
- Recover Deleted Files
- Determine if a user has opened a file
- Prove a file was copied/moved
- Find out when a file was deleted
- Demonstrate a PC was used remotely
- Show who created a file
- Etc…

25 Open Questions

26 Storm’s Edge Technologies
Daniel A. FitzGerald
P.O. Box 8995
Fort Worth, TX
Phone:
Fax:
Web:
