
1 Introduction to Computer Forensics
Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+
KSU ETTC
Slides at: www.speakwisdom.com
brent@speakwisdom.com

2 Caveat
I am not dispensing legal advice
Use what you hear, read, and do at your own risk
Consult with your legal advisor when conducting an investigation

3 The Need for Computer Forensics

4 Anyone can access anything via the internet
Students, faculty, staff and parents doing bad stuff!
Technology is more sophisticated
–Faster
–More portable
Schools have perceived responsibility

5 Concerns
Pornography
–Child Pornography
Emails
–Threatening
–Relationship related
Instant Messages
Web sites (MySpace)
–Bullying
–Faculty pages

8 Bringing Things to School
Flash Memory Devices
Containing what?

9 PDA’s and Cell Phones
Palm
–Fading?
–Lots of apps and storage (flash)
–Infrared and BlueTooth beaming
Windows Mobile
–Lots of storage (flash)
–Familiar interface
–Easily networked (WiFi, Bluetooth)
–View photos and movies
–Capture images, sound

10 More Threats
Downloads
–To School PCs
CDs/DVDs
Social Networking Sites
–FaceBook
–MySpace
Phishing
–Emails & Web sites

11 Objectives
Gain Basic Knowledge
–What is Computer Forensics?
–Concepts
–Procedures
–What Not to Do?
–What to do Next?
Learn some basic techniques
Raise level of awareness

12 Do You Have a Duty To Report?
Yes, if you suspect a crime has been committed
Yes, if you suspect “sexual exploitation” including conduct involving child pornography.
Once you bring in police, you stop forensic work.

13 Kinds of Forensics
PC/Laptop
–Files, email, internet activity
Device
–Cell phone
–PDA
–MP3 Player (iPod!)
Network
–Internet traffic
–Local/wireless traffic

14 Places
High Technology Crime Investigation Association
–www.htcia.org
Atlanta HTCIA
–www.atlhtcia.org
Southeast Cybercrime Summit
–www.southeastcybercrimesummit.com

15 Places
Access Data (FTK)
–www.accessdata.com
X-Ways Forensics (WinHex)
–www.x-ways.com
ProDiscover
–www.techpathways.com
Helix
–www.e-fense.com

16 Certification
Certified Computer Examiner
–http://www.certified-computer-examiner.com/index.html
More
–Google search “computer forensics”
Books
–Plenty!
–Check Amazon, BN, etc.

17 Preparation
What to Do Before You Start
You need the right people!

18 Build a Response Team
Cover all bases
–Legal, Technical, Law Enforcement, PR
Attorney or Legal Advisor
Strong “Geek”
–Vast knowledge required
School Law Enforcement Person, Local Police
Public Relations

19 Incident Response Plan
Response plan
–Who is called?
–How are others notified?
Clear process
–Who has responsibility for what?
–Decision Points: Policy issue / Legal issue
Coordinate with law enforcement
–As appropriate

20 Someone Must Know Your Hardware & Software
Servers
Workstations
PDAs
CD-ROM, CD/DVD
Webcams
Modems
Key Loggers
USB Devices
Wireless
Windows
–9x, 2000, 2003, XP
Unix/Linux
OS X
DOS
FAT
NTFS
EXT2/EXT3

21 Someone Must Know Auditing and Logging
Know where the OS keeps logs
Know the kinds of OS logs
–Windows Event Viewer
Auditing
Date and time of device
Date and time of log entries
File/Directory date & time stamps

22 Computer Evidence

23 Will this End Up in Court?
Assume your case will!
Courts require ample unaltered evidence
Evidence must be processed properly
Specially trained team should always conduct investigation

24 Main Emphasis of Forensics
Identify the Evidence
Determine how to preserve the evidence
Extract, process, and interpret the evidence
Ensure that the evidence is acceptable in a court of law

25 Evidence
Computer evidence is fragile
Courts know that digital evidence is easily planted/altered
You must be able to show that evidence is pristine and unmodified!
See www.cybercrime.gov

26 Evidence
Can include any form of electronic data
Can include devices
–Computers
–CD-ROMs
–Floppies
–Cellular Telephones
–Pagers
–Digital Cameras

27 Rules
More latitude in schools/businesses
–Internal processes
–Governed by policy documents
–Expectation of privacy
Law enforcement works under more restrictive rules
–Subpoenas & search warrants
–Chain of command
–Agency boundaries

28 What to “Prosecute”?
Harm inflicted?
Violation of Written Policy?
Policy communicated to teacher/student/parents?
Investigation conducted by trained personnel?
Successful investigation?

29 Problem in School Systems
Security and Forensics projects don’t generate revenue
–Or FTEs
Hard to get “higher up” to understand need
–Until superintendent and board picture is in the paper
Money for training
Politics of position

30 Training
Training team is essential
They need to
–Learn basic procedures
–Gain expertise in technical areas
Sufficient Personal Interest?
–Get Certified
–Get degree

31 End User Training
Users need to be aware
–School System Policies
–Requirements to guard information
–Laws
–Awareness
Illegal Activities
–Social Engineering
–Spyware
Consider Yearly Seminar
Splash Screen

32 Investigation

33 Do It Right!
Photograph system scene
Take Notes (two present)
Get the basics
–System Model/SN
–HD model and SN
–System Date/Time
–BIOS boot info
Power Down (pull plug)
–Laptop – Pull battery

34 Evidence Gathering
Have secure-erased drives ready
Get Suspect Drive Image
–Attach a write-blocker
–Get two or more images of the drive
Seal original drive
–Place a copy of the drive back in the PC (if appropriate)
Original drive should be locked away
Control Chain of Custody

35 Capturing the Data Image

36 Preparing an Evidence Drive
Use USB drive case

37 Preparing an Evidence Drive
Use large drives
Have several
Secure-erase all drives
–Record date, time, and method
Store in locked area
Software to Secure Erase?
–Helix
–WinHex Pro
–ProDiscover

38 Prepare Evidence Drive
–Connect to Analysis PC
–WinHex Pro
Select Physical Media (not Logical Drive)
Edit / Fill Sectors / hex 00
Will take several minutes
–(25 min for 40Gb)

39 Image Options
Boot suspect PC with Helix
–Easiest for laptops
Attach USB evidence drive
Use AIR or similar tool to image drive

40 Image Options
Remove HD from Suspect, place as Slave in Analysis PC
–Use Write Blocker
Remove HD from PC, place in USB Case
–Use Write Blocker
Protect the original!

41 Image Options
Get image
–Multiple copies
Image Type
–Drive to Drive
–Drive to Image File (DD)

45 Sources for Write Blockers
www.digitalintelligence.com
www.blackbagtech.com
www.forensicpc.com

46 Other Image Options
Use USB Evidence Drive
–Boot PC with Knoppix or Helix CD
–Open terminal window
–dd if=/dev/hda of=/dev/sda
–Speed: 1 hour per GB
–Boot PC with Helix CD
–Open terminal window
–dcfldd if=/dev/hda of=/dev/sda
–Speed: 4 min per GB

47 Other Image Options
GHOST!
–Boot with BartPE CD
–Open command window
–Ghost32 -ir -fnf
–(Image Raw, No Fingerprint)
–Speed: 2 min per GB
GHOST! Version 7.5 or later
–Boot with Ghost Floppy
–Ghost -ir -fnf

48 What is the Hash?
Used to verify that image is accurate
MD5 suspect drive or partition
MD5 image
Should match
Record!
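The imaging and hashing steps on slides 46 and 48 (dd the drive to the evidence medium, hash the source and the image, check that they match, record the values) can be seen end to end in the added example below. It is not code from the presentation: it stands in for dd/dcfldd with a block-by-block copy in Python, hashes every byte as it is read from the source (the way dcfldd can hash while imaging), then independently re-hashes the finished image. The "suspect drive" is a constructed file of random bytes, not a real device such as /dev/hda, and the tamper step at the end exists only to show what a mismatch looks like.

```python
"""Added example (not from the slides): a dd-style raw image of a 'suspect
drive' with MD5 and SHA-256 computed on the fly, then re-hashed and compared.
The device path is a constructed file standing in for /dev/hda."""
import hashlib
import os
import tempfile

BLOCK = 4096  # read size per loop; a real run would use a much larger block


def image_device(src_path, dst_path, block=BLOCK):
    """Copy src to dst block by block (like dd if=src of=dst), hashing every
    byte read. The source is opened read-only; on real media a hardware
    write-blocker still belongs between the drive and this code.
    Returns (md5_hex, sha256_hex, bytes_copied)."""
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on the medium
    return md5.hexdigest(), sha.hexdigest(), total


def hash_file(path, block=BLOCK):
    """Independent second pass: hash a finished file (drive, partition or image)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_image(src_path, dst_path):
    """Image src to dst, re-hash the image, and compare.
    Returns (all_match, record) where record holds the values to write down."""
    src_md5, src_sha, n = image_device(src_path, dst_path)
    dst_md5, dst_sha = hash_file(dst_path)
    ok = (src_md5, src_sha) == (dst_md5, dst_sha) and os.path.getsize(dst_path) == n
    return ok, {"md5": src_md5, "sha256": src_sha, "bytes": n}


def demo():
    """Constructed 'drive': 1 MiB of random bytes in a temp file (no real device).
    Returns (image_verified, tampered_image_still_matches, record)."""
    tmp = tempfile.mkdtemp()
    dev = os.path.join(tmp, "suspect_disk.bin")
    img = os.path.join(tmp, "suspect_disk.dd")
    with open(dev, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    ok, record = verify_image(dev, img)
    # Flip one byte in the image: the recorded MD5 must no longer match.
    with open(img, "r+b") as f:
        f.seek(100)
        b = f.read(1)
        f.seek(100)
        f.write(bytes([b[0] ^ 0xFF]))
    tampered_matches = hash_file(img)[0] == record["md5"]
    return ok, tampered_matches, record


if __name__ == "__main__":
    verified, tampered, rec = demo()
    print("image verified:", verified, "| tampered copy still matches:", tampered)
    print("record for the notes:", rec)
```

Two hashes are kept because MD5 alone is what the slide names but is no longer collision resistant; recording SHA-256 alongside it costs nothing and survives a challenge in court better. The second `hash_file` pass is deliberate: hashing only while copying proves what was read, not what actually landed on the evidence drive.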

49 Extracting Information from Data

50 Analysis
Work on Image, not Original
Time Consuming!
Tools Allow
–Finding deleted files: Images, Email, IE cache
–Searching for text (“drugs”, etc.)
–Show Hidden Files
–Show Hidden Partitions or Drives

51 Definitions
Unallocated Space
–Space never used on a hard drive
–Space made available by deleted files
Slack Space
–Space in a cluster not used by file data

52 1. Examine Suspect HD
Boot Suspect PC with Helix
Hidden Drive? (QTPARTED)
Browse with File Manager
–See images, open documents
–See hidden partition
Use Retriever
–Path \media\sda1
–Find images

53 1a. Examine USB Evidence Drive Image in Windows
Use Windows Disk Management MMC to look at Partition
My Computer Search
Wrong Extension?
Encrypted?
MS TweakUI
–Can be used to hide drive letters

54 2. Find Images (Not Deleted)
ExifPro
Easy

55 3. Find Deleted Files
Great tool, easy to use

56 4. Examine in Windows
Examine PC with Helix Windows
–System Information: Drive letter discrepancy?
–Incident Response: Windows Forensics Toolchest, Security Reports (others want NetCat)
–Scan for Images (no path information)
–Windows Search (for files)
–Disk Management (for drives, partitions)

57 WinHex
Open .dd file
Specialist
–Interpret file as disk
View all .jpg’s in file system
–Tools, Disk Tools, Explore Recursively
–You can add path column
Look for .dbx files

58 WinHex
Find .jpg’s in Unallocated space
–Tools, Disk Tools, File Recovery by Type
Find text in files
–Search, Find Text (or Simultaneous Search)
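What WinHex's "File Recovery by Type" does over unallocated space (slide 58), and the two definitions on slide 51, are illustrated by the added example below. It is not the presentation's or X-Ways' code: it builds a small constructed disk image with a cluster size of 4096 bytes, an invented allocation bitmap, one live text file (which leaves slack in its last cluster), one live JPEG, and one "deleted" JPEG whose clusters are unallocated. The carver scans only unallocated clusters for the JPEG start-of-image marker and cuts at the next end-of-image marker; the JPEG bodies are constructed minimal stubs, not real photographs.

```python
"""Added example (not from the slides): carve JPEGs from the unallocated
clusters of a raw .dd image, and compute slack space for a live file."""
import hashlib

CLUSTER = 4096                 # assumed cluster size for the constructed image
JPEG_SOI = b"\xff\xd8\xff"     # JPEG start-of-image marker (FF D8 FF)
JPEG_EOI = b"\xff\xd9"         # JPEG end-of-image marker (FF D9)


def slack_bytes(file_size, cluster=CLUSTER):
    """Slack space: bytes in the file's last cluster not used by file data."""
    return (-file_size) % cluster


def carve_jpegs(image, allocated_clusters, cluster=CLUSTER):
    """Scan only unallocated clusters for SOI..EOI runs.
    Returns a list of (byte_offset, carved_bytes). Caveat: a JPEG with an
    EXIF thumbnail contains an inner FF D9, so a real carver must parse
    segment lengths rather than stop at the first EOI as this one does."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        if (start // cluster) in allocated_clusters:
            pos = start + 1            # live file: the file system already lists it
            continue
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def fake_jpeg(payload):
    """Constructed minimal JPEG-shaped blob (SOI, APP0 'JFIF', payload, EOI)."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload + JPEG_EOI


def build_image(clusters=16, cluster=CLUSTER):
    """Constructed .dd image plus its allocation set (cluster numbers in use)."""
    disk = bytearray(clusters * cluster)          # secure-erased medium: all 00
    allocated = set()
    # Live text file of 5000 bytes in clusters 0-1 (slack in cluster 1).
    text = b"homework notes " * 334
    text = text[:5000]
    disk[0:len(text)] = text
    allocated.update({0, 1})
    # Deleted JPEG: its data is still on disk at cluster 5, no longer allocated.
    deleted = fake_jpeg(b"D" * 300)
    disk[5 * cluster:5 * cluster + len(deleted)] = deleted
    # Live JPEG at cluster 10, still allocated, so the carver must skip it.
    live = fake_jpeg(b"L" * 300)
    disk[10 * cluster:10 * cluster + len(live)] = live
    allocated.add(10)
    return bytes(disk), allocated, deleted


def recover_deleted_jpegs():
    """Return [(offset, size, md5)] for carved files; hash each for the notes."""
    image, allocated, _ = build_image()
    return [(off, len(data), hashlib.md5(data).hexdigest())
            for off, data in carve_jpegs(image, allocated)]


if __name__ == "__main__":
    for off, size, digest in recover_deleted_jpegs():
        print(f"carved JPEG at offset {off} (cluster {off // CLUSTER}), {size} bytes, md5 {digest}")
    print("slack in a 5000-byte file:", slack_bytes(5000), "bytes")
```

The carver reports offsets and hashes rather than writing files so the analyst can note where each recovered object came from in the image. Carving works on the image file, never the original drive, which is the point of slide 50.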

59 Email - Outlook Express
Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
OE Reader (free)
Mail stored in .dbx files
Similar tools for Outlook .pst files

60 Passwords and Encryption

61 NTPassword
–http://home.eunet.no/pnordahl/ntpasswd/
Password Tools
–http://www.passwordportal.net/
–http://www.brothersoft.com/downloads/crack-password.html
–http://www.elcomsoft.com/index.html
–http://www.accessdata.com/

62 Steganography and Keystroke Logging
Steganography
–Try Steganote
Keystroke logging
–Try 007Starr

63 Common Forensics Tools

64 PRODISCOVER
Create Case
Add Image
Content View
–Examine Deleted Files
Click check box on interesting file
Make comment
Gallery view

65 PRODISCOVER
Content Search
–Search for pattern: drugs, sex, etc.
–Click Search Results
Finds anything: docs and email!
Search for *.jpg

66 PRODISCOVER
What about files with wrong ext?
–Pick Folder on Left Side
–Tools – Signature Matching
–Export Report
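Signature matching, which ProDiscover offers as a menu item here and slide 53 raises as the "Wrong Extension?" question, is shown in the added example below. It is not ProDiscover's code: it keeps a small table of well-known header bytes (JPEG, PNG, GIF, PDF, ZIP-based formats, BMP), walks a folder, and reports every file whose extension and header disagree, including files with a known extension but an unrecognised header. The folder contents are constructed stubs written to a temporary directory, and the signature table is a deliberately short subset of what a real tool carries.

```python
"""Added example (not from the slides): flag files whose extension does not
match the file signature (magic bytes) at the start of the file."""
import os
import tempfile

# Known header bytes; a real tool carries hundreds of entries.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF",),
    "zip":  (b"PK\x03\x04",),          # also docx/xlsx/pptx containers
    "bmp":  (b"BM",),
}
# Which signature each extension is expected to carry.
EXT_TO_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".bmp": "bmp",
}


def detect_type(head):
    """Return the signature name matching the first bytes, or None."""
    for name, sigs in SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return name
    return None


def signature_mismatches(root):
    """Walk root; return sorted (relative_path, extension, detected_type) for
    every file where the extension's expected type and the detected type differ
    and at least one of them is known. Plain text with a .txt name is not flagged."""
    out = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(16)
            detected = detect_type(head)
            expected = EXT_TO_TYPE.get(os.path.splitext(fn)[1].lower())
            if detected != expected and (detected or expected):
                out.append((os.path.relpath(path, root), os.path.splitext(fn)[1].lower(), detected))
    return sorted(out)


def build_sample_folder():
    """Constructed evidence folder (stub contents, not real media files)."""
    root = tempfile.mkdtemp()
    samples = {
        "homework.txt":        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,  # JPEG as .txt
        "photo.png":           b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                 # honest PNG
        "report.pdf":          b"%PDF-1.4\n%stub\n",                                 # honest PDF
        "song.mp3":            b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                 # PNG as .mp3
        "vacation.jpg":        b"just some text, no image header here\n",           # text as .jpg
        os.path.join("notes", "readme.txt"): b"plain notes\n",                       # nothing to flag
    }
    os.makedirs(os.path.join(root, "notes"))
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, ext, detected in signature_mismatches(build_sample_folder()):
        print(f"{rel}: extension {ext or '(none)'} but header says {detected or 'unknown'}")
```

Reading only the first 16 bytes keeps the walk fast on a large image mount; the report is the same list a practitioner would export from ProDiscover's Signature Matching and then review by hand, since a mismatch is a lead, not proof of intent.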

67 Pulling It All Together

68 You are now… Dangerous!
Keep Going!

69 Questions?

70 Thank you!
www.speakwisdom.com
