Recovering and Examining Computer Forensic Evidence. Noblett, Pollit, & Presley. Forensic Science Communications, October 2000 (Cited by 13 according to Google Scholar).


1 Recovering and Examining Computer Forensic Evidence
Noblett, Pollit, & Presley
Forensic Science Communications, October 2000 (Cited by 13 according to Google Scholar)
Presentation by Bryan Pass

2 Significance
- "Forensic Science Communications is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists."
- An overview of computer forensic methods from the forensics authority, the FBI.
- Not really new; more of an overview of current methods and thinking.

3 Outline
- Significance
- Open Research Topics
- Computer Forensics for Traditional Crimes
- Computer Forensics for Computer Crimes
- Who are we dealing with?
- Data Recovery
- BackTracker
- S-TLA+

4 Open Research Topics
- Education: how to better educate forensics and computer students about computer security and forensic methods.
- Honeypots / Honeynets: setting up networks to attract hackers in order to study how they operate.
- Automated log examination: filtering raw data to lower the amount of information that a human has to review.
- Data Recovery: recovering data from physically damaged media as well as recovering intentionally deleted information.

5 Computer Forensics for Traditional Crimes
- Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
- Computer evidence is becoming more and more commonplace in investigations of traditional crimes.
- Focus on extracting text, spreadsheets, and other human-readable information.
- Computer forensics relies on extracting only useful information, unlike traditional forensics, which attempts to gather all information from a piece of evidence.
- 12 GB of printed text data would create a stack of paper 24 stories high.

6 Traditional Crimes (cont.)
- Constantly adapting to changing technology instead of static techniques
  - Fingerprinting, DNA analysis, etc.
- Set procedures and guidelines are difficult or impossible to follow because of the variation in equipment used
  - Operating system, file system, physical medium, and application
- Can make copies of the original evidence
  - Verification of copy
- Privacy / legality concerns
  - Attorney's data protected by confidentiality
  - E-mail or file servers with many users
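The "verification of copy" bullet is the step where an examiner proves that the working image is bit-for-bit identical to the original medium. The usual check is to hash both and record the digests. The following is an added example written for this transcript, not code from the paper or the presenter; it hashes two byte streams (a constructed 1 MiB sample "medium" and its image, both made up here) with MD5 and SHA-256 in one pass and reports whether they match. In a real acquisition the original would be read through a write blocker and the digests would go into the chain-of-custody record.

```python
import hashlib
import io

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large images never sit fully in memory


def digest_stream(stream, algorithms=("md5", "sha256")):
    """Hash a byte stream once while computing several digests in parallel.

    Returns a dict {algorithm: hexdigest}. Recording two algorithms is common
    practice in imaging reports so a match can be cross-checked.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper: digest an in-memory byte string."""
    return digest_stream(io.BytesIO(data), algorithms)


def verify_copy(original, image, algorithms=("md5", "sha256")):
    """Compare the digests of the original medium and its forensic image.

    Returns (matches, original_digests, image_digests). Both digest sets are
    returned whatever the outcome, because they are what gets recorded.
    """
    orig = digest_stream(original, algorithms)
    copy = digest_stream(image, algorithms)
    return orig == copy, orig, copy


# Constructed sample "medium": 1 MiB of a repeating byte pattern (not real evidence).
ORIGINAL_MEDIUM = bytes(range(256)) * 4096


def corrupted_image(data, offset=12345):
    """Return a copy of data with one bit flipped at offset (a constructed bad copy)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def sample_check(corrupt=False):
    """Verify the constructed medium against an exact or a bit-flipped image."""
    image = corrupted_image(ORIGINAL_MEDIUM) if corrupt else ORIGINAL_MEDIUM
    return verify_copy(io.BytesIO(ORIGINAL_MEDIUM), io.BytesIO(image))[0]


if __name__ == "__main__":
    ok, orig, copy = verify_copy(io.BytesIO(ORIGINAL_MEDIUM), io.BytesIO(ORIGINAL_MEDIUM))
    print("exact copy verified:", ok, orig["sha256"][:16] + "...")
    ok, orig, copy = verify_copy(io.BytesIO(ORIGINAL_MEDIUM),
                                 io.BytesIO(corrupted_image(ORIGINAL_MEDIUM)))
    print("single bit flip detected:", not ok, copy["sha256"][:16] + "...")
```

A single flipped bit changes every digest, which is the property the verification step relies on; the same functions work unchanged on a file object opened in binary mode over a real image file.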

7 A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence

8 Computer Forensics for Computer Crimes
- Focus on analyzing log data from computer systems
- Often one attack impacts multiple applications, physical systems, and even companies
  - Logs from applications on the target machine
  - Logs from other affected machines
  - Logs from routers, edge routers, firewalls, etc.

9 Computer Crimes (cont.)
- Different crimes could result in very different kinds of evidence
  - DDoS could produce router logs and packet captures
  - Defacement could produce application logs, router logs, and more traditional evidence (linguistics, etc.)
- Routinely create legal nightmares of crossed borders and innocent participants
  - Data recovery techniques
  - Encryption schemes and export laws

10 Who are we dealing with?
- Determining the sophistication of the suspects
  - Tamper alarms and traps
  - Must appear like a normal user to the device
  - Cutting the power might not be a good idea
    - Information in volatile memory even the user didn't know was there

11 Data Recovery
- Physical damage
  - It might be harder than you think to destroy a medium beyond partial reconstruction
  - Clean rooms
    - Expensive and time consuming: is it worth it for the crime being investigated?
  - Using magnetometers to reconstruct disk images
- How to really erase something
  - Overwrite with 0, with random data, with patterns, with the complement

12 BackTracker
- Backtracking Intrusions
- Log access to other processes, files, sockets, etc.
- Construct a timeline of what happens after the initial intrusion
- [Figure: filtered dependency graph for bind attack]
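The core of BackTracker is a backward walk over logged dependencies: starting from a detection point (an object known to be compromised, at the time it was noticed), follow every logged event that could have affected that object, then every event that could have affected the sources of those events, and so on, always moving earlier in time. What remains is the causal chain from the intrusion's entry point to the detection point, with unrelated activity left out. The block below is an added example, not code from the King & Chen paper or from this presentation; it runs that walk over a small constructed event log (every process name, PID, path and timestamp in it is made up), and its `ignore` parameter stands in for the paper's filtering of well-known noisy objects.

```python
from collections import defaultdict

# Constructed sample event log (not from the paper). Each record is
# (time, source, target, action) and means "source could have affected target":
# a process writing a file, forking a child, a file being exec'd, a socket
# delivering data to a process, and so on.
SAMPLE_EVENTS = [
    (1, "socket:0.0.0.0:80", "proc:httpd[201]",      "recv"),
    (2, "proc:httpd[201]",   "proc:sh[305]",         "fork"),
    (3, "file:/bin/sh",      "proc:sh[305]",         "exec"),
    (4, "proc:sh[305]",      "file:/tmp/x.sh",       "write"),
    (5, "proc:sh[305]",      "proc:wget[310]",       "fork"),
    (6, "proc:wget[310]",    "file:/tmp/rootkit",    "write"),
    (7, "proc:cron[100]",    "proc:sh[320]",         "fork"),   # unrelated activity
    (8, "proc:sh[320]",      "file:/var/log/syslog", "write"),  # unrelated activity
    (9, "proc:sh[305]",      "file:/etc/passwd",     "write"),  # the detection point
]


def backtrack(events, detection_object, detection_time, ignore=frozenset()):
    """Return the sorted set of dependency edges (time, source, target, action)
    that could have causally led to detection_object by detection_time.

    Objects listed in `ignore` (e.g. well-known read-only files) are treated as
    noise and not followed, mirroring BackTracker's filtering rules.
    """
    by_target = defaultdict(list)
    for t, src, dst, act in events:
        by_target[dst].append((t, src, act))

    edges = set()
    explored_until = {}  # object -> latest time bound already walked
    work = [(detection_object, detection_time)]
    while work:
        obj, t_max = work.pop()
        # Everything at or before an already-explored bound has been covered.
        if explored_until.get(obj, -1) >= t_max:
            continue
        explored_until[obj] = t_max
        for t, src, act in by_target[obj]:
            # Only events that happened before the object mattered can be causes.
            if t > t_max or src in ignore:
                continue
            edges.add((t, src, obj, act))
            work.append((src, t))  # the source matters only up to this event
    return sorted(edges)


def render(edges):
    """Format edges as one timeline line each, earliest first."""
    return [f"t={t}: {src} --{act}--> {dst}" for t, src, dst, act in edges]


if __name__ == "__main__":
    chain = backtrack(SAMPLE_EVENTS, "file:/etc/passwd", 9, ignore={"file:/bin/sh"})
    print("\n".join(render(chain)))
```

On the sample log the walk reaches back from the modified `/etc/passwd` through `sh[305]` and `httpd[201]` to the listening socket, while the cron activity and the later `wget` child (an effect of the intrusion, not a cause of the detection point) never appear; a later detection time would pull more of the log in, which is why the cut-off is part of the detection point rather than a fixed window.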

13 S-TLA+
- A formal logic-based language for computer forensics investigations
- Describes evidence, helps construct and test hypotheses for hacking scenarios
- S-TLAC: automated formal verification tool
- Doesn't seem to really be useful at all

14 References
- "Recovering and Examining Computer Forensic Evidence." Noblett et al. Forensic Science Communications, October 2000. http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm (Cited by 13).
- "Backtracking Intrusions." King & Chen. ACM Transactions on Computer Systems, February 2005. (Cited by 29).
- "A Formal Logic-based Language and an Automated Verification Tool For Computer Forensic Investigation." Rehkis & Boudriga. 2005 ACM Symposium on Applied Computing.

