
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.


1 Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki


3 Forensics
Forensics – what is it? Main concerns:
– Investigating and analyzing computer systems used in violation of laws
– Investigating computer systems for compliance with company policies
– Investigating computer systems that have been attacked (part of incident response)

4 Forensics and Laws
Forensics deals with legal concerns more than most other IT-related duties. Evidence must be collected if you want to take legal action. Computer and network evidence is troublesome because it is hard to “sense” and hard to prove. In fact it is generally considered “hearsay” evidence.

5 Random Thought
Unlike many other areas of security, which can mix and match, forensics should always be done by a dedicated forensics person. Forensics is a structured PROCESS for data and evidence collection and should always be done by someone who specifically focuses on these processes and procedures.

6 Standards for Evidence
For evidence to be considered credible it generally must be:
– Sufficient – convincing on its own
– Competent – legally allowed and “reliable”
– Relevant – must be material to the case and have bearing on the matter in question
(more)

7 Types of Evidence
Some evidence is “stronger” than others. There are a few types of evidence:
– Direct Evidence – supports the truth of an assertion; for example, a witness who testifies they were present and saw a hacker break into something.
– Circumstantial Evidence – indirectly proves a fact; may back up another fact that is used to prove something.
– Real Evidence – tangible evidence that proves or disproves a fact (e.g. fingerprints).
(more)

8 Types of Evidence
– Documentary Evidence – printouts, manuals, records, etc. Most computer evidence is of this type.
– Demonstrative Evidence – a model or display used to aid the jury in understanding that an event occurred.

9 3 rules of evidence
1. Best Evidence rule – courts prefer the original evidence rather than copies.
2. Exclusionary rule – evidence illegally seized cannot be used. If evidence is collected in violation of the Electronic Communications Privacy Act it will be excluded… that means a company MUST have a policy, and employees must understand that they are being monitored, if the company wants to use computer evidence against them.
3. Hearsay – hearsay is second-hand evidence, not gathered from the personal knowledge of a witness. Computer-generated evidence is hearsay evidence.

10 Evidence Collection
Evidence should be collected in a way that is reliable and doesn’t compromise the evidence itself! Sometimes when you notice a break-in you have to weigh the cost of “stopping” the activity (turning off the server) against keeping it running. Why? Anybody? (more)

11 Evidence Collection
Steps in collecting evidence on a machine:
1. Dump system memory
2. Power down the system
3. Make a bit-level image of the machine, using a stand-alone machine (not the machine in question)
4. Analyze the image
(more)

12 Evidence Collection
When imaging a hard drive you should make at least 3 copies:
– The original drive AND one copy of the original should be stored away
– The 2nd copy should be used for file authentication
– The 3rd should be the drive you analyze
You should never use the tools on the computer in question; you should use a clean “forensics station” to analyze the hard drives. (why?)
You should always record the checksums of all the files on the computer before analysis (do example). See related next slide (Tripwire). (more)

13 Tripwire screenshot

14 Evidence Collection
Evidence should be marked when collected:
– Investigator, case number, date, time, location, description
A log book of evidence should be maintained.
There should be a witness to verify evidence collection.

15 Evidence Protection
You must protect the evidence physically from damage and tampering:
– Protect from heat/cold
– Vibration
– Magnetic fields
– If a device can receive electronic signals, shield the device

16 Transporting evidence
Log all times someone removes evidence. Be careful when transporting.

17 Storing Evidence
Store evidence in a locked-away and monitored/guarded area.

18 Chain of Custody
Once collected you must protect evidence from tampering. Chain of custody shows who obtained evidence, where it was stored, and who had access to it.
– Record each item
– Record who collected it, where, and when
– Description of evidence
– Tagged and sealed
– Obtain a signature from anyone accepting evidence
– Provide signatures and seals whenever evidence is opened
– Provide controls against tampering while in storage

19 Conducting the investigation
– Have a formal procedure beforehand!
– Have a professional do the analysis
– Take pictures beforehand
– Use a forensics station or a live CD for analysis (what is a live CD?)
– Image the hard drives multiple times with a bit-level method; work only on a copy
– Label the hard drive and store it in an anti-static bag
– Before doing any analysis, take a checksum of all files and store that info. (why?)
– Keep a log of what you did and why; be able to explain and justify any actions taken.
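Slides 12 and 19 both call for recording checksums of every file before analysis and checking them afterwards. The following is an added example, not from the presentation and not Tripwire's code, that builds a SHA-256 manifest of an evidence tree and then reports what was modified, deleted or added since the manifest was taken; the function names and the small sample tree are assumptions constructed here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical helper names; not part of the Security+ text or of any forensic tool.
CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large evidence files never fill memory


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256.
    This is the 'before analysis' record the slides ask for."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the tree and report what differs from the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed sample: record a small tree, tamper with it, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed log line 1\n")
        (root / "notes.txt").write_text("constructed note\n")
        manifest = build_manifest(root)                 # record before analysis
        (root / "notes.txt").write_text("edited\n")     # simulated modification
        (root / "logs" / "auth.log").unlink()           # simulated deletion
        (root / "extra.bin").write_bytes(b"\x00\x01")   # simulated addition
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In a real case the manifest itself is stored on the forensics station (or signed) so that an altered evidence copy cannot be paired with a matching altered manifest.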

20 File Deletion Terms
When a user deletes a file, it is not actually removed (unless using a highly secure OS). Some important terms relating to this are:
– Free space – the space a file takes up that is still available after deletion (before something else uses it)
– Slack space – when file space is allocated, it is done in fixed-size blocks. A file will not actually use all of this space. The unused area of a file, even when in use, is called the slack space. Information may be hidden in this space. (see visualization) (more)

21 Slack Space Hackers can hide data in the slack space to avoid detection
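To make the slack-space definition concrete, here is an added example (not from the presentation) that computes the slack region of each file on a constructed 4-cluster image and flags any slack that still holds non-zero bytes, which is what an examiner would carve and inspect. The cluster size, the file layout and the helper names are assumptions made for this illustration.

```python
# Hypothetical helper names; the cluster layout below is constructed for illustration.
CLUSTER = 512  # bytes per allocation unit; real file systems use 512 bytes to 64 KiB or more


def slack_range(start_cluster: int, file_size: int, cluster: int = CLUSTER):
    """Byte offsets [begin, end) of the slack space of a file allocated from
    start_cluster with the given logical size, or None if it fills its clusters exactly."""
    if file_size == 0:
        return None
    clusters_used = -(-file_size // cluster)          # ceiling division
    end_of_data = start_cluster * cluster + file_size  # where the file's own bytes stop
    end_of_alloc = (start_cluster + clusters_used) * cluster
    return None if end_of_data == end_of_alloc else (end_of_data, end_of_alloc)


def nonblank_slack(image: bytes, allocations, cluster: int = CLUSTER):
    """For each (name, start_cluster, size) allocation, return the slack regions
    that contain non-zero bytes, i.e. residue worth examining."""
    findings = []
    for name, start, size in allocations:
        rng = slack_range(start, size, cluster)
        if rng is None:
            continue
        begin, end = rng
        residue = image[begin:end]
        if any(residue):  # any non-zero byte means the slack is not clean
            findings.append((name, begin, end, residue.rstrip(b"\x00")))
    return findings


def build_demo_image():
    """Constructed 4-cluster 'disk': file A (700 bytes) in clusters 0-1, file B
    (exactly 512 bytes) in cluster 2, and leftover text sitting in A's slack."""
    image = bytearray(4 * CLUSTER)
    image[0:700] = b"A" * 700
    image[CLUSTER * 2:CLUSTER * 3] = b"B" * CLUSTER
    hidden = b"residue from an earlier file"  # constructed residue, not a real artifact
    image[700:700 + len(hidden)] = hidden
    allocations = [("A.txt", 0, 700), ("B.txt", 2, 512)]
    return bytes(image), allocations


if __name__ == "__main__":
    img, allocs = build_demo_image()
    for name, begin, end, residue in nonblank_slack(img, allocs):
        print(f"{name}: slack bytes {begin}-{end} hold {residue!r}")
```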

22 Chapter 20 – Review Questions
Q. What is the concept of best evidence?
Q. When you want to do forensics on a computer, you should make a copy of the hard drive. What type of copy should you make?
Q. What is the MINIMUM number of copies you should make of the original hard drive?

23 Chapter 20 – Review Questions
Q. Put these steps of analysis in the correct order:
A. Analyze the drive
B. Power down the system
C. Dump memory
D. Image the hard drive
Q. Why do you run checksums/hashes on the original files before analysis?
Q. Why should someone witness you as you collect the evidence?
Q. What is the difference between “free space” and “slack space”?

