Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Published byDale Cox Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland."— Presentation transcript:

1 Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland

2 Background These lectures are designed to provide a basic awareness of data forensics. Understanding of terminology Awareness of the principles Understanding of the basic procedure Please be aware that I am not a practitioner.

3 Resources Notes from the Qinetiq Information Security Foundation Course (2002) ACPO Good Practice Guide for Computer-based Electronic Evidence http://www.acpo.police.uk/asp/policies/Data/gpg_co mputer_based_evidence_v3.pdf http://www.acpo.police.uk/asp/policies/Data/gpg_co mputer_based_evidence_v3.pdf Interpol Computer Crime Manual IOCE Guidelines http://www.ioce.org/fileadmin/user_upload/2002/ioc e_bp_exam_digit_tech.html http://www.ioce.org/fileadmin/user_upload/2002/ioc e_bp_exam_digit_tech.html

4 Goals To define computer forensics To understand its limitations To understand the principles that apply to computer-based evidence To understand the process –Top-level –Tools –Risks

5 Definition of Forensics I (quoted from Wikipedia) “Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action.”

6 Definition of Forensics II (quoted from Wikipedia) “The use of the term ‘forensics’ in place of ‘forensic science’ could be considered incorrect; the term ‘forensic’ is effectively a synonym for ‘legal’ or ‘related to courts’ (from Latin, it means ‘before the forum’). However, it is now so closely associated with the scientific field that many dictionaries include the meaning that equates the word ‘forensics’ with ‘forensic science’.”

7 Definition of Forensics III (quoted from Wikipedia) “‘Forensic’ comes from the Latin word ‘forensis’ meaning forum. During the time of the Romans, a criminal charge meant presenting the case before a group of public individuals. Both the person accused of the crime and the accuser would give speeches based on their side of the story. The individual with the best argumentation and delivery would determine the outcome of the case. Basically, the person with the best forensic skills would win.”

8 The Basic Principle “Evidence must not be damaged, destroyed or otherwise compromised by procedures used to investigate the computer, otherwise it may be rendered inadmissable.” (Qinetiq)

9 The Rules Maintain the integrity of the evidence. Do not work on the original evidence. Do not trust the computer system. Record all actions.

10 ACPO Principle 1 “No action should be taken by an analyst that should change data held on a computer or other media which may subsequently be relied upon in Court.”

11 ACPO Principle 2 “In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.”

12 ACPO Principle 3 “An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine these processes and achieve the same result.”

13 ACPO Principle 4 “The person in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

14 The Process Search and seizure Audit and continuity Imaging Production of evidence

15 Search and Seizure Evidence –IT systems, media, and documentation –A trained officer should be used to do this. Scene –Secure the scene physically and electronically –Disconnect external data communications –Decide whether to switch off or leave alone –On-site imaging and previewing –Other forensic activities

16 Audit Log book –Must be maintained –Must be secured –Must be taken to court Booking out –All property/exhibits must be booked out prior to analysis.

17 Audit Details Record –Details of exhibit numbers/bag seal numbers –Details of system/media –Damage found –Other property found –Photograph of system (optional) –Comparison of system date/time with actual date/time.

18 Evidence Control Be able to account for the whereabouts and condition of all exhibits/property –Property books –Receipts –Log books Note that the evidence may be sensitive.

19 Imaging Normally, imaging takes place by hosting the hard disc drives in an imaging system Must record the media details Imaging should be performed in a ‘safe’ OS environment, with the devices mounted read- only.

20 In Court Formal report Witness statement System image files Extracted evidence Forensic tool reports

Download ppt "Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland."

Similar presentations

Psychology of Homicide Unit III Lecture

Psychology of Homicide Unit III Lecture
Chapter 13: Chapter 13 Packet #1.

Chapter 13: Chapter 13 Packet #1.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Discussion on SA-500 – AUDIT EVIDENCE

Discussion on SA-500 – AUDIT EVIDENCE
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
Q UINCY COLLEGE Paralegal Studies Program Paralegal Studies Program Interviewing & Investigation LAW-123 Introduction to Interviewing and Investigating.

Q UINCY COLLEGE Paralegal Studies Program Paralegal Studies Program Interviewing & Investigation LAW-123 Introduction to Interviewing and Investigating.
Last Topic - The Ombudsman Federal Ombudsman Provincial Ombudsman Banking Ombudsman Federal Insurance Ombudsman and Federal Tax Ombudsman Federal Ombudsperson.

Last Topic - The Ombudsman Federal Ombudsman Provincial Ombudsman Banking Ombudsman Federal Insurance Ombudsman and Federal Tax Ombudsman Federal Ombudsperson.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Legal Issues Computer Forensics COEN 252 Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.

Legal Issues Computer Forensics COEN 252 Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
1 E-Discovery Changes to Federal Rules of Civil Procedure Concerning Discovery of Electronically Stored Information (ESI) Effective Date: 12/01/2006 October,

1 E-Discovery Changes to Federal Rules of Civil Procedure Concerning Discovery of Electronically Stored Information (ESI) Effective Date: 12/01/2006 October,
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J. 2009 w/ T. Scocca.

COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J w/ T. Scocca.
COEN 152 Computer Forensics Introduction to Computer Forensics.

COEN 152 Computer Forensics Introduction to Computer Forensics.

Similar presentations

Ads by Google