
1 Computer Forensics
Michael Watson, Director of Security Incident Management
NSAA Conference, 10/2/09
www.vita.virginia.gov


2 Overview
Purpose behind computer forensics
Challenges faced within the field
Basic information about how to conduct an investigation and the tools used
Quick tips for performing Windows forensic investigations

3 Purpose
Collection of evidence in a manner that can be relied upon
– Law enforcement will likely duplicate it, but they will use it if they have to
To remove doubt that the evidence has been tampered with or altered in any way
Find evidence that a system, and ultimately the system's user, were involved in the action under investigation

4 Computer Forensics
Principles for dealing with digital evidence
– Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
– Persons conducting an examination of digital evidence should be trained for that purpose.
– Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Source: Forensic Examination of Digital Evidence: A Guide for Law Enforcement

5 Evidence Challenges
Physically collecting the evidence
– How do you prevent being accused of tampering?
Taking actions that do not modify any evidence
– Specialized tools for collecting digital evidence
Making sure a device's state does not change while in possession
– Cell phones and remote signals
Preserving evidence
– Systems can't be shut off without losing volatile data

6 Legal Challenges
Different laws throughout different states
Wiretap laws
Federal vs. state
Important laws to note
– Fourth Amendment – unreasonable search and seizure
– Fifth Amendment – protection against self-incrimination
– Wiretap Act (18 U.S.C. 2510-22)
– Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)
– Stored Wire and Electronic Communications Act (18 U.S.C. 2701-12)

7 Organization Challenges
No expectation of privacy
– Requires detailed policies
– Periodic renewal of consent to policies
Personal equipment use
Teleworking
Data management

8 Performing a Forensic Investigation
Persistent Data – data that is preserved when the system does not have power
– Typically data stored on a drive (hard drive, USB drive, floppy drive)
Volatile Data – transient data that is lost when power is no longer available
– Volatile data may exist in memory after the computer powers down in certain situations

9 Forensic Tools
Data collection tools
– EnCase
– Forensic Toolkit (FTK)
– Write blockers
– Disk imagers
Network analysis tools
– Wireshark, tcpdump
Distributions
– Knoppix, Helix

10 Collecting Evidence
Take pictures
Have a witness
– Preferably a non-technical witness
Establish chain of custody
Secure evidence storage
Log evidence access
Create a forensic image of the system
– Create a working copy of the image
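An added illustration of the last three bullets, not taken from the slides: the sealed image is hashed, a working copy is only accepted for analysis if it still hashes identically, and each action is written as a chain-of-custody record. The image bytes, item id and names are constructed stand-ins.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; taken when the image is sealed and again on every access."""
    return hashlib.sha256(data).hexdigest()


def verify_working_copy(original_digest: str, working_copy: bytes) -> bool:
    """Analysis runs on the working copy only, and only if it still hashes like the sealed original."""
    return sha256_hex(working_copy) == original_digest


def custody_entry(item_id: str, action: str, person: str, witness: str, digest: str) -> str:
    """One chain-of-custody record: who did what to which item, when, in front of whom, and the hash."""
    return json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "item": item_id, "action": action, "by": person, "witness": witness, "sha256": digest,
    })


# Constructed stand-in for a disk image; a real one is the imager's output file read in binary mode
ORIGINAL_IMAGE = b"\x33\xc0\x8e\xd0" + bytes(range(256)) * 4
WORKING_COPY = bytes(ORIGINAL_IMAGE)             # faithful copy
ALTERED_COPY = ORIGINAL_IMAGE[:-1] + b"\x00"     # one byte changed: must be rejected

if __name__ == "__main__":
    sealed = sha256_hex(ORIGINAL_IMAGE)
    print(custody_entry("ITEM-001", "imaged", "examiner (constructed)", "witness (constructed)", sealed))
    print("working copy usable:", verify_working_copy(sealed, WORKING_COPY))   # True
    print("altered copy usable:", verify_working_copy(sealed, ALTERED_COPY))   # False
```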

11 Analyzing a Windows System
Thumbnails
Windows Registry
– Application and system information storage
AppData
– Persistent application data stored here
Indexing
Wireless Interface Connections
– C:\Users\All Users\Microsoft\Wlansvc\Profiles\Interfaces

12 Interesting Registry Locations
RunMRU
– The commands entered into the Run dialog box. The MRUList shows the order of execution
OpenMRU/LastVisitedMRU – post WinXP only
– Opens and saves from the OS dialog box
HKLM\SYSTEM\ \Enum
– Subkey 1394 for FireWire devices
– Subkey USB for Universal Serial Bus devices
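An added example, not from the slides, of how MRUList gives the execution order of RunMRU: it parses a constructed .reg export of the key and returns the Run-dialog commands most recent first. The key path and the trailing \1 marker on each value are as Windows writes them; the command strings are constructed.

```python
import re

# Matches one REG_SZ line of a .reg export: "name"="value"
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed .reg export of a RunMRU key (letters a..c hold commands, MRUList holds the order)
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="\\\\fileserver\\share\\1"
"c"="regedit\\1"
"MRUList"="cab"
'''


def parse_reg_values(text: str) -> dict:
    """Parse the REG_SZ lines of a .reg export into {name: value}, undoing the \\ and \" escapes."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["value"])
    return values


def runmru_order(values: dict) -> list:
    """Run-dialog commands most recent first, in the order MRUList dictates."""
    ordered = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is None:
            continue          # letter listed but value gone: the key was partially cleaned
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]    # strip the "\1" marker Windows appends to each RunMRU entry
        ordered.append(cmd)
    return ordered


if __name__ == "__main__":
    for i, cmd in enumerate(runmru_order(parse_reg_values(SAMPLE_REG)), 1):
        print(f"{i}. {cmd}")   # 1. regedit  2. cmd  3. \\fileserver\share
```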

13 Devices Connected to the System
How do I find when a device was FIRST connected to a computer?
– Examine setupapi.log
  %windir%\setupapi.log in XP and 2003 Server
  %windir%\inf\setupapi.dev.log in Vista
List of USB Vendor IDs and associated Product IDs
– http://www.linux-usb.org/usb.ids
  This list may be somewhat out of date
Devices typically have their own serial number
– Windows Generated Serial Number
  Windows generated serial numbers have ampersands as the 2nd, 10th, and 12th characters in a serial number
  X&XXXXXXX&X&P
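An added example, not from the slides, that ties the last two bullets together: it resolves the VID/PID of a USB device instance path against a constructed excerpt in usb.ids layout and decides whether the serial part is device-supplied or Windows-generated. The strict check is the X&XXXXXXX&X&P shape from the slide; the default check, which goes slightly beyond the slide, only requires "&" as the second character, which is what Windows inserts whenever a device reports no serial. The instance paths and id table are constructed.

```python
import re

# Constructed excerpt in usb.ids layout (vendor line: "VVVV  name"; product line: "\tPPPP  name").
# The real list is at http://www.linux-usb.org/usb.ids; its class/interface sections are not handled here.
USB_IDS_SAMPLE = """\
# constructed excerpt
046d  Logitech, Inc.
\tc52b  Unifying Receiver
0781  SanDisk Corp.
\t5567  Cruzer Blade
"""

INSTANCE_ID = re.compile(r"USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>.+)$")


def parse_usb_ids(text: str) -> dict:
    """(vid, pid) -> (vendor, product); (vid, None) -> (vendor, None) for the vendor line itself."""
    table, vid, vendor = {}, None, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("\t"):
            pid, product = line.strip().split("  ", 1)
            table[(vid, pid.lower())] = (vendor, product)
        else:
            vid, vendor = line.split("  ", 1)
            vid = vid.lower()
            table[(vid, None)] = (vendor, None)
    return table


def is_windows_generated(serial: str, strict: bool = False) -> bool:
    """strict: '&' at the 2nd, 10th and 12th characters (slide rule); default: '&' as 2nd character."""
    if strict:
        return len(serial) >= 12 and all(serial[i] == "&" for i in (1, 9, 11))
    return len(serial) > 1 and serial[1] == "&"


def describe_device(instance_id: str, table: dict):
    """Resolve a USB\\VID_xxxx&PID_xxxx\\serial instance path; None if it is not a USB instance path."""
    m = INSTANCE_ID.match(instance_id)
    if not m:
        return None
    vid, pid, serial = m["vid"].lower(), m["pid"].lower(), m["serial"]
    vendor, product = table.get((vid, pid), (table.get((vid, None), (None, None))[0], None))
    return {"vid": vid, "pid": pid, "vendor": vendor, "product": product, "serial": serial,
            "serial_source": "windows" if is_windows_generated(serial) else "device"}
```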

14 Internet Explorer Data
Data Recorded by Internet Explorer
– IE 6 – complete history retained even with clear history
– IE 7 – most history removed with delete all option
– IE 8 – InPrivate browsing can prevent data from being recorded
Temporary Internet Files
Index.dat
– Contains all sites visited

15 Windows Gotchas
Defragment
– Will overwrite slack disk areas
– Touches every file
– Scheduled for 3AM every Wednesday by default
Last access time – Vista only
– Turned off by default
Self-healing file systems
– Will replace Windows files that look to be damaged or that don't have the correct metadata
BitLocker
– Whole disk encryption can impede forensic imaging

16 Review
Purpose behind computer forensics
Challenges faced within the field
Basic information about how to conduct an investigation and the tools used
Quick tips for performing Windows forensic investigations

17 Questions
For more information please contact me at: Michael.Watson@VITA.Virginia.GOV
Thank You!
