
Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.


1 Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified

2 Overview
- Definition of Computer Forensics
- Computer Forensics & IT Auditing
- Why We Need Computer Forensics
- The Process (Do's & Don'ts)
- Identification
- Collection of Evidence
- Required Documentation
- Imaging
- Examination
- Report Preparation
- Returning of Evidence

3 Definition of Computer Forensics
Computer forensics involves the:
- Identification
- Collection
- Preservation
- Examination, and
- Analysis of digital information
Digital information becomes digital evidence.

4 What is Digital Evidence?
Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

5 Computer Forensic Examination
The computer forensic examination is:
- Locating digital evidence
- Ensuring the evidence can withstand close scrutiny or a legal challenge.

6 Computer Forensics & IT Audit
- Incorporate computer forensic services
- Cases are requiring computer forensics
- IT Auditors have:
  - authority
  - technical know-how

7 Reasons for Computer Forensic Services
- Inappropriate Use of State Systems
- Determining a Security Breach
- Detection of Disloyal Employees
- Evidence for Disputed Dismissals
- Malicious File Identification
- Theft of Information Assets
- Forgeries of Documents

8 The Process
- Identification
- Collection of Evidence
- Required Documentation
- Imaging
- Examination
- Report Preparation
- Returning of Evidence

9 Identification
IT AUDITOR'S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.
CLIENT'S ROLE (ex. State University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

10 Collection of Evidence
IT AUDITOR'S ROLE
- Help the client secure the computer to be examined
- Require and complete necessary forms
- Securely collect the computer from the client
CLIENT'S ROLE
- Ensure that the computer to be examined remains secure until collected
- Notify appropriate personnel
- Complete the Chain of Custody form

11 Collection of Evidence – Do's & Don'ts
Do not disturb the computer in question.

12 Collection of Evidence – Do's & Don'ts (cont)
If the computer is off, leave it off.

13 Collection of Evidence – Do's & Don'ts (cont)
If the computer is on, leave it on.

14 Collection of Evidence – Do's & Don'ts (cont)
Do not run any programs on the computer.

15 Collection of Evidence – Do's & Don'ts (cont)
Do not make any changes.

16 Collection of Evidence – Do's & Don'ts (cont)
Do not insert anything into the computer.

17 Collection of Evidence – Do's & Don'ts (cont)
Secure the computer.

18 Required Documentation
- Computer Forensic Request Form
- Chain of Custody Form
- Signatures
- Disclosures and Disclaimers

19 Required Documentation

20 IT Auditor's Role
- Assign a case number
- Assign a team
- Date & time when the device was secured
Client's Role
- Document date & time of request
- Name of requestor
- Date & time the client secured the device
- Agency name
- Name of the head of the agency

21 Required Documentation
IT Auditor's Role
- Document hard drive serial numbers
Client's Role
- Document the computer's:
  - MAC address
  - Static IP address
  - Serial number
  - Make & model
- Reason for request
- Desired objectives

22 Approval From OSA ISA Director & Legal Counsel
We also obtain approval from both the ISA director and legal counsel before commencing Computer Forensic services. This approval will be documented on the requisition forms and filed with the case evidence as well.

23 Required Documentation
IT Auditor's Role
- Sign and date the form
- Obtain Director and Legal Counsel approval
Client's Role
- Sign and date the form
- Obtain Agency Head approval

24 Additional Chain of Custody Form
The Chain of Custody form is continued on the reverse side of the Computer Forensic Request Form. Its columns are:
- Device
- Serial #
- FAS
- Make
- Model
- Signature / Print Name
- Reason
- Date / Time
- Relinquished By / Received By
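The point of the form above is that every hand-over of the drive is recorded and that the chain has no gaps: whoever relinquishes the item must be the person the previous row recorded as receiving it. The following is an added example (not the presentation's own form or code) of a chain-of-custody record with that continuity check; the field names follow the form's columns, and the names, serial number and dates in the sample entries are constructed.

```python
"""Chain-of-custody record with a continuity check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class CustodyEntry:
    device: str           # e.g. "Desktop HDD"
    serial: str           # hard drive serial number (must match across the whole chain)
    make: str
    model: str
    reason: str           # why custody changed: collected, imaging, returned, ...
    when: datetime        # date & time of the hand-over
    relinquished_by: str  # printed name of the person handing the item over
    received_by: str      # printed name of the person taking it


def validate_chain(entries: List[CustodyEntry]) -> List[str]:
    """Return a list of problems; an empty list means the chain is continuous."""
    problems = []
    if not entries:
        return ["chain is empty"]
    for i, e in enumerate(entries):
        if not e.relinquished_by.strip() or not e.received_by.strip():
            problems.append(f"entry {i}: missing a signature")
        if e.serial != entries[0].serial:
            problems.append(f"entry {i}: serial {e.serial!r} differs from {entries[0].serial!r}")
        if i == 0:
            continue
        prev = entries[i - 1]
        # The person handing the item over must be the last recorded holder.
        if e.relinquished_by != prev.received_by:
            problems.append(
                f"entry {i}: relinquished by {e.relinquished_by!r} but the "
                f"last recorded holder was {prev.received_by!r}"
            )
        if e.when < prev.when:
            problems.append(f"entry {i}: dated before entry {i - 1}")
    return problems


def current_holder(entries: List[CustodyEntry]) -> Optional[str]:
    """Who holds the item according to the last row of the form."""
    return entries[-1].received_by if entries else None


def _entry(reason: str, when: datetime, giver: str, receiver: str) -> CustodyEntry:
    # Constructed sample device; serial, make and model are placeholders.
    return CustodyEntry("Desktop HDD", "WD-WCAV12345", "Western Digital",
                        "WD5000AAKS", reason, when, giver, receiver)


# Constructed sample chain: agency -> auditor -> examiner -> back to agency.
SAMPLE_CHAIN = [
    _entry("Collected from secure office", datetime(2008, 4, 1, 9, 30), "J. Client (agency)", "L. Auditor"),
    _entry("Transfer for imaging", datetime(2008, 4, 1, 14, 0), "L. Auditor", "M. Examiner"),
    _entry("Returned after examination", datetime(2008, 4, 10, 11, 15), "M. Examiner", "J. Client (agency)"),
]

# The same chain with the middle hand-over never written down: the examiner
# "receives" the drive from someone the form does not show as holding it.
BROKEN_CHAIN = [SAMPLE_CHAIN[0], SAMPLE_CHAIN[2]]

if __name__ == "__main__":
    print("sample chain problems:", validate_chain(SAMPLE_CHAIN))
    print("broken chain problems:", validate_chain(BROKEN_CHAIN))
    print("current holder:", current_holder(SAMPLE_CHAIN))
```

A gap found by `validate_chain` is exactly the kind of thing opposing counsel looks for, so the check is worth running before the report is issued, not after.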

25 Why Are These Documents Necessary?
- Collect important information
- Legal aspects
- Get out of jail free card

26 Imaging
IT AUDITOR'S ROLE
- Determine where to perform the image:
  - Onsite
  - In the lab
CLIENT'S ROLE
- Escort our staff to physically collect the computer from the computer's secure location.

27 Hardware Imaging

28 Imaging
Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

29 Scan Hardcopies
We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.

30 Tag Evidence
We manually tag all evidence items with an assigned case number using the following naming convention:
Case Number and Hard Drive Serial Number (ex., 01-2008-04-Agency Name – HDD Serial#)

31 Connect Suspect Drive to Write Blocker

32 Connect Write Blocker to the suspect's hard drive

33 Imaging Regular Hard Drive
To image a regular-sized hard drive, implement the following procedures:
- Request the client to purchase a storage device.
  - Reduces cost
  - Ensures enough space is available to process the evidence.
  - Easy transfer of images to the client

34 Storage Device

35 Organize Evidence Information
Create the following folders on the destination drive for every case:
Case Name-Evidence Item Number (folder)
  1. Evidence (sub-folder)
     1. HDD1 (sub-folder)
     2. HDD2 (sub-folder)
  2. Export (sub-folder)
  3. Temp (sub-folder)
  4. Index (sub-folder)
  5. Drive Geometry (sub-folder)
  6. Report (sub-folder)
  7. Case Back-up (sub-folder)
Place all images produced in the Evidence folder.
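Slide 30's tag convention and slide 35's folder layout are the two pieces of per-case bookkeeping that make an image identifiable later. The script below is an added example, not the presentation's own tooling: it builds the tag, creates the folder tree, and then goes one step beyond the slides by hashing the image when it is placed in the Evidence folder and writing a manifest so the copy can be re-verified. Assumptions made here: the case number is three digit groups like 01-2008-04, the tag separator is a plain " - " rather than the slide's en dash, and the manifest file name and SHA-256 choice are mine; the agency, serial number and image content are constructed.

```python
"""Case folder layout, evidence tag and image hash manifest (added example)."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Folder tree from slide 35: "<Case Name>-<Evidence Item Number>" with these sub-folders.
CASE_LAYOUT = {
    "Evidence": ["HDD1", "HDD2"],
    "Export": [], "Temp": [], "Index": [],
    "Drive Geometry": [], "Report": [], "Case Back-up": [],
}

# Slide 30 convention: "<case number>-<agency name> - <HDD serial>".
# Assumed case-number shape: two digits, four digits, two digits.
TAG_RE = re.compile(r"^(?P<case>\d{2}-\d{4}-\d{2})-(?P<agency>.+) - (?P<serial>\S+)$")


def evidence_tag(case_number: str, agency: str, hdd_serial: str) -> str:
    tag = f"{case_number}-{agency} - {hdd_serial}"
    if not TAG_RE.match(tag):
        raise ValueError(f"tag does not follow the naming convention: {tag!r}")
    return tag


def parse_evidence_tag(tag: str) -> dict:
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a valid evidence tag: {tag!r}")
    return m.groupdict()


def create_case_folders(root: Path, case_name: str, item_number: int) -> Path:
    case_dir = root / f"{case_name}-{item_number}"
    for folder, subfolders in CASE_LAYOUT.items():
        (case_dir / folder).mkdir(parents=True, exist_ok=True)
        for sub in subfolders:
            (case_dir / folder / sub).mkdir(exist_ok=True)
    return case_dir


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def store_image(case_dir: Path, image_path: Path, tag: str, drive_folder: str = "HDD1") -> str:
    """Copy an image into Evidence/<drive_folder>, verify the copy against the
    source hash and append a manifest line; returns the SHA-256 hex digest."""
    dest_dir = case_dir / "Evidence" / drive_folder
    dest = dest_dir / image_path.name
    source_hash = sha256_of(image_path)
    shutil.copy2(image_path, dest)
    if sha256_of(dest) != source_hash:      # a damaged copy must never be kept as evidence
        dest.unlink()
        raise IOError("copy does not match source hash; image not stored")
    with open(dest_dir / "manifest.txt", "a", encoding="utf-8") as m:
        m.write(f"{source_hash}  {dest.name}  {tag}\n")
    return source_hash


def verify_manifest(case_dir: Path, drive_folder: str = "HDD1") -> dict:
    """Re-hash every image listed in the manifest; maps file name -> still intact?"""
    manifest = case_dir / "Evidence" / drive_folder / "manifest.txt"
    results = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        digest, name, _tag = line.split("  ", 2)
        results[name] = sha256_of(manifest.parent / name) == digest
    return results


def demo() -> dict:
    """Run the whole workflow in a temporary directory on a constructed image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        raw = root / "acquired.dd"
        raw.write_bytes(b"\x00" * 512 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\x00" * 512)
        tag = evidence_tag("01-2008-04", "State University", "WD-WCAV12345")
        case_dir = create_case_folders(root, "State University", 1)
        digest = store_image(case_dir, raw, tag)
        return {
            "tag": tag,
            "folders": sorted(p.relative_to(case_dir).as_posix()
                              for p in case_dir.rglob("*") if p.is_dir()),
            "digest_matches": digest == hashlib.sha256(raw.read_bytes()).hexdigest(),
            "manifest_ok": verify_manifest(case_dir),
        }


if __name__ == "__main__":
    print(demo())
```

`verify_manifest` is the check to run when the drive comes back from the lab or before the report goes out: a mismatch means the copy in the Evidence folder is no longer the image that was acquired.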

36 Use FTK Imager
Create the image using FTK Imager. Through experience, we have found this to be one of the easiest and most portable tools for creating images. Also, this image can be used in both FTK and EnCase.

37 Image Physical Drive
Always image the physical drive.

38 Imaging a RAID Server (Redundant Array of Inexpensive Disks)
Have the systems administrator help you review the RAID information. You need to gather the following information:
- Stripe size
- Element order (disk order)
- Element size, and whether it is a RAID 1, 5, etc.
- Right hand, left hand, forward, back, or dynamic disk.

39 Imaging a RAID Server (cont)
RAID Reconstructor
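Why slide 38 insists on collecting stripe size, disk order and the parity layout before imaging a RAID set: the member drives are imaged individually, and the logical volume only reappears when those parameters are fed back in correctly. The code below is an added example of that reassembly step for RAID 0 and RAID 5; it is not the presentation's code and not the RAID Reconstructor tool it names. Assumptions: "stripe size" is taken to mean the per-disk chunk size, the layout names (left/right, symmetric/asymmetric) follow the common Linux md naming for the rotation the slide calls left hand/right hand and forward/back, and the member images are constructed in memory.

```python
"""RAID 0 / RAID 5 reassembly from individually imaged members (added example)."""
from functools import reduce
from typing import List, Tuple


def _xor(chunks: List[bytes]) -> bytes:
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)


def _raid5_layout(stripe: int, n: int, layout: str) -> Tuple[int, List[int]]:
    """(parity_disk, data_disk_order) for one stripe.
    left/right: parity starts on the last/first disk and rotates backward/forward.
    symmetric/asymmetric: data starts on the disk after parity (wrapping) /
    fills the remaining disks in ascending order."""
    rotation, fill = layout.split("-")
    if rotation == "left":
        parity = (n - 1 - stripe) % n
    elif rotation == "right":
        parity = stripe % n
    else:
        raise ValueError(f"unknown rotation in layout {layout!r}")
    if fill == "symmetric":
        order = [(parity + 1 + k) % n for k in range(n - 1)]
    elif fill == "asymmetric":
        order = [d for d in range(n) if d != parity]
    else:
        raise ValueError(f"unknown fill in layout {layout!r}")
    return parity, order


def raid0_reassemble(members: List[bytes], stripe_size: int) -> bytes:
    """Interleave chunks round-robin; `members` must already be in element order."""
    n_stripes = min(len(m) for m in members) // stripe_size
    out = bytearray()
    for s in range(n_stripes):
        for m in members:
            out += m[s * stripe_size:(s + 1) * stripe_size]
    return bytes(out)


def raid5_reassemble(members: List[bytes], stripe_size: int, layout: str = "left-symmetric") -> bytes:
    n = len(members)
    n_stripes = min(len(m) for m in members) // stripe_size
    out = bytearray()
    for s in range(n_stripes):
        chunks = [m[s * stripe_size:(s + 1) * stripe_size] for m in members]
        # In a healthy RAID 5 set the XOR of all members over a stripe is zero.
        if any(_xor(chunks)):
            raise ValueError(f"parity check failed in stripe {s}: a member image is damaged or missing")
        _, order = _raid5_layout(s, n, layout)
        for d in order:
            out += chunks[d]
    return bytes(out)


def raid5_build(volume: bytes, n: int, stripe_size: int, layout: str = "left-symmetric") -> List[bytes]:
    """Constructed fixture: split a logical volume into n member images with parity."""
    n_data = n - 1
    n_stripes = len(volume) // (stripe_size * n_data)
    members = [bytearray() for _ in range(n)]
    for s in range(n_stripes):
        parity, order = _raid5_layout(s, n, layout)
        data = [volume[(s * n_data + k) * stripe_size:(s * n_data + k + 1) * stripe_size]
                for k in range(n_data)]
        placed = {order[k]: data[k] for k in range(n_data)}
        placed[parity] = _xor(data)
        for d in range(n):
            members[d] += placed[d]
    return [bytes(m) for m in members]


def demo() -> dict:
    stripe = 16
    # Constructed volume: 18 labelled chunks = 6 stripes of 3 data disks (4-disk RAID 5).
    volume = b"".join(f"chunk{i:02d}".ljust(stripe, ".").encode() for i in range(18))
    members = raid5_build(volume, 4, stripe, "left-symmetric")
    damaged = [bytearray(m) for m in members]
    damaged[2][5] ^= 0xFF                      # one flipped byte in one member image
    try:
        raid5_reassemble([bytes(m) for m in damaged], stripe)
        parity_detected = False
    except ValueError:
        parity_detected = True
    return {
        "correct": raid5_reassemble(members, stripe, "left-symmetric") == volume,
        "wrong_layout": raid5_reassemble(members, stripe, "right-asymmetric") == volume,
        "wrong_order": raid5_reassemble(members[::-1], stripe, "left-symmetric") == volume,
        "parity_detected": parity_detected,
        "raid0_len": len(raid0_reassemble(members, stripe)),
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat the demo makes visible: the parity check passes for any disk order, layout or stripe size, because XOR parity is byte-wise. A wrong parameter set therefore produces a volume that looks consistent but is scrambled, and only a file system that mounts cleanly on the result confirms the parameters. That is the practical reason to get them from the administrator, as the slide says, rather than guessing.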

40 Examination/Analysis
- Remove the hard drive from the Write Block device.
- Reassemble the computer.
- Ensure evidence remains tagged.

41 Examination/Analysis (cont)
FTK

42 Examination/Analysis (cont)
FTK can take a few days to process your image. During this time, we return to our normal audit work.

43 Examination/Analysis (cont)
- Run keyword searches (keywords obtained from the client)
- Review corroborating evidence:
  - Emails
  - Surveillance video
  - DVDs & CDs

44 Examination/Analysis (cont)
EnCase

45 Examination/Analysis (cont)
Do not answer or provide additional information to agency personnel. Agency personnel can accidentally leak information.

46 Forensic Report
The IT Auditor will issue a report to appropriate personnel once the examination is completed.

47 If court action is anticipated, inform the Agency Head to preserve the original evidence if possible. If the original evidence cannot be preserved, the NC Court Rules of Evidence allow for the image to be admitted as evidence.

48 Questions?

