Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Published byHoward Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"— Presentation transcript:

1 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Computer Forensics Chapter 23

2 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionObjectives Identify the rules and types of evidence. Collect evidence. Preserve evidence. Maintain a viable chain of custody. Investigate a computer crime or policy violation.

3 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Key Terms Best evidence rule Competent evidence Demonstrative evidence Direct evidence Documentary evidence Evidence Exclusionary rule Forensics Free space Hearsay rule Real evidence Relevant evidence Slack space Sufficient evidence

4 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Computer Forensics The preservation, identification, documentation, and interpretation of computer data Reasons to perform computer forensics –Investigate systems as related to violation of laws –Ensure compliance with organization’s policies –Investigate systems victimized by remote attacks Be aware of legal implications and seek counsel when needed

5 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Incident Response Cycle Discover and report –Administer an incident response reporting process Confirm –Specialists review incident report and confirm occurrence Investigate –Response team investigates incident in detail Recover –Systems and applications returned to operational status Lessons learned –Action items to correct weaknesses and make improvements

6 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Incident Response Cycle (continued)

7 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionEvidence Documents, verbal statements, and material objects are admissible in a court of law. Computer evidence must be evaluated through a filter since the actual data cannot be seen. Concerns auditors who prefer to access the original data.

8 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Standards of Evidence Sufficient evidence –Must be convincing or measure up without question Competent evidence –Must be legally qualified and reliable Relevant evidence –Must be material to the case or have bearing on the matter at hand

9 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Types of Evidence Direct evidence –Knowledge is gained through direct observation. Real evidence –Tangible objects that prove or disprove a fact. Documentary evidence –Business records, printouts, manuals, etc. Demonstrative evidence –Models, charts, experiments used to aid a jury.

10 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Rules Pertaining to Evidence Best evidence rule –Original evidence preferred over duplicates Exclusionary rule –Must have been gained in accordance with all laws Hearsay rule –Second-hand evidence may not be allowed –Important as most computer-generated evidence is classified as second-hand

11 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Collecting Evidence Credibility of evidence relies on proper –Acquisition –Identification –Protection against tampering –Transportation –Storage

12 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Acquiring Evidence Data should be gathered as quickly as possible. –Attacker may attempt to cover their tracks. –Data may be tampered with or destroyed.

13 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Volatility of Data From most volatile to most persistent –CPU storage (registers/cache) –System storage (RAM) –Kernel tables –Fixed media –Removable media –Output/hardcopy

14 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Investigative Method Rigor

15 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Investigative Method Rigor (continued)

16 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Identifying Evidence Must be properly marked when collected –Be methodical. –Work in teams rather than individually. –Keep thorough logs during seizure and analysis. Characteristics of proper record keeping –Labels are difficult to remove and match log book. –Identifies the who, what, when, where, and why related to the collected evidence.

17 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Protecting Evidence Safeguard evidence from tampering and extremes in –Temperature –Humidity –Magnetic fields –Vibration

18 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Transporting Evidence Properly log in and out of controlled storage. Chain of custody must be maintained. Ensure evidence is properly packaged.

19 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Storing Evidence Evidence –Static-free bags –Foam packing material –Cardboard boxes Evidence room –Restricted access –Entry-logging capability –Camera monitoring

20 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Conducting the Investigation Never analyze the original target system. –Make multiple images of original to be used to analyze and authenticate the data. Keep thorough and precise notes of all actions. –Notes may become evidence in case. Control the environment of the investigation.

21 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chain of Custody Accounts for all persons who handled or had access to the data Answers the following evidence questions: –Who collected it? –When and from where was it collected? –Where and how it was stored? –Who had control or possession of it?

22 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Steps in Chain of Custody 1.Record each item collected as evidence. 2.Write a description of it in the documentation. 3.Store evidence in labeled containers. 4.Record all hash values in the documentation. 5.Securely transport evidence to storage facility. 6.Obtain signature of the person who accepts it. 7.Provide controls to prevent access to it. 8.Securely transport evidence to court.

23 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Free Space Memory cluster marked as usable by the OS –May contain fragment of previously deleted file –Is allocated when OS overwrites with new data

24 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Slack Space Unused space within a cluster –Attacker may hide malicious code or tools within it. –May contain data from previous files not overwritten by new files.

25 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Message Digest and Hash Applies a mathematical operation to data. –Creates a unique number (hash) based on the data. Hash should be applied to each file and log. –Should be written to write-once media. –Provides ability to “bag and tag” evidence. –Proves whether data has been changed or not.

26 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third EditionAnalysis Check the Recycle Bin for deleted files. Check the web browser history files. Check the address bar history. Check the web browser cookie files. Check the Temporary Internet Files folders. Search slack and free space for suspect character strings.

27 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Remediation After an Attack 1.Place the system behind a firewall. 2.Reload the OS. 3.Run virus/malware scanners. 4.Install security software. 5.Remove unneeded services and applications. 6.Apply all patches. 7.Restore the system from backup.

28 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chapter Summary Identify the rules and types of evidence. Collect evidence. Preserve evidence. Maintain a viable chain of custody. Investigate a computer crime or policy violation.

Download ppt "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"

Similar presentations

Configuration management

Configuration management
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.

Computer Forensics.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
We’ve got what it takes to take what you got! NETWORK FORENSICS.

We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Legal Issues Computer Forensics COEN 252 Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.

Legal Issues Computer Forensics COEN 252 Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.
Identifying & Collecting Physical Evidence

Identifying & Collecting Physical Evidence
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
9-1. 9-2 09 Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,

Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Chapter 14: Computer and Network Forensics

Chapter 14: Computer and Network Forensics
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.

Similar presentations

Ads by Google