CIT 180 Security Fundamentals Computer Forensics

Outline Introduction Rules and types of evidence Collection of evidence Preservation of evidence Viable chain of custody Steps in ivestigating computer crime or policy violation

Introduction Forensics is the application of scientic knowledge to solving legal problems. Involves preservation, identification, documentation, and interpretation of computer data Can be performed in three steps: investigating and analyzing computer systems as related to violation of laws investigating and analyzing computer systems for compliance with an organization's policies investigating computer systems that have been remotely attacked

Evidence The documents, verbal statements, and material objects admissible in a court of law Critical to convincing management, juries, judges, or other authorities that a violation occured Submission of computer evidence challenging because people involved may not be technically savvy Additional challenge due to computer data being in bits not readilly readable form Good auditing techniques are encouraged

Types of evidence Direct evidence: oral testimony that proves a specif fact. Example is eyewitness account Real evidence: also known as associative or physical evidence, includes physical objects tha prove or disprove a fact Documentary evidence: business records, printouts, manuals, etc Demonstrative evidence: aids the jury and can be in the form of a model, experiment, chart, etc, offered to illustrate that an event occured or did not occur

Three rules regarding evidence Best evidence rule: use original evidence rather than a copy to ensure no alteration occured Exclusionary rule: any evidence collected through illegal search and seizure or in violation privacy laws is not admissible. Wiretapping an employee's communication should be consented to by the employee. Heresy rule: computer-generated evidence is considered heresy or second-hand evidence in that it is not gathered from the personal knowledge of the witness

Collecting evidence – aquiring evidence Collect as much information before whoever is committing the crime starts hiding information secure diskettes, CDs, memory cards, USB drives, tapes, etc Use judgement whether to turn-off computer or not. Pro: preserve the state of the computer Con: may lose memory data and corrupt files

Collecting evidence – identifying evidence Mark evidence correctly as it is being collected. Keep a log book identifying each piece of evidence Some facts to record include who discovered the evidence, case number, date, time, location of discovery, reason for collecting evidence There is need for a second person to be present when collecting evidence

Acquiring evidence – other considerations protect the collected evidence any evidence that need to be transported in or out of storage locations should be recorded and ensure no tampering occurs in transit store evidence in a low traffic evidence room

Acquiring evidence – conducting the investigation Analyze a copy of the system not the original May use Live CD to boot the system to recreate a malicious event Following image backup process is a good example: remove one component at a time to avoid corruption remove hard disk and label it identify disk type (IDE, SCSI) and write the capacity, cylinders, heads, tracks make three or four copies of the disk check disk image to ensure there are no errors generate a message digest of the disk inventory all files and document system date and time

Chain of custody The following are critical steps in chain of custody: Record each item collected as evidence Record who collected the evidence with date and time Write a description of the evidence Put the evidence in containers and tag the containers with case numbers Record all message digests Securely transport the evidence to a protected facility Obtain signatures from person accepting the evidence Provide controls to prevent access and compromise Securely transport to court shouln need arise

Free space versus Slack space When a file on storage medium is deleted, the physical data is not deleted rather a pointer to the location where the data is located is removed from the file allocation table Free space refers to the cluster on disk that holds data that has no pointer in the file allocation table. Looking at free space might reveal some useful data a user thought was deleted. Slack space is space that is taken up due to the block size allocation of data but not used for actual data. For example when writing oen character the operating system allocates a block of 512 bytes. Therefore, 511 bytes are unused and are slack space. Savvy users may hide malicious code in slack space

Message digest A value generated by a mathematical algorithm by applying a key to the data. The mathematical operation cannot be reversed meaning that it is not possible to get the data back from the message digest. Used for ensuring that data was not modified (Integrity). To check that data was not modified, input the data into the mathematical function using the same key and compare the output to the value that was obtained the first time the digest was generated. If they are the same data did not change otherwise it changed

Analysis Check recycle bin Check web browser history Check cookie files Check profiles Check Temporary Internet files Search files for suspect character strings Search free and slack space

Secure recovery You have the option of contracting a company that provides secure recovery sites Such a company provides either offices or via Internet services where restoration services can be conducted Data is important in either the physical or remote approach so ensure confidentiality and integrity

High availability and Fault Tolerance High availability means data and processing power are available despite a disrupting event. Fault tolerance means that there is uninterrupted access to data and services even in cases where a “fault” occurs. Mirroring ensures fault tolerance. Avoid a single point of failure by building duplication or redundancy in your system