Class Name, Instructor Name

Slides:



Advertisements
Similar presentations
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Advertisements

RAM Random access memory, or RAM for short, is active during the processing function. RAM is often referred to as “temporary memory.” RAM consists of electronic.
An Overview of the Computer System
Discovering Computers Fundamentals, Third Edition CGS 1000 Introduction to Computers and Technology Fall 2006.
Computer Systems – Hardware
Computer Basics Flashcards #2
Capturing Computer Evidence Extracting Information.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
17-1 PRENTICE HALL ©2008 Pearson Education, Inc. Upper Saddle River, NJ FORENSIC SCIENCE An Introduction By Richard Saferstein COMPUTER FORENSICS.
18-1 ©2011, 2008 Pearson Education, Inc. Upper Saddle River, NJ FORENSIC SCIENCE: An Introduction, 2 nd ed. By Richard Saferstein COMPUTER FORENSICS.
Bellringer Do you think students should study computers? Why or why not?
Essential Computer Concepts
Learning Targets Identify the external parts of the computer Identify examples of input devices Identify examples of output devices Define basic computer.
CPU (CENTRAL PROCESSING UNIT): processor chip (computer’s brain) found on the motherboard.
Computer Forensics An Intro to Computer Crime. Computer Forensics BTK  The BTK Killer ( B lind, T orture, K ill)  Dennis Rader - Feb 2005 Charged with.
17- PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein.
Computer Forensics Security Services. Copyright © Texas Education Agency All rights reserved. Images and other multimedia content used with permission.
Guide to Linux Installation and Administration, 2e1 Chapter 2 Planning Your System.
Components of a Computer Prepared by: Mrs. McCallum-Rodney.
Computer Architecture
Introduction to Computer Systems
Computer Basic Vocabulary
CJ386-Unit 7 Review A questioned document is any material that contains marks, symbols or signs conveying a meaning or message and whose source or authenticity.
Parts of the Computer System
Click once to reveal the definition. Think of the answer. Then click to see if you were correct. HARDWARE Physical parts of the computer.
General Computer Knowledge COE 201- Computer Proficiency.
CSC190 Introduction to Computing Operating Systems and Utility Programs.
Digital Forensics. Hardware components Motherboard Motherboard System bus System bus CPU CPU ROM ROM RAM RAM HDD HDD Input devices Input devices Output.
Hardware Introducing the Components of a Computer.
18-1 ©2011, 2008 Pearson Education, Inc. Upper Saddle River, NJ FORENSIC SCIENCE: An Introduction, 2 nd ed. By Richard Saferstein COMPUTER FORENSICS.
Parts of a Computer Created by Carmen Garzes. An electronic device that manipulates information or data. It can store, retrieve or process data. There.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Chapter 1 Looking Inside the Computer System.
18-1 PRENTICE HALL ©2008 Pearson Education, Inc. Upper Saddle River, NJ FORENSIC SCIENCE An Introduction By Richard Saferstein.
COMPUTER FORENSICS Intro video. 2 Digital Forensic Science The scientific examination and analysis of digital evidence in such a way that the information.
INTRODUCTION TO COMPUTERS. A computer system is an electronic device used to input data, process data, store data for later use and produce output in.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
Computer Forensics Security Services.
Chapter 2 content Basic organization of computer What is motherboard
Handwriting Analysis Computer, Mobile device Analysis
Introduction to Computing Systems
Computer and Internet Basics
ICT COMPUTER FUNDAMENTALS
Introduction to Computers Mrs. Gambucci
Introduction to Computers
OPERATING SYSTEM CONCEPT AND PRACTISE
Section 2.1 Section 2.2 Identify hardware
Technology Applications Mr. Moses
Chapter 18: Computer Forensics 1.
An Overview of the Computer System
Computer Hardware – System Unit
ICT COMPUTER FUNDAMENTALS
I/O Resource Management: Software
Basic Computer for Small Business
Basic Computer for Small Business
Types of Computers & Computer Hardware
Looking Inside the machine (Types of hardware, CPU, Memory)
Introduction to Computing Lecture # 1
An Overview of the Computer System
An Overview of the Computer System
(Discussion and WS – Analysis of Electronic Data)
Fundamentals of Information Systems
Computer Basics: Inside a Computer Part II
Computer components.
Thursday April 19, 2018 (Discussion – Storing and Retrieving Data, Processing the Electronic Crime Scene)
Chapter 4: Hardware for Educators
Chapter 17 COMPUTER FORENSICS.
Notes from Last Class Office Hours: GL Accounts?
Computer Applications Unit A
4. Computer system.
Computer components.
Presentation transcript:

Class Name, Instructor Name Chapter 18: Computer Forensics Class Name, Instructor Name Date, Semester 1

Introduction Computers have permeated society and are used in countless ways with innumerable applications. Similarly, the role of electronic data in investigative work has realized exponential growth in the last decade. The usage of computers and other electronic data storage devices leaves the footprints and data trails of their users.

Introduction Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data. In today’s world of technology, many devices are capable of storing data and could thus be grouped into the field of computer forensics.

Fig. 18-1

The Basics Before getting into the nuts and bolts of computers, the important distinction between hardware and software must be established. Hardware comprises the physical and tangible components of the computer. Software, conversely, is a set of instructions compiled into a program that performs a particular task. Software are those programs and applications that carry out a set of instructions on the hardware.

Terminology Computer Case/Chassis: This is the physical box holding the fixed internal computer components in place. Power Supply: PC’s power supply converts the power it gets from the wall outlet to a useable format for the computer and its components. Motherboard: The main circuit board contained within a computer (or other electronic devices) is referred to as the motherboard. System Bus: Contained on the motherboard, the system bus is a vast complex network of wires that serves to carry data from one hardware device to another.

Terminology Read-Only Terminology Memory (ROM): ROM chips store programs called firmware, used to start the boot process and configure a computer’s components. Random Access Memory (RAM): RAM serves to take the burden off of the computer’s processor and Hard Disk Drive (HDD). The computer, aware that it may need certain data at a moments notice, stores the data in RAM. RAM is referred to as volatile memory because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer.

Terminology Central Processing Unit (CPU): The CPU, also referred to as a processor, is essentially the brains of the computer. Input Devices: These devices are used to get data into the computer. For example: Keyboard Mouse Joystick Scanner

Terminology Output Devices: Equipment through which data is obtained from the computer. For example: Monitor Printer Speakers The Hard Disk Drive (HDD) is typically the primary location of data storage within the computer.

Terminology Different operating systems map out (partition) HDDs in different manners. Examiners must be familiar with the file system they are examining. Evidence exists in many different locations and in numerous forms on a HDD. The type of evidence can be grouped under two major sub-headings: visible and latent data.

How Data is Stored Generally speaking, a HDD needs to have its space defined before it is ready for use. Partitioning the HDD is the first step. When partitioned, HDDs are mapped (formatted) and have a defined layout. They are logically divided into sectors, clusters, tracks, and cylinders.

How Data is Stored Sectors are typically 512 bytes in size. A byte is 8 bits . A bit is a single 1 or 0. Clusters are groups of sectors and their size is defined by the operating system. Clusters are always in sector multiples of two. A cluster, therefore, will consist of 2, 4, 6, 8, etc., sectors. (With modern-day operating systems, the user can exercise some control over the amount of sectors per cluster.) Tracks are concentric circles that are defined around the platter. Cylinders are groups of tracks that reside directly above and below each other.

How Data is Stored After the partitioning and formatting processes are complete, the HDD will have a map of the layout of the defined space in that partition. Partitions utilize a File Allocation Table “FAT” to keep track of the location of files and folders (data) on the HDD. The NTFS partition (most current Window systems-7, Vista and XP) utilizes, among other things, a Master File Table (MFT).

How Data is Stored Each partition table (map) tracks data in different ways. The computer forensic examiners should be versed in the technical nuances of the HDDs they examine. It is sufficient for purposes here, however, to merely visualize the partition table as a map to where the data is located. This map uses the numbering sectors, clusters, tracks, and cylinders to keep track of the data.

Processing the Electronic CS Processing the electronic crime scene has a lot in common with processing a traditional crime scene. Warrants Documentation Good investigation techniques At this point, a decision must be made as to whether a live acquisition of the data is necessary.

Shutdown vs. Pulling the Plug Several factors influence the systematic shutdown vs. pulling-the-plug decision. For example, if encryption is being used, pulling the plug will encrypt the data rendering it unreadable without a password or key; therefore, pulling the plug would not be prudent. Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD and will thus be lost with discontinuation of power to the system, another option must be considered. Regardless, the equipment will most likely be seized.

Forensic Image Acquisition Now that the items have been seized, the data needs to be obtained for analysis. The computer Hard Disk Drive will be used as an example, but the same “best practices” principals apply for other electronic devices as well. Throughout the entire process, the computer forensic examiner must adopt the method that is least intrusive. The goal with obtaining data from a HDD is to do so with out altering even one bit of data.

Forensic Image Acquisition Because booting a HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created. Occasionally, in cases of specialized or unique equipment or systems, the image of the HDD must be obtained utilizing the seized computer. Regardless, the examiner needs to be able to prove that the forensic image he/she obtained includes every bit of data and caused no changes (writes) to the HDD.

Computer Fingerprint To this end, a sort of “fingerprint” of the drive is taken before and after imaging. This fingerprint is accomplished through the use of a Message Digest 5 (MD5), Secure Hash Algorithm (SHA), or similar validated algorithm. Before imaging the drive, the algorithm is run and a 32-character alphanumeric string is produced based on the drive’s contents. It then run against the resulting forensic image, and if nothing changed, the same alphanumeric string will be produced, thus demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process.

Visible Data Visible data is that data which the operating system is aware of. Consequently this data is easily accessible to the user. From an evidentiary standpoint, it can encompass any type of user created data, such as: Word processing documents Spread sheets Accounting records Databases Pictures

Temporary Files and Swap Space Temporary files, created by programs as a sort of “back-up on the fly” can also prove valuable as evidence. Finally, data in the swap space (utilized to conserve the valuable RAM within the computer system) can yield evidentiary data. Latent data, on the other hand, is that data which the operating system is not aware of.

Latent Data Evidentiary latent data can exist in both RAM and file slack. RAM slack is the area from the end of the logical file to the end of the sector. File slack is the remaining area from the end of the final sector containing data to the end of the cluster. Another area where latent data might be found is in unallocated space. Unallocated space is that space on a HDD the operating system sees as empty and ready for data.

Latent Data The constant shuffling of data through deletion, defragmentation, swapping, etc., is one of the ways data is orphaned in latent areas. Finally, when a user deletes files the data typically remains behind. Deleted files are therefore another source of latent data to be examined during forensic analysis.

Analysis of Internet Data Places where a forensic computer examiner might look to determine what websites a computer user has visited recently are: Internet cache Cookies Internet history • The history file can be located and read with a forensic software package. Another way to access web sites that have been visited is by examining bookmarks and favorite places.

IP Addresses IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number from 0 to 255. IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most Internet investigations are conducted.

Investigation of Internet Communications An investigator tracking the origin of an e-mail seeks out the sender’s IP address in the e-mail’s header. Chat and instant messages are typically located in a computer’s random-access memory (RAM). Tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer’s log file, RAM, and network traffic. • A firewall is a device designed to protect against intrusions into a computer network.

Mobile Forensics Mobile devices offer many of the services that are offered by computers and other devices. These devices can provide a vast amount of useful and evidentiary data in an investigation. • Leaving a mobile device running but placing it in something that will block its communication is the preferred method for preserving data on a mobile device. • Complications arise in extracting and evaluating data from mobile devices because of the variety of ways that different devices store and manage data.