Tan COMPUTER FORENSICS.
FORENSICS IS A FOUR-STEP PROCESS
- Acquisition
- Identification
- Evaluation
- Presentation
Source: RCMP Technical Security Branch, Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

GROUND ZERO – WHAT YOU CAN DO
- Do not start looking through files
- Establish an evidence custodian: start a journal with the date and time, keep detailed notes
- Designate equipment as “off-limits” to normal activity (if possible), especially back-ups (with dump or other backup utilities), locally or remotely scheduled house-keeping, and configuration changes
- Collate mail, DNS and other network service logs to support host data
- Capture exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped)
- Contact security department or CERT, management, police or FBI, affected sites*
- Packaging/labeling and shipping
- Short-term storage

Incident Response – What the Pros Do
- Identify, designate or become the evidence custodian
- Review any journal of what has been done to the system already and how the intrusion was detected
- Start or maintain the existing journal
- Install a sniffer
- Backdoors
- If possible without rebooting, make two byte-by-byte copies of the physical disk
- Capture network info
- Capture process listings and open files
- Capture configuration information to disk and notes
- Receipt and signing of data

Data Collection with dd, TCT & cryptcat

Sending side:

Script started on Fri Sep 29 16:39:
# grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
# tar -c $TCT_HOME/data/`hostname` | cryptcat -k f0renzikz juarez 33
^C punt!
# df -k
Filesystem kbytes used avail capacity Mounted on
/proc % /proc
/dev/dsk/c0t0d0s % /
/dev/dsk/c0t0d0s % /usr
fd % /dev/fd
/dev/dsk/c0t0d0s % /var
/dev/dsk/c0t0d0s % /export/home
swap % /tmp
# ./dd if=/dev/dsk/c0t0d0s0 bs=1024 | cryptcat -k f0renzikz juarez
farm9crypt_init: f0renzikz
records in
records out
^C punt!
# exit
script done on Fri Sep 29 16:57:

Receiving side:

Script started on Fri Sep 29 16:35:
juarez% cryptcat -k f0renzikz -l -p 33 > jezabelle_gr.tar
^C punt!
Bus error (core dumped)
juarez% df -k .
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t8d0s % /export/home
juarez% cryptcat -k f0renzikz -l -p > jezabelle.c0t0d0s0
^C punt!
Bus error (core dumped)
juarez% exit
script done on Fri Sep 29 16:54:
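The disk-imaging step from the transcript above, as an added example that is not part of the original slides: a POSIX shell script that copies a source byte-for-byte with dd (bs=1024, as on the slide), hashes source and image with sha256sum, and writes every action to the evidence custodian's journal; the receiving side re-hashes what arrived. The names acquire_image, verify_received, journal and JOURNAL are assumptions, the "device" in the usage is a constructed sample file, and the cryptcat transfer between hosts is left to the slide's own commands.

```shell
#!/bin/sh
# Added example: dd acquisition with hash verification and a custodian journal.
# Assumed names: acquire_image, verify_received, journal, JOURNAL (not from the slides).

JOURNAL="${JOURNAL:-./evidence_journal.txt}"

# journal MESSAGE: one timestamped line per action, in GMT so that entries from
# the sending and receiving hosts line up on the same clock.
journal() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >>"$JOURNAL"
}

# acquire_image SOURCE IMAGE: image SOURCE into IMAGE with dd, hash both sides,
# and refuse to report success unless the hashes agree. Prints the hash.
acquire_image() {
    src="$1"; img="$2"
    journal "acquisition start source=$src image=$img custodian=${USER:-unknown}"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    journal "source sha256=$src_hash"
    # dd's "records in / records out" summary goes into the journal as well
    dd if="$src" of="$img" bs=1024 2>>"$JOURNAL" || { journal "dd FAILED"; return 1; }
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    journal "image sha256=$img_hash"
    if [ "$src_hash" != "$img_hash" ]; then
        journal "VERIFY FAILED: source and image hashes differ"
        return 1
    fi
    journal "verify ok"
    printf '%s\n' "$img_hash"
}

# verify_received IMAGE EXPECTED_HASH: receiving-side check after the transfer.
verify_received() {
    img="$1"; expected="$2"
    got=$(sha256sum "$img" | cut -d' ' -f1)
    journal "received image=$img sha256=$got expected=$expected"
    [ "$got" = "$expected" ]
}

# Usage with a constructed sample file standing in for the device:
#   printf 'constructed disk contents\n' > dev_sample
#   h=$(acquire_image dev_sample sample.img) && verify_received sample.img "$h"
```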

Acquisition – Takin’ it Off-Line
- SLR – take pictures
- Considerations before pulling the plug
- Unplug the system from the network
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- Unplug the system (power)
- Packaging/labeling
- Shipping

FBI List of Computer Forensic Laboratory Services
- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

Summarization of acquisition (1)

Summarization of acquisition (2)

Summarization of acquisition (3)

Summarization of acquisition (4)

Extraction with Lazarus

Script started on Sat Sep 30 16:23:
forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1
www]# cd ../www
www]# netscape ./valencia.hda1.html

Summarization of extraction (1)

Summarization of extraction (2)

Summarization of extraction (3)

Correlating Log Files
- Where to look
- What do log entries mean?
- How to narrow your search
- How reliable is the data?

Shipping and Storage
- UPS/FEDEX Requirements
- Laboratory Requirements
- Latent Materials
- Tamper Evident Packaging
- Restricted Access and Low Traffic, Camera Monitored Storage
- Sign In/Out for Chain of Custody

Thinking Strategic
- Preparing with procedures and checklists
- Having an evidence locker
- OS Accounting turned on
- Log IP Numbers - DO NOT RESOLVE!
- Clocks synchronized to GPS on GMT
- Evidence Server
- Use of encrypted file systems
- Tools and materials
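The log correlation that the "Correlating Log Files" and "Thinking Strategic" slides call for, as an added example that is not part of the original slides: a shell function that merges mail, DNS and host logs onto one GMT timeline, corrects a known clock skew per source (the reliability question), matches the raw, unresolved IP address, and narrows the search to a time window around each match. The function name correlate_logs and the log format "<epoch-seconds-GMT> <source> <message>" are assumptions; the logs in the usage are constructed.

```shell
#!/bin/sh
# Added example: merge logs from several sources onto one GMT timeline and
# narrow to a window around one raw IP address. Assumed name: correlate_logs.
# Assumed log format (constructed): "<epoch-seconds-GMT> <source> <message>".

# correlate_logs IP WINDOW_SECONDS SKEWS FILE...
#   SKEWS: comma-separated "source:offset" pairs; offset is added to that
#   source's timestamps to bring a drifting clock onto the reference (GPS/GMT)
#   clock, e.g. "dns:120" for a DNS server running 120 s slow.
#   Output: every line mentioning IP, plus any line from any source within
#   WINDOW_SECONDS of such a line, sorted on the corrected time.
correlate_logs() {
    ip="$1"; window="$2"; skews="$3"; shift 3
    cat "$@" | awk -v ip="$ip" -v window="$window" -v skews="$skews" '
    BEGIN {
        n = split(skews, pairs, ",")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); skew[kv[1]] = kv[2] + 0 }
    }
    {
        t = $1 + skew[$2]          # corrected GMT time for this source
        $1 = t                     # rewrite the line with the corrected time
        time[NR] = t; line[NR] = $0
        # match the address as logged; never resolve names during an investigation
        if (index($0, ip)) hit[++h] = t
    }
    END {
        for (r = 1; r <= NR; r++)
            for (j = 1; j <= h; j++)
                if (time[r] >= hit[j] - window && time[r] <= hit[j] + window) {
                    print line[r]; break
                }
    }' | sort -n
}

# Usage with constructed logs (dns clock 120 s slow, so its 820 becomes 940):
#   printf '1000 mail connect from 192.0.2.10\n1600 mail queue flush\n' > mail.log
#   printf '820 dns query example.test from 192.0.2.10\n' > dns.log
#   printf '950 host sshd session opened\n' > host.log
#   correlate_logs 192.0.2.10 60 "dns:120" mail.log dns.log host.log
```

The host's sshd line at 950 carries no IP but lands inside the window of the corrected DNS entry, which is the kind of cross-source link that only appears once clocks are aligned.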

Pocket Security Toolkit

ADDITIONAL RESOURCES
- RCMP Article on the Forensic Process: http://grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner’s Page: Forensic Analysis, Building Honeypots
- Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts
- The Forensic Toolkit (NT)
- Cryptcat
- Long Play Video Recorders
- FBI Handbook of Forensic Services
- Solaris Fingerprint Database for cryptographic comparison of system binaries
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion
- ONCTek List of possible Trojan/Backdoor Activity
- Sixteen Tips for Testifying in Court from the “PI Mall”

Thank you … very much.