Computer Forensics BACS 371

Slides:



Advertisements
Similar presentations
Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.
Advertisements

OC RIMS Cyber Safety & Security Incident Response.
BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?
Computer Forensics.
COEN 252 Computer Forensics
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Evidence Collection & Admissibility Computer Forensics BACS 371.
We’ve got what it takes to take what you got! NETWORK FORENSICS.
Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Legal, Regulations, Compliance and Investigations.
Guide to Computer Forensics and Investigations Fourth Edition
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Computer Forensics Principles and Practices
Incidence Response & Computer Forensics, Second Edition
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 2: Computer Forensics and Digital Detective Work.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies,
Chapter 14: Computer and Network Forensics
Computer Forensics BACS 371
COEN 252 Computer Forensics Writing Computer Forensics Reports.
Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date:
Data Acquisition Chao-Hsien Chu, Ph.D.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
* 07/16/96 The production of ESI continues to present challenges in the discovery process even though specific rules have been drafted, commented on, redrafted.
Phases of Computer Forensics 1 Computer Forensics BACS Management Information Systems for the Information Age 5e, Haag, Cummings, McCubbrey, 2005,
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
COEN 252 Computer Forensics
7 Handling a Digital Crime Scene Dr. John P. Abraham Professor UTPA.
Computer Forensics Iram Qureshi, Prajakta Lokhande.
Digital Crime Scene Investigative Process
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Computer Forensics Principles and Practices
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. System Forensics, Investigation, and Response.
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
AJ 104 Crime Scene Evidence, Experiments, and Models.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
Records Management for Paper and ESI Document Retention Policies addressing creation, management and disposition Minimize the risk and exposure Information.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Computer Forensics Presented By:  Anam Sattar  Anum Ijaz  Tayyaba Shaffqat  Daniyal Qadeer Butt  Usman Rashid.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Search.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Crime Scene Basics Forensic Science.
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
CIT 180 Security Fundamentals Computer Forensics.
Computer Forensics By Chris Brown. Computer Forensics Defined Applying computer science to aid in the legal process Utilization of predefined set of procedures.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
By Jason Swoyer.  Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.  Computer.
Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Why do I need a Chain of Custody (COC)? Presentation to: KWWOA Department for Environmental Protection Energy & Environment Cabinet To Protect and Enhance.
CHAP 6 – COMPUTER FORENSIC ANALYSIS. 2 Objectives Of Analysis Process During Investigation: The purpose of this process is to discover and recover evidences.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
PhD Oral Exam Presentation
Computer Forensics By: Chris Rozic.
Computer Forensics 1 1.
Guide to Computer Forensics and Investigations Fifth Edition
Introduction to Computer Forensics
Introduction to Computer Forensics
Digital Forensics CJ
1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.
Presentation transcript:

Computer Forensics BACS 371 Evidentiary Methods I Incident Response

The Nature of Computer Evidence “Evidence is what distinguishes a hypothesis from a groundless assertion.” Determining what is actually the crime Too many potential suspects Too much potential evidence Evidence is easily contaminated Contaminating some evidence may ruin all evidence

Computer Forensics… is the discipline of acquiring, preserving, retrieving, and presenting electronic data. Three C’s of evidence: Care Control Chain of Custody

Computer Forensics Investigation Process Intelligence Basic understanding of issues surrounding incident Hypothesis Formulation Formulated with regard to “5 Ws” Evidence Collection Supporting and non supporting Testing Support or refute hypothesis Conclusion

Computer Security Incident Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Theft of trade secrets Email spam or harassment Unlawful or unauthorized intrusion into computing systems Embezzlement Possession or dissemination of child pornography Denial-of-service (DoS) attacks Tortuous interference of business relations Extortion Any unlawful action when the evidence of such action may be stored on computer media such as fraud, threats, and traditional crimes

Events may include… Violations of public law Actionable in criminal or civil proceedings Grave impact on an organization’s reputation and its business operations Intense pressure, time, and resource constraints

Goals of Incident Response Prevent disjointed, non-cohesive response Confirms or dispels whether incident occurred Promotes accumulation of accurate information Establishes controls for handling evidence Protects privacy rights Minimizes disruptions to business Allows for criminal and civil action Provides reports and recommendations Provides rapid detection and containment Minimizes compromise of proprietary data Protects organizations reputation and assets Educates senior management Promotes rapid detection and/or prevention of future incidents

Components of Incident Response

Seven Major Components of Incident Response Pre-incident preparation Detection of incidents Initial response Formulate response strategy Investigate the incident Reporting Resolution

Components of Incident Response Pre-incident preparation Proactive measures before incident to ensure assets and information are protected Detection of incidents Report by end user Report by system administrator Internal Detection System Incident response checklist

Incident Response Checklist

Components of Incident Response Initial Response Interviewing System administrator Personnel Suspect Review Internal Detection System report Network logs Access control Formulate a Response Strategy

Investigate the Incident Data Collection Sound forensic methods Host-Based Information System date/time Applications currently running Open network connections and ports Applications listening on ports Initial live response – volatile data In-depth response – log files Full live response – live forensic analysis

Request for Forensic Examination http://www.rmrcfl.org/Downloads/Documents/Shaded%20PDF.pdf This form is from the Rocky Mountain Regional Computer Forensic Laboratory. It is used to request official help on a case.

Performing Forensic Analysis

Forensic Analysis Reviewing all data collected Techniques include Log files System configuration files Trust relationships Web browser history files Email messages Installed applications Graphics files Techniques include Software analysis Review time/date stamps Keyword searches Review free space, deleted files, slack space

Components of Incident Response Reporting Document immediately Write concisely and clearly Use a standard format Employ technical editors Resolution Prevent further damage Return to secure, healthy operational status Apply countermeasures and update security standards

The Five Mistakes of Incident Response Not having a plan Failing to increase monitoring and surveillance Being unprepared for a court battle Putting it back the way it was Not learning from mistakes

Basic Forensic Methodology Acquire the evidence – maintain chain of custody Authenticate that it is the same as the original Analyze the data without modifying it

Evidence Handling Process

E-Evidence Acquisition and Authentication Objectives† Document the scene, evidence, activities, and findings Acquire the evidence Authenticate the copy Analyze and filter evidence Be objective and unbiased Present the evidence and an evaluation of the findings in an understandable and legally acceptable manner †Volonino, p. 85

NYS Police Forensic Procedures Stage Tools Discussion Seizing the computer None Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC). Backup Safeback, Expert Witness, Snapback Backup is done using one of the listed tools. A case file is created on an optical disk (CD). Evidence extraction Expert Witness The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence. (Continued)

NYS Police Forensic Procedures (Cont.) Stage Tools Discussion Case creation Expert Witness The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media. Case analysis None Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case. Correlation of computer events Timeline, order of events, related activities, and contradictory evidence are the components of this stage. (Continued)

NYS Police Forensic Procedures (Cont.) Stage Tools Discussion Correlation of noncomputer events None Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated. Case presentation Standard Office Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.

Computer Evidence Worksheet

Digital Photos

Evidence Tag Place or person from whom item was received If item requires consent for search Description of items taken Information contained on storage device Data and time item was taken Full name and signature of individual initially receiving evidence Case and tag number

Evidence Label Case Number and Evidence Tag Number Date and Time the evidence was collected Brief Description of items in envelope

Evidence Log Tag # Date Action Taken By Location Case Number: 123412 13 Jan 01 Initial Submission Matt Pepe Maxtor 60GB (593843420) 15 Mar 01 Moved evidence to tape 4mm tape #01101 Examined Evidence using EnCase FRED #7 Evidence Tag Number Date Action Taken Person performing action Identifying information

Documentary Evidence1 Chain of custody of documents Marking of evidence Organization of documentary evidence Rules concerning original versus copies of documents 1Albrecht, Albrecht, Albrecht, Fraud Examination 2e, Thompson South-Western, 2006, p. 226

Chain of Custody Procedures Record or Evidence Lot Release Dates recorded Access to Evidence restricted Original Hard Drive placed in Locker All forensics performed on bit stream copies

Chain of Custody Document

Admissibility of Computer Forensic Evidence A forensic examiner’s qualifications can be challenged or the tools or methodologies used in a forensic investigation can be objected to. Whether the theory or technique has been tested Whether it has been subjected to peer review and publication The known or potential error The general acceptance of the theory in the scientific community Whether the proffered testimony is based upon the expert’s special skill

Maintaining a Defensible Approach Performed in accordance with forensic science principles Based on standards or current best practices Conducted with verified tools Conducted by individuals who are certified Documented thoroughly

Problems with Poorly Collected Evidence1 If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented. If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in the jury members’ mind. 1Scene of the Cybercrime, Shinder & Tittel, p.546

Evidence Disposition Initial Disposition Final Disposition After final report completed Dispose of working copies Maintain “best evidence” Final Disposition 5 years from date case was opened Unless…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.