Guide to Computer Forensics and Investigations, Second Edition Chapter 2 Understanding Computer Investigation.


Slide 2: Objectives
- Prepare a case
- Begin an investigation
- Understand computer forensics workstations and software (software: DriveSpy, Image, EnCase, FTK)
- Find intact, deleted, and hidden files

Slide 3: Objectives (continued)
- Conduct an investigation
- Complete a case
- Critique a case

Slide 4: Preparing a Computer Investigation
- Role of the computer forensics professional: gather evidence to prove a suspect committed a crime or violated a company policy
- Collect evidence that can be offered in court or at a corporate inquiry
- Investigate the suspect's computer
- Preserve the evidence on a different computer
- Acquisition of DIGITAL EVIDENCE see (

Slide 5: Preparing a Computer Investigation (continued)
- Follow an accepted procedure to prepare a case
- Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court

Slide 6: Examining a Computer Crime
- Computers can contain information that helps law enforcement determine:
  - The chain of events leading to a crime
  - Evidence that can lead to a conviction
- Law enforcement officers should follow proper procedure when acquiring the evidence
- Digital evidence can be easily altered by an overeager investigator

Slide 7: Examining a Computer Crime (continued)

Slide 8: Examining a Company Policy Violation
- Employees misusing resources can cost companies millions of dollars
- Misuse includes:
  - Surfing the Internet
  - Sending personal e-mails
  - Using company computers for personal tasks

Slide 9: Taking a Systematic Approach
- Steps for problem solving:
  - Make an initial assessment about the type of case you are investigating
  - Determine a preliminary design or approach to the case
  - Create a detailed design
  - Determine the resources you need
  - Obtain and copy an evidence disk drive

Slide 10: Taking a Systematic Approach (continued)
- Steps for problem solving (continued):
  - Identify the risks
  - Mitigate or minimize the risks
  - Test the design
  - Analyze and recover the digital evidence
  - Investigate the data you recovered
  - Complete the case report
  - Critique the case

Slide 11: Assessing the Case
- Systematically outline the case details:
  - Situation
  - Nature of the case
  - Specifics about the case
  - Type of evidence
  - OS
  - Known disk format
  - Location of evidence

Slide 12: Assessing the Case (continued)
- Based on the case details, you can determine the case requirements:
  - Type of evidence
  - Computer forensics tools
  - Special OSs

Slide 13: Planning Your Investigation
- A basic investigation plan should include the following activities:
  - Acquire the evidence
  - Complete an evidence form and establish a chain of custody
  - Transport the evidence to a computer forensics lab
  - Secure the evidence in an approved secure container

Slide 14: Planning Your Investigation (continued)
- A basic investigation plan (continued):
  - Prepare a forensics workstation
  - Obtain the evidence from the secure container
  - Make a forensic copy of the evidence
  - Return the evidence to the secure container
  - Process the copied evidence with computer forensics tools

Slide 15: Planning Your Investigation (continued)
- An evidence custody form helps you document what has been done with the original evidence and its forensic copies
- There are two types:
  - Single-evidence form
  - Multi-evidence form
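The chain of custody on slide 5 and the custody forms on slide 15 are easier to reason about as a record that can be checked mechanically. The following is an added example (not code from the textbook): a multi-evidence form modelled as rows of items with their hand-offs, plus a check that every release was made by the person who actually held the item and that timestamps run forward. The field names, item ids, names and times are constructed assumptions for illustration.

```python
"""Multi-evidence custody form with a chain-of-custody continuity check.

Added example, not code from the textbook. The record layout, field names
and the sample hand-offs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class Transfer:
    """One hand-off of an item, i.e. one signed line on the custody form."""
    when: datetime
    released_by: str
    received_by: str
    purpose: str


@dataclass
class EvidenceItem:
    """One row of a multi-evidence form (a single-evidence form has one row)."""
    item_id: str
    description: str
    seized_by: str
    seized_at: datetime
    location: str
    transfers: List[Transfer] = field(default_factory=list)

    def hand_off(self, when, released_by, received_by, purpose):
        self.transfers.append(Transfer(when, released_by, received_by, purpose))

    def current_custodian(self) -> str:
        return self.transfers[-1].received_by if self.transfers else self.seized_by


def chain_gaps(item: EvidenceItem) -> List[str]:
    """Return the breaks in the chain: a transfer released by someone who did
    not hold the item, or a transfer timestamped before the previous entry.
    An empty list means the route from seizure to now is unbroken."""
    problems = []
    holder, last_time = item.seized_by, item.seized_at
    for n, t in enumerate(item.transfers, start=1):
        if t.released_by != holder:
            problems.append(f"transfer {n}: released by {t.released_by!r} "
                            f"but custodian of record was {holder!r}")
        if t.when < last_time:
            problems.append(f"transfer {n}: timestamp precedes previous entry")
        holder, last_time = t.received_by, max(last_time, t.when)
    return problems


def _ts(hour, minute):
    """Constructed timestamp helper for the sample form."""
    return datetime(2004, 3, 1, hour, minute, tzinfo=timezone.utc)


def build_sample_form() -> List[EvidenceItem]:
    """Constructed sample: two items seized in one case. The first has a clean
    chain; the second is 'returned' by an examiner who never signed it out."""
    hdd = EvidenceItem("CASE-0001-01", "40 GB IDE hard disk, suspect workstation",
                       "Investigator A", _ts(9, 0), "Evidence locker 3")
    hdd.hand_off(_ts(9, 40), "Investigator A", "Evidence custodian", "transport to lab")
    hdd.hand_off(_ts(13, 15), "Evidence custodian", "Examiner B", "forensic imaging")
    hdd.hand_off(_ts(15, 0), "Examiner B", "Evidence custodian", "return to secure container")

    floppy = EvidenceItem("CASE-0001-02", "3.5-inch floppy, labelled 'backup'",
                          "Investigator A", _ts(9, 5), "Evidence locker 3")
    floppy.hand_off(_ts(9, 40), "Investigator A", "Evidence custodian", "transport to lab")
    # Break in the chain: Examiner C never received the item from the custodian.
    floppy.hand_off(_ts(14, 0), "Examiner C", "Evidence custodian", "return to secure container")
    return [hdd, floppy]


if __name__ == "__main__":
    for item in build_sample_form():
        print(item.item_id, "custodian:", item.current_custodian(),
              "gaps:", chain_gaps(item) or "none")
```

Run with no arguments; the second item reports one gap, which is exactly the kind of break a court or a corporate inquiry would ask about. A paper form is checked the same way: each "released by" signature must match the previous "received by".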

Slide 16: Planning Your Investigation (continued)

Slide 17: Planning Your Investigation (continued)

Slide 18: Securing Your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products:
  - Antistatic bags
  - Antistatic pads
- Use well-padded containers

Slide 19: Securing Your Evidence (continued)
- Use evidence tape to seal all openings:
  - Floppy disk or CD drives
  - Power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Slide 20: Understanding Data-Recovery Workstations and Software
- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- Computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer
- To avoid altering the evidence, use:
  - A forensic boot floppy disk
  - Write-blocker devices

Slide 21: Setting Up Your Workstation for Computer Forensics
- Set up a Windows 98 workstation to boot into MS-DOS
  - Display a Startup menu
  - Modify the Msdos.sys file using any text editor
- Install a computer forensics tool
  - DriveSpy and Image

Slide 22: Setting Up Your Workstation for Computer Forensics (continued)

Slide 23: Setting Up Your Workstation for Computer Forensics (continued)

Slide 24: Conducting an Investigation
- Begin by copying the evidence using a variety of methods
- Recall that no single method retrieves all data
- The more methods you use, the better

Slide 25: Gathering the Evidence
- Take all necessary measures to avoid damaging the evidence
- Place the evidence in a secure container
- Complete the evidence custody form
- Transport the evidence to the computer forensics lab
- Create forensic copies (if possible)
- Secure the evidence by locking the container

Slide 26: Understanding Bit-stream Copies
- A bit-by-bit copy of the original storage medium
- An exact copy of the original disk
- Different from a simple backup copy:
  - Backup software copies only known files
  - Backup software cannot copy deleted files or e-mail messages, or recover file fragments

Slide 27: Understanding Bit-stream Copies (continued)
- A bit-stream image file contains the bit-stream copy of all data on a disk or partition
- It is preferable to copy the image file to a target disk that matches the original disk's manufacturer, size, and model
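The difference between a backup and a bit-stream copy on slides 26 and 27 is easiest to see on a tiny constructed disk. The following is an added example (not code from the textbook or from any tool it names): a toy 8-sector disk with a directory that lists one live file and one deleted file, a "backup" that copies only the live files, a sector-by-sector image that copies everything, and a size check before copying the image onto a target disk. The sector size, directory layout and file contents are assumptions; the hash comparison used to verify the image is standard imaging practice but is not described on the slides.

```python
"""Bit-stream image versus backup copy on a constructed toy disk.

Added example, not the textbook's or any tool's code. The sector size,
directory layout and file contents are assumptions chosen for illustration.
"""
import hashlib

SECTOR = 64     # toy sector size (real disks use 512 or 4096 bytes)
SECTORS = 8     # toy disk of 8 sectors


def make_toy_disk():
    """Build the disk and its directory. Returns (disk_bytes, directory), where
    directory maps a file name to (first_sector, length, deleted)."""
    disk = bytearray(SECTORS * SECTOR)
    directory = {}

    def write(name, sector, data, deleted=False):
        disk[sector * SECTOR: sector * SECTOR + len(data)] = data
        directory[name] = (sector, len(data), deleted)

    write("report.txt", 1, b"Quarterly figures, nothing unusual.")
    # A file the user deleted: the directory marks it deleted and its sectors
    # are free for reuse, but the bytes remain until something overwrites them.
    write("notes.txt", 3, b"transfer funds to offshore account", deleted=True)
    return bytes(disk), directory


def backup_copy(disk, directory):
    """What ordinary backup software produces: the live (known) files only."""
    return {name: disk[s * SECTOR: s * SECTOR + n]
            for name, (s, n, deleted) in directory.items() if not deleted}


def bitstream_image(disk):
    """Sector-by-sector copy of the whole medium, plus a SHA-256 of the source
    so the copy can later be verified against the original."""
    image = bytearray()
    for sector in range(len(disk) // SECTOR):
        image += disk[sector * SECTOR:(sector + 1) * SECTOR]
    return bytes(image), hashlib.sha256(disk).hexdigest()


def verify_image(image, source_hash):
    """True if the image hashes to the same value as the source medium."""
    return hashlib.sha256(image).hexdigest() == source_hash


def restore_to_target(image, target_capacity):
    """Copy the image onto a target medium. A target smaller than the image is
    refused; a larger one works but leaves unused sectors past the image, which
    is why the slides prefer a target matching the original's size."""
    if target_capacity < len(image):
        raise ValueError("target disk smaller than image")
    target = bytearray(target_capacity)
    target[:len(image)] = image
    return bytes(target)


def demo():
    """Compare what survives in a backup versus in a bit-stream image."""
    disk, directory = make_toy_disk()
    backup = backup_copy(disk, directory)
    image, source_hash = bitstream_image(disk)
    return {
        "backup_has_deleted": any(b"offshore" in d for d in backup.values()),
        "image_has_deleted": b"offshore" in image,
        "image_verified": verify_image(image, source_hash),
        "image_size": len(image),
    }


if __name__ == "__main__":
    print(demo())
```

The deleted note is nowhere in the backup because no directory entry points at it any more, yet it sits unchanged in sector 3 of the image; the hash check is what lets you state in the report that the image you examined is the medium you seized.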

Slide 28: Understanding Bit-stream Copies (continued)

Slide 29: Creating a Forensic Boot Floppy Disk
- The goal is not to alter the original data on a disk
- The preferred way to preserve the original data is to never examine it: make forensic copies instead
- Create a special boot floppy disk that prevents the OS from altering the data when the computer starts up
- Windows 9x can also alter other files, especially if DriveSpace is implemented on a FAT16 (file allocation table) disk

Slide 30: Assembling the Tools for a Forensic Boot Floppy Disk
- Tools:
  - Disk editor such as Norton Disk Edit or Hex Workshop
  - Floppy disk
  - MS-DOS OS
  - Computer that can boot to a true MS-DOS level
  - Forensics acquisition tool
  - Write-block tool

Slide 31: Assembling the Tools for a Forensic Boot Floppy Disk (continued)
- Steps:
  - Make the floppy disk bootable
  - Update the OS files to remove any reference to the hard disk (using Hex Workshop or Norton Disk Edit)
    - Modify the command.com file on the floppy disk
    - Modify the Io.sys file on the floppy disk
  - Add computer forensic tools
  - Test your floppy disk
  - Create several backup copies

Slide 32: Assembling the Tools for a Forensic Boot Floppy Disk (continued)

Slide 33: Retrieving Evidence Data Using a Remote Network Connection
- Bit-stream image copies can also be retrieved over a workstation's network connection
- Software:
  - SnapBack
  - EnCase
  - R-Tools
- This can be a time-consuming process even with a 1000-Mb connection
- It takes less time over a direct NIC-to-NIC connection

Slide 34: Copying the Evidence Disk
- A forensic copy is an exact duplicate of the original data
- Create a forensic copy using:
  - MS-DOS
  - A specialized tool such as Digital Intelligence's Image
- First, create a bit-stream image
- Then, copy the image to a target disk

Slide 35: Creating a Bit-stream Image with FTK Imager
- Start Forensic Toolkit (FTK) Imager by double-clicking the icon on your desktop
- Click File, Image Drive from the menu; insert the floppy disk labeled "Domain Name working copy #2"
- In the dialog box that opens, click the A: drive to select a local drive, then click OK

Slide 36: Creating a Bit-stream Image with FTK Imager (continued)
- A wizard walks you through the steps
- Accept all the defaults
- Specify the destination folder
  - If necessary, create a folder called Forensics Files
- Name the file Bootimage.1

Slide 37: Analyzing Your Digital Evidence
- Your job is to recover data from:
  - Deleted files
  - File fragments
  - Complete files
- Deleted files linger on the disk until new data is saved in the same physical location
- Tools:
  - Digital Intelligence's DriveSpy
  - AccessData's FTK

Slide 38: Analyzing Your Digital Evidence (continued)
- DriveSpy is a powerful tool that recovers and analyzes data on FAT12, FAT16, and FAT32 disks
  - Can search for altered files and keywords
- FTK is an easy-to-use GUI application for FAT12, FAT16, FAT32, and New Technology File System (NTFS) disks; it includes:
  - FTK Imager
  - Registry Viewer
  - Password Recovery Toolkit
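Slide 37 says deleted files linger until their physical location is reused, and slide 38 says the analysis tools search the disk for keywords. The following added example (not DriveSpy's or FTK's code) shows both on a constructed raw image: a keyword scan that reads every sector of the image, so it finds data whether or not a directory entry still points at it, and a simulated sector reuse after which the same scan comes up empty. The image contents and sector size are assumptions for illustration.

```python
"""Keyword search over a raw image, and what sector reuse does to deleted data.

Added example, not DriveSpy's or FTK's code. The image below is constructed
inline; sector 3 holds the content of a file whose directory entry is gone.
"""
SECTOR = 64


def make_image():
    """Constructed 8-sector image: sector 0 boot area, sector 1 a live file,
    sector 3 the content of a deleted file, all other sectors zero-filled."""
    sectors = [b"BOOT"] + [b""] * 7
    sectors[1] = b"Quarterly figures, nothing unusual."
    sectors[3] = b"transfer funds to offshore account"
    return b"".join(s.ljust(SECTOR, b"\x00") for s in sectors)


def find_keyword(image, keyword):
    """Return (sector, offset_in_sector) for every occurrence of keyword,
    case-insensitively, scanning the whole image including unallocated sectors.
    Working from the image rather than the file system is what lets the scan
    reach data the directory no longer lists."""
    hay, needle = image.lower(), keyword.lower().encode()
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append((pos // SECTOR, pos % SECTOR))
        pos = hay.find(needle, pos + 1)
    return hits


def write_new_file(image, sector, data):
    """Simulate the OS saving new data into a freed sector, which is the
    moment the lingering deleted content is actually destroyed."""
    buf = bytearray(image)
    buf[sector * SECTOR: sector * SECTOR + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    img = make_image()
    print("before reuse:", find_keyword(img, "offshore"))
    img = write_new_file(img, 3, b"new spreadsheet data, 40 bytes of filler...")
    print("after reuse: ", find_keyword(img, "offshore"))
```

The first scan reports the hit in sector 3 at byte offset 18 even though no file is listed there; after the sector is reused the evidence is gone, which is the practical reason the slides insist on imaging first and never working on the original.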

Slide 39: Analyzing Your Digital Evidence (continued)

Slide 40: Analyzing Your Digital Evidence (continued)

Slide 41: Completing the Case
- You need to produce a final report
- State what you did and what you found
- You can even include logs from the forensic tools you used
- If required, use a report template
- The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy

Slide 42: Critiquing the Case
- Ask yourself the following questions:
  - How could you improve your participation in the case?
  - Did you expect the results you found?
  - Did the case develop in ways you did not expect?
  - Was the documentation as thorough as it could have been?

Slide 43: Critiquing the Case (continued)
- Questions (continued):
  - What feedback has been received from the requesting source?
  - Did you discover any new problems? What are they?
  - Did you use new techniques during the case or during research?

Slide 44: Summary
- Use a systematic approach to investigations
- Plan a case by taking into account:
  - The nature of the case
  - The case requirements
  - Evidence-gathering techniques
- Do not forget that every case can go to court
- Apply standard problem-solving techniques

Slide 45: Summary (continued)
- Keep track of the chain of custody of your evidence
- Create bit-stream copies of the original data
- Use the duplicates whenever possible
- Some tools: DriveSpy and Image, FTK, MS-DOS commands
- Produce a final report detailing what you did and found

Slide 46: Summary (continued)
- Always critique your work as a way of improving it
- Apply these lessons to future cases