Computer Forensics. Michael Watson, Director of Security Incident Management. NSAA Conference, 10/2/09. www.vita.virginia.gov

2 Overview
- Purpose behind computer forensics
- Challenges faced within the field
- Basic information about how to conduct an investigation and the tools used
- Quick tips for performing Windows forensic investigations

3 Purpose
- Collect evidence in a manner that can be relied upon
  – Law enforcement will likely duplicate the collection, but they will use yours if they have to
- Remove doubt that the evidence has been tampered with or altered in any way
- Find evidence that a system, and ultimately the system's user, was involved in the action under investigation

4 Computer Forensics
Principles for dealing with digital evidence:
- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
- Persons conducting an examination of digital evidence should be trained for that purpose.
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Source: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (National Institute of Justice, 2004)

5 Evidence Challenges
- Physically collecting the evidence
  – How do you prevent being accused of tampering?
- Taking actions that do not modify any evidence
  – Specialized tools (write blockers, imagers) for collecting digital evidence
- Making sure a device's state does not change while in your possession
  – Cell phones and remote signals: a phone that stays on the network can receive new messages or a remote wipe, so isolate it (Faraday bag, airplane mode) before transport
- Preserving evidence
  – Systems can't be shut off without losing volatile data (running processes, network connections, memory contents); capture those before powering down

6 Legal Challenges
- Different laws in different states
- Wiretap laws
- Federal vs. state
- Important laws to note
  – Fourth Amendment: protection against unreasonable search and seizure
  – Fifth Amendment: protection against self-incrimination
  – Wiretap Act (18 U.S.C.)
  – Pen Registers and Trap and Trace Devices Statute (18 U.S.C.)
  – Stored Wire and Electronic Communications Act (18 U.S.C.)

7 Organization Challenges
- No expectation of privacy
  – Requires detailed, acknowledged policies
  – Periodic renewal of consent to those policies
- Personal equipment use
- Teleworking
- Data management

8 Performing a Forensic Investigation
- Persistent data: data that is preserved when the system does not have power
  – Typically data stored on a drive: hard drive, USB drive, floppy drive
- Volatile data: transient data that is lost when power is no longer available
  – Running processes, open network connections, logged-on users, and the contents of memory
  – Volatile data may survive in memory for a short time after the computer powers down in certain situations (RAM remanence)
- Collect in order of volatility: memory and network state first, then the disk image

9 Forensic Tools
- Data collection tools
  – EnCase
  – Forensic Toolkit (FTK)
  – Write blockers (hardware or software; they prevent any write to the evidence drive while it is imaged)
  – Disk imagers (e.g. dd, FTK Imager)
- Network analysis tools
  – Wireshark, tcpdump
- Live-response / bootable distributions
  – Knoppix, Helix

10 Collecting Evidence
- Take pictures (the scene, cabling, screen contents, serial numbers)
- Have a witness
  – Preferably a non-technical witness
- Establish chain of custody
- Secure evidence storage
- Log evidence access
- Create a forensic image of the system
  – Hash the image at acquisition and record the values in the custody log
  – Create a working copy of the image, verify that its hash matches, and analyze only the copy
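
The hashing and working-copy step from the Collecting Evidence slide, as an added example that is not the presenter's code: hash the acquired image, copy it, re-hash the copy, and record every step as a chain-of-custody entry. Examiner and witness names, the file paths and the bytes written by sample_image() are placeholders constructed for the example, not data from a real case.

```python
"""Hash a forensic image, verify the working copy and keep a chain-of-custody log.

Added example for the 'Collecting Evidence' slide; not the presenter's code.
Examiner and witness names and the file paths are placeholders, and the 'image'
written by sample_image() is a constructed stand-in for a dd image.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never load into RAM


def hash_file(path):
    """Return {'md5': ..., 'sha256': ...} for the file at path.

    MD5 is kept because older tools and reports record it; SHA-256 is the value
    to rely on for integrity, since MD5 collisions can be manufactured.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def custody_entry(action, path, examiner, hashes, witness=None):
    """One chain-of-custody record: who did what to which item, when, with what hashes."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "examiner": examiner,
        "witness": witness,
        **hashes,
    }


def make_working_copy(image_path, copy_path, examiner, witness=None):
    """Hash the acquired image, copy it, re-hash the copy; return (log, verified).

    The original image is only ever opened read-only; all analysis runs on the copy.
    """
    original = hash_file(image_path)
    log = [custody_entry("acquired", image_path, examiner, original, witness)]
    shutil.copyfile(image_path, copy_path)
    copy = hash_file(copy_path)
    verified = copy == original
    log.append(custody_entry("working copy verified" if verified else "HASH MISMATCH",
                             copy_path, examiner, copy, witness))
    return log, verified


def verify_image(image_path, expected_sha256):
    """Re-check an image against the SHA-256 recorded at acquisition."""
    return hash_file(image_path)["sha256"] == expected_sha256


def sample_image(data=b"NTFS    " + bytes(4096)):
    """Write a constructed stand-in image to a temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "suspect-laptop.dd")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = sample_image()
    log, ok = make_working_copy(image, image + ".work", "M. Watson", witness="J. Doe")
    print(json.dumps(log, indent=2))
    print("working copy verified:", ok)
```

Run verify_image() against the acquisition hash every time the image changes hands or is restored from storage; a mismatch means the copy, not the original evidence, must be re-created, and the mismatch itself belongs in the log.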

11 Analyzing a Windows System
- Thumbnails (Thumbs.db per folder on XP, the per-user thumbcache on Vista) can retain previews of images after the originals are deleted
- Windows Registry
  – Application and system information storage
- AppData
  – Persistent application data is stored here (C:\Users\<user>\AppData on Vista)
- Indexing (the Windows Search index can still reference files that no longer exist)
- Wireless interface connections (saved wireless profiles per interface)
  – C:\Users\All Users\Microsoft\Wlansvc\Profiles\Interfaces
  – On Vista, "All Users" is a junction to C:\ProgramData, so the same profiles are at C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces

12 Interesting Registry Locations
- RunMRU (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU)
  – The commands entered into the Run dialog box; each lettered value holds one command, and the MRUList value gives the order of execution, most recent first
- OpenSaveMRU / LastVisitedMRU (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32; the key names differ between XP and Vista)
  – Files opened and saved through the common OS file dialog, and the applications that opened them
- HKLM\SYSTEM\ \Enum
  – Subkey 1394 for FireWire devices
  – Subkey USB for Universal Serial Bus devices (USBSTOR for USB mass-storage devices)
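
The RunMRU ordering described on the slide, as an added example that is not the presenter's code: it parses a regedit export (.reg) of the user's RunMRU key and replays MRUList to list the Run-dialog commands most recent first. The key path is the real one; the export text itself is constructed for the example.

```python
"""Recover the order of Run-dialog commands from an exported RunMRU key.

Added example for the 'Interesting Registry Locations' slide; not the presenter's
code. It parses a .reg export (regedit, File > Export) of the user's RunMRU key
rather than the live hive, so it runs on any OS against a hive pulled from an image.
The export below is constructed for the example; the key path is the real one.
"""
import re

# Constructed sample export of
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# Each lettered value holds one typed command followed by a "\1" marker;
# MRUList lists the value names with the most recently used first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="regedit\\1"
"c"="\\\\fileserver\\share\\1"
"d"="notepad C:\\Users\\jdoe\\Desktop\\notes.txt\\1"
"MRUList"="dbca"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
MARKER = "\\1"  # the trailing backslash-one RunMRU appends to every command


def parse_reg_values(text):
    """Return {value_name: string} for the REG_SZ values in a .reg export.

    regedit escapes backslashes and quotes with a backslash; undo that here.
    """
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            values[name] = re.sub(r"\\(.)", r"\1", raw)
    return values


def strip_marker(command):
    return command[:-len(MARKER)] if command.endswith(MARKER) else command


def run_mru_history(values):
    """Return the Run-dialog commands, most recent first.

    A value whose letter is missing from MRUList (left behind by a partial
    clean-up, or an MRUList that was edited) is appended and flagged rather
    than dropped, because it is still evidence that the command was run.
    """
    order = values.get("MRUList", "")
    history = [strip_marker(values[c]) for c in order if c in values]
    for name, val in values.items():
        if name != "MRUList" and name not in order:
            history.append(strip_marker(val) + "  [not in MRUList]")
    return history


if __name__ == "__main__":
    for i, cmd in enumerate(run_mru_history(parse_reg_values(SAMPLE_REG)), 1):
        print(f"{i:2d}. {cmd}")
```

The same parse-then-order approach works for the other MRU keys on the slide, since they also keep an MRUList (or MRUListEx) value beside the entries; only the value decoding differs.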

13 Devices Connected to the System
How do I find when a device was FIRST connected to a computer?
- Examine setupapi.log
  – %windir%\setupapi.log in XP and Server 2003
  – %windir%\inf\setupapi.dev.log in Vista
- Match the VID/PID in the device instance ID against the public list of USB Vendor IDs and associated Product IDs
  – That list may be somewhat out of date
- Devices typically have their own serial number; when a device does not supply one, Windows generates an instance ID instead
  – Windows-generated serial numbers have ampersands as the 2nd, 10th, and 12th characters: X&XXXXXXX&X&P
  – An ampersand as the 2nd character is the quick test; such an ID is built from the port the device was plugged into and does not identify a specific physical device
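
The first-connection lookup from this slide, as an added example that is not the presenter's code. It assumes the Vista/Server 2008 setupapi.dev.log layout (a ">>>  [Device Install (Hardware initiated) - <instance id>]" header followed by a ">>>  Section start <timestamp>" line); the XP setupapi.log layout differs and is not handled. The log text is constructed for the example, and the vendor table is a two-entry sample from the public usb.ids list.

```python
"""First-connection time of USB devices from a Vista-style setupapi.dev.log.

Added example for the 'Devices Connected to the System' slide; not the
presenter's code. Assumes the Vista/2008 log layout; the XP setupapi.log
layout differs and is not handled here. The log text is a constructed sample
and USB_VENDORS is a two-entry excerpt of the public usb.ids list.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
VIDPID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

USB_VENDORS = {"0781": "SanDisk Corp.", "046D": "Logitech, Inc."}  # sample; extend from usb.ids

# Constructed sample log: a SanDisk stick (USB device, then its USBSTOR disk),
# a keyboard without a serial number, and a later re-install of the stick.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.0.6001
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567891234]
>>>  Section start 2009/09/15 14:22:01.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2009/09/15 14:22:03.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567891234&0]
>>>  Section start 2009/09/15 14:22:03.500
<<<  Section end 2009/09/15 14:22:05.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C31C\6&3a7d8e2&0&4]
>>>  Section start 2009/09/21 09:05:44.001
<<<  Section end 2009/09/21 09:05:46.770
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567891234]
>>>  Section start 2009/10/01 18:40:12.300
<<<  Section end 2009/10/01 18:40:13.000
<<<  [Exit status: SUCCESS]
"""


def is_windows_generated(serial):
    """True when Windows made up the instance ID because the device gave no serial.

    The tell-tale is an ampersand as the 2nd character (e.g. 6&3a7d8e2&0&4);
    a device-supplied serial such as 4C530001234567891234 has none there.
    """
    return len(serial) > 1 and serial[1] == "&"


def describe(instance_id, first_seen):
    bus, _, rest = instance_id.partition("\\")
    serial = rest.rsplit("\\", 1)[-1]
    if bus.upper() == "USBSTOR" and serial.endswith("&0"):
        serial = serial[:-2]  # USBSTOR appends "&0" to the device serial
    m = VIDPID_RE.search(instance_id)
    vid, pid = (m.group(1).upper(), m.group(2).upper()) if m else (None, None)
    return {
        "bus": bus.upper(), "vid": vid, "pid": pid,
        "vendor": USB_VENDORS.get(vid, "unknown") if vid else None,
        "serial": serial,
        "windows_generated_serial": is_windows_generated(serial),
        "first_seen": first_seen,
    }


def first_connections(log_text):
    """Return {instance_id: record}, keeping the EARLIEST install section per ID."""
    seen, current = {}, None
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("id")
            continue
        s = START_RE.match(line)
        if s and current:
            ts = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S")
            if current not in seen or ts < seen[current]["first_seen"]:
                seen[current] = describe(current, ts)
            current = None
    return seen


if __name__ == "__main__":
    for dev in sorted(first_connections(SAMPLE_LOG).values(), key=lambda d: d["first_seen"]):
        flag = " (Windows-generated)" if dev["windows_generated_serial"] else ""
        print(f"{dev['first_seen']:%Y-%m-%d %H:%M:%S}  {dev['bus']:7} {dev['vendor'] or '-':15} {dev['serial']}{flag}")
```

The instance IDs recovered here are the same strings that appear as subkeys under the registry's Enum\USB and Enum\USBSTOR keys, so the two sources can be cross-checked; a device-supplied serial that appears on several machines' logs is what ties one physical stick to all of them, while a Windows-generated ID only says that some device was on that port.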

14 Internet Explorer Data
- Data recorded by Internet Explorer
  – IE 6: complete history retained even after "clear history"
  – IE 7: most history removed with the "delete all" option
  – IE 8: InPrivate browsing can prevent data from being recorded
- Temporary Internet Files (the cache; its contents are tracked by an index.dat of their own)
- index.dat
  – Contains all sites visited; separate index.dat files for History, Cookies and Temporary Internet Files live under the user's profile
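
A small index.dat reader, as an added example that is not the presenter's code: it carves "URL " records out of the file and decodes their FILETIME stamps. It assumes the "Client UrlCache MMF Ver 5.2" record layout used by IE 5 through IE 9 (record length at 0x04 in 128-byte blocks, last-modified and last-accessed FILETIMEs at 0x08 and 0x10, the offset of the URL string at 0x34); the index.dat bytes are constructed inside the example, not taken from a system.

```python
"""Carve URL records out of an Internet Explorer index.dat and decode their FILETIMEs.

Added example for the 'Internet Explorer Data' slide; not the presenter's code.
Assumes the 'URL ' record layout of the 'Client UrlCache MMF Ver 5.2' format
(IE 5 to IE 9). The index.dat bytes below are constructed for the example.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 128
URL_STRING_OFFSET = 0x68  # where the URL text starts within a record in this sample


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if zero."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_url_record(url, accessed, modified=None):
    """Build one 'URL ' record (used only to construct the sample file)."""
    text = url.encode("ascii") + b"\x00"
    nblocks = -(-(URL_STRING_OFFSET + len(text)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, nblocks)
    struct.pack_into("<Q", rec, 0x08, datetime_to_filetime(modified or accessed))
    struct.pack_into("<Q", rec, 0x10, datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, URL_STRING_OFFSET)
    rec[URL_STRING_OFFSET:URL_STRING_OFFSET + len(text)] = text
    return bytes(rec)


def build_sample_index_dat():
    """Constructed index.dat: a header block followed by two URL records.

    History entries are stored as 'Visited: <user>@<url>'; cache entries as the bare URL.
    """
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK * 2, b"\x00")
    t1 = datetime(2009, 9, 15, 14, 30, tzinfo=timezone.utc)
    t2 = datetime(2009, 9, 15, 14, 31, 12, tzinfo=timezone.utc)
    return (header
            + build_url_record("Visited: jdoe@http://www.vita.virginia.gov/", t1)
            + build_url_record("http://www.example.com/login?user=admin", t2, modified=t1))


def carve_url_records(data):
    """Walk the file for 'URL ' signatures and decode every record that validates.

    Scanning for the signature instead of trusting the file's hash table also
    recovers records IE has logically deleted but not yet overwritten.
    """
    records, pos = [], data.find(b"URL ")
    while pos != -1:
        nblocks = url_off = 0
        if pos + 0x38 <= len(data):
            nblocks = struct.unpack_from("<I", data, pos + 0x04)[0]
            url_off = struct.unpack_from("<I", data, pos + 0x34)[0]
        size = nblocks * BLOCK
        if 0 < size <= len(data) - pos and 0x38 <= url_off < size:
            end = data.find(b"\x00", pos + url_off, pos + size)
            url = data[pos + url_off:(end if end != -1 else pos + size)].decode("latin-1")
            user = None
            if url.startswith("Visited: ") and "@" in url:
                user, url = url[len("Visited: "):].split("@", 1)
            records.append({
                "offset": pos, "user": user, "url": url,
                "last_modified": filetime_to_datetime(struct.unpack_from("<Q", data, pos + 0x08)[0]),
                "last_accessed": filetime_to_datetime(struct.unpack_from("<Q", data, pos + 0x10)[0]),
            })
            pos = data.find(b"URL ", pos + size)  # next record starts after this one
        else:
            pos = data.find(b"URL ", pos + 1)     # not a valid record; keep scanning
    return records


if __name__ == "__main__":
    for r in carve_url_records(build_sample_index_dat()):
        print(f"{r['offset']:#08x} {r['last_accessed']:%Y-%m-%d %H:%M:%S} {r['user'] or '-':6} {r['url']}")
```

Point carve_url_records() at the bytes of a real index.dat copied from the working image (History, Cookies and Temporary Internet Files each have one) to list what the user visited and when; the timestamps come out in UTC, so convert to the machine's time zone before comparing them with other artifacts.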

15 Windows Gotchas
- Defragment
  – Overwrites slack and unallocated areas of the disk, destroying deleted data
  – Touches every file
  – Scheduled for 3 AM every Wednesday by default, so a seized machine left running will defragment itself; image it before that happens
- Last access time (Vista and later)
  – NTFS last-access updates are turned off by default (NtfsDisableLastAccessUpdate = 1 under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem), so last-access timestamps usually say nothing about recent use
- Self-healing file systems
  – Windows will replace system files that look damaged or that don't have the correct metadata (Windows Resource Protection), so a tampered binary may be silently restored before you examine it
- BitLocker
  – Whole-disk encryption can impede forensic imaging; obtain the recovery key, or image the volume while the system is running and unlocked

16 Review
- Purpose behind computer forensics
- Challenges faced within the field
- Basic information about how to conduct an investigation and the tools used
- Quick tips for performing Windows forensic investigations

17 Questions
For more information please contact me at:
Thank You!