Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.

Overview
- Definition of Computer Forensics
- Computer Forensics & IT Auditing
- Why We Need Computer Forensics
- The Process (Do's & Don'ts)
  - Identification
  - Collection of Evidence
  - Required Documentation
  - Imaging
  - Examination
  - Report Preparation
  - Returning of Evidence

Definition of Computer Forensics
Computer forensics involves the:
- Identification
- Collection
- Preservation
- Examination, and
- Analysis of digital information
Digital information becomes digital evidence.

What is Digital Evidence?
Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

Computer Forensic Examination
The computer forensic examination locates digital evidence and does so in a way that lets the evidence withstand close scrutiny or a legal challenge.

Computer Forensics & IT Audit
- Incorporate computer forensic services into IT audit.
- Audit cases increasingly require computer forensics.
- IT Auditors already have:
  - the authority
  - the technical know-how

Reasons for Computer Forensic Services
- Inappropriate use of state systems
- Determining whether a security breach occurred
- Detection of disloyal employees
- Evidence for disputed dismissals
- Malicious file identification
- Theft of information assets
- Forgery of documents

The Process
- Identification
- Collection of Evidence
- Required Documentation
- Imaging
- Examination
- Report Preparation
- Returning of Evidence

Identification
IT Auditor's Role (Forensic Specialist):
1. Determine whether the reason for requesting computer forensics is appropriate.
2. Identify where additional digital evidence may reside.
Client's Role (e.g., a State University):
1. Determine when to use computer forensic services.
2. Identify where digital evidence may reside.

Collection of Evidence
IT Auditor's Role:
- Help the client secure the computer to be examined.
- Require and complete the necessary forms.
- Securely collect the computer from the client.
Client's Role:
- Ensure that the computer to be examined remains secure until it is collected.
- Notify the appropriate personnel.
- Complete the Chain of Custody form.

Collection of Evidence – Do's & Don'ts
- Do not disturb the computer in question.
- If the computer is off, leave it off.
- If the computer is on, leave it on. A running system holds volatile evidence (memory contents, network connections, logged-in sessions) that a shutdown destroys; the decision to power it down or capture it live belongs to the forensic specialist.
- Do not run any programs on the computer.
- Do not make any changes.
- Do not insert anything into the computer (USB drives, CDs or other media).
- Secure the computer until it is collected.

Required Documentation
- Computer Forensic Request Form
- Chain of Custody Form
- Signatures
- Disclosures and Disclaimers

Required Documentation
IT Auditor's Role:
- Assign a case number.
- Assign a team.
- Record the date & time when the device was secured.
Client's Role, document:
- Date & time of the request
- Name of the requestor
- Date & time the client secured the device
- Agency name
- Name of the head of the agency

Required Documentation
IT Auditor's Role, document:
- Hard drive serial numbers
Client's Role, document the computer's:
- MAC address
- Static IP address
- Serial number
- Make & model
- Reason for the request
- Desired objectives

Approval From OSA ISA Director & Legal Counsel
We also obtain approval from both the ISA Director and Legal Counsel before commencing computer forensic services. This approval is documented on the requisition forms and filed with the case evidence as well.

Required Documentation
IT Auditor's Role:
- Sign and date the form.
- Obtain Director and Legal Counsel approval.
Client's Role:
- Sign and date the form.
- Obtain Agency Head approval.

Additional Chain of Custody Form
The Chain of Custody form is continued on the reverse side of the Computer Forensic Request form. It records:
- The item: Device | Serial # | FAS | Make | Model
- Each hand-off, with a "Relinquished By" and a "Received By" entry: Signature | Print Name | Reason | Date | Time

Why Are These Documents Necessary?
- They collect important information.
- Legal aspects.
- A "get out of jail free" card.

Imaging
IT Auditor's Role:
- Determine where to perform the imaging: onsite or in the lab.
Client's Role:
- Escort the IT Audit staff to physically collect the computer from its secure location.

Hardware Imaging

Imaging
Here are some of the procedures we use during imaging to ensure that the evidence collected is clearly identified and preserved:

Scan Hardcopies
We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.

Tag Evidence
We manually tag all evidence items with the assigned case number using the following naming convention: Case Number – Hard Drive Serial Number (e.g., Agency Name – HDD Serial #).

Connect the Suspect Drive to a Write Blocker
Connect the write blocker to the suspect's hard drive before the drive is attached to any examination machine, so that nothing can write to the evidence drive while it is being imaged.

Imaging a Regular Hard Drive
To image a regular-sized hard drive, implement the following procedure:
- Request that the client purchase the destination storage device. This:
  - reduces cost,
  - ensures enough space is available to process the evidence, and
  - makes transferring the images back to the client easy.
- Use a new or freshly wiped destination drive so that no residual data is mixed in with the evidence image.

Storage Device

Organize Evidence Information
Create the following folders on the destination drive for every case:
Case Name-Evidence Item Number (folder)
  1. Evidence (sub-folder)
     1. HDD1 (sub-folder)
     2. HDD2 (sub-folder)
  2. Export (sub-folder)
  3. Temp (sub-folder)
  4. Index (sub-folder)
  5. Drive Geometry (sub-folder)
  6. Report (sub-folder)
  7. Case Back-up (sub-folder)
Place all images produced in the Evidence folder.

Use FTK Imager
Create the image using FTK Imager. Through experience, we have found it to be one of the easiest and most portable tools for creating images, and the image it produces can be used in both FTK and EnCase.

Image the Physical Drive
Always image the physical drive (the entire device, sector by sector), not just a logical volume or partition, so that unallocated space, partition gaps and deleted data are captured along with the live file system.
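The "Organize Evidence Information" and FTK Imager slides say where an image goes but not how the examiner proves that the image matches the drive, which is the fact the chain of custody ultimately rests on. The Python below is an added example, not the presenter's material or FTK Imager's code: it creates the case folder tree from the slide, hashes a constructed stand-in for the write-blocked physical drive and its image with the MD5/SHA-1 pair FTK Imager reports, files the comparison as a JSON record in the Evidence folder under the slide's Case Number – HDD Serial tag, and shows that a single flipped byte in the image fails verification. The file names, the case number 2013-001 and the serial SERIAL123 are made up for the example.

```python
"""Case folder layout plus acquisition hash verification (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1 << 20                  # hash 1 MiB at a time: a drive image never fits in RAM
ALGORITHMS = ("md5", "sha1")     # the pair FTK Imager reports; add "sha256" for new work
# Folder layout from the slide; HDD1/HDD2 each hold one physical-drive image.
CASE_SUBFOLDERS = ("Evidence/HDD1", "Evidence/HDD2", "Export", "Temp", "Index",
                   "Drive Geometry", "Report", "Case Back-up")


def create_case_folders(dest_drive: str, case_name: str, item_number: str) -> str:
    """Create '<Case Name>-<Evidence Item Number>' and its sub-folders on the destination drive."""
    root = os.path.join(dest_drive, f"{case_name}-{item_number}")
    for sub in CASE_SUBFOLDERS:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    return root


def hash_stream(path: str) -> dict:
    """Hash a device node or image file in one sequential pass, all algorithms at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {"bytes": size, **{alg: h.hexdigest() for alg, h in hashers.items()}}


def verify_acquisition(source: str, image: str, case_number: str, hdd_serial: str) -> dict:
    """Hash source and image and build the record that is filed with the evidence.

    The source must still sit behind the write blocker while it is hashed. A size
    difference (an image padded to a sector boundary, a short read on a failing
    drive) fails verification exactly like a content difference does.
    """
    src, img = hash_stream(source), hash_stream(image)
    return {
        "case_number": case_number,
        "evidence_tag": f"{case_number}-{hdd_serial}",     # tag convention from the slides
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": src,
        "image": img,
        "verified": src == img,
    }


def write_record(record: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)


def demo(workdir: Optional[str] = None) -> dict:
    """Whole procedure on constructed data: a stub 'physical drive', an image of it,
    a clean verification, then a one-byte tamper that verification must catch."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensics-demo-")
    root = create_case_folders(workdir, "SampleAgency", "001")
    source = os.path.join(workdir, "physicaldrive_stub.bin")   # stand-in for the evidence drive
    with open(source, "wb") as fh:
        fh.write(bytes(range(256)) * 8193)                     # 2 MiB + 256 B: exercises a partial chunk
    image = os.path.join(root, "Evidence", "HDD1", "SampleAgency-SERIAL123.dd")
    shutil.copyfile(source, image)                             # stands in for the imaging step
    good = verify_acquisition(source, image, "2013-001", "SERIAL123")
    write_record(good, os.path.join(root, "Evidence", "HDD1", "acquisition-hashes.json"))
    with open(image, "r+b") as fh:                             # flip one byte deep inside the image
        fh.seek(4096)
        byte = fh.read(1)[0]
        fh.seek(4096)
        fh.write(bytes([byte ^ 0xFF]))
    bad = verify_acquisition(source, image, "2013-001", "SERIAL123")
    return {"verified": good["verified"], "tampered_verified": bad["verified"],
            "same_size": good["image"]["bytes"] == bad["image"]["bytes"],
            "folders": sorted(os.listdir(root))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real acquisition the `source` argument is the write-blocked device node (for example `/dev/sdb` on Linux or `\\.\PhysicalDrive1` on Windows) and `image` is the raw or E01-extracted image; the JSON record is what gets filed next to the scanned forms, and the same hashes are re-run before the examination starts and again before the report is issued.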

Imaging a RAID Server (Redundant Array of Inexpensive Disks)
- Have the systems administrator help you review the RAID configuration.
- You need to gather the following information:
  - Stripe (element) size
  - Element order (disk order)
  - RAID level (RAID 1, 5, etc.)
  - Parity rotation: right-hand or left-hand, forward or backward, and whether the data blocks rotate with the parity; or whether the volume is a dynamic (software RAID) disk set.

Imaging a RAID Server (cont.) – RAID Reconstructor
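The two RAID slides list the parameters an examiner has to recover (stripe size, disk order, RAID level, parity rotation) and name RAID Reconstructor as the tool that does it. The Python below is an added example, not the presenter's material or RAID Reconstructor's code: it reassembles a RAID 5 logical volume from member-disk images given those parameters, rebuilds one missing member from parity, verifies row parity, and brute-forces disk order, layout and stripe size the way such tools do, against a constructed three-disk sample. Layout names follow the Linux md convention (left/right for the parity walk, symmetric/asymmetric for whether data rotates with it); the 3-disk set, the 64-byte stripes and the toy "RECORD-" volume format standing in for a real filesystem are all constructed.

```python
"""Virtual RAID 5 reassembly from member-disk images (added example)."""
from functools import reduce
from itertools import permutations
from typing import Callable, Optional, Sequence

# "left": row 0's parity sits on the last disk and walks backward; "right": on disk 0,
# walking forward. "symmetric": data chunk 0 follows the parity disk; "asymmetric":
# data fills from disk 0 onward, skipping the parity disk.
LAYOUTS = ("left-asymmetric", "left-symmetric", "right-asymmetric", "right-symmetric")


def chunk_map(row: int, n: int, layout: str) -> tuple:
    """(parity disk, [disk holding data chunk i]) for one stripe row of an n-disk set."""
    side, rotation = layout.split("-")
    parity = (n - 1) - (row % n) if side == "left" else row % n
    if rotation == "symmetric":
        return parity, [(parity + 1 + i) % n for i in range(n - 1)]
    return parity, [d for d in range(n) if d != parity]


def xor_chunks(chunks: Sequence[bytes]) -> bytes:
    """Byte-wise XOR of equal-length chunks: the RAID 5 parity operation."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)


def build_raid5(data: bytes, n: int, stripe: int, layout: str) -> list:
    """Stripe data over n members with XOR parity (used only to build the sample images)."""
    per_row = stripe * (n - 1)
    rows = -(-len(data) // per_row)
    data = data.ljust(rows * per_row, b"\0")
    disks = [bytearray(rows * stripe) for _ in range(n)]
    for row in range(rows):
        parity, order = chunk_map(row, n, layout)
        row_chunks = []
        for i, disk in enumerate(order):
            off = (row * (n - 1) + i) * stripe
            row_chunks.append(data[off:off + stripe])
            disks[disk][row * stripe:(row + 1) * stripe] = row_chunks[-1]
        disks[parity][row * stripe:(row + 1) * stripe] = xor_chunks(row_chunks)
    return [bytes(d) for d in disks]


def reassemble_raid5(members: Sequence[Optional[bytes]], stripe: int, layout: str) -> bytes:
    """Rebuild the logical volume from member images listed in controller order.
    One member may be None (failed, or never imaged) and is rebuilt from parity. With all
    members present, row parity is verified: that catches a corrupt image or a disk from
    another array, but not a wrong order, stripe or layout (XOR is order-independent)."""
    n = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 can rebuild at most one missing member")
    size = min(len(m) for m in members if m is not None)
    out = bytearray()
    for row in range(size // stripe):
        lo, hi = row * stripe, (row + 1) * stripe
        chunks = [None if m is None else m[lo:hi] for m in members]
        if missing:
            chunks[missing[0]] = xor_chunks([c for c in chunks if c is not None])
        elif any(xor_chunks(chunks)):
            raise ValueError(f"parity mismatch in stripe row {row}")
        for disk in chunk_map(row, n, layout)[1]:
            out += chunks[disk]
    return bytes(out)


def guess_geometry(images: Sequence[bytes], stripes: Sequence[int],
                   looks_right: Callable[[bytes], bool]):
    """Brute-force disk order, layout and stripe size until the rebuilt volume passes
    looks_right (on real media: a sane partition table and filesystem structures)."""
    for order in permutations(range(len(images))):
        members = [images[i] for i in order]
        for layout in LAYOUTS:
            for stripe in stripes:
                try:
                    volume = reassemble_raid5(members, stripe, layout)
                except ValueError:
                    continue
                if looks_right(volume):
                    return order, layout, stripe
    return None


# Constructed sample: 32 sequential 16-byte records (512 B, no padding) over 3 disks,
# 64-byte stripes, left-symmetric (the Linux md default).
SAMPLE_VOLUME = b"".join(f"RECORD-{i:08d}\n".encode() for i in range(32))
SAMPLE_MEMBERS = build_raid5(SAMPLE_VOLUME, 3, 64, "left-symmetric")


def records_sequential(volume: bytes) -> bool:
    """Toy stand-in for a filesystem sanity check: every record is in sequence."""
    return all(volume[i * 16:(i + 1) * 16] == f"RECORD-{i:08d}\n".encode()
               for i in range(len(volume) // 16))


def demo() -> dict:
    ok = lambda members: reassemble_raid5(members, 64, "left-symmetric") == SAMPLE_VOLUME
    results = {"full": ok(SAMPLE_MEMBERS), "wrong_order": ok(SAMPLE_MEMBERS[::-1]),
               "degraded": ok([SAMPLE_MEMBERS[0], None, SAMPLE_MEMBERS[2]])}  # disk 1 lost
    try:                                        # a zeroed stranger in place of disk 2
        ok([SAMPLE_MEMBERS[0], SAMPLE_MEMBERS[1], bytes(256)])
        results["foreign_disk_detected"] = False
    except ValueError:
        results["foreign_disk_detected"] = True
    shuffled = [SAMPLE_MEMBERS[2], SAMPLE_MEMBERS[0], SAMPLE_MEMBERS[1]]
    results["guess"] = guess_geometry(shuffled, (16, 32, 64, 128), records_sequential)
    return results
```

The point of `guess_geometry` is the one the slide makes indirectly: parity verification alone cannot tell you the disk order or stripe size, because XOR across a row is the same whatever the order, so a wrong geometry produces a volume that passes parity and is still garbage. Only a content check (on real media, a valid MBR/GPT and filesystem boot sector, or the directory structures deeper in the volume) confirms the geometry, which is why the slide has you confirm stripe size and disk order with the systems administrator before imaging rather than after.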

Examination/Analysis
- Remove the hard drive from the write-block device.
- Reassemble the computer.
- Ensure the evidence remains tagged.

Examination/Analysis (cont.) – FTK

Examination/Analysis (cont.)
FTK can take a few days to process an image. During this time, we return to our normal audit work.

Examination/Analysis (cont.)
- Run keyword searches (obtain the keywords from the client).
- Review corroborating evidence:
  - Surveillance video
  - DVDs & CDs

Examination/Analysis (cont.) – EnCase

Examination/Analysis (cont.)
Do not answer questions from, or provide additional information to, agency personnel: agency personnel can accidentally leak information about the case.

Forensic Report
The IT Auditor will issue a report to the appropriate personnel once the examination is completed.

If court action is anticipated, inform the Agency Head to preserve the original evidence if possible. If the original evidence cannot be preserved, the NC Rules of Evidence allow the image to be admitted as evidence in its place.

Questions?