Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics

Published byAlaina Wade Modified over 7 years ago

Similar presentations

Presentation on theme: "CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics"— Presentation transcript:

1 CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics
Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

2 Digital Forensics You will learn in this module:
The principals of computer and digital forensics a theoretical and practical perspective. The skills to apply analytical and evaluative techniques in the use of digital forensic tools within a variety of computer environments. The fundamental ethical and professional issues associated with the use of digital forensics, as well as the role of related professional and regulatory bodies.

3 Practical Work You will learn practical skills using some well known forensic tools. Mostly the practicals using the Caine environment. This uses The Forensic Sleuth Toolkit (FST), including autopsy. This allows you to perform forensics on a variety of information sources. Caine is a Linux environment, based on Ubuntu/Debian. The first few weeks of the module includes an introduction to Linux appropriate to get you going with Caine. The majority of the remainder of the module focuses on the use of linux-based tools to perform computer forensics.

4 Recommended Text For Linux, any book introducing the linux command line would be fine. We are not going deeply into Linux during this module. Recommended book for Forensics: Britz, M. J. (2008) Computer Forensics and Cyber Crime: an introduction. 2nd Edition. New Jersey, USA: Pearson Prentice Hall. Carrier, B., File System Forensic Analysis, March , Addison-Wesley Professional Casey, E. (2011) Digital Evidence and Computer Crime. 3rd Edition. London, UK: Academic Press Nelson, B., Phillips, A., Enfinger, F., Steuart, C. (2008) Guide to Computer Forensics and Investigation. 3rd Edition. Boston, USA: Thomson Course Technology.

5 Online Resources Digital Forensic Research Workshop (DFRWS)
Challenges Projects National Institute of Standards and Technology (NIST) Journal - Digital Investigation Forensics Wiki

6 Elements Covered The module covers some a variety of topics:
Basic Linux command line and GUI. Static Forensics: Introduction to concepts of Computer Forensics and Digital Forensics with respect to digital evidence Introduction to principles involved in Digital Forensic investigations Ethical and professional issues related to Digital Forensics Introduction to forensic techniques used in the examination of end-devices covering boot disks, file systems, system registry, timeline of events, web browsers, , log files, and network traces. Introduction to open source and commercial forensic tools

7 Timetable You should attend 2 hours of lectures + 2 hours of practicals per week. Lectures will be mostly “lecturing”, but will also include group tutorial sessions and deminstrations. Attendance will be taken at all events.

8 Practicals These run using any networked PCs.
You must have Java installed and allow java applets. Your network must allow direct HTTP (including HTTP Connect), and at least 1 of either Telnet (port 23) or SSH (port 22). You need a good reliable network connection. The environment is available online from We are following the Caine tutorials. Other tutorials are used in other modules.

9 Assessment There are 2 assessments in this module:
A supervised class test in the form of a Short Answer Written Exam. This is worth 40% of the module. This runs in week 7 during your timetabled practical session. The test covers your theoretical understand of Forensics, as well as the initial aspects of practical forensics. This is a closed-book exam. A supervised practical test This is worth 60% of your module marks. This runs in week 13 in your normal practical event. This test asks you to perform various forensic-related tasks within a Caine environment, and you are marked on your ability to produce the data requested. This is an OPEN BOOK exam.

10 Lectures The lectures are 1-2 hours long.
Lectures are not the source of all knowledge. You need to do some reading on your own, and to practice with the Linux machines. If you don’t attend the practicals and lectures, and practice what you have learned right from week 1, you will struggle with this module.

11 Presentation Plan Module Week Lecture Tutorials in Caine 2.5.1 list 1
A: Introduction to Forensics (RL) B: Linux Overview + Caine (GR) Essentials 2 Essential Linux for Forensics (GR) Basic 3 Linux Filesystem + Searching (GR) Search 4 A: Forensic Processes (RL) B: Advanced Search in Linux (GR) AdvSearch 5 A: PC Boot Process (RL) B: Advanced Linux (GR) CaineEssentials 6 Forensic Acquisition (RL) Capture

12 Module Week Lecture Tutorials in Caine list 7 Disk Analysis (RL) store * Short Answer Exam 8 Filesystem Analysis (RL) files1 9 Data Analysis (RL) files2 10 A: Registry Forensics (RL) B: Activity/Browser/app/Timeline (RL) data 11 Encase (RL) browser 12 Real-World forensic walkthrough (RL) * Practical Exam

13 Forensics - Introduction
Forensic definitions Forensic history Main forensic concepts

14 Definitions Forensic:
“…a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).” The aim of forensic science is: “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.” Ref: Casey, “Digital Evidence and Computer Crime”

15 Computer Forensics vs Digital Forensics
“Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.” Robbins, Judd , PC Software Forensics The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from the digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. Digital Forensics Research Workshop

16 Locard’s Exchange Principle
It is impossible for the criminal to act, especially considering the intensity of a crime, without leaving traces of his presence With contact between two items, there will be an exchange Locard’s Exchange Principle. Edmond Locard was the director of the first crime laboratory, located in France. One of the first practitioners of forensic scientific techniques. Locard was instrumental in the development of a criteria for establishing the reliability of fingerprint evidence. Forensic science developed from the late 18th century onwards. The original forensic scientists were medical practitioners who used analysis techniques to understand the cause of death from disease via autopsy.

17 History of Computer/Digital Forensics
Electronic crimes were increasing, especially in the financial sector. Most law enforcement officers didn’t know enough about computers to ask the right questions or to preserve evidence for trial. 1980s PCs gained popularity and different OSs emerged. Disk Operating System (DOS) was available. Forensics tools were simple, and most were generated by government agencies. Mid-1980s Xtree Gold appeared on the market able to recognize file types and retrieve lost or deleted files. Norton DiskEdit soon followed and became the best tool for finding deleted files.

18 History of Computer/Digital Forensics
1984 Scotland Yard: Computer Crime Unit FBI computer forensics departments Early 1990s Tools for computer forensics were available International Association of Computer Investigative Specialists (IACIS) Training on software for forensics investigations IRS created search-warrant programs ExpertWitness for the Macintosh First commercial GUI software for computer forensics Created by ASR Data. Recovers deleted files and fragments of deleted files 1990 Computer Misuse Act (CMA) Although digital computing systems process and store virtual, not physical, material, Locard’s principle applies perfectly well. The discipline of computer forensics is well established, and is starting to diverge into specialities. In the UK, the first computer crime squad, the Computer Crime Unit, was set up by Scotland Yard in 1984 In the US, at this time, the FBI had set up their own computer forensic departments. In the UK, it was due to the pioneering work of the investigators, that lead to the Computer Misuse Act of This was a recognition of the impact that technology was having, the changing nature of crimes, and the outdated manner in which these crimes were being dealt with.

19 Investigative Context
Primary Objectives Secondary Objectives Environment Law Enforcement Prosecution Post-Mortem Military IW Ops Continuity of Operations Real-Time/Post-Mortem Business and Industry Continuity of Service However, the term forensics relates to evidence and use of techniques in order to satisfy the outcome of digital proceedings. As Carrier states, this imposes a set of highly restrictive principles on the investigator, as it is specific to a certain context. The problems facing DF do not solely relate to the variance within DCS. Different domains require distinctive outcomes from a DF investigation. Broadly, these domains can be defined as: civilian; and organisational. The civilian context normally involves law enforcement agencies investigating individual(s) with the intent of solving or prosecuting an alleged crime. The distinction between these two domains is the manner in which crime is detected, reported, and controlled. Within the civilian context, crimes are reported to, and therefore investigated by, law enforcement agencies. Within the organisational context, a crime can constitute a number of different types of digression, all of which have differing levels of severity. A circumvention of an IT usage policy would be a transgression against the organisation. Depending on the policy circumvention type, it may also break various laws. If this is the case, the organisation may seek prosecution, which means the necessary law enforcement groups would be contacted. Yet, the organisation may chose to deal with the policy circumvention itself, as it may have the necessary technical and operational expertise to conduct such an investigation in-house, or possibly because of the sensitive nature of the operations or incidents involved. Because an organisation typically has internal control over its own IT infrastructure, the focus of this thesis will be on the DF investigation within an organisational context.

20 Digital Investigation
A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method where we develop a hypothesis using evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible. Digital Evidence is a digital object that contains reliable information that supports or refutes a hypothesis. Thus, what we are not going to learn is how to give evidence in court, what the specific laws are in relation to computer misuse. Nor are we going to cover the various organisational policies that you may encounter. Instead, we are here to focus solely on the area of digital investigation. Evidence, thus, has a meaning in investigative context, and not in terms of the context of legal admissibility. Thus this leads to the idea that digital investigation is influenced by the context in which it is undertaken. This module is concerned with Digital investigation. The outcome of this investigation may be used for a Forensic Investigation as part of a criminal case against an individual, or it may be used as part of an internal process. This is something that we are not going to teach as part of this course, as it is out of our remit. B. Carrier, 2006 File System Forensic Analysis,

21 Characteristics of Evidence
Data can be viewed at different levels of abstraction Data requires interpretation Data is Fragile Data is Voluminous Data is difficult to associate with reality Why is this a challenging discipline? Not only are the systems upon which we are working highly complex, but the evidence we collect has the following characteristics.

22 Characteristics of Evidence
Data can be viewed at different levels of abstraction Data requires interpretation Data is Fragile Data is Voluminous Data is difficult to associate with reality

23 Characteristics of Evidence
Data can be viewed at different levels of abstraction Data requires interpretation Data is Fragile Data is Voluminous Data is difficult to associate with reality Data is fragile – it’s really very malleable, which means it must be handled with the utmost care to ensure that processes and activities do no overwrite the data contained within the files.

24 Characteristics of Evidence
Data can be viewed at different levels of abstraction Data requires interpretation Data is Fragile Data is Voluminous Data is difficult to associate with reality

25 Characteristics of Evidence
Data can be viewed at different levels of abstraction Data requires interpretation Data is Fragile Data is Voluminous Data is difficult to associate with reality

26 Investigation Process
According to many professionals, Computer Forensics is a four (4) step process: Acquisition Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices Identification This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

27 Investigation Process
According to many professionals, Computer Forensics is a four (4) step process: Evaluation Evaluating the information/data recovered to determine if and how it could be used again the suspect for employment termination or prosecution in court Presentation This step involves the presentation of evidence discovered in a manner which is understood by lawyers, non-technically staff/management, and suitable as evidence as determined by United States and internal laws

28 Tool Requirements Usability - Present data at a layer of abstraction that is useful to an investigator Comprehensive - Present all data to investigator so that both inculpatory and exculpatory evidence can be identified Accuracy - Tool output must be able to be verified and a margin of error must be given Deterministic - A tool must produce the same output when given the same rule set and input data. Verifiable - To ensure accuracy, one must be able to verify the output by having access to the layer inputs and outputs. Verification can be done by hand or a second tool set. Brian Carrier, 2003, Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

29 Challenges Size of storage devices Embedded flash devices
Proliferation of operating systems and file formats Multi-device analysis Pervasive Encryption Cloud computing RAM-only Malware Legal Challenges decreasing the scope of forensic investigations Research Challenges facing the investigation community S.L. Garfinkel, Digital forensics research: The next 10 years, Digital Investigation, vol. 1, no. 7, pp , 2010 “The coming Digital Forensics Crisis”

30 Any Questions …

31 Assessment: Short-Answer Examples
Question: Describe a role of Acquisition process in Computer Forensic Investigation.

32 Assessment: Short-Answer Examples
Question: Describe a role of Acquisition process in Computer Forensic Investigation. Answer: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

33 Assessment: Short-Answer Examples
Question: List and describe minimum two challenges facing Digital Forensics in the next 10 years.

34 Assessment: Short-Answer Examples
Question: List and describe minimum two challenges facing Digital Forensics in the next 10 years. Answer: Size of storage devices – due to technical advances the size of the storage devices increases with every year. The bigger the storage the more time is required to acquire the storage device and to analyse the data on it. RAM-only Malware – this type of code is executed in the RAM and it is not written to any storage devices. To be able to trace/analyse the malware live forensic examination is required while the computer device is switched on. It is not possible to analyse the malware using post-mortem forensics.

Download ppt "CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics"

Similar presentations

The Messy World of Grey Literature in Cyber Security 8 th Grey Literature Conference 4-5 December 2006 New Orleans, Louisiana Patricia Erwin – I3P Senior.

The Messy World of Grey Literature in Cyber Security 8 th Grey Literature Conference 4-5 December 2006 New Orleans, Louisiana Patricia Erwin – I3P Senior.
Action Research Not traditional educational research often research tests theory not practical Teacher research in classrooms and/or schools/districts.

Action Research Not traditional educational research often research tests theory not practical Teacher research in classrooms and/or schools/districts.
National Academic Reference Standards

National Academic Reference Standards
MSc in Business Information Technology

MSc in Business Information Technology
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Advances research methods and proposal writing Ronan Fitzpatrick School of Computing, Dublin Institute of Technology. September 2008.

Advances research methods and proposal writing Ronan Fitzpatrick School of Computing, Dublin Institute of Technology. September 2008.
The Forensic Laboratory. K-Fed sez: Quiz on Friday.

The Forensic Laboratory. K-Fed sez: Quiz on Friday.
Diploma of Project Management Course Outline NSW Course Number 17872 Qualification Code BSB51407.

Diploma of Project Management Course Outline NSW Course Number Qualification Code BSB51407.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J. 2009 w/ T. Scocca.

COEN 252 Computer Forensics Introduction to Computer Forensics  Thomas Schwarz, S.J w/ T. Scocca.
T OWARDS S TANDARDS IN D IGITAL F ORENSICS E DUCATION.

T OWARDS S TANDARDS IN D IGITAL F ORENSICS E DUCATION.
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011
Margaret J. Cox King’s College London

Margaret J. Cox King’s College London
CSN08101 Digital Forensics Lecture 4A: Forensic Processes Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak.

CSN08101 Digital Forensics Lecture 4A: Forensic Processes Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak.
Diploma of Project Management Course Outline NSW Course Number 17872 Qualification Code BSB51407.

Diploma of Project Management Course Outline NSW Course Number Qualification Code BSB51407.
2006 06 16 LEFIS W2 Posgraduate Workshop 1 LEFIS, WG 2 Postgraduate studies Meeting, Rotterdam.

LEFIS W2 Posgraduate Workshop 1 LEFIS, WG 2 Postgraduate studies Meeting, Rotterdam.
Defining Digital Forensic Examination & Analysis Tools Brian Carrier.

Defining Digital Forensic Examination & Analysis Tools Brian Carrier.
Computer Forensics Iram Qureshi, Prajakta Lokhande.

Computer Forensics Iram Qureshi, Prajakta Lokhande.

Similar presentations

Ads by Google