Slide 1: Using the EnCase Field Intelligence Model in Assisting with Forensics Examinations
Tammy Clark, Chief Information Security Officer
William Monahan, Lead Information Security Administrator
Nancy Chang, Information Security Intermediate
Slide 2: Today’s Agenda
A Little Background Info
The Big Picture
Importance of Policy/Procedure
Cooperation/Collaboration (The Force Multiplier)
Tools of the Trade
Recent Activities (Never a Dull Moment)
EnCase, Not a Panacea (But Close)
EnCase Demo
References
Slide 3: A Little Background Info
GSU’s information security program launched in 2000 with one staff member (now three full-time staff and one contractor).
Decentralized information technology environment: success through tools, governance, and cooperation/collaboration with stakeholders.
The Information Security Department and Office of Disbursements were initially ISO certified by BSI in 2008 and passed reassessment in early 2009 (incrementally expanding the scope: Technical Operations Center in 2010).
The EnCase Field Intelligence Model was originally purchased in January.
Legal Affairs requested that the Information Security Department conduct E-Discovery activities as a byproduct of a faculty member being arrested for pedophilia.
Slide 4: The Big Picture
Slide 5: Importance of Policy/Procedure
Incident Response Policy
Electronic Evidence Seizure & Preservation Procedure
Computer Security Incident Response Team Procedure
Electronic Evidence Inventory Form
University Sterilization Procedure
Slide 6: Cooperation/Collaboration (The Force Multiplier)
Georgia State University Office of Legal Affairs
University Police
University Auditing and Advisory Services
Computer Security Incident Response Team
Vendors: Microsoft, Dell, AOL, Apple…
Slide 7: Tools of the Trade
Write Blocker
Go Bag
Evidence Safe
Forensics Computer
EnCase Software
Available Resources (Net Flows, AV Logs, FW Logs, Video Recordings, Subpoenas…)
Common Sense
Slide 8: Recent Activities (Never a Dull Moment)
Stolen Computers (The Magic Macintosh)
Policy Violations (Not an Extension of Law Enforcement, However…)
Subpoenas
Orders to Preserve
Open Records Act Requests (Keyword Searches)
Hacked Systems (Are you sure it’s been hacked?)
Slide 9: EnCase, Not a Panacea (But Close)
Basic Features/Modules
Acquire data in a forensically sound manner
Investigate and analyze multiple platforms: Windows, Linux, AIX, OS X, Solaris…
Manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack, unallocated space…
Automate complex and routine tasks with prebuilt EnScript® modules
Reporting options enable professional/quick report generation
Additional Features/Modules
EnCase Physical Disk Emulator (PDE): boot an evidence file in VMware
EnCase Decryption Suite (EDS): EFS, Outlook PST passwords, automatic decryption and analysis of Windows registry protected storage, PGP Whole Disk Encryption (WDE) support (PGP credentials required)…
Slide 10: EnCase Demo
Example Case
Suspect: Kevin Smith, ex-employee of Thunder Enterprises
Research: Possible fraud
Examiner’s job: To report any incriminating evidence that may be found on Mr. Smith’s hard drive (previously seized)
EnCase Activities
Create a Case
Copy Evidence
Add Device
Acquire & Hash
Recover Lost Data
Search for Evidence
Bookmark & Report
Slide 11: Create a Case
With the EnCase software open, fill in the “Case Options” information. Link the locations of the export, temp, and index folders.
Slide 12: Use Write Blocker (FastBloc) or Crossover Cable (w/Helix Boot) to Copy Evidence
Attach FastBloc to the hard drive and the computer.
Slide 13: Add Device
Slide 14: Acquire & Hash
Slide 15: Recover Lost Data
Look at the MBR to determine partition type and file system.
bytes of MBR
Bookmark the partition table.
Slide 16: Recover Lost Data Cont’d
Hard drive space does not add up: the total size is 7.2 GB while the current partition size is only 6.9 GB. A partition may have been deleted!
Slide 17: Recover Lost Data Cont’d
Go to the sector and use Add Partition. Recover the deleted “D” drive.
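The partition-table reasoning behind slides 15 to 17, as an added example that is not part of the original presentation and not EnCase code: parse the four MBR entries, compare the claimed partition space with the disk size, and report any sizeable unallocated range as a candidate deleted partition. The MBR bytes and the 7.2 GB / 6.9 GB figures are constructed to mirror the slides; the type-name table is an assumed subset of the standard MBR type codes.

```python
import struct

SECTOR = 512
# Partition-type bytes to names; assumption: a small subset of the MBR type table.
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x83: "Linux"}

def parse_mbr(mbr):
    """Parse the four 16-byte entries of a 512-byte MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        entries.append({"slot": i, "bootable": status == 0x80,
                        "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                        "start": start, "end": start + count - 1, "sectors": count})
    return sorted(entries, key=lambda e: e["start"])

def find_gaps(entries, disk_sectors, min_sectors=2048):
    """Return (first, last) sector ranges claimed by no partition; a large gap
    after the last entry is the 'space does not add up' clue from the slides."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for e in entries:
        if e["start"] - cursor >= min_sectors:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["end"] + 1)
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def gb(sectors):
    return round(sectors * SECTOR / 1e9, 2)

def build_mbr(parts):
    """Construct a test MBR (not a real disk image) from (bootable, type, start, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, s, n) for b, t, s, n in parts)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xAA"

# Constructed scenario mirroring the slides: a 7.2 GB disk whose only listed partition is 6.9 GB.
DISK_SECTORS = 14_062_500
SAMPLE_MBR = build_mbr([(True, 0x07, 63, 13_476_562)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"slot {p['slot']}: {p['type']} sectors {p['start']}-{p['end']} ({gb(p['sectors'])} GB)")
    print(f"disk {gb(DISK_SECTORS)} GB, partitioned {gb(sum(p['sectors'] for p in parts))} GB")
    for first, last in find_gaps(parts, DISK_SECTORS):
        print(f"unallocated sectors {first}-{last} ({gb(last - first + 1)} GB): check for a deleted partition")
```

The reported gap's first sector is where the examiner would "go to sector" and add the partition back; confirm the file system there (a boot sector signature, for instance) before trusting the recovery.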
Slide 18: Search for Evidence
Signature verification analysis
Slide 19: Search for Evidence Cont’d
Compound documents
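What the signature verification analysis of slide 18 and the compound-document check of slide 19 do, as an added example that is not code from the presentation or from EnCase: compare each file's leading bytes with a magic-byte table, flag files whose extension disagrees with their true type (a renamed Office container or executable), and mark files with no known signature for manual review. The signature table is an assumed subset of the one EnCase ships with, and the sample file headers are constructed.

```python
import os

# Magic-byte table; assumption: a small subset of the signature table EnCase ships with.
SIGNATURES = [
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}, "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", {"png"}, "PNG image"),
    (b"%PDF-", {"pdf"}, "PDF document"),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}, "ZIP container (archive or Office OOXML)"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt", "msg"}, "OLE2 compound document"),
    (b"MZ", {"exe", "dll", "sys"}, "Windows PE executable"),
]

def signature_check(name, header):
    """Classify one file from its name and leading bytes: match, mismatch or unknown."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    for magic, exts, desc in SIGNATURES:
        if header.startswith(magic):
            return {"file": name, "ext": ext, "detected": desc,
                    "status": "match" if ext in exts else "mismatch"}
    return {"file": name, "ext": ext, "detected": None, "status": "unknown"}

def triage(files):
    """Return only the files an examiner should look at: renamed (mismatch) or unrecognised."""
    return [r for r in (signature_check(n, h) for n, h in files) if r["status"] != "match"]

# Constructed sample headers (first bytes only), not data from any real case.
SAMPLE_FILES = [
    ("vacation.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("budget.jpg", b"PK\x03\x04\x14\x00\x06\x00"),          # ZIP/Office file renamed to .jpg
    ("quarterly.doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),  # genuine OLE2 compound document
    ("notes.txt", b"Meeting with the bank on Friday\n"),
    ("update.png", b"MZ\x90\x00\x03\x00\x00\x00"),           # executable hiding behind .png
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FILES):
        print(f"{r['status']:8} {r['file']:15} -> {r['detected'] or 'no known signature'}")
```

Files detected as ZIP or OLE2 containers are the compound documents of slide 19: their contents (embedded streams, parts of an OOXML package) need to be mounted or expanded before a keyword search will see them.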
Slide 20: Search for Evidence Cont’d
Search for keywords “Smith” and “Bank”
Slide 21: Search for Evidence Cont’d
Keyword search results
Slide 22: Bookmark & Report
Bookmark relevant data
Slide 23: Bookmark & Report Cont’d
Document the recovered evidence in report format.
Slide 24: References
Books
EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. Indianapolis, Indiana: Wiley Publishing, Inc., 2008
EnCase Computer Forensics II. Guidance Software, Inc., 2008
Write Blockers
Tableau Write Blocker
Guidance Software’s FastBloc®3
Training
Guidance Software - EnCase® v6 Computer Forensics I
Georgia State University - CIS 4000 (Computer Forensics)
Slide 25: Questions?
Tammy Clark, Chief Information Security Officer
William Monahan, Lead Information Security Administrator
Nancy Chang, Information Security Intermediate
Copyright Georgia State University, Apr. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials.