Computer Forensics Discovery and recovery of digital evidence


1 Computer Forensics Discovery and recovery of digital evidence
Usually post facto; sometimes real time.
Types of forensic investigations:
  Litigation-related: going to court (crimes, etc.)
  Non-litigation: administrative adjudication, industry

2 Skills and Knowledge
Be aware of the many types of digital devices and their components and potential contents
Develop a Web behavior profile
Learn how to seize a computer and other devices
Proper handling of digital evidence
How to search a computer for evidence
Analyze a phishing scam
Become more knowledgeable about the digital/information world
06/11/2018

3 Purpose
Prove or disprove criminal activity
Prove or disprove policy violation
Prove or disprove malicious behavior to or by the computer/user
If the evidence is there, the case is yours to lose with very little effort.

4 Legal and Ethical Issues
Computer forensic exams are illegal without the cover of law (4th Amendment).
You will learn dual-use technology:
  All tools can be used to commit crime
  All procedures can be used to hide crime
It is unethical to breach someone's expectation of privacy.

5 Responsibilities
Evidence
  All of it
  Emphasis on exculpatory
Respect for suspects' privacy and rights
  Beware of collateral damage
  Be very, very careful if you demonstrate what you can do.

6 Privacy Issues
Rights of the suspect
Liabilities of the investigator
Public versus private storage of information
Expectation of privacy

7 Evidence
Forensics is all about evidence.
Evidence: something that tends to prove or disprove the existence of an alleged fact.
Federal Rules of Evidence govern proceedings in the courts of the United States.

8 Evidence
Admissible: must be legally obtained and relevant
Reliable: has not been tainted (changed) since acquisition
Authentic: the real thing, not a replica
Complete: includes any exculpatory evidence
Believable: lawyers, judge and jury can understand it

9 Evidence
Admissible: search warrant, wiretap, NSL
Reliable: chain of custody, protected, properly handled; not tainted, not changed (MD5)
Authentic: computer data is different
Complete: must search the entire hard disk
Believable: impossible for geeks

10 Conviction
Must prove:
  Actus reus - the criminal act
  Mens rea - the criminal intent

11 Intro to WinHex
WinHex – a hexadecimal editor for Windows
A general-purpose forensic analysis tool we will use for this course. Excellent professional-grade tool.
You can download a trial version. It has limited capability, but you can do a lot with it. Then complete your assignments in the lab. The license is good for a limited time.

12 WinHex Main Screen

13 Open a File

14 Navigate to the Desired File

15 Select and Open What have we done?

16 WinHex Display of file WinHex displays the entire contents of the file. Extreme left is the offset (position) relative to the beginning of the file. In this display the position is in hexadecimal. We will change this in a little bit. The central panel is the data display in hexadecimal. The far right panel is an attempt to display the file contents in characters, i.e. ASCII characters.

17 Offset Change Select General Options from the Options menu.

18 General Options We are interested in offsets.
Unselect Hexadecimal offsets.

19 Magic

20 View as Text Only

21 Text

22 Open an Image File
Find an image somewhere, maybe an image from a camera or cell phone.
Open it in WinHex.
To close, right-click on the tab and choose Close - all gone.

23 Open an Image

24 Actual Image Data

25 MAC Information
All files carry information about the file itself (metadata). This info is contained in the file or in the directory.
MAC:
  Create time
  Modify time
  Access time
This information is very important to case development.

26 MAC & Evidence The MAC time info is changed when the file is opened, viewed or changed. Consequently, when a drive is opened it is changed. Be very careful when handling digital evidence.

27 MAC Data

28 More Metadata
Pictures from cameras have it; it is called EXIF data.

29 Exif Data

30 Exif Cont’d

31 Search File for Text Offset in decimal, go find the text.

32 Find Text
Position > Go To Offset. Type in the desired offset. Select OK.

33 JPEG Found JPEG
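The WinHex view described on slides 16-18 (offset column in hexadecimal or decimal, hex panel, character panel), the offset search that located the JPEG above, and the MD5 integrity check behind the Reliable criterion on slide 9, as an added Python example that is not part of the original presentation. The sample bytes are constructed here (a line of text followed by a minimal JPEG header), not a real case file.

```python
import hashlib

# Constructed sample: a few bytes of text followed by a minimal JPEG header
# (SOI marker FF D8, then the start of a JFIF APP0 segment). Not a real photo.
SAMPLE = (
    b"Notes from the case file.\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xd9"
)

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG begins with these bytes


def md5_hex(data: bytes) -> str:
    """Hash the evidence once at acquisition so later copies can be compared."""
    return hashlib.md5(data).hexdigest()


def hexdump(data: bytes, hex_offsets: bool = True, width: int = 16) -> list[str]:
    """Render data the way WinHex does: offset | hex bytes | printable chars."""
    lines = []
    for start in range(0, len(data), width):
        chunk = data[start:start + width]
        # General Options lets you switch the offset column between hex and decimal.
        offset = f"{start:08X}" if hex_offsets else f"{start:10d}"
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset}  {hex_part}  {text}")
    return lines


def find_magic(data: bytes, magic: bytes = JPEG_MAGIC) -> list[int]:
    """Return every decimal offset where the signature occurs (Go To Offset targets)."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits


if __name__ == "__main__":
    print("MD5:", md5_hex(SAMPLE))
    for line in hexdump(SAMPLE, hex_offsets=False):
        print(line)
    print("JPEG signature at decimal offsets:", find_magic(SAMPLE))
```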

34 Physical Media vs. Logical Drives
Physical media (raw memory): no structure, no contents – only a stream of data
Logical drives: structured, file system, files

35 Tools Menu

36 Physical Opened Not Terribly Useful

37 Opening whatever is on the Drive

38 Closer Check the Windows Explorer box.

39 Now We can See Stuff

40 Double Click on a File Beginning of file.

41 Cruising Through Deleted Files - Dimmed Interesting $$$

42 A Closer Look Maybe we have a business!

43 Computer Forensics
Be careful: you are law enforcement.
Protect all parties.
Evidence must be: Admissible, Reliable, Authentic, Complete, Believable

44 Lab
Play with WinHex: open a device, open a file, open an image, explore.

