Download presentation
Presentation is loading. Please wait.
Published byChad Ellis Modified over 6 years ago
1
Extract and Correlate Evidences in Computer Forensics
Alicia Castro Thesis Defense Master of Engineering in Software Engineering Department of Computer Science University of Colorado, Colorado Springs Alicia Castro/NICA Computer Forensic 11/13/2018
2
Computer Forensics Facts
Computer forensics is about investigating digital evidence related to criminal or suspicious behavior where computers or computer and related equipment may or may not be the target. Internet crime has increased 22.3% in 2009 over 2008. Alicia Castro/NICA Computer Forensic 11/13/2018
3
Computer Forensic Background
Digital evidence includes computer generated records such as the logs/output of computer programs and computer-stored records such as messages/chats It is difficult to attribute certain computer activities to an individual especially in a shared multi-access environment. require establish timeline and correlating of events Add a viewgraph lists related work/computer forensic tools right after this. Later you mentioned other forensic tools but you never mentioned what they are! Alicia Castro/NICA Computer Forensic 11/13/2018
4
Comparable Forensic Tools
Cookie History Cache Browser Outlook IM Registry $ RegRipper free Galleta 1 Pasco EventLog Nica 3 Encase 4 $$$ Alicia Castro/NICA Computer Forensic 11/13/2018
5
Computer Forensics Legal Issues
Understand fundamentals of: Search and Seizure laws Electronic Communication Privacy Act Wiretap Statute Pen/Trap Statute Patriotic Act State Laws about Search and Seizure Alicia Castro/NICA Computer Forensic 11/13/2018
6
Forensic Investigation
Accessories to a Crime Alicia Castro/NICA Computer Forensic 11/13/2018
7
…Forensic Investigation
Suspect Accomplices of a Crime Alicia Castro/NICA Computer Forensic 11/13/2018
8
Utilities Used by Nica Forensic Tool
Nica is the nick name of Nicaraguan citizens, being that I am from Nicaragua I decided that this was a good name for it. Nica Forensic Tool uses external tools to help parse and extract info from the cache files of IE, Mozilla Firefox, Google Chrome browsers and Outlook .pst files IECacheView MozillaCacheView ChromeCacheView IEHV Outlook Redemption Microsoft Log Parser What is Nica stands for? Alicia Castro/NICA Computer Forensic 11/13/2018
9
Nica Forensic tool functionality
Use the cache files parser information and determine what information is valuable. Get cookies and history files of each web browser, Skype logs, Instant Messenger and Outlook logs. Store information in a database Display any output providing potential evidences. Design of GUI for easy assess to forensic evidences. Alicia Castro/NICA Computer Forensic 11/13/2018
10
Nica Forensic Tool Unlike similar forensic tools like Galleta and Pasco; it finds all the users on the computer not just the logged on users. Unlike similar forensic tools like Galleta, Pasco and RegRipper; it does not need the investigator to enter the path where the information would be found. Nica Forensic Tool does it for the investigator. What are similar forensic tools? Add them in Viewgraph 3 Alicia Castro/NICA Computer Forensic 11/13/2018
11
Nica Forensic Tool Design
Enter Case Number Case Description Forensic Investigator Notes Alicia Castro/NICA Computer Forensic 11/13/2018
12
Run the parser to find entries by activities.
Note the time stamp for date that the investigation was done and also the time it takes to find all the activities Alicia Castro/NICA Computer Forensic 11/13/2018
13
Provide Timeline Viewer Report by user, date time and activities
Alicia Castro/NICA Computer Forensic 11/13/2018
14
Facilitate Finding/Gathering of Evidences
Alicia Castro/NICA Computer Forensic 11/13/2018
15
Select the Evidences Alicia Castro/NICA Computer Forensic 11/13/2018
16
Display Selected Suspected Activities
Alicia Castro/NICA Computer Forensic 11/13/2018
17
Evidence Classification
Inclusion Criteria More than one activity Time between activities is less than 15 minutes Previous history of web sites visited Exclusion Criteria One isolated activity and no previous history Two or more activities with time intervals of more than 15 minutes between each activity Alicia Castro/NICA Computer Forensic 11/13/2018
18
Nica Forensic Tool Logic Flow Chart
Font too small at least font size 18. Use two viewgraphs. In each viewgraph, expand one side and minimize the other side. Alicia Castro/NICA Computer Forensic 11/13/2018
19
Nica Forensic Tool Logic Flow Chart (2)
Alicia Castro/NICA Computer Forensic 11/13/2018
20
Nica Forensic Tool Implementation
Number of End Users = 6 (it can be unlimited) Effects on change of task and responsibilities of End Users: Tool is portable, investigators can carry it with them. It works fast, that it can be run when a suspect just moves away from his/her computer for a few minutes. It is still a forensic tool, all the legal steps should be followed before trying to run the tool. Alicia Castro/NICA Computer Forensic 11/13/2018
21
Nica Forensic Tool Usage & Limitations
Nica Forensic Tool was used by one investigator during the investigation of a specific case. The investigator was amazed that the tool provided information about other activities like Outlook and IM. The investigator did not know that there was such a tool that provided all that information. (Used in a real case) Nica Forensic Tool can be used only on computers that are using the Windows platform. Currently set to use the most popular browsers, instant messengers, and Outlook client but more can be added easily to the scalable architecture. Alicia Castro/NICA Computer Forensic 11/13/2018
22
Performance Results Computer Name Activities Entries Total Time PC 1
IE, Firefox, Chrome, Outlook, IM, Skype 25,356 5 min, 10 sec. PC 2 IE, Firefox, Outlook 256 2 sec. PC 3 IE, Firefox, Outlook, IM 16,381 2 min, 12 sec The time depends on how many activities are storage on the computer and how many applications are installed. It can be as fast as two seconds or can take several minutes. Alicia Castro/NICA Computer Forensic 11/13/2018
23
Lessons Learned Difficulties encountered and overcome
Limited research documentation Forensic Tools are limited to specific activities Output information was not user friendly Mistakes to avoid Allow enough time for testing. Test and test again and carefully review your work. Test again with a third party. Alicia Castro/NICA Computer Forensic 11/13/2018
24
Future Directions Enhancements made: Future Works:
Automatically looks for path to each of the applications and files where evidence can be found. Gets all the user profiles, actual logged and not logged Produce timeline reports by user per activity. Future Works: Add more applications and/or tools to the scalable application Add more methods to look in to other parts of applications and give more evidence for investigations. Alicia Castro/NICA Computer Forensic 11/13/2018
25
Conclusion Only portable Forensic Tool that automatically looks for login paths and all user profiles Captures relevant Evidences Easy to use Assist Investigators in obtaining reliable evidence Alicia Castro/NICA Computer Forensic 11/13/2018
26
References Please refer to Thesis Document
Alicia Castro/NICA Computer Forensic 11/13/2018
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.