
Extract and Correlate Evidences in Computer Forensics


1 Extract and Correlate Evidences in Computer Forensics
Alicia Castro
Thesis Defense, Master of Engineering in Software Engineering
Department of Computer Science, University of Colorado, Colorado Springs
Alicia Castro/NICA Computer Forensic 11/13/2018

2 Computer Forensics Facts
Computer forensics is about investigating digital evidence related to criminal or suspicious behavior, where computers and related equipment may or may not be the target. Internet crime increased 22.3% in 2009 over 2008.

3 Computer Forensic Background
Digital evidence includes computer-generated records, such as the logs/output of computer programs, and computer-stored records, such as messages/chats.
It is difficult to attribute certain computer activities to an individual, especially in a shared multi-access environment. This requires establishing a timeline and correlating events.
Add a viewgraph listing related work/computer forensic tools right after this. Later you mention other forensic tools but you never say what they are!

4 Comparable Forensic Tools
Comparison matrix of the evidence sources each tool covers and its cost.
Columns: Cookie, History, Cache, Browser, Outlook, IM, Registry, $ (cost)
Rows: RegRipper (free), Galleta (1), Pasco, EventLog, Nica (3), Encase (4, $$$)

5 Computer Forensics Legal Issues
Understand fundamentals of:
- Search and Seizure laws
- Electronic Communications Privacy Act
- Wiretap Statute
- Pen/Trap Statute
- Patriot Act
- State laws about Search and Seizure

6 Forensic Investigation
Accessories to a Crime

7 …Forensic Investigation
Suspect Accomplices of a Crime

8 Utilities Used by Nica Forensic Tool
Nica is the nickname for Nicaraguan citizens; being from Nicaragua, I decided that this was a good name for it.
Nica Forensic Tool uses external tools to help parse and extract information from the cache files of the IE, Mozilla Firefox and Google Chrome browsers and from Outlook .pst files:
- IECacheView
- MozillaCacheView
- ChromeCacheView
- IEHV
- Outlook Redemption
- Microsoft Log Parser
What does Nica stand for?

9 Nica Forensic tool functionality
- Use the cache file parser information and determine what information is valuable.
- Get the cookies and history files of each web browser, plus the Skype, Instant Messenger and Outlook logs.
- Store the information in a database.
- Display any output providing potential evidence.
- GUI designed for easy access to forensic evidence.

10 Nica Forensic Tool
Unlike similar forensic tools such as Galleta and Pasco, it finds all the users on the computer, not just the logged-on users.
Unlike similar forensic tools such as Galleta, Pasco and RegRipper, it does not need the investigator to enter the path where the information would be found; Nica Forensic Tool does that for the investigator.
What are similar forensic tools? Add them in Viewgraph 3.

11 Nica Forensic Tool Design
Enter: Case Number, Case Description, Forensic Investigator, Notes

12 Run the parser to find entries by activities.
Note the timestamp for the date the investigation was done and also the time it takes to find all the activities.

13 Provide Timeline Viewer Report by user, date time and activities

14 Facilitate Finding/Gathering of Evidences

15 Select the Evidences

16 Display Selected Suspected Activities

17 Evidence Classification
Inclusion Criteria
- More than one activity
- Time between activities is less than 15 minutes
- Previous history of web sites visited
Exclusion Criteria
- One isolated activity and no previous history
- Two or more activities with time intervals of more than 15 minutes between each activity
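The per-user timeline of slide 13 and the inclusion/exclusion rules above, as an added Python example that is not the Nica tool's own code. It assumes the parsers already produced (user, timestamp, source, detail) records, and it reads "previous history" as an earlier web-history record for the same user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # threshold from the Evidence Classification slide

# Constructed sample records in the shape a parser might emit: (user, timestamp, source, detail).
SAMPLE_ACTIVITIES = [
    ("alice", "2009-03-02 09:01:00", "IE history", "http://example.test/login"),
    ("alice", "2009-03-02 09:05:00", "Outlook", "mail to bob@example.test"),
    ("alice", "2009-03-02 09:12:00", "IM", "chat with bob"),
    ("bob",   "2009-03-02 13:00:00", "IM", "chat with eve"),
    ("carol", "2009-03-02 08:00:00", "Chrome history", "http://example.test/news"),
    ("carol", "2009-03-02 10:30:00", "IM", "chat with dave"),
    ("dave",  "2009-03-02 14:00:00", "IM", "chat with carol"),
    ("dave",  "2009-03-02 14:40:00", "Outlook", "mail to carol@example.test"),
]

def build_timeline(records):
    """Correlate records from every source into one time-sorted timeline per user."""
    per_user = defaultdict(list)
    for user, ts, source, detail in records:
        per_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, detail))
    return {user: sorted(acts) for user, acts in per_user.items()}

def cluster(activities):
    """Group a user's sorted activities so consecutive gaps inside a group are under WINDOW."""
    groups = []
    for act in activities:
        if groups and act[0] - groups[-1][-1][0] < WINDOW:
            groups[-1].append(act)
        else:
            groups.append([act])
    return groups

def classify(activities):
    """Label each group per the slide: several activities within 15 minutes, or any activity
    preceded by web history for this user, is included; an isolated activity with no prior
    history is excluded (assumed reading of 'previous history')."""
    results = []
    for group in cluster(activities):
        prior_web = any(src.endswith("history") and t < group[0][0] for t, src, _ in activities)
        label = "include" if len(group) > 1 or prior_web else "exclude"
        results.append((label, group))
    return results

def classify_all(records):
    """Return {user: [(label, number of activities in the group), ...]} for a record set."""
    return {user: [(label, len(group)) for label, group in classify(acts)]
            for user, acts in build_timeline(records).items()}
```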

18 Nica Forensic Tool Logic Flow Chart
Font too small; use at least font size 18. Use two viewgraphs. In each viewgraph, expand one side and minimize the other side.

19 Nica Forensic Tool Logic Flow Chart (2)

20 Nica Forensic Tool Implementation
Number of End Users = 6 (it can be unlimited)
Effects on the tasks and responsibilities of End Users:
- The tool is portable; investigators can carry it with them.
- It works fast enough that it can be run when a suspect moves away from his/her computer for a few minutes.
- It is still a forensic tool: all the legal steps should be followed before trying to run the tool.

21 Nica Forensic Tool Usage & Limitations
Nica Forensic Tool was used by one investigator during the investigation of a specific real case. The investigator was amazed that the tool provided information about other activities like Outlook and IM; the investigator did not know that there was a tool that provided all that information.
Nica Forensic Tool can be used only on computers running the Windows platform. It is currently set to use the most popular browsers, instant messengers, and the Outlook client, but more can be added easily to the scalable architecture.

22 Performance Results
Computer Name | Activities                              | Entries | Total Time
PC 1          | IE, Firefox, Chrome, Outlook, IM, Skype | 25,356  | 5 min, 10 sec
PC 2          | IE, Firefox, Outlook                    | 256     | 2 sec
PC 3          | IE, Firefox, Outlook, IM                | 16,381  | 2 min, 12 sec
The time depends on how many activities are stored on the computer and how many applications are installed. It can be as fast as two seconds or can take several minutes.

23 Lessons Learned
Difficulties encountered and overcome:
- Limited research documentation
- Forensic tools are limited to specific activities
- Output information was not user friendly
Mistakes to avoid:
- Allow enough time for testing. Test and test again, and carefully review your work. Test again with a third party.

24 Future Directions
Enhancements made:
- Automatically looks for the path to each of the applications and files where evidence can be found.
- Gets all the user profiles, currently logged on and not logged on.
- Produces timeline reports by user per activity.
Future Works:
- Add more applications and/or tools to the scalable application.
- Add more methods to look into other parts of applications and give more evidence for investigations.

25 Conclusion
- Only portable forensic tool that automatically looks for login paths and all user profiles
- Captures relevant evidence
- Easy to use
- Assists investigators in obtaining reliable evidence

26 References
Please refer to the Thesis Document.

