Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Infosec Pro Guide

Published byGilbert Starley Modified over 10 years ago

Similar presentations

Presentation on theme: "Computer Forensics Infosec Pro Guide"— Presentation transcript:

1 Computer Forensics Infosec Pro Guide
Ch 3 Creating a Lab

2 Topics Where to put your lab Tools of the trade Forensic software
Storing evidence

3 Where to Put your Lab

4 Criminal v. Civil Investigations
Only law enforcement officers can perform criminal investigations And those they contact You can do forensic investigations for your employer Employee misconduct Or for customers you represent in civil court

5 Where to Put Your Lab Access controls Electric power Air Conditioning
Physical and network Electric power Air Conditioning Privacy

6 Access Controls You need to maintain chain of custody
A document stating who had possession of the evidence and where it was stored It must be securely stored at all times from collection to court, or it will lose its value as evidence Sample form at link Ch 3a

7

8

9 Information to Record About a Forensic Image
Information about the system the evidence was acquired from PC, laptop, DVD, thumb drive, phone, etc. Make, model. serial number Where the forensic image is stored Make, model, serial # of drive The forensic image itself With a hash value to verify integrity

10 Hash Algorithms MD5 is the most common SHA-1 is newer and better
Old and not 100% reliable 128 bits long SHA-1 is newer and better 160 bits long In practice, both are fine for forensic image verification, because you are only trying to detect copy errors, not malicious forgery

11 Physical Access Controls
Human guard, lock, proximity card sensor, etc. Do not let cleaning crew or facilities people have access to forensic lab Logging every entry and exit is desirable You need to testify in court that you made sure no one tampered with the evidence

12 Network Access Controls
You must make sure no one can tamper with your images over the network One good procedure Work in isolation (also called Air Gap) No Internet connection on any of your forensic devices Move files in and out on portable USB devices

13 Requirements for a Networked Forensic Workstation
You need administrator privileges on your workstation You need to deny other IT personnel access to your workstation Your workstation needs to be on a separate domain, and you need to control domain policies that get pushed to it You need to install and maintain your own firewall and antivirus software

14 Electrical Power As lab grows. more power is required
UPS (Uninterruptible Power Supply) protects your systems from brief power outages

15 Air Conditioning The more devices, the more heat they generate
Lab must be kept cool all times machines are on

16 Privacy You will be viewing materials that are sensitive and often offensive You need a real door, and you need to work with it closed Image from link Ch 3b

17 Tools of the Trade

18 Hardware Write Blocker
Hardware device that permits reading from a drive without writing to it Expensive ($1000 or so) Not always available for all hardware, such as cell phones

19

20 Original Evidence The actual real device that was seized at the crime scene Laptop computer Hard drive Phone CD, DVD, thumb drive, etc. A copy is much less useful in court, because it is not original evidence

21 Destroying Evidence If you mix up source and destination, you can erase the original drive instead of copying it Pros use expensive write-blockers to avoid this You can buy very expensive disk duplicators with write-blockers built in, and that are very fast

22 Software Write Blocker
We'll use software write-blocking A common feature of Linux-based Forensic LiveCDs such as DEFT Windows registry can block writes to USB drives Project 5 Drive kit allows you to connect SATA drives through USB 3

23 Test Your Equipment Try to write to a scratch drive to test write-blocker Make sure devices work before going to client site External drive dock More permanent alternative to a drive kit

24 Windows FE, a special version of Windows, can be used to make a forensically sound boot disk
Link Ch 3c

25 External Storage Fast connection is very handy
USB 3, eSATA, Thunderbolt Good heat dissipation Drive can overheat and crash Image from amazon.com

26 Tools Jeweler's Screwdrivers, including Torx and star heads
Antistatic bags Adaptors

27 Forensic Software

28 Forensic Workstation Any good PC works
Lots of processing power, RAM, and storage Larger cases require larger servers Processing a case on a laptop can take overnight

29 Forensic Software SIFT (SANS Investigative Forensics Toolkit)
Open source and free, Linux-based EnCase Forensic Expensive, proprietary, on Windows FTK USE MULTIPLE TOOLS, NEVER TRUST JUST ONE

30 SIFT and DEFT SIFT is from SANS, under constant vigorous development, and used in their classes Download at link Ch 3d DEFT is an Italian forensic live CD I used in this course previously Can image the MacBook Air Download at link Ch 3e

31 Other Tools ProDiscover – has a free version, runs on Windows
SMART Forensics X-Ways There are many others, but they all should end up finding the same evidence if used competently

32 Storing Evidence

33 Securing Your Evidence
Locking file cabinet, safe, evidence room All that matters is "who has access?" If file cabinet has a generic master key, you need to add a secondary lock to it File cabinets are notoriously easy to pick Safe is better, but can fill up fast

34 Evidence Room Walls must go to the ceiling Controlled access to room
No way to climb over Watch our for drop-down ceiling Controlled access to room Preferably a digital lock No unsupervised access by cleaning crew, etc. Fire suppression must be "dry pipe" to avoid damaging evidence

35 Organizing Your Evidence
Make sure you can find it Create standards for labeling evidence and drives Track evidence with a spreadsheet Or a shared Google document, etc. Record make, model #, serial # of drives Exact locationm shelf #, etc.

36 Disposing of Old Evidence
Ask client before destroying anything Keep or other document saying you can destroy it You can wipe and re-use the drives (!)

Download ppt "Computer Forensics Infosec Pro Guide"

Similar presentations

Sandycove Computer Club

Sandycove Computer Club
Electronic Evidence Joe Kashi. Todays Program Types of Electronically stored information Types of Electronically stored information Accessibility and.

Electronic Evidence Joe Kashi. Todays Program Types of Electronically stored information Types of Electronically stored information Accessibility and.
Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.

Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, ITIL Certified.
Choosing a PC Before you choose a PC you need to think about what it is going to be used for.

Choosing a PC Before you choose a PC you need to think about what it is going to be used for.
WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+

WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
Everything your business needs to know but probably doesn’t.

Everything your business needs to know but probably doesn’t.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.

You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.

COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
PMI Inventory Tracker™

PMI Inventory Tracker™
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google