Presentation is loading. Please wait.

Presentation is loading. Please wait.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish."— Presentation transcript:

1 COS/PSA 413 Day 3

2 Agenda Questions? Blackboard access? Assignment 1 due September 12 @ 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish Discussion on Understanding Computer Investigations Lab ednesday (September 10) will be in N105 –Hands-on Projects 2-1 through 2-6 on pages 68-71 –Make sure you have read and understand the exercises prior to the lab –Write ups will be due by the next lab (one week)

3 Guide to Computer Forensics and Investigations3 Understanding Data Recovery Workstations and Software Investigations are conducted on a computer forensics lab (or data-recovery lab) Computer forensics and data-recovery are related but different Computer forensics workstation –Specially configured personal computer –Loaded with additional bays and forensics software To avoid altering the evidence use: –Forensics boot floppy disk –Write-blockers devices

4 Guide to Computer Forensics and Investigations4 Setting Up your Computer for Computer Forensics Basic requirements –A workstation running Windows XP or Vista (or windows 98) –A write-blocker device –Computer forensics acquisition tool –Computer forensics analysis tool –Target drive to receive the source or suspect disk data –Spare PATA or SATA ports –USB ports

5 Guide to Computer Forensics and Investigations5 Setting Up your Computer for Computer Forensics (continued) Additional useful items –Network interface card (NIC) –Extra USB ports –FireWire 400/800 ports –SCSI card –Disk editor tool –Text editor tool –Graphics viewer program –Other specialized viewing tools

6 Guide to Computer Forensics and Investigations6 Conducting an Investigation Gather resources identified in investigation plan Items needed –Original storage media –Evidence custody form –Evidence container for the storage media –Bit-stream imaging tool –Forensic workstation to copy and examine your evidence –Securable evidence locker, cabinet, or safe

7 Guide to Computer Forensics and Investigations7 Gathering the Evidence Avoid damaging the evidence Steps –Meet the IT manager to interview him –Fill out the evidence form, have the IT manager sign –Place the evidence in a secure container –Complete the evidence custody form –Carry the evidence to the computer forensics lab –Create forensics copies (if possible) –Secure evidence by locking the container

8 Guide to Computer Forensics and Investigations8 Understanding Bit-Stream Copies Bit-stream copy –Bit-by-bit copy of the original storage medium –Exact copy of the original disk –Different from a simple backup copy Backup software only copy known files Backup software cannot copy deleted files, e-mail messages or recover file fragments Bit-stream image –File containing the bit-stream copy of all data on a disk or partition –Also known as forensic copy

9 Guide to Computer Forensics and Investigations9 Understanding Bit-stream Copies (continued) Copy image file to a target disk that matches the original disk’s manufacturer, size and model

10 Guide to Computer Forensics and Investigations10 Acquiring an Image of Evidence Media First rule of computer forensics –Preserve the original evidence Conduct your analysis only on a copy of the data Using ProDiscover Basic to acquire a thumb drive –Create a work folder for data storage –Steps (starts on page 53 of text) On the thumb drive locate the write-protect switch and place the drive in write-protect mode Start ProDiscover Basic

11 Guide to Computer Forensics and Investigations11 Acquiring an Image of Evidence Media (continued)

12 Guide to Computer Forensics and Investigations12 Acquiring an Image of Evidence Media (continued) Using ProDiscover Basic to acquire a thumb drive (continued) –Steps (continued) In the main window, click Action, Capture Image from the menu Click the Source Drive drop-down list, and select the thumb drive Click the >> button next to the Destination text box Type your name in the Technician Name text box ProDiscover Basic then acquires an image of the USB thumb drive Click OK in the completion message box

13 Guide to Computer Forensics and Investigations13 Acquiring an Image of Evidence Media (continued)

14 Guide to Computer Forensics and Investigations14 Acquiring an Image of Evidence Media (continued)

15 Guide to Computer Forensics and Investigations15 Acquiring an Image of Evidence Media (continued)

16 Guide to Computer Forensics and Investigations16 Analyzing Your Digital Evidence \\Wallagrass\Software for N105 lab\COS413 Software\Chap02\\\Wallagrass\Software for N105 lab\COS413 Software\Chap02\ Your job is to recover data from: –Deleted files –File fragments –Complete files Deleted files linger on the disk until new data is saved on the same physical location Tool –ProDiscover Basic

17 Guide to Computer Forensics and Investigations17 Analyzing Your Digital Evidence (continued) Steps –Start ProDiscover Basic –Create a new case –Type the project number –Add an Image File Steps to display the contents of the acquired data –Click to expand Content View –Click All Files under the image filename path

18 Guide to Computer Forensics and Investigations18 Analyzing Your Digital Evidence (continued)

19 Guide to Computer Forensics and Investigations19 Analyzing Your Digital Evidence (continued)

20 Guide to Computer Forensics and Investigations20 Analyzing Your Digital Evidence (continued)

21 Guide to Computer Forensics and Investigations21 Analyzing Your Digital Evidence (continued) Steps to display the contents of the acquired data (continued) –Click letter1 to view its contents in the data area –In the data area, view contents of letter1 Analyze the data –Search for information related to the complaint Data analysis can be most time-consuming task

22 Guide to Computer Forensics and Investigations22 Analyzing Your Digital Evidence (continued)

23 Guide to Computer Forensics and Investigations23 Analyzing Your Digital Evidence (continued) With ProDiscover Basic you can: –Search for keywords of interest in the case –Display the results in a search results window –Click each file in the search results window and examine its content in the data area –Export the data to a folder of your choice –Search for specific filenames –Generate a report of your activities

24 Guide to Computer Forensics and Investigations24 Analyzing Your Digital Evidence (continued)

25 Guide to Computer Forensics and Investigations25 Analyzing Your Digital Evidence (continued)

26 Guide to Computer Forensics and Investigations26 Analyzing Your Digital Evidence (continued)

27 Guide to Computer Forensics and Investigations27 Completing the Case You need to produce a final report –State what you did and what you found Include ProDiscover report to document your work Repeatable findings –Repeat the steps and produce the same result If required, use a report template Report should show conclusive evidence –Suspect did or did not commit a crime or violate a company policy

28 Guide to Computer Forensics and Investigations28 Critiquing the Case Ask yourself the following questions: –How could you improve your performance in the case? –Did you expect the results you found? Did the case develop in ways you did not expect? –Was the documentation as thorough as it could have been? –What feedback has been received from the requesting source?

29 Guide to Computer Forensics and Investigations29 Critiquing the Case (continued) Ask yourself the following questions (continued): –Did you discover any new problems? If so, what are they? –Did you use new techniques during the case or during research?

30 Guide to Computer Forensics and Investigations30 Summary Always use a systematic approach to your investigations Always plan a case taking into account the nature of the case, case requirements, and gathering evidence techniques Both criminal cases and corporate-policy violations can go to court Plan for contingencies for any problems you might encounter Keep track of the chain of custody of your evidence

31 Guide to Computer Forensics and Investigations31 Summary (continued) Internet and media leak investigations require examining server log data For attorney-client privilege cases, all written communication should remain confidential A bit-stream copy is a bit-by-bit duplicate of the original disk Always maintain a journal to keep notes on exactly what you did You should always critique your own work

Download ppt "COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Computer & Network Forensics

Computer & Network Forensics
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.

COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.

COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.

COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.
COMPREHENSIVE Windows Tutorial 10 Improving Your Computer’s Performance.

COMPREHENSIVE Windows Tutorial 10 Improving Your Computer’s Performance.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.

COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
®® Microsoft Windows 7 Windows Tutorial 10 Improving Your Computer’s Performance.

®® Microsoft Windows 7 Windows Tutorial 10 Improving Your Computer’s Performance.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition

Similar presentations

Ads by Google