Computer Forensics Principles and Practices


1 Computer Forensics Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 3: Tools, Environments, Equipment, and Certifications

2 Objectives
- Explain how to manage e-evidence throughout the life-cycle of a case
- Identify the requirements for acquiring and authenticating evidence
- Describe acceptable methods for searching and analyzing evidence
- Explain investigative environments and analysis modes
© Pearson Education Computer Forensics: Principles and Practices

3 Objectives (Cont.)
- Explain the functions and features of forensics tools and toolkits
- Describe the types of equipment a forensics lab should have available
- Describe types of certification programs and credentials available for a computer forensics investigator

4 Introduction
In this chapter you will learn how to manage a case, authenticate evidence, and search and analyze data. You will also learn about computer forensics tools and toolkits, equipment, and specially designed environments that are needed to avoid damaging or contaminating electronic data while it is being handled or transported.
Instructor notes: Introduce the chapter.

5 Managing the Life-Cycle of a Case
A defensible (objective, unbiased) approach is:
- Performed in accordance with forensic science principles
- Based on standard or current best practices
- Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
- Conducted by individuals who are certified in the use of verified tools, if such certification exists
- Documented thoroughly
Instructor notes: Discuss each element of the defensible approach to investigation.

6 Managing the Life-Cycle of a Case (Cont.)
Preserving the chain of custody for e-evidence requires proving that:
- No information has been added, deleted, or altered in the copying process or during analysis
- A complete copy was made and verified
- A reliable copying process was used
- All media were secured
- All data that should have been copied have been copied
Instructor notes: Discuss each element of evidence preservation.

7 Managing the Life-Cycle of a Case (Cont.)
Many factors affect the choice of tools selected for a case:
- Type of device
- Operating system
- Software applications
- Hardware platforms
- State of the data
- Domestic and international laws
- Concerns about bad publicity or liability
Instructor notes: Discuss the factors that determine which tools are selected for a case.

8 In Practice: Easy Access to Criminal Tools
Many tools are freely available that help criminals hide evidence of cybercrimes:
- Nuker
- Anonymous remailers
- Password cracker
- Scanner
- Spoofer
- Steganography
- Trojan horse
Instructor notes: Explain what some of these tools do and how they help criminals hide their tracks.

9 Investigation Objectives and Chain of Custody Practices
- Document the scene, evidence, activities, and findings: document everything that is done; keep detailed records, photographs, etc.
- Acquire the evidence: collect and preserve the original data, and create an exact copy
- Authenticate the copy: verify that the copy is identical to the original
Instructor notes: Discuss the practices and objectives of acquiring and authenticating evidence. (Continued)

10 Investigation Objectives and Chain of Custody Practices (Cont.)
- Analyze and filter the evidence: perform the technical analysis while retaining its integrity
- Be objective and unbiased: ensure that the evaluation is fair and impartial to the person or people being investigated
- Present the evidence/evaluation in a legally acceptable manner: interpret and report the results correctly
Instructor notes: Continue the discussion regarding the practices that should be followed in authenticating evidence and reporting it properly in a courtroom environment.

11 Document and Collect Data
Documentation needs to be precise and organized. Document each of the following:
- Location, date, time, witnesses
- System information, including manufacturer, serial number, model, and components
- Status of the computer, such as whether it was running and what was connected to it
- Physical evidence collected
Instructor notes: Explain each of the things that should be documented when acquiring and authenticating evidence.

12 Power Down or Unplug?
- If a PC is running, the decision has to be made as to how to power it down
- Using the operating system to power down is risky because temporary files might be deleted and date/time stamps changed
- Current best practice is to unplug the PC from its power source, preserving the data environment
Instructor notes: Explain here the importance of the decision to power down the computer or unplug it. If using the OS to properly shut down the machine, you run the risk of losing temporary files.

13 Exceptions to the “Copy Rule”
- Best practice is to work with a copy of the original data
- Exceptions to this rule may occur when it is more important to contain an attack or stop a crime
- It may also be impossible to copy an entire system
Instructor notes: The exception means that at the time of a crime you may be more concerned with stopping the intrusion than with preserving evidence. In the case of network intrusions, it may not be economically feasible to copy the entire system. Discuss this caution and what you might do to reduce these types of situations. They are not entirely avoidable, but the risk associated with these types of intrusions or crimes might be reduced.

14 In Practice: Write Blocking and Protection
- Never turn on a PC without having write-blocking software or devices in place
- Write-blocking devices prevent any writes to a drive, such as may occur when simply turning on a system
Instructor notes: If possible, construct an in-class activity that would enable students to see how a write-blocker works. Discuss this with the students.

15 Create a Drive Image
- Original data must be protected from any type of alteration
- To protect original data, work from a forensic copy of the original drive or device
- Ways to make forensic copies:
  - Drive imaging or mirror imaging
  - Sector-by-sector or bit-stream imaging
Instructor notes: Discuss the importance of imaging a drive with the proper software in order to make a valid forensic copy of the drive and preserve any evidence that might be found on the computer.

16 Residual Data
- Residual data is data that has been deleted but not erased
- Residual data may be found in unallocated storage or file slack space
- File slack consists of:
  - RAM slack—area from the end of a file to the end of the sector
  - Drive slack—additional sectors needed to fill a cluster
Instructor notes: Explain what file slack is and its relationship to residual data, and why it is important. Mention the importance of being precise in the terminology used. (See the In Practice: Be Precise about Terminology in the chapter.)
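The slack definitions above can be worked through numerically. The following Python is an added example, not from the textbook or its publisher: it uses constructed sector and cluster sizes (512-byte sectors, four sectors per cluster) and a constructed "deleted memo" to show how RAM slack and drive slack are computed for a file of a given size, and why the previous occupant of a cluster survives in drive slack after a smaller file is written over it. Modelling the RAM-slack padding as zero bytes is a simplification; on real systems it holds whatever was in memory.

```python
import math

SECTOR = 512            # bytes per sector (constructed lab value)
CLUSTER = 4 * SECTOR    # 2,048-byte cluster = 4 sectors (constructed)


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, drive_slack) in bytes for a file of file_size bytes.

    RAM slack  : from the end of the file to the end of the last sector it uses.
    Drive slack: the whole sectors left untouched in the file's last cluster.
    """
    if file_size == 0:
        return 0, 0
    sectors_used = math.ceil(file_size / sector)
    ram_slack = sectors_used * sector - file_size
    sectors_per_cluster = cluster // sector
    unused_sectors = (-sectors_used) % sectors_per_cluster
    return ram_slack, unused_sectors * sector


def write_file_over_cluster(old_cluster, new_file, sector=SECTOR, fill=b"\x00"):
    """Simulate a file system writing new_file into a cluster that still holds old_cluster.

    Only whole sectors are written. The tail of the last written sector is padded
    with whatever the OS had in memory (modelled here as zero bytes); sectors beyond
    that are never touched, so the previous occupant's data survives there.
    """
    cluster = bytearray(old_cluster)
    sectors_used = math.ceil(len(new_file) / sector)
    padded = new_file + fill * (sectors_used * sector - len(new_file))
    cluster[: len(padded)] = padded
    return bytes(cluster)


def ram_slack_bytes(cluster, file_size, sector=SECTOR):
    """The RAM-slack region: end of file to end of its last sector."""
    return cluster[file_size : math.ceil(file_size / sector) * sector]


def drive_slack_bytes(cluster, file_size, sector=SECTOR):
    """The drive-slack region: unused whole sectors at the end of the cluster."""
    return cluster[math.ceil(file_size / sector) * sector :]


# Constructed scenario: a cluster once held a 2,048-byte document, then a
# 1,000-byte file was written into the same cluster.
OLD_DOCUMENT = (b"DELETED MEMO: transfer approved on 03/02. " * 60)[:CLUSTER]
NEW_FILE = b"N" * 1000
CLUSTER_NOW = write_file_over_cluster(OLD_DOCUMENT, NEW_FILE)

if __name__ == "__main__":
    ram, drive = slack_layout(len(NEW_FILE))
    print(f"1,000-byte file: RAM slack {ram} bytes, drive slack {drive} bytes")
    print("residual data in drive slack:", drive_slack_bytes(CLUSTER_NOW, len(NEW_FILE))[:48])
```

For the 1,000-byte file the layout is 24 bytes of RAM slack (sector 2 ends at byte 1,024) and 1,024 bytes of drive slack (sectors 3 and 4 of the cluster), and the drive-slack region still contains the second half of the deleted memo. This is the terminology distinction the In Practice box asks for: "deleted" describes the file-system state, while the bytes themselves persist until overwritten.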

17 Acquiring a Forensic Copy
- Use a forensically clean hard drive for copying; a simple format does not meet acceptable or best practices
- Verify the accuracy of the copy:
  - Cyclic redundancy check
  - Cryptographic hash verification
  - Message digest (MD5)
Instructor notes: Discuss the proper way to prepare a hard drive for a forensic copy. Also discuss ways that the copy can be verified to maintain its integrity. Mention the “legal duty” that parties of a case have to “utilize the method which would yield the most complete and accurate results” (Gates Rubber Co. v. Bando Chemical Industries). This is in relation to computer forensics investigations.

18 Effective Data Searches
Carefully prepare and plan the search:
- Interview the IT staff to learn how and where data has been stored, if applicable
- Confirm or define the objective of the investigation
- Identify relevant time periods and the scope of the data to be searched
- Identify the relevant types of data
Instructor notes: Discuss some of the common practices that help the efficiency of data searches.

19 Effective Data Searches (Cont.)
- Identify search terms for data filtering to help locate relevant data and filter out what is irrelevant
- Metadata can be invaluable to the filtering process
- Find out usernames and passwords for network and accounts
- Check for other computers or devices that might contain relevant evidence
Instructor notes: Continue the discussion about effective data searches. At this point, you might also have an in-practice activity on search strategies. (See the In Practice on page 92 in the text for ideas.)

20 Identify Data Types
- Active data
- Deleted files
- Hidden, encrypted, and password-protected files
- Automatically stored data and instant messages
- Background information
Instructor notes: Discuss the different data types that you might have to deal with when gathering evidence. You might mention the Smoot v. Comcast Cablevision case regarding just cause for dismissal of an employee based on instant message transcripts.

21 Investigative Environments and Analysis Modes
- Trusted environments
  - Dead analysis or postmortem analysis
  - Nonvolatile data or persistent data
- Untrusted environments
  - Live analysis
Instructor notes: Discuss trusted and untrusted environments and the terms used in each situation.

22 Forensic Tools and Toolkits
Tools support the investigator by helping to:
- Recreate a specific chain of events or sequence of user activities
- Search for key words and dates and determine which of the data is relevant
- Search for copies of previous document drafts
- Search for potentially privileged information
- Search for the existence of certain programs
- Authenticate data files and their date and time stamps
Instructor notes: Begin the discussion of tools and toolkits.

23 Forensic Tools and Toolkits (Cont.)
EnCase® Forensic Version 5
- A DOD-approved tool for gathering and evaluating electronic information
- Supports the following investigation file types:
  - MSN Hotmail
  - Outlook and Outlook Express
  - Yahoo!
  - AOL 6, 7, 8, and 9
  - Netscape
  - mBox (Unix)
Instructor notes: Discuss EnCase software, an industry standard. Explain how it can support investigations and the steps to install the software on a computer.

24 Forensic Tools and Toolkits (Cont.)
- EnCase Cybercrime Arsenal is a customizable package of software, hardware, and training
- Available in three packaged solutions
- Offers four views of collected data:
  - Table view displays files in a spreadsheet-style format
  - Gallery view provides a view of all images
  - Timeline view provides a calendar-style picture of file activity
  - Report view helps create tailored reports
Instructor notes: Discuss EnCase Cybercrime Arsenal’s different modes and abilities.

25 Forensic Tools and Toolkits (Cont.)
Other toolkits for Windows:
- Forensic Toolkit® (FTK™)—used for finding and examining computer evidence
- Ultimate Toolkit™—contains FTK plus other modules for recovering passwords, analyzing registry data, and wiping hard drives
- WinHex—used for forensics, data recovery and processing, and IT security
Instructor notes: Discuss other toolkits available for Windows. Provide examples if you have them. This might be a good place for some in-class activities using these tools, depending on availability.

26 Forensic Tools and Toolkits (Cont.)
Toolkits for UNIX and Linux:
- Autopsy and Sleuth Kit—for investigating file systems and volumes of suspect computers
- dtSearch—for combing through large amounts of data for up to 250 different file types
Instructor notes: Discuss toolkits for UNIX and Linux. Provide examples if you have them.

27 Forensic Tools and Toolkits (Cont.)
Macintosh forensic software:
- BlackBag—a set of 19 tools for examining Macintosh computers, including:
  - Directory Scan
  - FileSpy
  - HeaderBuilder
- MacQuisition—forensic acquisition tool used to safely image Macintosh systems
Instructor notes: Discuss toolkits for Macintosh. Provide examples if you have them.

28 Forensic Tools and Toolkits (Cont.)
PDA Seizure
- A comprehensive forensic tool from Paraben for investigating Palm, Pocket PC, and BlackBerry devices
- Can produce forensic images and perform data searches, as well as crack passwords for Palm
Instructor notes: Outline how PDA Seizure can help retrieve data from Palm, Pocket PC, and BlackBerry devices.

29 In Practice: Do Nothing Without Competence
- Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures
- Companies should have a proper incident response plan and policies in place
Instructor notes: Discuss the In Practice activity regarding how companies should have policies in place that would help preserve e-evidence in case it is needed. There are some selected items mentioned as to what companies should do to prepare for collecting and reporting e-evidence.

30 Forensics Equipment
Computer forensics labs should include the following equipment:
- Workstations
- Assortment of power cables
- USB 2.0, FireWire cables, and power supplies
- Electrostatic mats
- Hard disks, and spare expansion cards (PCI, ISA, etc.)
Instructor notes: Discuss some of the equipment that should be found in any computer forensics lab. Explain why these should be there, if needed.

31 Forensics Equipment (Cont.)
Forensics labs should have the following operating systems available:
- Windows XP, 2000, NT 4.0, NT 3.5, 98, 3.11, and DOS 6.22
- Apple Macintosh OS 10.x, Tiger, and older
- Linux, including Fedora, Caldera Open Linux, Slackware, and Debian
Instructor notes: Discuss the operating systems that should be in the lab. Also caution the students about licensing issues, and point out that they still apply in the lab.

32 Forensics Equipment (Cont.)
Forensics labs should have the following applications available:
- Microsoft Office 2003, XP, 2000, 97, and 95
- Corel Office Suite
- Quicken and Peachtree accounting software
- Visual Basic and Visual C++
- Quick View, ACDSee, ThumbsPlus, IrfanView
- StarOffice/OpenOffice
Instructor notes: Discuss the applications that should be in the lab. Also caution the students about licensing issues.

33 Forensics Equipment (Cont.)
Type | Tool or Toolkit | Free Demo | Web Site
Password cracker | Passware kit | Yes |
Password cracker | John the Ripper | |
Portable hard disk duplicator | Disk Jockey | |
Portable hard drive and media duplicator | Logicube | |
Forensic intrusion detection, and scanning tools | Foundstone | | resources/forensics.htm
Instructor notes: Discuss the different tools that are available for a computer forensics lab. If need be, explain what password crackers and portable hard disk duplicators can do.

34 Certification and Training Programs
- EnCE®—EnCase Certified Examiner
- Global Information Assurance Certification (GIAC)
- Computer Hacking Forensic Investigator (CHFI)
- Computer Forensic External Certification (CCE)
Instructor notes: Discuss the different certification and training programs and where the students might go to get these certifications. You might also mention their value in the industry.

35 Certification and Training Programs (Cont.)
- TruSecure ICSA Certified Security Associate
- Computer Forensic Training Center Online
- Certified International Information Systems Forensics Investigator (CIFI)
Instructor notes: Continue the discussion of certification programs.

36 Summary
- Quality of e-evidence depends on skilled investigators
- Maintaining the integrity of e-evidence requires a defensible approach
- There can be no weak links in the investigative process
- It is vital for the investigator to be able to extract and analyze data quickly and present the evidence in an understandable format

37 Summary (Cont.)
- Investigators frequently have to defend their findings, methods, tools, and techniques
- Technologies and methodologies must be well documented and repeatable
- Specialized software and hardware tools are needed for documentation, collection, authentication, analysis, preservation, and production and reporting of findings and e-evidence

38 Summary (Cont.)
- There are several certification and training programs that computer forensics investigators can complete to help them become credible in the field

