1
Computer Forensics (Digital Forensic)
Summer Bridge Program. Dr. Hwajung Lee, Dr. Ashley Podhradsky. Image Source: thecomputerforensics.info
2
DAY ONE
3
Who am I? Dr. Hwajung Lee, Associate Professor in the department of Information Technology at Radford University
Korean American; I am __ years old; Christian, Bible Study Leader; I have two female dogs: Sa-rang and Coco
Image Source: computerforensicsinfo.org
4
Sa-rang, Coco, and Emma
5
Who are your TAs? Ms. Jude Armstrong and Jessica Wood, in the department of Information Technology at Radford University
Image Source: racktopsystems.com
6
Our Plan for This Week
DAY ONE (Monday): Lecture and TWO activities
- Activity One: Who are you?
- Activity Two: Digital Forensic Cases
DAY TWO (Tuesday): Lecture and ONE activity
- Activity Three: Acquiring an Image of Evidence Media and Recovering a Deleted File
DAY THREE (Wednesday): Lecture and THREE activities
- Activity Four: Cookies and Grabbing Passwords with Wireshark
- Activity Five: Encryptor and Decryptor
- Activity Six: Steganography
DAY FOUR (Thursday)
- Activity Seven: Digital Photo Scavenger Hunt
- Activity Eight: Writing a wrap-up report
- Activity Nine: Preparing the Friday Presentation
DAY FIVE (Friday): Presentation in the closing session
Summer Bridge Program at Radford University
7
Activity ONE: Who are you?
- Networking and bonding
- What is your name?
- What is your school?
- What is your favorite indoor/outdoor activity?
- What is your favorite time of day/day of the week/month of the year? Why?
- When you have 2 hours of free time, how do you pass the time?
- What do you expect from this class or Summer Bridge Program?
- Anything else?
Image Source: newenglandcomputerforensics.com
9
This week, we will talk about…
- What is computer forensics?
- Computer forensics in the news
- When is computer forensics used?
- History of computer forensics
- How to prepare for computer investigations
- Computer forensics examples: AccessData FTK Imager, Wireshark, Encryptor & Decryptor
Image Source: e-crimebureau.com
10
Forensic (adj.): “of, relating to, or used in courts of law or public debate or argument”; from the Latin term forensis (forum)
Computer Forensics: exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun
Digital Forensics: still a poor English expression
I think “Forensic IT” is a better expression
Correct term would be “Forensic Ana~”
Source: class note by Rob Guess
11
Understanding Computer Forensics (1)
Involves obtaining and analyzing digital information
Investigates data that can be retrieved from a computer’s hard disk or other storage media, including the tasks of recovering data that users have hidden or deleted and using it as evidence
Evidence can be inculpatory (“incriminating”) or exculpatory
Image Source: en.wikipedia.org
12
Understanding Computer Forensics (2)
Types of Evidence
- Exculpatory: proves innocence
- Inculpatory: proves guilt
- Tampering: proves malfeasance or mishandling
Source: class note by Rob Guess
13
Understanding Computer Forensics (3)
Related Fields
- Network forensics: yields information about how a perpetrator or an attacker gained access to a network
- Data recovery: recovers information that was deleted by mistake or intentionally; typically you know what you’re looking for
- Disaster recovery: uses computer forensics techniques to retrieve information clients have lost due to a natural or man-made disaster
14
Computer Crime
Computer as an Instrument of Crime
- Remote System Penetration
- Instrument of Fraud
- Used to Deliver Threats / Harassment
- DoS Attacks
Computer as a Victim of a Crime
- System Compromise
Repository of Evidence
- Incidental to Crime
- Contraband Items
- Electronic Discovery in Civil Litigation
Source: class note by Rob Guess
15
The Importance of Being Digital
- People live and work in increasingly digital modes
- Nearly every crime now involves some form of digital evidence
- 3~4% of people will commit a crime given the opportunity
- Internet-based crime presents a lower overall risk to the offender when compared to “real world” crime
- This naturally encourages criminals to adopt digital modes
Source: class note by Rob Guess
16
Digital Evidence: name some examples of digital evidence
________________________
Hard drive, history files, logs, metadata, cookies, Windows Mobile cell phone, disk
Image Source: nacvaquickread.wordpress.com
Source: class note by Rob Guess
17
Sources of Digital Evidence
Open Computer Systems: PCs, servers, etc.
Communication Systems: telecommunications systems; transient network (content) data; non-transient (log) data
Embedded Computer Systems: PDAs, cell phones, iPods, iPhone, etc.
Source: class note by Rob Guess
18
Crimes Involving Digital Evidence
Traditional crimes: Theft of Trade Secrets, Harassment, Intrusion Events, Malicious Code, Child Pornography, Inappropriate Use, Others?
NIST Special Publication: Computer Security Incident Handling Guide; Handbook for Computer Security Incident Response Teams (CSIRTs)
Source: class note by Rob Guess
19
Crimes Involving Digital Evidence
Traditional crimes: Theft of Trade Secrets, Rights Infringement, Harassment, Intrusion Events, Tortious Interference, Malicious Code, Embezzlement, Child Pornography, Denial of Service, Extortion, Inappropriate Use, Unlawful Solicitation, Others?
NIST Special Publication: Computer Security Incident Handling Guide; Handbook for Computer Security Incident Response Teams (CSIRTs)
Source: class note by Rob Guess
20
Activity TWO: Digital Forensic Cases (1)
BTK Killer Caylee Anthony
21
Activity TWO: Digital Forensic Cases (2)
The Dangers of Internet Facebook and Skype Forensics Findings of a Facebook Forensic Analysis Chat History Key page:
22
Activity TWO: Digital Forensic Cases (3)
What Computer Forensics Can Do For You Corporate Fraud – A Case Study Corporate Investigation – A Case Study Key page:
23
DAY TWO
24
Origins of Forensic Science
700 AD: Chinese use fingerprints for ID
1248 AD: First recorded application of medical knowledge to the solution of crime; the Chinese text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation
Image Source: thecomputerforensics.info
Source: class note by Rob Guess
25
Eugene Francois Vidocq
Outlaw son of a baker
In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
Introduced record keeping, ballistics, plaster casts for footprint analysis, etc.
Founded the first modern detective agency and credit bureau
ballistics (noun, usually used with a singular verb): 1. the science or study of the motion of projectiles, as bullets, shells, or bombs. 2. the art or science of designing projectiles for maximum flight performance.
Source: class note by Rob Guess
26
Alphonse Bertillon (1853~1914)
French law officer
Anthropometry/Bertillonage: early system of biometrics using measurements of body parts to ID perpetrators / victims
Introduced use of crime scene photography and mug shots
anthropometry (noun): the measurement of the size and proportions of the human body.
perpetrator (noun): a person who perpetrates, or commits, an illegal, criminal, or evil act: The perpetrators of this heinous crime must be found and punished to the fullest extent of the law.
mug shot (noun, slang): 1. Also called headshot. an identifying photograph of a suspect or criminal, often one of a set showing a frontal view, a profile view, and a view of the back of the head. 2. any closeup photograph of someone's face.
Source: class note by Rob Guess
Image Source:
27
Edmond Locard, Student of Bertillon
Professor of forensic medicine at the University of Lyons
Established the first crime laboratory
Developed edgeoscopy and poreoscopy
Standard 12 points to ID a fingerprint
Developed forensic microscopy
Edgeoscopy: a method of identification through the examination of the unique details and characteristics found along the edges of individual fingerprint ridges. These characteristics are the result of the alignment and shape of the individual ridge units and the relationship between them, as well as the effects of pores that are close to the edge of the ridges. These shapes are only of use when the quality of the friction ridges found in both the latent fingerprint and the exemplar print is high. The method was pioneered by Salil Chatterjee in 1962, who created it while researching the possibility of a new criminal identification method.[1]
Microscopy is the technical field of using microscopes to view samples and objects that cannot be seen with the unaided eye (objects that are not within the resolution range of the normal eye).
--- Forensic Science Timeline
“ONE day in 1915 a priest came to the Code Section of the War Ministry in Paris to offer a cipher of his own invention. He was a lover of literature, he explained, and his hobby was cryptography. He had worked for years on his code, and believed that no specialist would ever be able to break it. He informed the officer in charge that he had coded a famous text from French literature and that he would leave the sample overnight for the specialists to judge for themselves. A 39-year-old reserve lieutenant immediately took up the challenge. To his experienced eyes the code seemed watertight indeed, so he decided to tackle it another way: ‘What famous text would the priest be likely to choose?’ he asked himself. Undoubtedly it would be a passage with which he is very familiar. Quite probably one of La Fontaine's fables. Les deux pigeons might well be a favourite of such a man, and the length seems about right. The lieutenant went to the window. The priest was just going down the front steps when he called after him: "Wait a minute, Father! Deux pigeons s'aimaient d'amour tendre!" The priest was thunderstruck, then he sat down heavily on the second step, deeply shaken. The officer who had solved the puzzle with such astonishing speed was Dr. Edmond Locard, director of the Laboratoire de Police Technique in Lyons and one of the founders of modern criminology. He was interested not only in crime but in graphology, music, art, stamp-collecting, mathematics, botany and, above all, people.”
From Source: class note by Rob Guess
28
Edgeoscopy and Poreoscopy
The figure below shows a high-resolution fingerprint image and the derived images highlighting the pores, ridge contours, and edgeoscopic points. (Panels: Input; Pores; Ridge contours; Edgeoscopic points) Source: Summer Bridge Program at Radford University
29
Microscopy: the technical field of using microscopes to view samples and objects that cannot be seen with the unaided eye (objects that are not within the resolution range of the normal eye). Source: Summer Bridge Program at Radford University
30
A Brief History of Computer Forensics (1)
1970s: electronic crimes were increasing, especially in the financial sector
Most law enforcement officers didn’t know enough about computers to ask the right questions, or to preserve evidence for trial
Fraction-of-a-penny crime
31
A Brief History of Computer Forensics (2)
Norton DiskEdit soon followed and became the best tool for finding deleted files
Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage
32
A Brief History of Computer Forensics (3)
Since the 1990s, tools for computer forensics were available
International Association of Computer Investigative Specialists (IACIS): training on software for forensics investigations
ExpertWitness for the Macintosh: first commercial GUI software for computer forensics, created by ASR Data (
Portable Forensic Tools
Image Source: atp-p51.com
33
Understanding Case Law
Technology is evolving at an exponential pace
Existing laws and statutes can’t keep up with change
Case law is used when statutes or regulations don’t exist
Case law allows legal counsel to use previous cases similar to the current one, because the laws don’t yet exist
Each case is evaluated on its own merit and issues
34
Preparing for Computer Investigations
Computer investigations and forensics fall into two distinct categories: public investigations, and private or corporate investigations
Public investigations involve government agencies responsible for criminal investigations and prosecution
Organizations must observe legal guidelines
Law of search and seizure: protects rights of all people, including suspects
35
Preparing for Computer Investigations
Private or corporate investigations
- Deal with private companies, non-law-enforcement government agencies, and lawyers
- Aren’t governed directly by criminal law or Fourth Amendment issues
- Governed by internal policies that define expected employee behavior and conduct in the workplace
Private corporate investigations also involve litigation disputes
Investigations are usually conducted in civil cases
litigation (noun): 1. the act or process of litigating: a matter that is still in litigation. 2. a lawsuit.
36
Understanding Corporate Investigations
Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes
Corporate computer crimes can involve: harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, industrial espionage
falsify (verb): 1. to make false or incorrect, especially so as to deceive: to falsify income-tax reports. 2. to alter fraudulently. 3. to represent falsely: He falsified the history of his family to conceal his humble origins. 4. to show or prove to be false; disprove: to falsify a theory. 5. (used without object) to make false statements.
embezzle (verb): to appropriate fraudulently to one's own use, as money or property entrusted to one's care.
fraudulent (adjective): 1. characterized by, involving, or proceeding from fraud, as actions, enterprise, methods, or gains: a fraudulent scheme to evade taxes. 2. given to or using fraud, as a person; cheating; dishonest.
sabotage (noun): 1. any underhand interference with production, work, etc., in a plant, factory, etc., as by enemy agents during wartime or by employees during a trade dispute. 2. any undermining of a cause. (verb) 3. to injure or attack by sabotage.
37
Understanding Corporate Investigations
Establishing company policies
- One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
- Published company policies provide a line of authority for a business to conduct internal investigations
- Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
Displaying warning banners: another way to avoid litigation
38
Maintaining Professional Conduct
Determines your credibility; includes ethics, morals, and standards of behavior
Maintaining objectivity means you must form and sustain unbiased opinions of your cases
Maintain an investigation’s credibility by keeping the case confidential; in the corporate environment, confidentiality is critical
In rare instances, your corporate case might become a criminal case as serious as murder
39
Maintaining Professional Conduct
The role of the computer forensics professional is to gather evidence
Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence.
Collect evidence that can be offered in court or at a corporate inquiry
Investigate the suspect’s computer; preserve the evidence on a different computer
Chain of custody: route the evidence taken from the time you find it until the case is closed or goes to court
40
Taking a Systematic Approach
Steps for problem solving
1. Make an initial assessment about the type of case you are investigating
2. Determine the resources you need
3. Obtain and copy an evidence disk drive
4. Identify the risks; mitigate or minimize the risks
5. Analyze and recover the digital evidence
6. Investigate the data you recover
7. Complete the case report
8. Critique the case
41
Planning Your Investigation
A basic investigation plan should include the following activities:
1. Acquire the evidence
2. Complete an evidence form and establish a chain of custody
3. Secure evidence in an approved secure container
4. Prepare a forensics workstation
5. Make a forensic copy of the evidence
6. Return the evidence to the secure container
7. Process the copied evidence with computer forensics tools
42
Securing Your Evidence
Use evidence bags to secure and catalog the evidence
Use computer-safe products: antistatic bags, antistatic pads
Use well-padded containers
Use evidence tape to seal all openings, including the power supply electrical cord
Write your initials on the tape to prove that evidence has not been tampered with
Consider computer-specific temperature and humidity ranges
antistatic (adjective): pertaining to a material or procedure that disperses, or inhibits the accumulation of, static charges on textiles, phonograph records, paper products, etc.
43
Understanding Data Recovery Workstations and Software
Investigations are conducted in a computer forensics lab (or data-recovery lab)
Computer forensics and data recovery are related but different
Computer forensics workstation: a specially configured personal computer loaded with additional bays and forensics software
To avoid altering the evidence, use: forensics boot disk, write-blocker devices, network interface card (NIC), extra USB ports, FireWire 400/800 ports, SCSI card, disk editor tool, text editor tool, graphics viewer program, other specialized viewing tools
44
Sources of File System Evidence
File slack; free space (“unallocated” clusters); deleted files; page file / swap partition; unpartitioned “free” space; host protected areas
Google: slacker
Source: class note by Rob Guess
45
Understanding Bit-Stream Copies (1)
Bit-stream copy: bit-by-bit copy of the original storage medium; an exact copy of the original disk
Different from a simple backup copy: backup software only copies known files; backup software cannot copy deleted files or messages, or recover file fragments
46
Understanding Bit-Stream Copies (2)
Bit-stream image: file containing the bit-stream copy of all data on a disk or partition; also known as a forensic copy
47
Class Activity THREE: Acquiring an Image of Evidence Media and Recovering a Deleted File
First rule of computer forensics: preserve the original evidence; conduct your analysis only on a copy of the data
Use FTK Imager to create a forensic image
Your job is to recover data from deleted files
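The points on the bit-stream copy slides and this activity (hash the original, work on the copy, recover a deleted file from sectors the directory no longer claims) can be walked through on a toy image. This is an added example written for this page, not FTK Imager's code: the sector size, the one-line directory table format and the JPEG-like blob are constructed assumptions.

```python
import hashlib

SECTOR = 32       # constructed sector size for this toy image (assumption)
N_SECTORS = 16

# Constructed JPEG-like blob: real SOI/EOI markers around made-up content.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"photo-bytes-" * 5 + b"\xff\xd9"


def build_image():
    """Return a constructed disk image: a tiny directory table in sector 0,
    a text note in sector 1, FAKE_JPEG in sectors 2-4, the rest unallocated."""
    img = bytearray(SECTOR * N_SECTORS)
    note = b"meeting notes"
    img[SECTOR:SECTOR + len(note)] = note
    img[2 * SECTOR:2 * SECTOR + len(FAKE_JPEG)] = FAKE_JPEG
    # Directory entry format (assumption): "<flag> <name> <start> <sectors>;"
    img[0:31] = b"A note.txt 1 1;A photo.jpg 2 3;"
    return bytes(img)


def sha256(data):
    """Hash recorded before analysis to prove the evidence was not altered."""
    return hashlib.sha256(data).hexdigest()


def list_files(img):
    """Parse the directory table; flag 'A' = allocated, 'D' = deleted."""
    table = img[:SECTOR].rstrip(b"\x00").decode()
    files = []
    for entry in filter(None, table.split(";")):
        flag, name, start, count = entry.split()
        files.append({"name": name, "start": int(start),
                      "sectors": int(count), "deleted": flag == "D"})
    return files


def delete_file(img, name):
    """Simulate a typical OS delete: only the directory flag changes; the
    data sectors are left in place, which is why recovery works."""
    img = bytearray(img)
    table = img[:SECTOR].rstrip(b"\x00").decode()
    table = table.replace(f"A {name} ", f"D {name} ")
    img[:SECTOR] = table.encode().ljust(SECTOR, b"\x00")
    return bytes(img)


def recover_by_directory(img, name):
    """Read the sectors a deleted entry still points to (includes file slack)."""
    for f in list_files(img):
        if f["name"] == name and f["deleted"]:
            lo = f["start"] * SECTOR
            return img[lo:lo + f["sectors"] * SECTOR]
    return None


def carve_jpegs(img):
    """Header/footer carving over the raw bytes, ignoring the directory:
    this still works when the directory entry has been reused or wiped."""
    found, pos = [], 0
    while (start := img.find(b"\xff\xd8\xff", pos)) != -1:
        end = img.find(b"\xff\xd9", start + 3)
        if end == -1:
            break
        found.append(img[start:end + 2])
        pos = end + 2
    return found


if __name__ == "__main__":
    original = build_image()
    evidence_hash = sha256(original)                   # record first
    working_copy = delete_file(original, "photo.jpg")  # analyse the copy only
    print("carved photo:", carve_jpegs(working_copy) == [FAKE_JPEG])
    print("original intact:", sha256(original) == evidence_hash)
```

The directory-based recovery returns whole sectors, so the result carries the slack bytes after the end-of-image marker; carving returns exactly the file.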
48
DAY THREE
49
Web Browsing Application
The World Wide Web allows users to access resources (i.e., documents) located in computers connected to the Internet
Documents are prepared using HyperText Markup Language (HTML)
A browser application program is used to access the web; the browser displays HTML documents that include links to other documents
Each link references a Uniform Resource Locator (URL) that gives the name of the machine and the location of the given document
Let’s see what happens when a user clicks on a link
Source: Communication Networks, Leon-Garcia and Widjaja
50
1. DNS: User clicks on http://www.nytimes.com/
(Figure: DNS query Q and answer A)
The URL contains the Internet name of the machine but not its Internet address; the Internet needs the Internet address to send information to a machine
Browser software uses the Domain Name System (DNS) protocol to send a query for the Internet address; the DNS system responds with the Internet address
Source: Communication Networks, Leon-Garcia and Widjaja
51
2. TCP
(Figure: TCP connection request from port 1127 to port 80; TCP connection request from port 80 to port 1127; ACK; ACK)
Browser software uses HyperText Transfer Protocol (HTTP) to send a request for the document
The HTTP server waits for requests by listening on a well-known port number (80 for HTTP)
The HTTP client sends request messages through an “ephemeral port number,” e.g. 1127
HTTP needs a Transmission Control Protocol (TCP) connection between the HTTP client and the HTTP server to transfer messages reliably
Source: Communication Networks, Leon-Garcia and Widjaja
52
3. HTTP
(Figure: GET / HTTP/1.1; 200 OK; Content)
HTTP client sends its request message: “GET …”
HTTP server sends a status response: “200 OK”
HTTP server sends the requested file
Browser displays the document
Clicking a link sets off a chain of events across the Internet! Let’s see how protocols & layers come into play…
Source: Communication Networks, Leon-Garcia and Widjaja
53
ACTIVITY FOUR: Cookies and Grabbing Passwords with Wireshark
Grabbing cookies Source: The website is provided By Heaton Research, Inc. Grabbing Password Summer Bridge Program at Radford University
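The DNS, TCP and HTTP steps on the three slides above are exactly what Wireshark shows for one click, and Activity Four looks at the cookies that ride on that HTTP request. The script below, an added example written for this page and not part of the course materials, rebuilds that timeline from a constructed packet list (addresses, ports and the cookie value are made-up sample values) and applies the consistency checks an analyst would run: did the connection go where DNS said, does the Host header match, and was a cookie sent in cleartext over port 80.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "UDP" or "TCP"
    flags: str = ""    # TCP flags as text, e.g. "SYN", "SYN,ACK", "ACK"
    payload: str = ""  # application-layer bytes, shown as text


# Constructed capture of one click on http://www.nytimes.com/ from a client at
# 10.0.0.5. Addresses, ports and the cookie value are made-up sample values.
CAPTURE = [
    Packet("10.0.0.5", 49321, "10.0.0.1", 53, "UDP", payload="Q www.nytimes.com"),
    Packet("10.0.0.1", 53, "10.0.0.5", 49321, "UDP", payload="A www.nytimes.com 192.0.2.10"),
    Packet("10.0.0.5", 1127, "192.0.2.10", 80, "TCP", flags="SYN"),
    Packet("192.0.2.10", 80, "10.0.0.5", 1127, "TCP", flags="SYN,ACK"),
    Packet("10.0.0.5", 1127, "192.0.2.10", 80, "TCP", flags="ACK"),
    Packet("10.0.0.5", 1127, "192.0.2.10", 80, "TCP", flags="PSH,ACK",
           payload="GET / HTTP/1.1\r\nHost: www.nytimes.com\r\nCookie: sid=abc123\r\n\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 1127, "TCP", flags="PSH,ACK",
           payload="HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
]


def parse_http_request(payload):
    """Split a request into its request line and a header dict."""
    lines = payload.split("\r\n")
    method, path, version = lines[0].split()
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"method": method, "path": path, "version": version, "headers": headers}


def reconstruct(capture):
    """Rebuild the DNS -> TCP -> HTTP timeline and run the consistency checks
    an analyst would apply to it. Returns a dict of what was observed."""
    obs = {"dns": {}, "tcp": {}, "http": {}, "findings": []}
    handshake = []
    for p in capture:
        if p.proto == "UDP" and 53 in (p.sport, p.dport):
            kind, *rest = p.payload.split()        # constructed DNS notation
            if kind == "Q":
                obs["dns"]["query"] = rest[0]
            elif kind == "A":
                obs["dns"]["name"], obs["dns"]["address"] = rest
        elif p.proto == "TCP" and not p.payload:   # bare handshake segments
            handshake.append(p.flags)
            if p.flags == "SYN":                    # client opens the connection
                obs["tcp"] = {"client_port": p.sport, "server": p.dst,
                              "server_port": p.dport}
        elif p.proto == "TCP" and p.payload.split(" ", 1)[0] in ("GET", "POST"):
            obs["http"]["request"] = parse_http_request(p.payload)
        elif p.proto == "TCP" and p.payload.startswith("HTTP/"):
            obs["http"]["status"] = int(p.payload.split()[1])
    obs["tcp"]["handshake_complete"] = handshake[:3] == ["SYN", "SYN,ACK", "ACK"]
    dns, tcp = obs["dns"], obs["tcp"]
    req = obs["http"].get("request", {"headers": {}})
    if dns.get("address") != tcp.get("server"):
        obs["findings"].append("HTTP connection went to an address DNS did not return")
    if req["headers"].get("Host") != dns.get("name"):
        obs["findings"].append("Host header does not match the name that was resolved")
    if tcp.get("server_port") == 80 and "Cookie" in req["headers"]:
        obs["findings"].append("Cookie sent in cleartext over port 80; visible to any sniffer on the path")
    return obs


if __name__ == "__main__":
    for finding in reconstruct(CAPTURE)["findings"]:
        print("finding:", finding)
```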
54
Attacking Analysis: Evasion of Detection, Evidence Hiding, Insertion
Evasion of detection: avoid writing to disk; make data look innocent
Evidence hiding: presence of encrypted data*; evidence of steganography*; ADS*, files within files, slack space, bad blocks
Insertion: insert erroneous or misleading data; randomize / modify file system MAC times
ADS: Alternate Data Stream
* Red flags
Source: class note by Rob Guess
55
Encryption Terms
Plaintext: original message
Algorithm: transformation procedure (a step-by-step procedure used for solving a problem)
Key: variable used to scramble the message
Ciphertext: resulting garbled output
Source: class note by Rob Guess
56
ACTIVITY FIVE: Encryptor and Decryptor
PKI Demo Applet Summer Bridge Program at Radford University
57
Steganography (1) The Science of Hiding Information
History: tablets, shaved heads
Now: images, sounds, other files
Data is frequently encrypted; frequency analysis can detect this
Google: SNOW Steganography
Source: class note by Rob Guess
58
Steganography (2) The image in which we want to hide another image: ‘Arctic hare’ – Copyright photos courtesy of Robert E. Barber, Barber Nature Photography Google: SNOW Steganography Source:
59
Steganography (3) The image we wish to hide: ‘F15’ – Copyright photo courtesy of Toni Lankerd, Woodland Ridge Dr. Apt #7, Spring Lake, MI 49456, U.S.A. Google: SNOW Steganography Source:
60
ACTIVITY SIX: Steganography
Download Steganography software Sample Execution Summer Bridge Program at Radford University
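The steganography slides point at SNOW, which hides data in the whitespace at the ends of text lines, and note that frequency analysis can reveal hidden data. The example below is added for this page and is not SNOW's real format or the course's software: it uses a simplified scheme of its own (three bits per line, carried as 0 to 7 trailing spaces, with a one-byte length prefix) to show both the hiding side and the simple count-based detector an examiner can run over a suspect text file. The cover text is constructed.

```python
BITS_PER_LINE = 3   # 0..7 trailing spaces per line carry 3 bits (assumption)

# Constructed cover text: 20 ordinary lines with no trailing whitespace.
COVER = "\n".join(f"Line {i} of an ordinary lab report about evidence handling."
                  for i in range(1, 21))


def _to_bits(data):
    return "".join(f"{b:08b}" for b in data)


def hide(cover, message):
    """Embed message (bytes, length-prefixed) in the trailing spaces of cover.
    The visible text is unchanged; only the invisible line endings differ."""
    if len(message) > 255:
        raise ValueError("message too long for a one-byte length prefix")
    lines = cover.split("\n")
    bits = _to_bits(bytes([len(message)]) + message)
    bits += "0" * (-len(bits) % BITS_PER_LINE)          # pad to whole chunks
    chunks = [bits[i:i + BITS_PER_LINE] for i in range(0, len(bits), BITS_PER_LINE)]
    if len(chunks) > len(lines):
        raise ValueError("cover text has too few lines")
    out = []
    for i, line in enumerate(lines):
        n = int(chunks[i], 2) if i < len(chunks) else 0
        out.append(line.rstrip(" ") + " " * n)
    return "\n".join(out)


def reveal(stego):
    """Read the trailing-space counts back into bits, then bytes."""
    bits = ""
    for line in stego.split("\n"):
        n = min(len(line) - len(line.rstrip(" ")), 2 ** BITS_PER_LINE - 1)
        bits += format(n, f"0{BITS_PER_LINE}b")
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    if not raw:
        return b""
    return raw[1:1 + raw[0]]


def whitespace_score(text):
    """Detector: fraction of lines carrying trailing spaces and how many
    distinct counts appear. Ordinary edited text rarely has many lines with
    varied trailing-space counts; an embedded payload produces exactly that."""
    counts = [len(l) - len(l.rstrip(" ")) for l in text.split("\n")]
    nonzero = [c for c in counts if c]
    return {"lines_with_trailing": len(nonzero) / max(len(counts), 1),
            "distinct_counts": len(set(nonzero))}


if __name__ == "__main__":
    stego = hide(COVER, b"hello")
    print("recovered:", reveal(stego))
    print("clean cover:", whitespace_score(COVER))
    print("stego text: ", whitespace_score(stego))
```

Encrypting the payload first, as the slide notes is common, does not change the detector's result: the trailing-space counts are just as varied.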
61
DAY FOUR
62
ACTIVITY SEVEN: Digital Photo Scavenger Hunt
Activity Overview: Digital Forensics: Digital Photo Scavenger Hunt
In this fun session you will make your way around campus and take pictures of the landmarks. After the hunt is over, you will come back to the lab and learn how to extract EXIF data from your images. EXIF data includes date/time, GPS, and camera information. Afterwards, we will delete our pictures from the disks and then learn how to recover the deleted files.
Website:
Note: First, make sure you have location-based services enabled on the students' phones. Then they can take their phones and snap pictures around landmarks on your campus. Afterwards, they could connect their phones and transfer the images, or them to themselves. Then all they have to do is upload the images to the address above. The images with EXIF data will then plot on a Google Map.
Summer Bridge Program at Radford University
63
Activity EIGHT: Write a Wrap-up report: 1 hour
Please include the following in your report and it to me at
- What is your name?
- What did you learn from this class?
- What do you like most in this class?
- Do you have any suggestions to improve this class?
- Any memo to me (Instructor) and TA?
- Anything else?
Summer Bridge Program at Radford University
64
Activity NINE: Prepare the Friday presentation
Today’s plan: brainstorming, about 30 minutes; prepare the presentation, about 2 hours
Presentation length: 10 minutes
Summer Bridge Program at Radford University
65
Any Questions?