
Jay M. Lightfoot, Ph.D., GCFA Spring 2015 BACS 371 Computer Forensics.


1 Jay M. Lightfoot, Ph.D., GCFA Spring 2015 BACS 371 Computer Forensics

2 Welcome! Welcome to BACS 371—Computer Forensics. This course will likely be one of the most challenging (and interesting) courses of your degree program. It is a mixture of law enforcement, technical computer science, and psychology.

3 Computer Forensics … involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. [1]

[1] Kruse & Heiser, Computer Forensics: Incident Response Essentials, Lucent Technologies, 2002

4 Computer Crime in Pop Culture


6 Course Overview
- Syllabus
- Reading
  - Textbooks
  - Supplementary Articles
- Grading
  - In-Class Assignments
  - Homework (papers, podcast write-ups, forensic problems, …)
  - Labs
  - Quizzes
  - Exams
  - Misc.

7 In-Class Work
- Periodically I will assign relatively small projects that are intended to be done during class.
- These will be due at the beginning of the next class period.
- Often, you won’t finish the project during class, so despite the “in-class” name, you will sometimes need to work on them out of class also.
- To minimize this, I will partially “flip” the class so that some lectures and software demonstrations are recorded. You will need to watch these recordings before class in order to get the full benefit of the exercise.

8 Homework
- Homework will periodically be assigned.
- Homework problems are more elaborate than in-class work and generally take more time.
- You will generally not be given class time to work on homework.
- It is due at the beginning of the period on the due date.
- Most homework assignments are “individual assignments.”

9 Lab Projects
- Lab projects are more elaborate than in-class work and normally take several days to complete.
- Most lab projects will be “group projects”.
- A group consists of 2 people. One project is turned in for the group and both members share the same grade.
- It is up to you to make sure that each member understands the project well enough to answer questions on the test.
- Off-hour lab access can be arranged via your Bear Card.
- Some special hardware may be assigned to your group. You are responsible for keeping track of it and making sure that it is put away after use.
- You will each need to have a USB flash drive (8 GB or more).
- Optionally, you may also want to purchase a 2.5 inch external drive (80 GB minimum).

10 Quizzes
- Quizzes are short, unannounced “tests” that are given over recently covered material.
- They are normally given at the beginning of class.
- If you arrive late, you do not have extra time to complete them.
- There are no make-up quizzes (but I do drop the lowest quiz grade).
- They are intended to help you know areas that you need to study prior to the tests.

11 Examinations
- There are 3 examinations in this course.
- The first 2 are worth 15% of your grade and the 3rd (i.e., the “final”) is worth 25%.
- The final is comprehensive. The first 2 examinations only cover the new material (to the extent possible).
- There are rules that allow you to make up one of the first 2 examinations, but you cannot make up the final. See the syllabus for details.

12 Course Expectations
- This is a new field – help me create content for the semester!
- Work hard, read all assignments, look for alternative sources of information.
- Ask questions!! Be curious! Be sure you understand as you go.
- Fast pace!
- Somewhat obscure material! (but it’s also very interesting)
- Learn from your classmates.
- When you learn new things, teach the rest of us!

13 Create a Course Binder*
- Reading
  - Supplementary Articles
  - Notes distributed during class
- Assignments
  - In-Class Activities
  - Labs
  - Homework Assignments
- Presentation Slides
- Class Notes
- Document templates
  - Chain of custody
  - Evidence gathering notes
  - etc.
- Other References

* This is just a suggestion; it is not required.

14 Key Points of Today’s Lecture
- Computer Forensic Crime Resources
- High Profile Cases Involving Computer Forensics
- Legal Foundations of Computer Forensics
- Technical Foundations of Computer Forensics
- Computer Forensic Methods
- Forensic Software
- Certifications and Careers in Computer Forensics
- Characteristics of the “perfect” Forensic Investigator

15 Internet Crime Complaint Center – 2013 Internet Fraud Crime Report (latest available)
- Internet Fraud Complaint Center (IFCC) began operation May 8, 2000
- Partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI)
- Vehicle to receive, develop, and refer criminal complaints in cyber crime
- Renamed Internet Computer Crime Complaint Center (IC3) on December 1, 2003 – http://www.ic3.gov
- Data from January 1, 2012 – December 31, 2013
  - 262,813 complaints received for $781,841,611 (48.8% dollar increase over 2012)
  - 119,457 of these involved a monetary loss
  - Average dollar loss: $6,245
- Top 5 reported loss categories (as of 2011 report):
  - FBI-related scams: 35,764
  - Advanced fee fraud: 27,892
  - Identity theft: 28,915
  - Non-auction, non-delivery of merchandise: 22,404
  - Overpayment fraud: 18,511

16 Annual IC3 Complaints

17 Yearly Dollar Loss Trend

18 FBI Computer Forensics Lab in Colorado
http://www.rcfl.gov/
http://www.rmrcfl.org/

CENTENNIAL, Colo. (AP) – A new forensic laboratory will open next month to help law enforcement authorities in Colorado and Wyoming investigate crimes involving technology. Analysts at the Rocky Mountain Regional Computer Forensic Laboratory in Centennial can work with seized computers to dredge up deleted files, see what web sites have been displayed and find e-mail messages.

DENVER (AP) – The number of incidents involving nurses and other medical professionals stealing drugs meant for patients is growing, despite technology in narcotics dispensers that makes that increasingly difficult. State officials say there were 76 cases of “diverted drugs” in Colorado’s hospitals this fiscal year, almost triple the 26 reported in fiscal year 2001.

19 16 Regional Forensic Labs

20 http://www.rcfl.gov/

21 http://www.rmrcfl.org/

22 RCFL Statistics - 2012

23 http://www.ic3.gov/default.aspx

24 Famous Cases with Forensic Links
- Enron
- BTK Serial Killer
- Chandra Levy
- Wikileaks
- Times Square bomber
- Dr. Conrad Murray (Michael Jackson’s physician)
- ...

25 Laws and Statutes Coverage
Computer forensics deals with laws:
- Regarding Computer Crime
- Regarding Collection of Digital Evidence
- Regarding Handling of Digital Evidence
- Regarding Disposition & Analysis of Digital Evidence
- Regarding Privacy
And many of these laws are “dynamic”.

26 Computer Basics
- Hardware
  - Hard Drive
  - Removable Drives (“thumb drives”)
  - RAM
  - Networking (minimal classroom coverage)
- Software
  - Operating Systems (DOS/Windows/UNIX)
  - File Systems (FAT32/NTFS/EXT3)
  - Applications (MS Word, Adobe, Outlook, …)

27 Computer Forensic Methods
- Active Data
  - Data intentionally remaining on the computer
  - Data hidden in plain sight
- Latent Data
  - Data unintentionally remaining on the computer
  - Data recoverable by forensic methods
- “Live” vs. “Dead” (aka “static”) analysis
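The active/latent distinction on this slide, and the preservation step from the definition on slide 3, can be seen in a few lines of code. The following is an added example, not material from the lecture or its tools: it builds a constructed raw "disk image" in which an active text file is followed by a PNG whose directory entry is gone but whose bytes still sit in unallocated space (latent data), records MD5/SHA-256 hashes of the image before touching it (preservation), and then recovers the deleted file by signature-based carving (a static/dead analysis technique). The PNG bytes are a dummy header-and-trailer skeleton, not a decodable picture; all names and sample content are the example's own.

```python
import hashlib

# Constructed sample data (not from the lecture): a tiny raw "disk image" in
# which a PNG file's directory entry was deleted but its bytes remain in
# unallocated space, next to an active text file that is still listed.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte header of every PNG file
PNG_END = b"IEND\xaeB`\x82"            # IEND chunk type + CRC: the last 8 bytes of a PNG

ACTIVE_FILE = b"report.txt: quarterly figures attached\n"   # the "active data"


def build_sample_image() -> bytes:
    """Assemble the constructed image: active file, padding, deleted PNG, padding."""
    # Dummy IHDR chunk: length (13), type, 13 data bytes, 4 CRC bytes (all zero).
    ihdr = b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4
    iend = b"\x00\x00\x00\x00" + PNG_END           # zero-length IEND chunk
    deleted_png = PNG_SIGNATURE + ihdr + iend      # latent data: no directory entry
    padding = b"\x00" * 64                         # unallocated space around it
    return ACTIVE_FILE + padding + deleted_png + padding


def fingerprint(data: bytes) -> dict:
    """Preservation step: hash the evidence copy before any analysis starts."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_fingerprint(data: bytes, expected: dict) -> bool:
    """Re-hash and compare; any mismatch means the evidence copy has changed."""
    return fingerprint(data) == expected


def carve_png(image: bytes) -> list:
    """Signature carving: find every PNG header..IEND run regardless of file system."""
    found = []
    pos = 0
    while True:
        start = image.find(PNG_SIGNATURE, pos)
        if start < 0:
            break                                  # no more headers
        end_marker = image.find(PNG_END, start)
        if end_marker < 0:
            break                                  # header without trailer: truncated file
        end = end_marker + len(PNG_END)
        found.append((start, image[start:end]))    # (offset in image, recovered bytes)
        pos = end
    return found


if __name__ == "__main__":
    image = build_sample_image()
    baseline = fingerprint(image)                  # record this in the chain-of-custody notes
    print("image sha256:", baseline["sha256"])
    print("hash still matches:", verify_fingerprint(image, baseline))
    for offset, blob in carve_png(image):
        print(f"carved PNG at offset {offset}, {len(blob)} bytes")
```

Carving finds the file only because its bytes were never overwritten; the same scan over an image whose unallocated space has been reused would return nothing, which is why the hash baseline matters: it proves the analysis itself did not alter what was (or was not) there.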

28 Forensic Tools - WinHex

29 Forensic Tools – Directory Snoop

30 Forensic Tools – Shadow Explorer

31 Forensic Tools – Partition Manager

32 Forensic Tools – FTK Imager

33 BACS 371 Will Not Cover
- Network Forensics
- File Systems other than FAT/NTFS
  - E.g.: no Mac, Solaris, DVD, CD, …
- Malware
  - E.g.: Viruses, Trojan Horses, Spyware, …
- Mobile Devices
- Prevention
- Advanced Data Hiding
  - Breaking Password Protection
  - Encrypted Files
  - Steganography

34 Computer Forensics Certifications

Certification | Agency | Notes | Website
CCE – Certified Computer Examiner | ISFCE – International Society of Forensic Computer Examiners | Pass online exam and hands-on test | http://www.certified-computer-examiner.com/
CFCE – Certified Forensic Computer Examiner | IACIS – International Association of Computer Investigation Specialists | Must be sworn law enforcement officer or govt employee |
GCFA – GIAC Certified Forensic Analyst | GIAC – Global Information Assurance Certification (SANS Institute) | | http://www.sans.org/
CCCI, CCFT – Certified Computer Crime Investigator, Certified Computer Forensic Technician | HTCN – High Tech Crime Network | | http://www.htcn.org/
Tool Specific Certifications (EnCase) | OSU – Oregon State University | As part of the NTI Training Class |

35 Careers in Computer Forensics
- Law Enforcement
- Criminal Investigation
- Corporate Computer Security
- DoD/Military/Government
- Information Technology
- Consulting Firms
- Expert Witness

36 Computer Forensics Job Trends*

* As of January 2015

37 Computer Forensics Salary Average*

* As of January 2015

38 Characteristics of a Good Cyber Investigator [1]
- Excellent observation skills
- Good memory
- Organization skills
- Documentation skills
- Objectivity
- Knowledge
- Ability to think like a criminal
- Intellectually controlled constructive imagination
- Curiosity
- Stamina
- Patience
- Love of learning

[1] Scene of the Cybercrime, Shinder & Tittel, p. 136

39 Plus [1] …
- A basic knowledge of computer science
- An understanding of computer networking protocols
- Knowledge of computer jargon
- An understanding of hacker culture
- Knowledge of computer and networking security issues
- Knowledge of computer file systems (FAT, FAT32, NTFS, Ext2, etc.)

[1] Scene of the Cybercrime, Shinder & Tittel, p. 136

40 The Perfect Forensics Candidate [1]
- Strong Computer Skills
- Investigative Background
- Understanding of state and federal statutes relating to the collection and preservation of evidentiary data
- Understanding of criminal statutes
- High ethical and moral standards

[1] The Perfect Forensics Candidate, Computerworld, January 14, 2002, http://www.computerworld/com/printthis/2002/0,4814,67228,00.html

41 BACS 371 – So, are you ready to get started?

