Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to Computer Forensics Jim Lindsey Western Kentucky University.

Published byEric Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "An Introduction to Computer Forensics Jim Lindsey Western Kentucky University."— Presentation transcript:

1 An Introduction to Computer Forensics Jim Lindsey Western Kentucky University

2 What are we talking about? Forensic … Forensic …

3 What are we talking about? Forensic Science is the use of science to investigate and establish facts in criminal and civil cases. Forensic Science is the use of science to investigate and establish facts in criminal and civil cases.

4 What are we talking about? Computer Forensics is the discovery, collection, and analysis of evidence found on computers and networks. Computer Forensics is the discovery, collection, and analysis of evidence found on computers and networks.

5 Many Hats Law Investigative Skills Technology

6 An Exam May Explain … Hidden data Hidden data Most recently used applications Most recently used applications Origin of documents Origin of documents Evidence of “wiping” Evidence of “wiping” Visited Internet sites Visited Internet sites

7 An Exam May Require … Cloning Cloning Write Blocker Write Blocker MD-5 & SHA-1 MD-5 & SHA-1 Cataloging Cataloging Recovery of Deleted Files Recovery of Deleted Files Search for hidden, disguised or encrypted files Search for hidden, disguised or encrypted files Viewing files Viewing files Analysis of time/date stamps Analysis of time/date stamps

8 Deleted Files

9

10 An Examiner Should … Possess requisite training and equipment Possess requisite training and equipment Be able to provide training Be able to provide training Be knowledgeable of data relevant to computer-related crimes Be knowledgeable of data relevant to computer-related crimes Be able to effectively testify as an expert in a court of law Be able to effectively testify as an expert in a court of law

11 What to do? If the computer is off, do not turn on. If the computer is off, do not turn on. If the computer is on, do not shut down normally – call for instructions. If the computer is on, do not shut down normally – call for instructions. Do not “browse” the files! Do not “browse” the files!

12

13 What to do? Document, document, document - W H Y ? Document, document, document - W H Y ? Records chain of custody: Records chain of custody: Where the evidence came from Where the evidence came from When it was obtained When it was obtained Who obtained it Who obtained it Who secured it Who secured it Who has had control of it Who has had control of it Where it is stored Where it is stored

14 Final Notes Forensic Examinations Forensic Examinations Normally 1-2 hours to forensically image a hard drive Normally 1-2 hours to forensically image a hard drive Exams can take 4-40 hours, depending on requests Exams can take 4-40 hours, depending on requests Helpful if “keywords” provided Helpful if “keywords” provided Know what you want to search for….. Know what you want to search for…..

15 Final Notes Average HD Volume590 GB* Gigabyte1,073,741,824 bytes Subtotal633,507,676,160 bytes Page size3000 bytes Pages211,169,225 Ream500 pages Reams422,338 Reams Ream height2” Total height844,676” Height in feet70,389 feet Height of Mt Everest29,029 feet** Note these figures are conservative! * http://www.tomshardware.com/news/seagate-hdd-gigabyte-terabyte-quarter-result,13118.htmlhttp://www.tomshardware.com/news/seagate-hdd-gigabyte-terabyte-quarter-result,13118.html ** http://www.teameverest03.org/everest_info/index.htmlhttp://www.teameverest03.org/everest_info/index.html

16 Explain what the 'Chain of Custody' is in computer forensics. Furthermore, explain why it is important for forensic examiners to establish 'Chain of Custody' as soon as they arrive on a scene and maintain it throughout the life of a case. Explain what the 'Chain of Custody' is in computer forensics. Furthermore, explain why it is important for forensic examiners to establish 'Chain of Custody' as soon as they arrive on a scene and maintain it throughout the life of a case. We spent a day discussing computer forensics. How could knowledge of this topic help a human resources manager do their job? How could knowledge of this topic help a police officer do their job? We spent a day discussing computer forensics. How could knowledge of this topic help a human resources manager do their job? How could knowledge of this topic help a police officer do their job?

17 Are there any questions?

Download ppt "An Introduction to Computer Forensics Jim Lindsey Western Kentucky University."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Chapter 13: Advanced Security and Beyond

Chapter 13: Advanced Security and Beyond
FRAUD EXAMINATION ALBRECHT, ALBRECHT & ALBRECHT

FRAUD EXAMINATION ALBRECHT, ALBRECHT & ALBRECHT
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Police Investigator Vlada Aboymova. Table of Contents Slide 3: – What They Do Slide 4: – Similar Jobs Slide 5: – I AM Slide 6: – Skills Needed Slide 7:

Police Investigator Vlada Aboymova. Table of Contents Slide 3: – What They Do Slide 4: – Similar Jobs Slide 5: – I AM Slide 6: – Skills Needed Slide 7:
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
FORENSIC ACCOUNTING - BA124 - Spring 2011Slide 8-1 Today’s Topics n Concealment Investigation Methods.

FORENSIC ACCOUNTING - BA124 - Spring 2011Slide 8-1 Today’s Topics n Concealment Investigation Methods.
Some careers in… Scene of Crime Officer/ Crime Scene Investigator Fingerprint Examiner State Pathologist/ Forensic Pathologist/Medic al Examiner Forensic.

Some careers in… Scene of Crime Officer/ Crime Scene Investigator Fingerprint Examiner State Pathologist/ Forensic Pathologist/Medic al Examiner Forensic.
By: Logan Wilson.  Forensics is a science dedicated to the methodical gathering and analysis of evidence to establish facts that can be presented in.

By: Logan Wilson.  Forensics is a science dedicated to the methodical gathering and analysis of evidence to establish facts that can be presented in.
Private Detective & Investigator Quristain Hand. What Do They Do? (Duties)  Interview people to gather information  Do various types of searches, using.

Private Detective & Investigator Quristain Hand. What Do They Do? (Duties)  Interview people to gather information  Do various types of searches, using.
CHAIN OF CUSTODY Notes on Page 25. Important Points from Article  States that chain of custody is a set of procedures to ensure physical evidence is.

CHAIN OF CUSTODY Notes on Page 25. Important Points from Article  States that chain of custody is a set of procedures to ensure physical evidence is.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Similar presentations

Ads by Google