© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. System Forensics, Investigation, and Response.

Slide 1: System Forensics, Investigation, and Response. Chapter 7: Collecting, Seizing, and Protecting Evidence. © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved.

Slide 2: Learning Objective and Key Concepts
Learning objective:
- Examine the evidence life cycle.
Key concepts:
- Differences between data and evidence
- Types of evidence
- Chain of custody requirements
- Collection, transportation, and storage of evidence

Slide 3: DISCOVER: CONCEPTS

Slide 4: Five Rules of Evidence
- Admissibility: Evidence must be admissible in court.
- Authenticity: Evidence must relate to the incident.
- Completeness: Evidence must be comprehensive.
- Reliability: Evidence collected must be uncontaminated and consistent.
- Believability: Evidence presented should be clearly understandable and believable by the jury.

Slide 5: DISCOVER: PROCESS

Slide 6: Evidence Life Cycle
1. Collect or seize evidence
2. Transport evidence
3. Protect or store evidence
4. Analyze evidence

Slide 7: Evidence Collection
- Freeze the scene.
- Comply with the five rules of evidence.
- Minimize handling and corruption of original data.
- Proceed from volatile to persistent evidence.
- Don't run any programs on the affected system.

Slide 8: Evidence Collection (Continued)
- Account for any changes and keep detailed logs of actions.
- Do not exceed current knowledge.
- Follow local security policy.
- Be prepared to testify.
- Ensure that actions are repeatable.

Slide 9: Evidence Transport
- Shut down the computer.
- Document the hardware configuration.
- Document all evidence handling.
- Pack evidence securely.

Slide 10: Evidence Transport (Continued)
- Photograph or videotape the scene from the premises to the transport vehicle.
- Photograph or videotape the scene from the vehicle to the lab.
- Transport the computer to a secure location.

Slide 11: Evidence Protection and Storage
- Keep evidence in your possession or under your control at all times.
- Document every movement of evidence between investigators.
- Secure evidence appropriately so that it can't be tampered with or corrupted.
- Mathematically authenticate the data (e.g., with hash values).

Slide 12: Evidence Analysis
- Make a list of key search words.
- Work on image copies, never originals.
- Capture an image of the system that is as accurate as possible, such as a bit-stream backup.
- Evaluate the Windows swap file, file slack, and unallocated space.
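The hash authentication of slide 11 and the "work on image copies, never originals" rule of slide 12, shown together as an added example (not code from the book or the publisher): a small constructed byte buffer stands in for the evidence device, a byte-for-byte image is taken, both sides are hashed, each step is written to a chain-of-custody log, and a later change to the image is detected by re-hashing. Item IDs and the handler name are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "device": a small byte buffer standing in for a disk.
# A real bit-stream image is taken from a write-blocked device.
SAMPLE_DEVICE = b"MBR\x00" * 64 + b"invoice.xlsx" + b"\x00" * 200 + b"slack data"

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-GB images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def bitstream_copy(src, dst, chunk_size=1 << 20):
    """Byte-for-byte copy: the image copy analysts work on, never the original."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(chunk_size), b""):
            fout.write(chunk)

def custody_entry(item_id, action, handler, sha256):
    """One chain-of-custody record: who did what to which item, when, with its hash."""
    return {"item": item_id, "action": action, "handler": handler,
            "time": datetime.now(timezone.utc).isoformat(), "sha256": sha256}

def acquire_and_verify(device_path, image_path, handler, log):
    """Image the device, hash original and copy, and report whether they match."""
    original_hash = sha256_file(device_path)
    log.append(custody_entry("DEV-001", "hash original", handler, original_hash))
    bitstream_copy(device_path, image_path)
    image_hash = sha256_file(image_path)
    log.append(custody_entry("IMG-001", "create image", handler, image_hash))
    return original_hash == image_hash

def demo():
    """Acquire the sample device, then show that a later edit to the image is caught."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "device.raw"), os.path.join(d, "image.dd")
        with open(dev, "wb") as f:
            f.write(SAMPLE_DEVICE)
        verified = acquire_and_verify(dev, img, "analyst-1", log)
        with open(img, "r+b") as f:  # simulate accidental modification of the image
            f.seek(10)
            f.write(b"X")
        tampering_detected = sha256_file(img) != log[-1]["sha256"]
    return verified, tampering_detected, log
```

Re-hashing the working image before each analysis session and comparing against the logged value is what lets the analyst show the copy is still identical to what was seized.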

Slide 13: Evidence Analysis (Continued)
- Identify file, program, and storage anomalies.
- Evaluate program functionality.
- Document findings.
- Create a case.
- Retain copies of the software used.

Slide 14: DISCOVER: CONTEXTS

Slide 15: Sources for Data of Potential Evidentiary Value
- Access logs
- Data transmissions
- Data on hard disks and storage devices
- Data on mobile devices

Slide 16: Locating Data in Access Logs
- Manually review logs, or
- Use a log analysis tool

Slide 17: Locating Data in Transmissions
- For backed-up data: mirror to removable media, with validation by the system administrator.
- For live data: use a packet sniffer or packet capture tool.

Slide 18: Locating Data on Hard Disks and Storage Devices
- Mirror to stable media.
- Use recovery software.
- Use data reconstruction software.

Slide 19: Technical Issues
- Life span of data
- Collecting data quickly
- Collecting bit-level data
- Obscured data
- Anti-forensics

Slide 20: Types of Potential Evidence
- Logs
- Windows swap files and file slack
- Unallocated space and temporary files
- E-mails, word processing documents, and spreadsheets
- Network data packets

Slide 21: Summary
- Differences between data and evidence, and between valid and invalid data
- The rules of evidence
- Chain of custody requirements in evidence handling
- Methods for collection or seizure, transport, protection and storage, and analysis of evidence

