Bretz 1
Kelsey Bretz
Dr. Oblitey
COSC 316
18 November 2013
Computer Forensics
Host security is the practice of securing the end systems attached to a network, such as laptops, cellular devices, and tablets, to name only a few. Sensitive information on hosts or end systems needs to be treated with the appropriate degree of caution. Access to that sensitive information needs to be controlled, and the use of that information needs to be regulated. The extent of the control and regulation depends on the importance of the information. Individuals are not going to go to great lengths to protect end systems holding information that is already public knowledge; on the other hand, information that is highly secret and essential to productivity and functionality will be protected very well. The owner of those assets may sacrifice a great deal in order to keep their intellectual property safe.
The job of an administrator is to keep unauthorized users out of the system while ensuring access for the appropriate people. The general idea of this job sounds easy, but implementing it can be very difficult. For example, the same information that needs to be hidden from some people needs to be readily available to others. Since these two demands lie at opposite ends of the spectrum, there has to be a happy medium, and the system administrators are the ones who decide where the line needs to be drawn. At least one, and possibly both, of the requirements will ultimately be sacrificed to some degree. If the information is completely secured and locked away somewhere, it will not be available even to authorized users. On the other hand, if there are no constraints or protection on the information whatsoever, there will not be any security. The information will be readily available at all times, but using this method will leave it open and vulnerable. The way to handle this problem is to find a happy medium where security and accessibility are both sacrificed to some degree.
The amount of security and availability that is sacrificed depends on the individual's needs and the requirements of a particular system, and it is usually left to the system administrators to decide. Sacrificing security at any level leads, in the long run, to vulnerabilities. One way to deal with those vulnerabilities is through computer forensics.
Computer forensics is the use of technology and specialized techniques for the recovery, authentication, and analysis of electronic data. Computer forensics examines saved data, but it also attempts to retrieve information that has been altered or erased. Recovery techniques rely on computer devices because today they are the foundation for recording and communicating. Digital evidence is stored on devices, and the information collected through computer forensics is commonly used in the pursuit of an attacker or a criminal.
Many different professions are involved with computer forensics in today's society, including law enforcement, government agencies, the military, university programs, private computer forensic organizations, and IT and computer security professionals. These professions can be very different, but they use the same computer forensic concepts to reach different goals. For example, the goal of IT and computer security professionals is to protect sensitive information, so they use computer forensics at a corporate level. Law enforcement's number one goal, on the other hand, is to serve and protect society. In order to make society a safer place, they use computer forensics to investigate crimes, find criminals, and bring them to justice.
IT and computer security professionals tend to concentrate on slightly different aspects of technology than law enforcement does. IT and computer security professionals monitor network traffic and investigate compromised networks, disloyal employees and insider threats, breach of contract, malware, spam and email fraud, and theft of crucial company information. Law enforcement strictly investigates criminal activity; however, some aspects, such as network traffic and malware, are commonly seen in law enforcement investigations too. Bachelor's and master's programs in computer forensics are becoming popular at universities. Community colleges are even working with four-year bachelor's degree programs to make it easy for working professionals to obtain a degree; community college is flexible and affordable. Finally, the military uses computer forensics in the field to gain international intelligence.
Computer forensics is present in law enforcement at the local, state, and federal levels. Local and state agencies typically have smaller units dedicated to computer forensics. A unit usually has a few detectives with special computer forensics training who are responsible for the computer forensic portion of cases. Many departments lack the funding needed to properly support a computer forensic unit, but the Regional Computer Forensic Laboratories are an additional option where local, state, and federal computer forensic examiners all work together. The laboratories offer their services to law enforcement around the United States, so departments that do not have the means to properly process digital evidence still have access to the proper resources. All Regional Computer Forensic Laboratories are run by the F.B.I., and all local, state, and federal examiners who work there are trained by the F.B.I. Furthermore, the F.B.I. and other federal government agencies have additional examiners in their field offices around the world. Homeland Security offices, the National Security Agency, and the Federal Bureau of Investigation continue to have a growing need for examiners because of the exponential growth of technology.
Top-rated software used by computer forensic examiners includes ArcSight Logger, NetWitness Investigator, Quest ChangeAuditor, Lantern, Cellebrite, Physical Analyzer, AccessData's Forensic Toolkit (FTK), and EnCase. ArcSight Logger automates the analysis, alerting, reporting, and intelligence of logs and events. This software is normally used by IT security personnel. NetWitness Investigator is also used by IT security professionals, but law enforcement and other public and private firms are starting to use it to analyze network traffic too. Quest ChangeAuditor is likewise primarily an IT security tool that creates reports and analyzes network traffic; it translates raw data into user-friendly form very well. Lantern is a very good program for analyzing Apple products. A Cellebrite machine collects data from mobile devices, and a program like Physical Analyzer is used to analyze it. AccessData's Forensic Toolkit and EnCase are widely used in law enforcement because their results are accepted in court. Both have a user-friendly interface. FTK is database driven, so an examiner will not lose work if the computer crashes. EnCase comes in different versions, such as EnCase Cyber Security, EnCase Portable for field analysis, and EnCase Forensic, to name a few. EnCase Forensic offers data acquisition, analysis, and reporting. One of the most powerful features of EnCase Forensic is EnScript, its scripting facility, which allows the examiner to write a script for anything he or she intends to do. EnScript even allows the examiner to open and close files outside of the program. Changing the original data is one of the only things EnScript does not allow.
EnCase is very powerful software that can retrieve, analyze, and examine deleted data, file slack, and unallocated space. Disk space is allocated to files in fixed-length units called clusters, and when the actual file size is smaller than the space allocated, the leftover portion is called file slack. This is important because file slack can contain data that was randomly dumped from the computer's memory. File slack can help the examiner find network logon names, passwords, and other sensitive information associated with computer usage; on larger drives the slack can even hold word processing documents and emails. Furthermore, when a file is deleted, the actual data is not deleted; only the pointers to the data in the File Allocation Table or the Master File Table are deleted. At this point the entries are marked "available" and the pointers to the supposedly "deleted" data are gone. This type of data is now referred to as unallocated space. Unallocated space and file slack are of high interest to computer forensic examiners because many times a suspect will try to delete incriminating evidence without realizing that the data is not actually gone unless it has been overwritten with new data.
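To make the slack and unallocated-space mechanics above concrete, here is an added Python model (not from the paper and not EnCase code): a toy FAT-style volume in which deleting a file only clears its directory and allocation entries, followed by a raw keyword search of the kind EnCase's Raw Search performs over the remaining bytes. The 512-byte cluster size, the volume layout and the sample file contents are all constructed for the example.

```python
import re
CLUSTER = 512  # constructed toy volume with 512-byte clusters

def file_slack(file_size: int, cluster: int = CLUSTER) -> int:
    """Unused bytes in the last cluster allocated to a file (0 for an empty file)."""
    return (-file_size) % cluster if file_size else 0

class ToyVolume:
    """Minimal FAT-style model: deleting a file only clears its entries, as the text says."""
    def __init__(self, n_clusters: int):
        self.data = bytearray(n_clusters * CLUSTER)
        self.alloc = [False] * n_clusters
        self.directory = {}  # name -> (cluster list, size in bytes)

    def write_file(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // CLUSTER)  # ceiling division
        free = [i for i, used in enumerate(self.alloc) if not used][:needed]
        assert len(free) == needed, "volume full"
        for k, c in enumerate(free):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # slack untouched
            self.alloc[c] = True
        self.directory[name] = (free, len(content))

    def delete_file(self, name: str) -> None:
        for c in self.directory.pop(name)[0]:
            self.alloc[c] = False  # the data itself is NOT wiped

    def read_slack(self, name: str) -> bytes:
        clusters, size = self.directory[name]
        start = clusters[-1] * CLUSTER + size - (len(clusters) - 1) * CLUSTER
        return bytes(self.data[start:(clusters[-1] + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, used in enumerate(self.alloc) if not used)

def carve_keyword(blob: bytes, keyword: bytes, window: int = 40) -> list:
    """Raw keyword search over bytes that no directory entry points to any more."""
    return [blob[m.start():m.start() + window].rstrip(b"\x00")
            for m in re.finditer(re.escape(keyword), blob)]

def demo() -> dict:
    vol = ToyVolume(8)  # constructed sample: one two-cluster file, then a small file on top
    vol.write_file("old.txt", b"logon user=alice password=Hunter2 " + b"x" * 478 + b"wire the funds tonight\n")
    vol.delete_file("old.txt")               # clusters 0-1 freed, bytes intact
    vol.write_file("memo.txt", b"memo: hi")  # reuses cluster 0: 504 bytes of slack
    return {"slack_bytes": file_slack(8),
            "slack_hits": carve_keyword(vol.read_slack("memo.txt"), b"password="),
            "unalloc_hits": carve_keyword(vol.unallocated(), b"wire the funds")}
```

The credential remnant survives in the new file's slack and the second cluster of the deleted file survives in unallocated space, which is exactly why examiners search both.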
Programs like EnCase are very good at recovering data that has been deleted and at finding other sensitive information that is stored on a computer just through regular use, but when examiners conduct their investigation, it is extremely important that the original evidence is not tainted. This means nothing is changed, not even time and date stamps, which can change when a file is simply opened. To ensure that metadata and all other evidence on the suspect device is not changed, several steps need to be taken. Two of the most important techniques are using a write blocker and creating an image, a copy of the original data. The write blocker does exactly what its name implies: it stops all data from being written to the drive and ensures the data will not change. The write blocker is a key tool for an examiner because it means an investigation can be conducted without having to be extremely cautious about each step. Likewise, imaging is another key computer forensic technique that safeguards the original evidence. Once an image of the data is made, the original does not even have to be touched; the examination can be done on the copy. This precaution is essential because it always leaves the original digital evidence untainted. Many times multiple images are made as an extra precaution.
After ensuring that the evidence will not be tainted, it is essential that the examination is done on an exact image of the original data. The copy and the original must be identical or the completed analysis will be void. EnCase verifies that the duplicate image mirrors the original data by means of hash and redundancy check values. Just as an IP address is a unique identifier, hash and redundancy check values are essentially a fingerprint of the evidence, made up of a long string of numbers and letters. The hash is calculated with the MD5 hash algorithm and written into the evidence file. It then becomes a permanent part of the case documentation, which proves the data was not altered since the time of acquisition.
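An added Python illustration (not the paper's and not EnCase's own code) of the acquisition and verification steps just described: the source is read through a read-only stream, standing in for the write blocker, while a CRC32 is recorded per block and an MD5 over the whole image, and the image is later verified against that record. The 64 KiB block size and the sample drive contents are constructed assumptions.

```python
import hashlib
import io
import zlib

BLOCK = 64 * 1024  # acquisition block size (constructed choice; real tools vary)

def acquire(device, block: int = BLOCK) -> tuple:
    """Read the evidence source sequentially and build the image plus its
    verification record: a CRC32 per block and an MD5 over the whole stream.
    `device` is any readable binary stream opened read-only."""
    image, crcs, md5 = bytearray(), [], hashlib.md5()
    while chunk := device.read(block):
        image += chunk
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        md5.update(chunk)
    return bytes(image), {"block": block, "crcs": crcs, "md5": md5.hexdigest()}

def verify(image: bytes, record: dict) -> dict:
    """Re-hash the image and report whether it still matches the acquisition
    record, listing every block whose CRC disagrees."""
    block = record["block"]
    bad = [i for i in range(len(record["crcs"]))
           if zlib.crc32(image[i * block:(i + 1) * block]) & 0xFFFFFFFF != record["crcs"][i]]
    md5_ok = hashlib.md5(image).hexdigest() == record["md5"]
    return {"md5_ok": md5_ok, "bad_blocks": bad, "verified": md5_ok and not bad}

def demo() -> dict:
    # Constructed "drive": 3.5 blocks of data, read through a read-only stream
    # (the software equivalent of a write blocker: no write path is ever opened).
    source = bytes(range(256)) * (BLOCK * 7 // 512)  # 3.5 * BLOCK bytes
    device = io.BytesIO(source)
    image, record = acquire(device)
    clean = verify(image, record)
    # Simulate a single flipped byte in the second block of a working copy.
    tampered = bytearray(image)
    tampered[BLOCK + 10] ^= 0x01
    damaged = verify(bytes(tampered), record)
    return {"clean": clean, "damaged": damaged,
            "source_md5": hashlib.md5(source).hexdigest(), "image_md5": record["md5"]}
```

A single flipped byte in a working copy fails the MD5 check, and the per-block CRCs identify which block changed, which is the practical value of keeping both.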
Many times an investigator knows what type of evidence he or she needs to find for a conviction, and EnCase offers search tools to meet these needs. There are two ways to perform a search in EnCase: a Raw Search and an Indexed Search. A Raw Search searches the entire drive for the examiner's choice of specific keywords. An Indexed Search requires the drive to be indexed before the search is conducted. Indexing can take some time, depending on how big the drive is, but after the indexing is completed, searches are instantaneous. After finding critical evidence, it is important that an examiner is able to save or bookmark that evidence so it can easily be found again. EnCase provides seven ways to bookmark evidence: Raw Text Bookmarks, Data Structure Bookmarks, Notable File Bookmarks, Multiple Notable File Bookmarks, Note Bookmarks, Table Bookmarks, and Transcript Bookmarks.
Ultimately, all the bookmarks, notes, and everything else found through EnCase are automatically documented in a report through the EnCase report generator. The reports can be exported as written proof for the final portion of a computer forensic investigation; for law enforcement, for instance, the final part of an investigation is presenting the evidence in court.
Overall, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. A computer forensic examiner is trained to use technology to extract digital evidence from a media device in order to prove that a certain incident took place. Today's computer forensic software and tools overcome difficult problems that would otherwise taint digital evidence and force it to be thrown out. In the practice of computer forensics, it is highly recommended that an examiner use the most up-to-date tools and software so that processes and procedures comply with all legal requirements. Whether it is law enforcement or security professionals, computer forensic techniques are used when responding to an incident, whether corporate or criminal.