8/19/2010
Computer Forensics – Foundations
Thomas Mundt – [email protected]

What is computer forensics?
- Computer forensics is not just another name for the digital crime scene investigation process.
- Computer forensics is the search for evidence that can be found on a digital device that has been involved in an incident.
What computer forensics is not
- Pro-active (security)
  - It is reactive to an event or request.
- About finding the bad guy
  - It is about finding evidence of value.
Purposes of computer forensics
- In legal cases, computer forensic techniques are used to analyse computer systems.
- To recover data in the event of a failure.
- To analyse a computer system after an attack
  - To determine how the attacker gained access.
  - To determine what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work (reverse-engineering).
Scope of this lecture
- Learning about the processes and principles of computer forensics.
- Knowing which data are available in different systems.

Related topics (out of scope)
- Cryptanalysis.
- Steganalysis.
- Social engineering.
- Biological forensics.
- Legal questions.
- Surveillance.
Content
- Foundations
- File system forensics
- Network forensics
- Device forensics
- Toolkits

Further reading
- Eoghan Casey: „Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet“, Academic Press, London, 2004
- Warren G. Kruse, Jay Heiser: „Computer Forensics: Incident Response Essentials“, Addison-Wesley Longman, Amsterdam, 2002
- Chris Prosise, Kevin Mandia: „Incident Response and Computer Forensics“, McGraw-Hill Professional, Emeryville, 2003

Further reading online
- Guidance Software (EnCase): http://www.encase.com/
- WinHex: http://www.x-ways.net/winhex/forensics.html
- Foundstone (Forensic Toolkit): http://www.foundstone.com/
- E-Fense (HELIX): http://www.e-fense.com/helix/
- Computer Forensics, Cybercrime and Steganography Resources: http://www.forensics.nl/
- Stego Resources: http://www.stegoarchive.com/
- GIAC Certified Forensic Analyst Practical Papers Review: http://www.giac.org/GCFA.php
Phases of computer forensics
- Typical phases are system preservation, evidence searching, and event reconstruction.
- The process can be used when investigating live and dead computer systems.

(Diagram) System preservation phase -> Evidence searching phase -> Event reconstruction phase
System preservation phase
- The purpose of this phase is to reduce or eliminate the amount of evidence that may be overwritten.
  - A live system requires preserving data from volatile memory.
  - A dead system (static analysis) contains information on non-volatile memory.
- Typical actions during this phase are
  - Creating a memory dump.
  - Creating an image (exact duplicate) of the original media.
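The preservation step described above, as an added example that is not part of the lecture: a read-only source is read block by block into an image, the original is hashed before and after acquisition, and the result is recorded in an acquisition record so the duplicate can later be shown to be exact. The "medium" here is a constructed byte string; on a real case the source would be a device opened through a write blocker.

```python
import datetime
import hashlib
import io

# Constructed stand-in for a seized storage medium (4096 bytes): a boot area,
# one allocated file and leftovers in unallocated space. Sample data only.
SOURCE_MEDIA = (b"\x00" * 512
                + b"CONTRACT.DOC\x00" + b"A" * 100
                + b"\x00" * 200
                + b"deleted: wire 40000 to acct 1234"
                ).ljust(4096, b"\x00")

BLOCK_SIZE = 512  # read block by block, as a bit-for-bit imager does


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_media(source, block_size=BLOCK_SIZE):
    """Read `source` (file-like, opened read-only) block by block and return
    (image_bytes, sha256_of_stream). The hash is computed over the blocks as
    they are read, so it describes exactly what was taken from the original."""
    h = hashlib.sha256()
    out = io.BytesIO()
    while True:
        block = source.read(block_size)
        if not block:
            break
        h.update(block)
        out.write(block)
    return out.getvalue(), h.hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Bit-for-bit check: same size and same SHA-256."""
    return len(original) == len(image) and sha256_of(original) == sha256_of(image)


def acquire(original: bytes, examiner: str, device_label: str):
    """Hash the original, image it, re-hash the original to show it was not
    altered, verify the image, and document everything in one record."""
    pre_hash = sha256_of(original)                 # before anything touches the media
    image, stream_hash = image_media(io.BytesIO(original))
    post_hash = sha256_of(original)                # original must be unchanged
    record = {
        "device": device_label,
        "examiner": examiner,
        "acquired_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "bytes": len(original),
        "sha256_original_before": pre_hash,
        "sha256_original_after": post_hash,
        "sha256_image": sha256_of(image),
        "verified": verify_image(original, image) and pre_hash == post_hash == stream_hash,
    }
    return image, record


if __name__ == "__main__":
    _, rec = acquire(SOURCE_MEDIA, "examiner-1", "constructed-device")
    for k, v in rec.items():
        print(f"{k}: {v}")
```

The three hashes in the record are the point: "before" and "after" agreeing shows the original was not modified, and the image hash agreeing with both shows the duplicate is exact. Any later analysis is done on the image, never on the original.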
Evidence searching phase
- Searching is generally a fairly simple process
  - Define the characteristics of the object.
  - Look for that object in a collection of data.
- If the collection is large, the investigator has to know where to search.
  - Different storage media.
  - Different locations on media.
  - Filter addresses (e.g. IP address, port, destination).
  - Filter by keywords.
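The two-step search above (define the characteristics, then look for the object in the collection), as an added example that is not part of the lecture. The collection is a constructed raw image and a constructed list of connection records; the keyword search runs over the raw bytes, so it also finds text sitting in unallocated space that the file system no longer lists, and the connection filter narrows by address, port or destination network.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed raw image bytes: what a file-system-unaware search sees.
RAW_IMAGE = (b"\x00" * 64 + b"invoice.txt\x00 Pay 5000 EUR to ACME "
             + b"\x00" * 32 + b"contact: 10.0.0.25:4444 and 192.168.1.7 "
             + b"\x00" * 16 + b"acme secret plan" + b"\x00" * 64)

# Constructed connection records (src, dst, dport), as a sensor would log them.
CONNECTIONS = [
    ("192.168.1.7", "10.0.0.25", 4444),
    ("192.168.1.8", "93.184.216.34", 443),
    ("10.0.0.25", "192.168.1.7", 22),
    ("192.168.1.7", "10.0.0.99", 80),
]

# Characteristic of the object "IPv4 address in text": dotted quad not
# embedded in a longer digit run.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def find_keywords(image: bytes, keywords, ignore_case=True):
    """Look for each keyword anywhere in the image (allocated or not) and
    return (keyword, byte offset) pairs sorted by offset."""
    hits = []
    hay = image.lower() if ignore_case else image
    for kw in keywords:
        needle = kw.encode().lower() if ignore_case else kw.encode()
        start = 0
        while True:
            idx = hay.find(needle, start)
            if idx < 0:
                break
            hits.append((kw, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def find_ipv4_addresses(image: bytes):
    """Extract candidate IPv4 strings and keep only syntactically valid ones."""
    found = []
    for m in IPV4_RE.finditer(image):
        text = m.group().decode()
        try:
            ip_address(text)          # rejects octets above 255 etc.
        except ValueError:
            continue
        found.append((text, m.start()))
    return found


def filter_connections(conns, host=None, port=None, network=None):
    """Narrow the record collection by address, destination port or
    destination network (CIDR string)."""
    out = []
    for src, dst, dport in conns:
        if host and host not in (src, dst):
            continue
        if port is not None and dport != port:
            continue
        if network and ip_address(dst) not in ip_network(network):
            continue
        out.append((src, dst, dport))
    return out


if __name__ == "__main__":
    print(find_keywords(RAW_IMAGE, ["ACME", "secret"]))
    print(find_ipv4_addresses(RAW_IMAGE))
    print(filter_connections(CONNECTIONS, network="10.0.0.0/24"))
```

Offsets are reported rather than file names because at this layer there are no files: an offset is what the investigator carries into the volume and file system analysis to find out which file, if any, once held the bytes.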
Event reconstruction phase
- Analysing data in order to determine what events occurred in the system.
- Trying to answer questions like
  - Who owns a file?
  - Who created an account?
  - When did the system break down?
  - At what speed was the car travelling?
- Correlating digitally stored events with physical events.
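Event reconstruction as an added example that is not part of the lecture: constructed file system metadata, a constructed authentication log and a constructed badge-reader log (the physical event source) are normalised to UTC and merged into one timeline, which then answers the questions listed above and checks whether the person the logs name was physically present when a digital event happened. The host's time zone offset is an assumption; on a real case it is something the examiner must establish.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    when: datetime          # normalised to UTC
    source: str
    description: str
    subject: str = ""       # user or person the event is attributed to


HOST_TZ = timezone(timedelta(hours=2))   # assumed local time of the seized host

# Constructed evidence (not from any real case).
FS_METADATA = [   # (path, owner, creation time in host local time)
    ("/home/mallory/plan.txt", "mallory", "2010-08-19 09:14:02"),
    ("/etc/passwd", "root", "2010-08-19 09:10:30"),
]
AUTH_LOG = [      # host local time
    "2010-08-19 09:10:30 useradd[4021]: new user: name=mallory, uid=1003 by=admin",
    "2010-08-19 09:12:11 sshd[4100]: Accepted password for mallory from 10.0.0.25",
    "2010-08-19 09:30:00 kernel: panic - not syncing: fatal exception",
]
BADGE_LOG = [     # physical access system, already in UTC
    ("2010-08-19T07:05:00Z", "admin", "entered server room"),
    ("2010-08-19T07:20:00Z", "admin", "left server room"),
]


def parse_host_time(ts: str) -> datetime:
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
    return local.astimezone(timezone.utc)


def build_timeline():
    """Merge all sources into one list of Events sorted by UTC time."""
    events = []
    for path, owner, ctime in FS_METADATA:
        events.append(Event(parse_host_time(ctime), "filesystem", f"{path} created", owner))
    for line in AUTH_LOG:
        ts, rest = line[:19], line[20:]
        m = re.search(r"new user: name=(\w+).* by=(\w+)", rest)
        if m:
            events.append(Event(parse_host_time(ts), "auth.log",
                                f"account {m.group(1)} created", m.group(2)))
        elif "Accepted password" in rest:
            user = re.search(r"for (\w+)", rest).group(1)
            events.append(Event(parse_host_time(ts), "auth.log", "login", user))
        elif "panic" in rest:
            events.append(Event(parse_host_time(ts), "kernel", "system crashed"))
    for ts, person, what in BADGE_LOG:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, "badge", what, person))
    return sorted(events)


def who_owns(timeline, path):
    for e in timeline:
        if e.source == "filesystem" and e.description == f"{path} created":
            return e.subject
    return None


def who_created_account(timeline, user):
    for e in timeline:
        if e.description == f"account {user} created":
            return e.subject
    return None


def when_did_system_crash(timeline):
    for e in timeline:
        if e.description == "system crashed":
            return e.when
    return None


def physically_present(timeline, person, at):
    """Correlate with the physical world: had `person` entered (and not yet
    left) according to the badge log at UTC time `at`?"""
    inside = False
    for e in timeline:
        if e.source != "badge" or e.subject != person:
            continue
        if e.when > at:
            break
        inside = e.description.startswith("entered")
    return inside


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.when.isoformat(), e.source, e.description, e.subject)
```

Normalising every source to UTC before sorting is what makes the correlation meaningful; the file system's 09:10:30 and the badge reader's 07:10:30 are the same instant only once the host offset is applied.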
Data analysis
- Different layers of information.
  - Application data analysis
  - File system analysis
  - Volume analysis
  - Swap space analysis
  - Database analysis
  - Memory analysis
  - Physical storage media analysis
  - Network analysis
  - Computer analysis

Physical storage media analysis
- The device that stores data.
- Typically organised in blocks (remember CHS – cylinder, head, sector).
- Examples:
  - HDD
  - USB memory sticks (flash memory)
  - Tapes
  - CD / DVD / Blu-ray (in all flavours)
Volume analysis
- Storage area for a single file system.
- Might span across several media.
- Typically resides in one partition (other setups are possible).
- Also known as „logical drive“.
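Volume analysis in practice, as an added example that is not part of the lecture: the first sector of a disk image is parsed for its DOS/MBR partition table, each entry's CHS and LBA start is decoded, and the sectors that belong to no partition are listed, because unallocated gaps between partitions are exactly the places a file-system-level search never looks. The sample sector is constructed here; the table layout (four 16-byte entries at offset 446, signature 0x55AA at offset 510) is the standard MBR format.

```python
import struct

SECTOR = 512
PTYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
          0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def chs_decode(b: bytes):
    """Decode a 3-byte CHS field: head, then sector in the low 6 bits of
    byte 1 with the cylinder's high 2 bits above it, then cylinder low byte."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries of an MBR sector as dicts."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, chs_s, ptype, chs_e, lba_start, n_sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 and n_sectors == 0:
            continue                      # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PTYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "chs_start": chs_decode(chs_s),
            "chs_end": chs_decode(chs_e),
            "lba_start": lba_start,
            "sectors": n_sectors,
            "byte_offset": lba_start * SECTOR,   # where the volume begins in the image
        })
    return parts


def unallocated_ranges(parts, total_sectors):
    """Sector ranges [start, end) covered by no partition."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def make_entry(bootable, ptype, chs_start, chs_end, lba_start, n_sectors):
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       chs_start, ptype, chs_end, lba_start, n_sectors)


# Constructed sample MBR: an NTFS partition at LBA 2048 and a Linux partition
# at LBA 208896, leaving a 2048-sector gap between them. The 0xFE 0xFF 0xFF
# end field decodes to the 1023/254/63 marker used when CHS overflows.
SAMPLE_MBR = (bytes(446)
              + make_entry(True, 0x07, b"\x20\x21\x00", b"\xfe\xff\xff", 2048, 204800)
              + make_entry(False, 0x83, b"\xfe\xff\xff", b"\xfe\xff\xff", 208896, 409600)
              + bytes(32)
              + b"\x55\xAA")
SAMPLE_TOTAL_SECTORS = 1048576   # constructed: a 512 MiB image


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unallocated:", unallocated_ranges(parts, SAMPLE_TOTAL_SECTORS))
```

The byte offset of each entry is what a file system parser is pointed at; the unallocated ranges are what the examiner carves or keyword-searches separately.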
File system analysis
- Contains files and directories.
- Also contains metadata.
  - Times.
  - Access rights.
  - Journals.
- Directly available to the user through the operating system.

Some more principles of computer forensics
- The act of collecting digital evidence should not result in any alteration of the data in question, wherever this is possible.
- All handling of digital evidence (from collection through to preservation and analysis) must be fully documented.
- Access to original digital evidence should be restricted to those deemed "forensically competent".
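The documentation and access-restriction principles above, as an added example that is not part of the lecture: a chain-of-custody log in which every handling entry names the examiner, is accepted only from a roster of people deemed competent, and carries the hash of the previous entry, so that any later change to an entry is detected when the log is verified. The examiner roster and evidence identifiers are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed roster of people deemed forensically competent (assumption).
AUTHORIZED_EXAMINERS = {"a.muster": "certified examiner", "b.beispiel": "lab supervisor"}
GENESIS_HASH = "0" * 64


def is_authorized(who: str) -> bool:
    return who in AUTHORIZED_EXAMINERS


def _entry_hash(entry: dict) -> str:
    """Hash of the entry's canonical JSON form, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only, hash-chained record of everything done with one item."""

    def __init__(self, evidence_id, evidence_sha256, collected_by, when=None):
        self.entries = []
        self._append({"evidence_id": evidence_id, "evidence_sha256": evidence_sha256},
                     collected_by, "collected", when)

    def _append(self, extra, who, action, when):
        if not is_authorized(who):
            raise PermissionError(f"{who} is not on the authorized examiner list")
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "who": who,
            "action": action,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH,
        }
        entry.update(extra)
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def record(self, who, action, when=None):
        """Document one handling step (imaging, transfer, analysis, ...)."""
        return self._append({}, who, action, when)

    def verify(self) -> bool:
        """Recompute every hash and check the chain; False if any entry was
        altered, reordered or removed after the fact."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    log = CustodyLog("EV-2010-001", "ab" * 32, "a.muster")
    log.record("a.muster", "imaged with write blocker")
    log.record("b.beispiel", "transferred to evidence locker")
    print(json.dumps(log.entries, indent=2), log.verify())
```

The chain does not by itself stop someone with write access from rewriting the whole log; it makes a silent edit to one entry detectable, and the roster check turns "restricted to the competent" from a policy sentence into something the log enforces.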
Users of computer forensics
- Criminal justice agencies
  - Prosecutor's Office/DA, attorneys, and judges
- Corporate counsel
  - Company legal resources
  - Human resources
  - Auditors
- Individuals
- Crackers/hackers

Users of computer forensics
- Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
- Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

Users of computer forensics
- Corporations often hire computer forensics specialists to ascertain evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.
- Law enforcement officials frequently require assistance in post-seizure handling of the computer equipment.
- Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.
Sources of digital forensic data
- Obvious sources – devices intended to store data.

Sources of digital forensic data
- Legacy media and old file formats.
- Problems
  - Amount of data.
  - Structure of data unclear.
Sources of digital forensic data
- Not so obvious sources – data stored without explicit consent.

Digital forensic utilities
- Tools for data acquisition, file recovery, indexing/search, and file parsing.
- Some names
  - Helix3 Forensics – live CD based on Ubuntu
  - EnCase
  - AccessData Forensic Toolkit

(Screenshot slide) EnCase
(Screenshot slides) Helix 3; AccessData Forensic Toolkit; WinHex
First responder's toolkit
- Trusted shell
  - cmd.exe
  - csh / bash
- Users
  - nbtstat
  - who
  - logs
- Traffic
  - windump
  - snort
  - tcpdump
- Process explorer

Network analysis (diagram): network, sensor, archive, batch analysis, real-time analysis.