COEN 152 Computer Forensics - Santa Clara University
COEN 252 Computer Forensics
Introduction to Computer Forensics
Thomas Schwarz, S.J., 2009, w/ T. Scocca
Computer Forensics - Digital Investigation

- Focuses on a digital device:
  - Computer
  - Router
  - Switch
  - Cell-phone
  - SIM-card
  - …
Computer Forensics - Digital Investigation

- Focuses on a digital device involved in an incident or crime:
  - Computer intrusion
  - Generic criminal activity
    - Perpetrator uses the internet to gather information used in the perpetration of a crime.
    - Digital device is an instrument of a crime:
      - Perpetrator uses a cell-phone to set off a bomb. (Details are sensitive to national security. If you get clearance, I can tell you who to ask.)
      - Email scams
      - Internet auction fraud
      - Computer is used for intrusion of another system.
Computer Forensics - Digital Investigation

- Has different goals:
  - Prevention of further intrusions.
    - Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
  - Assessment of damage.
    - Goal is to certify the system for safe use.
  - Reconstruction of an incident.
    - For criminal proceedings.
    - For organization-internal proceedings.
Computer Forensics - Digital Investigation

- Process where we develop and test hypotheses that answer questions about digital events.
- We can use an adaptation of the scientific method: we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.
Computer Forensics - Evidence

- Procedural notion
  - That on which our findings are based.
- Legal notion
  - Defined by the "rules of evidence"
    - Differ by legislation
    - "Hearsay" is procedurally evidence, but excluded (under many circumstances) as legal evidence.
Computer Forensics - Forensics

- Used in the "forum", especially for judicial proceedings.
- Definition: legal
Computer Forensics - Digital Crime Scene Investigation Process

- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

Note: These phases are different activities that intermingle.
Computer Forensics - Who should know about Computer Forensics

- Those involved in legal proceedings that might use digital evidence
  - Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses
- Those involved in Systems Administration
  - Systems Administrators, Network Administrators, Information Security Officers
- Those writing procedures
- Managers
Computer Forensics - Computer Forensics presupposes skills in

- Ethics
- Law, especially rules of evidence
- System and network administration
- Digital data representation
  - Number and character representation
- Systems
  - OS, especially file systems.
  - Hardware, especially disk drives, memory systems, computer architecture, …
- Networking
  - Network protocols, Intrusion detection, …
- Information Systems Management
Computer Forensics - Swiss Army Knife for Investigations

Useful in the following areas:

- HR Policy Violations
- Insider Trading Allegations
- Compliance Audits / Validation
- Network Misuse
- Workplace Harassment
- Intellectual Property Protection
- IT Check & Balance
- Ombudsman's Office
- Whistleblower Allegations
- Internal Fraud
- eDiscovery
COEN 252 - Prerequisites

Required:

- Good moral character. Ability and willingness to respect ethical boundaries.
- Familiarity with at least one type of operating system. (Windows, Unix/Linux, DOS experience preferred.)
- Some programming.
- Access to a computer with a hex editor.

Desired:

- Familiarity with OS Theory.
- Familiarity with Networking.
- Some knowledge of the U.S. legal system.
COEN 252 - Text Books

- Cohen, F. Digital Forensic Evidence Examination. 2nd edition. Fred Cohen & Associates, 2010.
  (Optional)

COEN 252 - Text Books - Optional

- Nelson, B., Phillips, A., Steuart, C. Guide to Computer Forensics and Investigations. 2nd edition. Course Technology, 2010.

COEN 252 - Text Books - Of Interest

- Carrier, B. File System Forensic Analysis. Addison-Wesley Professional, 2005.
Computer Forensics Software

Commercial:

- FTK - Forensic Toolkit: http://www.accessdata.com/
- WinHex: http://www.winhex.com/
- EnCase: http://www.guidancesoftware.com/
- Paraben: http://www.paraben.com/
- NTI: http://www.forensics-intl.com/tools.html
- Maresware: http://www.dmares.com/
- Digital Intelligence: http://www.digitalintel.com/

Open Source:

- Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html
- Knoppix: http://www.knoppix.com/
- The Sleuth Kit: http://www.sleuthkit.org/sleuthkit/index.php
- Penguin Sleuth Kit: http://www.linux-forensics.com/
- BackTrack: http://www.remote-exploit.org/backtrack.html