01 Computer Forensics in Today’s World
    Presentation Transcript

    • SAK 4801 SPECIAL TOPICS IN COMPUTER SCIENCE II Chapter 1 Computer Forensics in Today’s World Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology Universiti Putra Malaysia Room No: 2.28 Portions of the material courtesy EC-Council
    • Computer Forensics and Investigations
    • Learning Objectives
      • At the end of this chapter, you will be able to:
        • Understand the concept of computer forensics
        • Describe how to prepare for computer investigations
        • Explain the difference between law enforcement (public) agency and corporate (private) investigations
        • Explain the importance of maintaining professional conduct
    • Chapter 1 Outline
      • 1. Computer Forensics in Today’s World
        • 1.1. Introduction to Computer Forensics
        • 1.2. History of Computer Forensics
        • 1.3. Computer Forensics Flaws and Risks
        • 1.4. Cyber crime
        • 1.5. Reasons for Cyber Attacks
        • 1.6. Modes of Attack
        • 1.7. Role of Computer Forensics
    • 1.1 Introduction to Computer Forensics
      • Computers combined with the Internet have become an important part of everyday life for the general public.
      • Nowadays more and more people use computers and devices with computing capability.
      • The growth in computerized business processes and in the number of Internet users has created new opportunities for criminals.
      • According to the EC-Council:
        • 85% of businesses and government agencies detected security breaches
        • The FBI estimates that the United States loses up to $10 billion a year to cyber crime.
    • 1.1 Introduction to Computer Forensics (Cont.)
      • The digital age has produced many new professions, but one of the most unusual is computer forensics.
      • Computer forensics applies science to questions of law.
        • Although it is similar to other forms of legal forensics, the computer forensics process requires deep knowledge of computer hardware and software in order to avoid accidentally invalidating or destroying evidence, and to preserve the evidence for later analysis.
    • 1.2 History of Computer Forensics
    • 1.2.1 Forensic Science
      • Forensic science has been around since the dawn of justice.
        • Francis Galton (1822–1911) made the first recorded study of fingerprints,
        • Leone Lattes (1887–1954) developed a method for determining the blood group (A, B, AB and O) of dried bloodstains,
        • Calvin Goddard (1891–1955) developed firearms and bullet comparison, which resolved many pending court cases,
        • Albert Osborn (1858–1946) developed the essential features of document examination,
        • Hans Gross (1847–1915) applied scientific study to criminal investigation.
        • The FBI (1932) set up a lab to provide forensic services to all field agents and other law enforcement authorities across the country.
    • 1.2.2 Evolution of Computer Forensics
      • 1984 – the FBI Computer Analysis and Response Team (CART) emerged
      • 1991 – an international law enforcement meeting was held to discuss computer forensics and the need for a standardized approach
      • 1994 – Department of Justice (DOJ) – Federal Guidelines for Searching and Seizing Computers
      • 1997 – FBI – the Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards in computer forensics
      • 2001 – USAF – the Digital Forensics Research Workshop (DFRWS) was held
      • 2003 – Academic – International Journal of Digital Forensics & Incident Response, Elsevier
    • 1.2.3 Definition of Forensic Science
        • Forensic science is “the application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society” (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
        • Forensic science is “the application of scientific techniques and principles to provide evidence to legal or related investigations and determinations” (Forensic Science: An Encyclopedia of History, Methods, and Techniques, 2006)
        • Aim:
          • determining the evidential value of the crime scene and related evidence
    • 1.2.4 Definition of Computer Forensics
      • Computer forensics is defined as “a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” (Dr. H.B. Wolfe)
      • According to Steve Hailey, Cybersecurity Institute, computer forensics is “the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
    • 1.2.4 Definition of Computer Forensics (Cont.)
      • The FBI defines computer forensics as the application of science and engineering to the legal problem of digital evidence.
      • James Borek (2001): computer forensics is “the equivalent of surveying a crime scene or performing an autopsy on a victim”.
      • Computer forensics is “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” (DFRWS 2001)
    • 1.2.5 Computer Forensics Versus Other Related Disciplines
        • Computer forensics versus network forensics
          • Computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court. (DIBS USA, Inc., a corporation specializing in computer forensics)
            • Computer forensics investigates data that can be retrieved from a computer’s hard disk or other storage media.
            • Investigating computers includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice.
            • Computer forensics investigators retrieve information from a computer or its component parts.
            • The information might already be on the disk, but it may not be easy to find or decipher.
    • 1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
          • Network forensics produces information about how a culprit or hacker gained access to a network.
            • Network forensics examines log files and also tries to determine what tracks or new files were left behind on a victim’s computer, or what changes were made.
            • Network forensics investigators use log files to determine when users logged on and try to determine which URLs users accessed, how they logged on to the network, and from what location.
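The network forensics log review described above (when users logged on, how, from where, and which URLs they fetched), as an added worked example that is not part of the original slides. The sshd and web-server log lines are constructed for illustration; the hosts, users and addresses are invented, and the year supplied for the syslog timestamps is an analyst assumption, since that format carries none.

```python
"""Merge sshd auth-log and web access-log lines into one timeline per source IP."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

YEAR = 2024  # assumption: syslog-style sshd lines carry no year

# Constructed sample logs; not taken from any real system.
AUTH_LOG = """\
Mar  4 08:01:12 web01 sshd[2311]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Mar  4 08:01:40 web01 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  4 08:15:03 web01 sshd[2398]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar  4 08:15:05 web01 sshd[2398]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar  4 08:15:09 web01 sshd[2401]: Accepted publickey for deploy from 198.51.100.23 port 40118 ssh2
Mar  4 09:02:55 web01 sshd[2311]: pam_unix(sshd:session): session closed for user alice
"""

ACCESS_LOG = """\
203.0.113.7 - alice [04/Mar/2024:08:05:10 +0000] "GET /admin/export?table=customers HTTP/1.1" 200 48211 "-" "curl/8.4.0"
198.51.100.23 - - [04/Mar/2024:08:16:30 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


@dataclass(order=True)
class Event:
    ts: datetime   # timezone-aware, so events from both logs sort together
    source: str    # "sshd" or "http"
    ip: str
    user: str
    kind: str      # "accepted", "failed" or "request"
    detail: str    # auth method, or "METHOD path status" for requests


def parse_auth_line(line, year=YEAR):
    """Event for Accepted/Failed sshd lines; None for session/pam noise."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = SSHD_AUTH_RE.match(m["msg"])
    if not a:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "sshd", a["ip"], a["user"], a["result"].lower(), a["method"])


def parse_access_line(line):
    """Event for one NCSA combined-format request line; None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts, "http", m["ip"], m["user"], "request",
                 f"{m['method']} {m['path']} {m['status']}")


def build_timeline(auth_text, access_text, year=YEAR):
    """Parse both logs and return every event in chronological order."""
    events = [parse_auth_line(line, year) for line in auth_text.splitlines()]
    events += [parse_access_line(line) for line in access_text.splitlines()]
    return sorted(e for e in events if e is not None)


def summarize_by_source(timeline):
    """Per source IP: successful logins (user, method, time), failed attempts, requests."""
    out = defaultdict(lambda: {"accepted": [], "failed": 0, "requests": []})
    for e in timeline:
        s = out[e.ip]
        if e.kind == "accepted":
            s["accepted"].append((e.user, e.detail, e.ts.isoformat()))
        elif e.kind == "failed":
            s["failed"] += 1
        else:
            s["requests"].append(e.detail)
    return dict(out)


if __name__ == "__main__":
    for ip, s in summarize_by_source(build_timeline(AUTH_LOG, ACCESS_LOG)).items():
        print(ip, s)
```

Keying the summary by source IP rather than by username is what lets the two failed root attempts, the later key-based login as deploy and the probe for /.git/config from 198.51.100.23 be read as one actor's activity; the same correlation would be lost if each log were reviewed on its own.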
    • 1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
      • Computer forensics versus data recovery
        • Data recovery involves recovering information from a computer, for example a file that was deleted by mistake or lost during a power surge or server crash.
          • In data recovery, the information you are looking for is known.
        • Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. The evidence can be
          • inculpatory (in criminal cases, the expression is “incriminating”), or
          • exculpatory, meaning it might clear the suspect.
    • 1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
          • Investigators often examine a computer disk without knowing whether it contains evidence, so they must search the storage media.
            • If they find data, they piece it together to produce evidence.
          • Various forensic software tools can be used for most cases.
            • In extreme cases, investigators can use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or purposely reformatted.
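Recovering deleted data without knowing in advance what the disk holds, as contrasted with data recovery above, is usually done by file carving: scanning raw storage for file signatures rather than trusting the file system's directory entries, which deletion removes while leaving the bytes in place. The following is an added example, not code from the original slides. The "disk image" is constructed in memory (filler bytes, a real 1x1 PNG built by hand, and a stand-in JPEG that carries only the JFIF header and end marker), and the signature table and size limit are this example's own choices.

```python
"""Signature-based file carving over a raw image, with a truncated-file case."""
import hashlib
import struct
import zlib


def png_chunk(ctype, data):
    """PNG chunk layout: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 red RGB PNG, assembled in code so the sample needs no file."""
    sig = b"\x89PNG\r\n\x1a\n"
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one pixel
    return sig + ihdr + idat + png_chunk(b"IEND", b"")


# Header and footer byte signatures (assumed table for this example). The PNG
# footer includes the fixed CRC of an empty IEND chunk so the slice ends exactly.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header with no footer within this span


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return [(offset, type, bytes_or_None)] sorted by offset.

    Works on content alone, so it recovers files whose directory entries were
    deleted. A header with no footer within max_len is reported with None data,
    so a truncated or overwritten file is visible rather than silently skipped.
    """
    found = []
    for ftype, (head, foot) in signatures.items():
        start = image.find(head)
        while start != -1:
            end = image.find(foot, start + len(head), start + max_len)
            if end == -1:
                found.append((start, ftype, None))
                start = image.find(head, start + 1)
                continue
            end += len(foot)
            found.append((start, ftype, image[start:end]))
            start = image.find(head, end)
    return sorted(found, key=lambda f: f[0])


def report(image):
    """One row per carved object, hashed so the result can later be authenticated."""
    rows = []
    for offset, ftype, data in carve(image):
        rows.append({"offset": offset, "type": ftype,
                     "size": None if data is None else len(data),
                     "sha256": None if data is None else hashlib.sha256(data).hexdigest()})
    return rows


def build_sample_image():
    """Constructed image: 2 KiB filler, PNG, 512 zero bytes, JPEG stand-in, filler."""
    filler = bytes(range(256)) * 8  # deterministic junk with no signature inside it
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x11" * 64 + b"\xff\xd9")
    png = make_png()
    image = filler + png + b"\x00" * 512 + jpeg + filler
    return image, {"png": png, "jpg": jpeg}


if __name__ == "__main__":
    img, _ = build_sample_image()
    for row in report(img):
        print(row)
```

Carving by signature is deliberately file-system agnostic, which is why the same routine finds a deleted file and a file hidden inside other data; the price is that fragmented files are returned in pieces and an unterminated header yields a truncated object, which the report marks rather than guesses at.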
    • 1.2.5 Computer Forensics Versus Other Related Disciplines (Cont.)
        • Computer forensics versus computer security
          • Computer forensics is concerned with the proper acquisition, preservation and analysis of digital evidence, typically after unauthorized access or use has taken place.
          • Computer security is mainly concerned with preventing unauthorized access, and with maintaining the confidentiality, integrity and availability of computer systems.
    • 1.2.6 Need for Computer Forensics
      • The need for computer forensics arises from:
        • The majority of documents nowadays being electronic. According to a University of California study, during 1999:
          • 93% of information was generated in digital form, on computers
          • 7% of information originated in other media, such as paper
        • The need to search for and identify data in a computer
          • Perpetrators leave an increasing trail of activity on computers.
        • Digital evidence being delicate in nature; it must therefore be recorded as early as possible to avoid the loss of valuable evidence
          • Electronic information can easily be planted, created and stored
    • 1.2.6 Need for Computer Forensics (Cont.)
      • Law enforcement officials, network and system administrators of IT firms, attorneys and private investigators depend upon qualified computer forensic experts to investigate criminal and civil cases.
        • An appropriate computer forensics specialist should be called in and given as much cooperation as possible, because if there is to be any chance of recovering property and of locating and successfully prosecuting the criminal, there must be evidence of sufficient quantity and quality.
      • For recovering
          • deleted,
          • encrypted, or
          • corrupted files from a system
      • This data will be helpful when presenting testimony in court.
    • 1.3 Computer Forensics Flaws and Risks
      • Computer forensics is still in its early stages of development
      • It differs from the other forensic sciences in that digital evidence is examined
      • There is little theoretical knowledge on which to base assumptions for analysis, and standard empirical hypothesis testing is rarely carried out
        • lack of proper training
        • no standardization of tools
      • Designations are not entirely professional
      • It is still more of an “art” than a “science”
    • 1.3 Computer Forensics Flaws and Risks (Cont.)
      • According to EC-Council corporate espionage statistics:
        • Corporate computer security budgets increased by an average of 48% in 2002
        • 62% of corporations had their systems compromised by viruses
        • FBI statistics reveal that more than 100 nations are engaged in corporate espionage against US companies
        • More than 2,230 documented incidents of corporate espionage by the year 2003
    • 1.4 Cyber Crime
    • 1.4.1 Definition of Cyber Crime
      • Definition
        • “Any illegal act involving a computer, its systems, or its applications” (EC-Council)
      • The crime must be intentional and not accidental.
      • Cyber crime is divided into the three T’s:
        • Tools of the crime
        • Target of the crime
        • Tangential to the crime
    • 1.4.1 Definition of Cyber Crime (Cont.)
      • Tools of the crime
        • The various hacking tools that were used to commit the crime.
        • Includes the computer or workstation from which the crime was committed.
          • The whole system is taken, including hardware such as the keyboard, mouse and monitor.
        • Considered to be evidence that the computer forensic investigator must analyze, process and then document.
    • 1.4.1 Definition of Cyber Crime (Cont.)
      • Target of the crime
        • Also termed the victim
          • The victim can be a corporate organization, website, consultancy agency or government body.
        • The target of the crime is usually the location where the computer forensic investigator examines the crime scene
      • Tangential to the crime
        • Means the computer was used as a secondary tool.
        • The computer creates a unique environment or a unique form of asset.
        • The computer is not the primary instrument of the crime; it simply facilitates it.
        • The computer is used to store the evidence.
    • 1.4.2 Digital Evidence
      • What is Digital Evidence?
        • Information of probative value stored or transmitted in digital form
          • Probative value: evidence that is sufficiently useful to prove something important in a trial
        • Types of Digital Evidence – What to seize?
          • Storage media (e.g. floppies, CDs, thumb drives)
          • Computer (system unit)
          • Laptops (always seize the power supply)
          • External drives and media
            • Corresponding devices
            • e.g. tape/tape drive, Jaz disk/Jaz drive
          • Unique software and operating manuals
            • (software might need to be loaded on the forensic computer to view files)
    • 1.4.3 Examples of Cyber Crime
      • Theft of intellectual property
        • Includes any act that allows an individual to gain access to patents, trade secrets, customer data, sales trends and any other confidential information that can be of monetary gain.
      • Damage to company service networks
        • Takes place when the attacker plants a Trojan horse, conducts a denial-of-service attack, or installs an unauthorized modem in the network that gives attackers a way in.
      • Financial fraud
        • Refers to any type of criminal behavior that uses fraudulent solicitation of prospective victims to conduct fraudulent transactions.
    • 1.4.3 Examples of Cyber Crime (Cont.)
      • Hacker system penetrations
          • A network or system penetration occurs when an outsider gains access to the network and changes settings within it.
          • Hackers attack using tools that take advantage of vulnerabilities in the security posture of the network, such as Trojans, rootkits and sniffers.
      • Denial-of-Service attacks
        • Aim at stopping legitimate requests to a network over the Internet by subjecting the network to illegitimate requests.
        • Occur when several systems take up useful network resources, thereby rendering the network inaccessible.
    • 1.4.3 Examples of Cyber Crime (Cont.)
      • Planting of viruses and worms
        • Viruses infect machines and seek to infect other vulnerable systems through applications such as an email client.
        • Worms seek to replicate themselves over the network, hogging resources as well as causing malfunctions.
        • Trojan horses and backdoors are programs that allow an intruder to retain access to a compromised machine.
    • 1.5 Reasons for Cyber Attacks
      • Motivations for cyber attacks
        • Experimentation and the desire of script kiddies to learn
        • Psychological needs – to leave a mark
        • Misguided trust in other individuals
        • Revenge and malicious reasons – the disgruntled employee
        • Desire to embarrass the target
        • Espionage – corporate and governmental
          • Paid to gain information
    • 1.6 Modes of Attack
      • Cyber crime falls into two categories depending on how the attack takes place
      • The two types of attack are:
        • Insider attacks
          • Attacks from an employee within the organization
        • External attacks
          • Attacks from outside, by persons who are not within the company
          • These may involve hackers hired by either an insider or an external entity whose aim is to destroy a competitor’s reputation.
    • 1.7 Role of Computer Forensics
    • 1.7.1 Stages of Forensic Investigation in Tracking Computer Crime
      • Identifying the crime
      • Gathering the evidence
      • Building a chain of custody
        • At this stage the data has been recovered
        • Once recovered, the data must be duplicated or replicated.
      • Analyzing the evidence – use the duplicate
      • Presenting the evidence
      • Testifying
      • Prosecution
        • At this stage the computer forensics investigator must act as an expert witness
    • 1.7.1 Stages of Forensic Investigation in Tracking Computer Crime (Cont.)
        • An expert witness
          • A person who can investigate a particular case, evaluate all findings, and educate the jury about his/her findings.
          • His/her most important function is to present all the findings of the case in court.
          • When functioning as an expert witness, the forensic investigator is the actual tool that law enforcement agencies around the world use to track and prosecute cyber criminals.
    • 1.7.2 Rules of Computer Forensics
      • A good forensic investigator should always follow these rules:
        • Minimize examination of the original evidence
          • Instead, examine the duplicate
        • Obey the rules of evidence and do not tamper with the evidence
        • Always prepare a chain of custody, and handle evidence with care
        • Never exceed the knowledge base of the forensic investigation
        • Document any changes in evidence
    • 1.7.3 The 3 As of Computer Forensics Methodology
      • The 3 As of computer forensics methodology
        • Acquire evidence without modification or corruption
        • Authenticate that the recovered evidence is the same as the originally seized data
        • Analyze data without any alterations
    • 1.7.4 Accessing Computer Forensics Resources
      • Accessing computer forensics resources
        • Resources can be found by joining discussion groups such as:
          • Computer Technology Investigators Northwest (CTIN)
          • High Technology Crime Investigation Association (HTCIA)
        • Joining a network of computer forensic experts and other professionals
        • News services devoted to computer forensics can also be a powerful resource
        • Other resources:
          • Journals of forensic investigators
          • Actual case studies
    • 1.7.5 Preparing for Computer Investigations
      • Computing investigations fall into two distinct categories:
        • Public investigations
        • Corporate investigations
      • Public (law enforcement agency) investigations consider:
        • The tools used to commit the crime
        • The reason for the crime
        • The type of crime
        • Infringement of someone else’s rights, e.g. by cyberstalking
    • 1.7.5 Preparing for Computer Investigations (Cont.)
        • Corporate investigations:
          • Involve private companies addressing company policy violations and litigation disputes
          • Company operations should continue without interruption from the investigation
          • After the investigation the company should minimize or eliminate similar litigation
          • Industrial espionage is the foremost crime in corporate investigations
    • 1.7.6 Investigation Process
      • Identification: detecting/identifying the event/crime.
        • Assess the case, ask people questions, and document the results in an effort to identify the crime and the location of the evidence
      • Preservation of evidence: chain of custody/evidence, documentation.
        • A chain of custody/evidence must be prepared so that it is known who handled the evidence, and every step taken by the forensic investigator must be documented for inclusion in the final report.
        • Sometimes a computer and its related evidence can establish for the investigator the chain of events leading to a crime, as well as provide the evidence that can lead to a conviction.
    • 1.7.6 Investigation Process (Cont.)
        • Chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court
          • Who collected it?
          • How and where?
          • Who took possession of it?
          • How was it stored and protected?
          • Who took it out of storage, and why?
    • 1.7.6 Investigation Process (Cont.)
      • Collection: data recovery, evidence collection.
        • Finding the evidence, discovering relevant data, preparing an order of volatility, eliminating external avenues of alteration, gathering the evidence, and preparing a chain of custody
        • Create an MD5 hash of the evidence collected (today a SHA-256 hash is recorded alongside it, since MD5 collisions are practical)
        • Prior to collection, do a preliminary assessment to search for the evidence.
        • Collect and seize the equipment used in committing the crime, and document the items collected, such as floppy disks, thumb drives, CDs, DVDs and external backup drives.
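The 3 As (1.7.3: acquire without modification, authenticate the duplicate against the original, analyze only the duplicate), the chain-of-custody questions (who collected it, who took possession, how it was stored) and the hashing step in Collection above, carried out in one added example that is not code from the original slides. The "device" is a constructed temporary file, the examiner names, evidence id and location are invented, and the JSON Lines custody format with its hash-chained entries is this example's own design. MD5 is computed because the slides call for it; SHA-256 is recorded alongside it because MD5 collisions are practical and a stronger hash may be demanded in court.

```python
"""Acquire, authenticate, analyze: streamed imaging with hashes plus a
hash-chained chain-of-custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20            # 1 MiB reads: a whole device is never loaded into memory
ALGOS = ("md5", "sha256")  # MD5 as the slides ask; SHA-256 alongside it
GENESIS = "0" * 64         # prev_hash of the first custody entry


def _stream(src_path, dst_path=None):
    """Hash every byte of src_path; with dst_path, also write the bytes out, so the
    reference hash is computed from the original media during imaging."""
    hs = {n: hashlib.new(n) for n in ALGOS}
    with open(src_path, "rb") as src, open(dst_path or os.devnull, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            for h in hs.values():
                h.update(chunk)
            dst.write(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def acquire(source, image):
    """Acquire: bit-for-bit copy; the duplicate is made read-only for analysis."""
    reference = _stream(source, image)
    os.chmod(image, 0o444)
    return reference


def authenticate(image, reference):
    """Authenticate: every recorded hash of the copy must match the original."""
    actual = _stream(image)
    return all(actual[n] == reference[n] for n in reference)


class CustodyLog:
    """Append-only JSON Lines record; each entry carries the SHA-256 of the
    previous one, so an edited or removed entry is caught by verify_chain()."""
    def __init__(self, path):
        self.path = path

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, action, handler, location, evidence_id, hashes):
        prev = self.entries()
        entry = {"when": datetime.now(timezone.utc).isoformat(), "action": action,
                 "handler": handler, "location": location, "evidence_id": evidence_id,
                 "hashes": hashes, "prev_hash": prev[-1]["entry_hash"] if prev else GENESIS}
        entry["entry_hash"] = self._digest(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry["entry_hash"]

    def verify_chain(self):
        """True only if every entry links to its predecessor and is unmodified."""
        prev = GENESIS
        for e in self.entries():
            stored = e.pop("entry_hash")
            if e["prev_hash"] != prev or self._digest(e) != stored:
                return False
            prev = stored
        return True


def run_demo(workdir=None):
    """Constructed end-to-end run: image a fake device, log custody, then show that
    an altered working copy fails authentication and an edited log breaks the chain."""
    workdir = workdir or tempfile.mkdtemp(prefix="cf_demo_")
    device, image = os.path.join(workdir, "device.bin"), os.path.join(workdir, "device.dd")
    with open(device, "wb") as f:              # 3 MiB of patterned bytes stands in for a drive
        f.write(bytes(range(256)) * (3 * 4096))
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    reference = acquire(device, image)
    log.record("imaged", "Examiner A", "Lab bench 2", "EV-001", reference)
    authenticated = authenticate(image, reference)
    log.record("verified", "Examiner A", "Lab bench 2", "EV-001", _stream(image))

    altered = os.path.join(workdir, "altered.dd")   # working copy with its last byte changed
    with open(image, "rb") as src, open(altered, "wb") as dst:
        dst.write(src.read()[:-1] + b"\x00")

    rows = log.entries()
    rows[0]["handler"] = "Examiner B"               # edit a field but keep the stored entry_hash
    tampered = CustodyLog(os.path.join(workdir, "custody_tampered.jsonl"))
    with open(tampered.path, "w") as f:
        f.writelines(json.dumps(r, sort_keys=True) + "\n" for r in rows)

    return {"authenticated": authenticated,
            "altered_authenticated": authenticate(altered, reference),
            "chain_ok": log.verify_chain(),
            "tampered_chain_ok": tampered.verify_chain(),
            "entries": len(rows)}


if __name__ == "__main__":
    print(run_demo())
```

Hashing while imaging, rather than hashing the copy afterwards, is what makes the recorded value a statement about the original media; the read-only duplicate is the one analysis touches, and any later rehash that disagrees with the custody entry is evidence of alteration rather than a mystery. Chaining the custody entries does not replace signatures or a write-once store, but it does turn a quiet edit of one entry into a verifiable break.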
    • 1.7.6 Investigation Process (Cont.)
        • Take photographs of the crime scene before removing the evidence, using a single-lens reflex (SLR) camera.
      • Examination: tracing, filtering, extracting hidden data.
        • Review registers and cache, routing tables, the ARP cache, process tables, and kernel statistics and modules
      • Analysis
        • Analyzing the evidence
        • Can be carried out using various forensic analysis tools such as EnCase, AccessData FTK, etc.
    • 1.7.6 Investigation Process (Cont.)
      • Presentation: investigation report, expert witness
        • Include what was done and the results in the final report. This includes:
          • The who, what, when, where and how of the crime.
          • An explanation of the computer and network processes
          • The log files generated by forensic tools to keep track of all the steps taken.
      • Decision
        • Report
    • 1.7.7 Where and When Do You Use Computer Forensics
      • Use computer forensics when:
        • there is a need to provide real evidence, such as reading bar codes or magnetic tapes, to identify the occurrence of electronic transactions, and to reconstruct an incident with its sequence of events.
        • a breach of contract occurs, copyright or intellectual property theft/misuse happens, or during employee disputes where there is damage to resources.
    • 1.7.8 Maintaining Professional Conduct
      • Professional conduct determines the credibility of a forensic investigator
      • Investigators must display the highest level of ethics and moral integrity
      • Maintaining objectivity
        • Sustain unbiased opinions of your cases
      • Confidentiality is an essential quality which all forensic investigators must display
      • Avoid drawing conclusions about the findings until all reasonable leads have been exhausted
      • Consider all the available facts
      • Ignore external biases to maintain the integrity of the fact-finding in all investigations
    • 1.7.8 Maintaining Professional Conduct (Cont.)
      • Discuss the case at hand only with persons who have the right to know
      • Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
      • Learn about the latest investigation techniques that can be applied to the case
      • Record fact-finding methods in a journal
        • Include dates and important details that serve as memory triggers
        • Develop a routine of regularly reviewing the journal to keep past achievements fresh
    • 1.7.8 Maintaining Professional Conduct (Cont.)
      • Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
      • Monitor the latest book releases and read as much as possible about computer investigations and forensics
    • Summary
      • The need for computer forensics has grown to a large extent due to the prevalence of digital documents
      • It differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective
      • A computer can be used as a tool for investigation or as evidence
      • Minimize the option of examining the original evidence
      • 3A’s of Computer forensics methodologies are – Acquire, Authenticate, and Analyze
      • A computer forensic investigator must be aware of the steps involved in the investigative process
    • Summary (Cont.)
      • To be successful, you must be familiar with more than one computing platform
      • To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals
      • Public investigations typically require a search warrant before the digital evidence is seized
      • During public investigations, you search for evidence to support criminal allegations
      • During private investigations, search for evidence to support allegations of abuse of a company or person’s assets and, in some cases, criminal complaints
      • Forensics investigators must maintain an impeccable reputation to protect credibility
    • Summary (Cont.)
      • Most information is stored on hard disks, floppy disks, and CD-ROMs in a nonvolatile manner
      • Peripheral components (video adapter cards, sound cards, mice, keyboards, NICs) attach to the mainboard via an expansion slot or port
      • All peripherals must have a unique IRQ and I/O address to communicate with the processor
      • Hardware information can be gathered from computer manuals, the BIOS, or other OSs
      • Computer forensics investigators must maintain professional conduct to protect their credibility
    • End of Chapter 1