Computer forensics (by Emory Casey Mullis)
Upcoming SlideShare
Loading in...5
×
 

Computer forensics (by Emory Casey Mullis)

on

  • 1,214 views

A famous entrepreneur +Guy Kawasaki once said that the only two reasons to start a business is to 1) right a wrong, or 2) prevent the end of something good. Only then, would we have the passion and ...

A famous entrepreneur +Guy Kawasaki once said that the only two reasons to start a business is to 1) right a wrong, or 2) prevent the end of something good. Only then, would we have the passion and clarity to endure the constant setbacks and rejections. Casey (+Emory Mullis) did a wonderful presentation today talking about cyber investigation and law enforcement. He asked a simple question: How far would you go to prove someone's innocence or to prosecute a known criminal (especially a child pornographer or child molester)? The answer is simple, "You never give up. You dig and dig until the Facts meet the Truth!" Computer forensics is much more than a technical challenge. We can't afford bystanders when our children's future is at stake.

Statistics

Views

Total Views
1,214
Views on SlideShare
1,108
Embed Views
106

Actions

Likes
0
Downloads
6
Comments
0

3 Embeds 106

http://www.lovemytool.com 99
http://feeds.feedburner.com 6
http://www.newsblur.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Give a brief overview of the presentation. Describe the major focus of the presentation and why it is important.Introduce each of the major topics.To provide a road map for the audience, you can repeat this Overview slide throughout the presentation, highlighting the particular topic you will discuss next.
  • This is another option for an Overview slides using transitions.
  • This is another option for an Overview slide.
  • What will the audience be able to do after this training is complete? Briefly describe each objective how the audiencewill benefit from this presentation.
  • Use a section header for each of the topics, so there is a clear transition to the audience.
  • Add slides to each topic section as necessary, including slides with tables, graphs, and images. See next section for sampletable, graph, image, and video layouts.
  • Keep it brief. Make your text as brief as possible to maintain a larger font size.
  • Add a case study or class simulation to encourage discussion and apply lessons.
  • Discuss outcomes of the case study or class simulation.Cover best practices.
  • Summarize presentation content by restating the important points from the lessons.What do you want the audience to remember when they leave your presentation?Save your presentation to a video for easy distribution (To create a video, click the File tab, and then click Share.  Under File Types, click Create a Video.)

Computer forensics (by Emory Casey Mullis) Computer forensics (by Emory Casey Mullis) Presentation Transcript

  • COMPUTER FORENSICS HOW FAR DO YOU GO?WHEN DO YOU GIVE UP? Emory “Casey” Mullis February 16th, 2013
  • Brief Introduction• Custom Building Computers for over 15 years• Trained at FLETC (Federal Law Enforcement Training Center)• Trained at GBI (Georgia Bureau of Investigation)• Trained Online and Training DVD’s• Designed and Setup Computer Lab for Coweta County Sheriff’s Office• Conducted Computer Forensics for Coweta County Sheriff’s Office and other agencies• Self Motivated in the area of Computer Forensics & Google• My passion is fulfilled by “GOOGLE”
  • When do you give up? View slide
  • This is for illustration purposes only. Data Evidence can be foundin all types of cases. This goes for Criminal and Civil cases.If you or a family member werethe victim of a sex crime orfraud over the internet and youwere tasked with finding theevidence on a suspectmachine, how far do you go? View slide
  • If you were a suspect in a crimeand you know you wereinnocent. How far would youwant the authorities to go?What corners would you wantthem to cut?
  • I will be the first to tell you the following: “You dig and dig until the Facts meet the Truth!”Because in todays digital world,the Facts are not always the Truth!
  • WORLD NEWS… 1 • Hackers Go Wild, CNET • President Bush Email 2 Hacked • Anonymous Hacks IRS 3 Database
  • Personal Experience…iPhone (Child Molestation Case)In this case we had a Federal Agencylook at the cell phone but they did notfind anything, so they said and sent backnothing.My gut instinct lead me to do a completeforensic exam at which time I foundimages a child described, in a hiddenlocation created by an app.This suspect almost got away with childmolestation, because the InvestigatingOfficer did not have any evidence tomove forward in the case.
  • Dell Computer Tower (Corruption and Obstruction)In this case it was alleged that an officer(s) had altered police records.Through my examination of the computer, I found that the accountson the system had been hacked / compromised.Based on the facts at hand it appeared that one or all of the officer(s)did in fact commit a crime. Due to a persistent computer forensicexaminer, the facts eventually met the truth.
  • The technology issues of todayIn today’s world with technology gettingsmaller and faster, it is easier and easier forsomeone to make it look like you didsomething, you did not.On the flip side of the coin because oftechnology, it is easier to hide a criminal actfrom prying eyes. So it takes skilledcomputer analysis to uncover the facts andtruth in a case. There are many ways to senda spoofed text message and make it looklike someone else did it.There are open source tools to spoof an IPAddress or even the MAC Address. How doI know these things? GOOGLE! & TRAINING!This is a Very Small example because we donot have time to talk about everything.
  • New MacBook ProRecently I was asked to assist another agencywith the imaging of a new model MacBook Pro.As you can see below, there are onlyUSB 3.0 and Thunderbolt connections.Now What? Do you give up?What about pulling the hard drive? Lets look at that.
  • New MacBook Pro Hard DriveImaging the hard drive is a good thought, if you knowhow to pull this type of drive and image it. Oh yeah, youhave to have the adapter also, if there is one. This is new!
  • Blackbag Technology There is no CD/DVD Rom to boot from, so Paladin and Raptor are out of the question. The only other tool at hand was Blackbag’s “MacQuasition”, which is a bootable USB drive. When you boot with this tool, the Mac would freeze. Now what? Do you give up? NO! We called Blackbag Tech Support and found out that this model was to new and MacQuasition did not support it. Tech Support did give us an option. We needed to by an adapter to convert from Thunderbolt to Firewire. We also needed another Mac with Firewire. Just so happen I had one and it was an older model that is supported by MacQuasition .
  • AdapterThe adapter to the rightwas purchased at a MacStore.This adapter allowed us todo a cross over connectionto a secondary MacBookcomputer, with the suspectcomputer set in targetmode.
  • Technology• Changes Fast• Getting Smaller• Getting Faster• Getting Cheaper• Getting EasierDo we give up or persevereto find Solutions?There are no problems,Only Solutions!
  • MacBook Imaged, How?1. Set suspect machine in “T”arget mode by booting the machine and holding the “T” key down.2. Connect the thunderbolt to Firewire cable to suspect machine.3. Run Firewire cable from adapter on suspect machine to your Macbook Firewire port.4. Plug Blackbag MacQuasition in to your Macbook.5. Turn your Macbook on and hold down the “Option”/”Alt” key down6. Select the MacQuasition USB drive from the list on your Macbook7. MacQuasition will see the connected (Suspect) computer in target mode. This gives you complete access to the hard drive in a forensically sound manner8. Connect external storage media to your computer and mount as read/write to dump suspect hard drive image to.
  • Follow UpNow as a follow up and for your edificationMacQuasition will have an update soon thatwill support the newer model Macbook’s.Another option on the market and FREE isPaladin and Raptor.Never give up, not while freedom is on the line.Give it everything you got and then when youthink you have done everything You can, call acouple other people to see if they have anyideas. Remember in this digital age “No oneperson can know it all. We need each other.”
  • QUESTIONS?