Computer forensics published version cwru 02242011
Learn about computer fraud with this presentation by computer forensics experts at JurInnov (www.jurinnov.com).


Published in: Technology
  • Speaker note: A sector is the smallest addressable container on a drive (sector = 512 bytes). A cluster is a series of sectors; cluster size is determined by the operating system and is related to the total size of the drive partition. On a floppy diskette, 1 sector = 1 cluster.
  • Transcript

    • 1. Case Western Reserve University
      • Computer Fraud
      • February 24, 2011
      • Timothy M. Opsitnick, Esq., Senior Partner and General Counsel, JurInnov Ltd.
      • John Liptak, ACE, Computer Forensics Analyst
      • © 2010 Property of JurInnov Ltd. All Rights Reserved
    • 2. Who Are We?
      JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
      • Electronic Discovery
      • Computer Forensics
      • Document and Case Management
      • Computer & Information Security
    • 3. Presentation Overview
      • Understanding Computing Environments
      • Collecting Electronically Stored Information
      • Forensic Analysis Demonstration
      • Types of Cases When Forensics Are Useful
    • 4. What is Computer Forensics?
      Computer Forensics is a scientific, systematic inspection of the computer system and its contents, utilizing specialized techniques and tools for the recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to the reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel.
    • 5. Types of “ESI”
      • E-mail
      • Office Files
      • Database
      • Ephemeral
      • Legacy Systems
      • Metadata
    • 6. Sources of “ESI”
      • Desktops
      • Laptops
      • CDs/DVDs
      • Network Attached Storage Devices (NAS)
      • Storage Area Networks (SAN)
      • Servers
      • Databases
      • Backup Tapes
      • E-Mail
      • Archives
      • Cell Phones/PDAs
      • Thumb Drives
      • Memory Cards
      • External Storage Devices
      • Cameras
      • Printers
      • GPS Devices
    • 7. Why Computer Forensics?
      Reasons to use Computer Forensics:
      • Internal Company Investigations
        • Alleged criminal activity
        • Civil or Regulatory Preservation
        • Receivership, Bankruptcy
        • EEO issues
        • Improper use of company assets
      • Recovery of Accidentally or Intentionally Deleted Data
        • Deleted is not necessarily deleted
        • Recovery from improper shutdowns
    • 8. Types of Computer Fraud
      • Fraud by computer manipulation
        • Program or data manipulation
      • Common internal computer fraud schemes
        • Billing schemes
        • Inventory fraud
        • Payroll fraud
        • Skimming
        • Check tampering
        • Register schemes
    • 9. Types of Computer Fraud
      • Fraud by damage to or modification of computer data or programs
        • Economic advantage over a competitor
        • Theft of data or programs
        • Holding data for ransom
        • Sabotage
      • Common external computer fraud schemes
        • Telecommunications fraud
        • Hacking
        • Internet fraud
        • Software piracy
    • 10. How Does a Computer Operate?
      • Hardware
        • Processor
        • Memory (RAM)
        • Hard Drive
        • CD/DVD Drive
        • Motherboard
        • Mouse/Keyboard
      • Software
        • Operating System
        • Applications
    • 11. How Does a Computer Operate?
      • How is data stored on a hard drive?
      • How is data “deleted” by the operating system?
    • 12. (image-only slide; no transcript text)
    • 13. (image-only slide; no transcript text)
    • 14. (image-only slide; no transcript text)
    • 15. Collecting “ESI”
      • “Let’s let the IT staff do it.”
      • Forensic Harvesting
      • What is a forensic copy?
    • 16. Collecting “ESI”
      Forensic Harvesting - Logical v Physical
      • Logical / “Ghost” copy (Active Files)
        • Data that is visible via the O.S.
      • Physical
        • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
    • 17. (image-only slide; no transcript text)
    • 18. Collecting “ESI”
      • Network Harvest
      • E-Mail Harvest
      • Cell Phone / Device Seizure
    • 19. Computer Forensics Process
      • Interview Process/Needs Analysis
      • Maintaining Chain of Custody
      • Photograph Evidence
      • Record Evidence Information (users, S/Ns, etc.)
      • BIOS/CMOS Time
      • Utilize Sanitized (“Wiped”) Drives
      • Write Blocker
      • On-Site Acquisition
      • Forensic Lab Acquisition
    • 20. Acquisition (Data Harvest)
      • Software Tools
        • EnCase (Guidance Software)
        • Forensic Toolkit (FTK) (AccessData)
        • Device Seizure (Paraben)
        • Network Email Examiner (Paraben)
      • Hardware Tools
        • Write Blockers (Tableau)
        • Talon (Logicube)
        • Cell-Dek (Logicube)
    • 21. Types of Data Acquisitions
      • Image Types
        • EnCase Image (.E01)
        • DD Image (Linux)
        • Custom Content Image (.AD1)
      • ESI Locations
        • Hard Drives
        • Network Shares/Department Shares/Public Shares
        • Server E-Mail
        • Server Acquisition (On/Off)
        • Cell Phone/PDA
        • Thumb Drive/External Media
    • 22. Forensic Considerations
      • Transfer Speeds
        • USB
        • FireWire
        • IDE
        • SATA/eSATA
      • Image Verification - MD5 Hash Values
      • Work Copies
      • Inventory Management
    • 23. Forensic Considerations
      Presentation Suspect Images (evidence file details):
        Description: Physical Disk, 39102336 Sectors, 18.6GB
        Physical Size: 512
        Starting Extent: 1S0
        Name: Presentation Suspect Images
        Actual Date: 03/24/09 03:17:21PM
        Target Date: 03/24/09 03:17:21PM
        File Path: E:\Presentation image.E01
        Case Number: Presentation Drive
        Evidence Number: Presentation Suspect Images
        Examiner Name: Stephen W. St.Pierre
        Drive Type: Fixed
        File Integrity: Completely Verified, 0 Errors
        Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
        Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
        GUID: 04d345276275524c8a111824be6eb170
        EnCase Version: 5.05j
        System Version: Windows 2003 Server
        Total Size: 20,020,396,032 bytes (18.6GB)
        Total Sectors: 39,102,336
    • 24. Forensic Considerations
      Creating a work copy of the original backup image. Evidence Mover log:
        03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01
         Destination file: G:\Evidence\Presentation image.E01.
         Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678
        03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02
         Destination file: G:\Evidence\Presentation image.E02.
         Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842
        03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03
         Destination file: G:\Evidence\Presentation image.E03.
         Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917
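Slide 22 calls for MD5 image verification and work copies, and slide 24 shows the Evidence Mover log written when a work copy is made. The Python below is an added example written for this page; it is not Evidence Mover, EnCase or JurInnov code. It streams each file through a digest, copies it, re-hashes the destination and produces log lines in the same shape as the slide, then corrupts one work copy to show that re-verification catches the change. The segment file names, their contents and therefore every hash value it produces are constructed, and the function names (`hash_file`, `hash_bytes`, `copy_and_verify`, `verify_work_copy`, `verification_demo`) are mine. Two points worth keeping in mind when reading the slides: the acquisition hash on slide 23 is computed over the acquired sectors, whereas Evidence Mover hashes each .E01 segment file, so the two sets of values are not expected to match; and MD5 is still the conventional verification hash in these tools even though it is no longer collision-resistant, which is why the algorithm is a parameter here so a SHA-256 value can be recorded alongside it.

```python
"""Copy evidence image segments to a work location and verify them by hash,
logging in the style of the Evidence Mover entries on slide 24.  Added example:
file names, segment contents and the resulting digests are constructed."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


def hash_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Digest of in-memory data (the shape of an acquisition hash over raw sectors)."""
    return hashlib.new(algorithm, data).hexdigest().upper()


def hash_file(path: str, algorithm: str = "md5", chunk: int = 1 << 20) -> str:
    """Stream the file through the digest so a multi-GB image is never read into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def copy_and_verify(src: str, dst: str, algorithm: str = "md5", attempts: int = 3):
    """Copy src to dst; accept only when the destination digest equals the source digest.
    Returns (ok, log_lines) with log lines shaped like the slide 24 Evidence Mover log."""
    src_hash = hash_file(src, algorithm)
    log = []
    for attempt in range(1, attempts + 1):
        shutil.copyfile(src, dst)
        dst_hash = hash_file(dst, algorithm)
        stamp = datetime.now().strftime("%m/%d/%y %H:%M:%S")
        log += [f"{stamp} - Source file: {src}",
                f" Destination file: {dst}.",
                f" Attempt# {attempt} Hash :{dst_hash}"]
        if dst_hash == src_hash:
            return True, log
        log.append(f" Attempt# {attempt} MISMATCH: source hash {src_hash}")
    return False, log


def verify_work_copy(original: str, work_copy: str, algorithm: str = "md5") -> bool:
    """Re-check a work copy before analysis; any later edit or disk error shows up here."""
    return hash_file(original, algorithm) == hash_file(work_copy, algorithm)


def verification_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "Evidence")
        work = os.path.join(tmp, "Work")
        os.makedirs(evidence)
        os.makedirs(work)
        results, log = {}, []
        for n in (1, 2, 3):
            # constructed stand-ins for the Presentation image.E01..E03 segments
            name = f"Presentation image.E0{n}"
            src = os.path.join(evidence, name)
            with open(src, "wb") as f:
                f.write(bytes([n]) * 4096 + b"constructed segment payload")
            ok, lines = copy_and_verify(src, os.path.join(work, name))
            results[name] = ok
            log += lines
        # simulate a damaged work copy: flip one byte of E02, then re-verify it
        bad = os.path.join(work, "Presentation image.E02")
        with open(bad, "r+b") as f:
            f.seek(10)
            f.write(b"\xFF")
        tampered_detected = not verify_work_copy(
            os.path.join(evidence, "Presentation image.E02"), bad)
        return {"all_verified": all(results.values()),
                "tampered_detected": tampered_detected,
                "log": log}


if __name__ == "__main__":
    out = verification_demo()
    print("\n".join(out["log"]))
    print("all verified:", out["all_verified"], "| tampered copy detected:", out["tampered_detected"])
```

In practice the source hash is computed once at acquisition (the "Acquisition Hash" on slide 23) and every later copy is compared back to it; the loop above only retries the copy, it never re-derives the reference value from the destination.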
    • 25. Forensic Considerations
      • Windows Encryption
        • Encrypting File System (XP)
        • BitLocker (Vista & Windows 7)
      • Other Hardware or Software Encryption
        • Laptop hard drives
        • e.g., TrueCrypt
    • 26. Forensic Analysis
      • Indexing
      • Key Word Searching
      • Filters
        • AND/OR/NOT
        • Date Range
        • Specific File Types
    • 27. Forensic Analysis
      • Deletion
        • Deleted Documents
        • Recycle Bin (Deleted Dates / INFO2)
        • Data Carving
        • Unallocated Space
        • Hard Drive Wiping
      • Signature Analysis: File Extension vs. File Signature
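Two of the slide 27 items, data carving from unallocated space and signature analysis (file extension vs. file signature), are easy to show in code. The following Python is an added example, not the presenters' code or any forensic suite's implementation: `SIGNATURES` holds a small subset of well-known magic numbers, and the "unallocated" buffer in `carving_demo` is assembled inline from constructed fragments (including a PNG whose footer was overwritten), so nothing here comes from a real drive. The function names `identify`, `signature_check` and `carve` are mine.

```python
"""Signature analysis (claimed extension vs. magic bytes) and header/footer
carving over a constructed block of 'unallocated' bytes.  Added example; the
signature table is a small subset of well-known magic numbers."""

# type -> (header, footer or None when the format has no reliable trailer)
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),   # docx/xlsx/pptx are zip containers
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(data: bytes):
    """Return the type whose header the data starts with, or None."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def signature_check(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the real signature.  A mismatch is the
    classic renamed-file indicator (e.g. a PDF saved as invoice.jpg)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is None:
        return "unknown signature"
    if actual == ext:
        return "match"
    return f"mismatch: .{ext} extension but {actual} signature"


def carve(unallocated: bytes, max_size: int = 1 << 20) -> list:
    """Header/footer carving.  For every header hit, take bytes up to and including
    the next footer; when no footer follows (or the type has none) take up to
    max_size, which still recovers the readable part of a partly overwritten file."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := unallocated.find(header, pos)) >= 0:
            end = min(start + max_size, len(unallocated))
            if footer is not None:
                j = unallocated.find(footer, start + len(header))
                if 0 <= j < end:
                    end = j + len(footer)
            found.append((start, kind, unallocated[start:end]))
            pos = start + len(header)
    return sorted(found)


def carving_demo() -> dict:
    # constructed fragments laid out with filler, as remnants sit in free space
    jpeg = b"\xFF\xD8\xFF\xE0" + b"constructed JPEG payload" + b"\xFF\xD9"
    pdf = b"%PDF-1.4\nconstructed PDF body\n%%EOF"
    png_truncated = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-but-truncated"  # footer gone
    unallocated = b"\x00" * 100 + jpeg + b"\x00" * 50 + pdf + b"\x00" * 25 + png_truncated

    checks = {
        "photo.jpeg": signature_check("photo.jpeg", jpeg),
        "invoice.jpg": signature_check("invoice.jpg", pdf),        # PDF renamed to .jpg
        "q1.xlsx": signature_check("q1.xlsx", b"PK\x03\x04" + b"constructed zip"),
        "notes.txt": signature_check("notes.txt", b"plain text"),
    }
    carved = [(offset, kind, len(blob)) for offset, kind, blob in carve(unallocated)]
    return {"checks": checks, "carved": carved}


if __name__ == "__main__":
    out = carving_demo()
    for name, verdict in out["checks"].items():
        print(f"{name}: {verdict}")
    for offset, kind, size in out["carved"]:
        print(f"carved {kind} at offset {offset}, {size} bytes")
```

Real carvers add per-format length fields and sanity checks (a JPEG footer inside an embedded thumbnail, a zip central directory) because header/footer scanning alone over-carves; the truncated PNG case above shows why a carved object is a lead, not a verified file, until it is parsed.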
    • 28. Forensic Analysis
      • File Hash Analysis: Comparing Files
      • Image Review/Analysis
      • Internet History Analysis
      • Analysis Examples …
    • 29. Registry Overview
      • Windows Registry – central database of the configuration data for the OS and applications.
      • Gold mine of forensic evidence
      • Registry Hive Keys
        • Software
        • System
        • SAM (Security Account Manager)
        • NTUSER.dat
    • 30. Registry – Software
      • What Operating System Is Installed?
      • Date/Time OS Installed
      • Product ID for Installed OS
      • Programs That Run Automatically at Startup (Place to Hide a Virus)
      • Profiles
    • 31. Registry – System
      • Mounted Devices
      • Computer Name
      • USB Plugged-In Devices (USBSTOR)
      • Last System SHUT DOWN Time
      • Time Zone
    • 32. Registry – SAM & NTUSER.DAT
      • SAM
        • Local Accounts
      • NTUSER.DAT
        • Network Assigned Drive Letters
        • Typed URLs (websites)
        • Last Clean Shutdown Date/Time
        • Usernames and Passwords
        • Recent Documents
      • Registry examples …
    • 33. Unallocated Space Analysis
      • Unallocated Space/Drive Free Space
      • File Slack
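The file slack and unallocated space on slide 33, the logical-versus-physical copy on slide 16, the speaker note on sectors and clusters, and "deleted is not necessarily deleted" on slide 7 all come together in a toy cluster-allocated volume. The Python below is an added example and not JurInnov's code or any real file system: the 512-byte sector, the 4-sector cluster, the `ToyVolume` class and the "ledger"/"memo" contents are constructed for illustration. It writes a two-cluster file, deletes it, writes a smaller file into the same first cluster, and then shows that a logical copy of active files contains none of the deleted data while the slack of the new file and the unallocated clusters still do, which is exactly what a physical image captures and a "Ghost" copy misses.

```python
"""Toy cluster-allocated volume: why a physical (sector-level) copy captures file
slack and unallocated space that a logical copy of active files never sees.
Added example; sizes, layout and file contents are constructed."""

SECTOR = 512                             # smallest addressable unit on the drive
SECTORS_PER_CLUSTER = 4                  # cluster size is chosen by the OS at format time
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 2048 bytes


def clusters_needed(size: int) -> int:
    """Ceiling division: a 600-byte file still consumes a whole cluster."""
    return -(-size // CLUSTER)


class ToyVolume:
    """Flat array of clusters plus a directory of {name: (first_cluster, size)}."""

    def __init__(self, clusters: int):
        self.disk = bytearray(CLUSTER * clusters)   # zero-filled, like a wiped drive
        self.directory = {}
        self.free = list(range(clusters))           # unallocated clusters

    def write(self, name: str, data: bytes) -> None:
        needed = clusters_needed(len(data))
        first = self.free[0]
        run = range(first, first + needed)
        if any(c not in self.free for c in run):
            raise RuntimeError("toy volume only allocates contiguous runs")
        for c in run:
            self.free.remove(c)
        off = first * CLUSTER
        # only len(data) bytes are overwritten; whatever the tail of the last
        # cluster held before this write stays there, and that tail is file slack
        self.disk[off:off + len(data)] = data
        self.directory[name] = (first, len(data))

    def delete(self, name: str) -> None:
        """Deleting drops the directory entry and frees the clusters; not one
        byte of content is touched."""
        first, size = self.directory.pop(name)
        self.free = sorted(self.free + list(range(first, first + clusters_needed(size))))

    def logical_copy(self) -> dict:
        """What a 'Ghost'-style copy of active files sees: name -> exact file bytes."""
        return {n: bytes(self.disk[c * CLUSTER:c * CLUSTER + s])
                for n, (c, s) in self.directory.items()}

    def file_slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        first, size = self.directory[name]
        end = first * CLUSTER + size
        cluster_end = (first + clusters_needed(size)) * CLUSTER
        return bytes(self.disk[end:cluster_end])

    def unallocated(self) -> bytes:
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)

    def physical_copy(self) -> bytes:
        """Every sector, allocated or not: what a forensic (physical) image contains."""
        return bytes(self.disk)


def slack_demo() -> dict:
    vol = ToyVolume(clusters=4)
    ledger = b"ACCT-4471 wire 25000 to VENDOR-X " * 90   # constructed; 2970 bytes -> 2 clusters
    vol.write("ledger.csv", ledger)
    vol.delete("ledger.csv")
    memo = b"Q1 status: nothing to report.\n" * 20        # constructed; 600 bytes -> 1 cluster
    vol.write("memo.txt", memo)                            # reuses cluster 0

    logical = vol.logical_copy()
    slack = vol.file_slack("memo.txt")
    marker = b"VENDOR-X"
    return {
        "logical_names": sorted(logical),
        "ledger_in_logical": any(marker in d for d in logical.values()),
        "ledger_in_slack": marker in slack,
        "ledger_in_unallocated": marker in vol.unallocated(),
        "ledger_in_physical": marker in vol.physical_copy(),
        "slack_bytes": len(slack),
    }


if __name__ == "__main__":
    for key, value in slack_demo().items():
        print(f"{key}: {value}")
```

The same mechanism is why wiping (slide 27) has to overwrite the sectors themselves, and why acquisition through a write blocker matters: mounting the drive normally can allocate clusters and overwrite exactly the residue an examiner is after.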
    • 34. Data Transfer Analysis
      • FTP
      • E-Mail
      • External Drives
      • Link Files (external/server)
      • Internet History
      • Webmail
      • Created/Accessed/Modified Dates
    • 35. Evidence/Analysis Reporting
      • FTK Report (HTML-based report)
      • Evidence Presentation
      • Final Expert Report
      • Interpretation of Report
      • Expert Testimony
    • 36. Forensic Analyst
      • Tips for Dealing With Your Forensics Analyst
      • What to Expect From a Forensics Analyst
        • Certifications
        • Training
        • Experience
        • Testimony
    • 37. Types of Cases When Forensics Are Useful…
      • Financial
        • Receivership
        • Bankruptcy
      • General Litigation
        • Commercial Litigation
        • Product Liability
      • Corporate
        • Regulatory (SEC, Second Requests, FTC)
        • Mergers/Acquisitions
    • 38. Types of Cases When Forensics Are Useful, cont.
      • Intellectual Property
        • Theft of Intellectual Property
        • Temporary Restraining Order (TRO)
        • Permanent Injunction
    • 39. Types of Cases When Forensics Are Useful, cont.
      • Labor/Employment
        • Violation of Non-Compete Agreements
        • Sexual Harassment
        • Age Discrimination
        • Fraud/Embezzlement
        • Other Violations of Company Policy
    • 40. Types of Cases When Forensics Are Useful, cont.
      • Domestic Relations
        • Divorce
        • Custody
      • Corporate Criminal
      • Other Criminal
    • 41. For assistance or additional information
      • Phone: 216-664-1100
      • Web: www.jurinnov.com
      • Email: tim.opsitnick@jurinnov.com, john.liptak@jurinnov.com
      • JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115
