Computer forensics published version cwru 02242011
Learn about computer fraud with this presentation by computer forensics experts at JurInnov (www.jurinnov.com).

  • Sector is the smallest addressable container on a drive. Sector = 512 bytes. Cluster is a series of sectors. Cluster size is determined by the operating system and is related to the total size of the drive partition. On a floppy diskette 1 sector = 1 cluster.

Presentation Transcript

  • Case Western Reserve University
    Computer Fraud
    February 24, 2011
    Timothy M. Opsitnick, Esq.
    Senior Partner and General Counsel
    JurInnov Ltd.
    John Liptak, ACE
    Computer Forensics Analyst
    © 2010 Property of JurInnov Ltd. All Rights Reserved
  • Who Are We?
    JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
    Electronic Discovery
    Computer Forensics
    Document and Case Management
    Computer & Information Security
    2
  • Presentation Overview
    Understanding Computing Environments
    Collecting Electronically Stored Information
    Forensic Analysis Demonstration
    Types of Cases When Forensics Are Useful
    3
  • What is Computer Forensics?
    Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
    4
  • Types of “ESI”
    E-mail
    Office Files
    Database
    Ephemeral
    Legacy Systems
    Metadata
    5
  • Sources of “ESI”
    Desktops
    Laptops
    CDs/DVDs
    Network Attached Storage Devices (NAS)
    Storage Area Networks (SAN)
    Servers
    Databases
    Backup Tapes
    E-Mail
    Archives
    Cell Phones/PDAs
    Thumb Drives
    Memory Cards
    External Storage Devices
    Cameras
    Printers
    GPS Devices
    6
  • Why Computer Forensics?
    Reasons to use Computer Forensics
    Internal Company Investigations
    Alleged criminal activity
    Civil or Regulatory Preservation
    Receivership, Bankruptcy
    EEO issues
    Improper use of company assets
    Recovery of Accidentally or Intentionally Deleted Data
    Deleted is not necessarily deleted
    Recovery from Improper shutdowns
    7
  • Types of Computer Fraud
    Fraud by computer manipulation
    Program or data manipulation
    Common internal computer fraud schemes
    Billing schemes
    Inventory fraud
    Payroll fraud
    Skimming
    Check tampering
    Register schemes
    8
  • Types of Computer Fraud
    Fraud by damage to or modification of computer data or programs
    Economic advantage over a competitor
    Theft of data or programs
    Holding data for ransom
    Sabotage
    Common external computer fraud schemes
    Telecommunications fraud
    Hacking
    Internet fraud
    Software piracy
    9
  • How Does a Computer Operate?
    Hardware
    Processor
    Memory (RAM)
    Hard Drive
    CD/DVD Drive
    Motherboard
    Mouse/Keyboard
    Software
    Operating System
    Applications
    10
  • How Does a Computer Operate?
    How is data stored on a hard drive?
    How is data “deleted” by the operating system?
    11
  • 12
  • 13
  • 14
  • Collecting “ESI”
    “Let’s let the IT staff do it.”
    Forensic Harvesting
    What is a forensic copy?
    15
  • Collecting “ESI”
    Forensic Harvesting - Logical vs. Physical
    Logical / “Ghost” copy (Active Files)
    Data that is visible via the O.S.
    Physical
    Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
    16
  • 17
  • Collecting “ESI”
    Network Harvest
    E-Mail Harvest
    Cell Phone / Device Seizure
    18
  • Computer Forensics Process
    Interview Process/Needs Analysis
    Maintaining Chain of Custody
    Photograph Evidence
    Record Evidence Information (users, S/Ns, etc.)
    BIOS/CMOS Time
    Utilize Sanitized (“Wiped”) Drives
    Write Blocker
    On-Site Acquisition
    Forensic Lab Acquisition
    19
  • Acquisition (Data Harvest)
    Software Tools
    EnCase (Guidance Software)
    Forensic Tool Kit (AccessData)
    Device Seizure (Paraben)
    Network Email Examiner (Paraben)
    Hardware Tools
    Write Blockers (Tableau)
    Talon (Logicube)
    Cell-Dek (Logicube)
    20
  • Types of Data Acquisitions
    Image Types
    EnCase Image (.E01)
    DD Image (Linux)
    Custom Content Image (.AD1)
    ESI Locations
    Hard Drives
    Network Shares/Department Shares/Public Shares
    Server E-Mail
    Server Acquisition (On/Off)
    Cell Phone/PDA
    Thumb Drive/External Media
    21
  • Forensic Considerations
    Transfer Speeds
    USB
    FireWire
    IDE
    SATA/eSATA
    Image Verification - MD5 Hash Values
    Work Copies
    Inventory Management
    22
  • Forensic Considerations
    Presentation Suspect Images
    Description: Physical Disk, 39102336 Sectors, 18.6GB
    Physical Size: 512
    Starting Extent: 1S0
    Name: Presentation Suspect Images
    Actual Date: 03/24/09 03:17:21PM
    Target Date: 03/24/09 03:17:21PM
    File Path: E:\Presentation image.E01
    Case Number: Presentation Drive
    Evidence Number: Presentation Suspect Images
    Examiner Name: Stephen W. St.Pierre
    Drive Type: Fixed
    File Integrity: Completely Verified, 0 Errors
    Acquisition Hash:5cfa3830c3af83741da4f9adcfb896e1
    Verify Hash:5cfa3830c3af83741da4f9adcfb896e1
    GUID: 04d345276275524c8a111824be6eb170
    EnCase Version: 5.05j
    System Version: Windows 2003 Server
    Total Size: 20,020,396,032 bytes (18.6GB)
    Total Sectors: 39,102,336
    23
  • Forensic Considerations
    Creating Work copy of original Backup Image
    Evidence Mover Log:
    03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01
    Destination file: G:\Evidence\Presentation image.E01.
    Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678
    03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02
    Destination file: G:\Evidence\Presentation image.E02.
    Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842
    03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03
    Destination file: G:\Evidence\Presentation image.E03.
    Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917
    24
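The two Forensic Considerations slides above show an image whose acquisition hash matches its verification hash, and a copy log that records a hash for each .E01/.E02/.E03 segment as the work copy is made. The script below is an added example, not JurInnov's code or output: it streams files through hashlib the way an imaging tool would, compares the acquisition and verification digests, checks a work copy segment by segment, and parses log lines in the slide's format. The segment files, the corrupted copy and the log text are constructed here; MD5 is used because that is what the slide shows, and `algorithm="sha256"` works the same way.

```python
"""Added example (not from the presentation): verifying a forensic image and its work copy by hash."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_file(path, algorithm="md5"):
    """Stream a file through hashlib and return the lowercase hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, acquisition_hash, algorithm="md5"):
    """Return (ok, verify_hash): ok is True only when the digest computed now equals
    the digest recorded at acquisition time (the tool output may be upper case)."""
    verify_hash = hash_file(path, algorithm)
    return verify_hash == acquisition_hash.lower(), verify_hash


def verify_work_copy(source_segments, destination_segments, algorithm="md5"):
    """Hash each source segment and its copy (E01, E02, ...), as a copy log does.
    Returns (segment_name, source_hash, copy_hash, match) per segment."""
    results = []
    for src, dst in zip(source_segments, destination_segments):
        s, d = hash_file(src, algorithm), hash_file(dst, algorithm)
        results.append((Path(src).name, s, d, s == d))
    return results


# Matches the "Attempt# 1 Hash :<32 hex>" lines from the slide's log format
LOG_LINE = re.compile(r"Attempt# (\d+) Hash :([0-9A-Fa-f]{32})")


def parse_mover_log(text):
    """Return [(attempt_number, hash)] for every hash line in a copy log."""
    return [(int(a), h.lower()) for a, h in LOG_LINE.findall(text)]


def demo():
    """Constructed scenario: three segments, one work copy damaged by a single flipped byte."""
    tmp = Path(tempfile.mkdtemp())
    try:
        sources, copies = [], []
        for i in range(1, 4):
            src, dst = tmp / f"image.E0{i}", tmp / f"copy.E0{i}"
            src.write_bytes(bytes([i]) * 4096)   # constructed segment content
            dst.write_bytes(src.read_bytes())    # the work copy
            sources.append(src)
            copies.append(dst)
        damaged = bytearray(copies[1].read_bytes())
        damaged[100] ^= 0xFF                     # one bit pattern changed in copy.E02
        copies[1].write_bytes(damaged)
        acquisition_hash = hash_file(sources[0])
        ok, _ = verify_image(sources[0], acquisition_hash.upper())
        segment_ok = [match for _, _, _, match in verify_work_copy(sources, copies)]
        return ok, segment_ok
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, [True, False, True]): the image verifies, copy.E02 does not
```

A failed segment means the work copy is discarded and recopied from the original; the analyst never works from a copy whose hash does not match.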
  • Forensic Considerations
    Windows Encryption
    Encrypting File System (EFS) (XP)
    BitLocker (Vista & Windows 7)
    Other Hardware or Software Encryption
    Laptop hard drives
    e.g., TrueCrypt
    25
  • Forensic Analysis
    Indexing
    Key Word Searching
    Filters
    AND/OR/NOT
    Date Range
    Specific File Types
    26
  • Forensic Analysis
    Deletion
    Deleted Documents
    Recycle Bin (Deleted Dates / INFO2)
    Data Carving
    Unallocated Space
    Hard Drive Wiping
    Signature Analysis: File Extension vs. File Signature
    27
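The slide above pairs data carving from unallocated space with signature analysis (file extension vs. file signature). The following is an added example, not the presentation's or JurInnov's code: the same table of well-known leading bytes drives both a mismatch check (the extension is a claim, the header bytes are evidence) and a header-to-next-header carver over a blob standing in for unallocated space. Every sample file and the unallocated blob are constructed; aliases such as .docx to the zip container are real relationships, so an Office document is not flagged.

```python
"""Added example (not from the presentation): signature analysis and header-based carving."""

# Known type -> one or more possible leading byte sequences (well-known public values)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions that legitimately share a container signature
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}


def identify(data):
    """Return the type implied by the first bytes of data, or None if nothing matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def signature_mismatch(filename, data):
    """True when extension and content disagree: the content carries a known
    signature that is not the claimed type, or the extension claims a known type
    and the content shows none of its signatures. Unknown/unknown is not flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is not None:
        return actual != claimed
    return claimed in SIGNATURES


def carve(blob):
    """Locate every known header in a blob of unallocated space; returns sorted
    (offset, kind). Short signatures such as MZ will also match by chance in
    random data, so each hit is validated by the examiner before it is relied on."""
    hits = []
    for kind, magics in SIGNATURES.items():
        for magic in magics:
            start = 0
            while (pos := blob.find(magic, start)) != -1:
                hits.append((pos, kind))
                start = pos + 1
    return sorted(hits)


def carve_regions(blob):
    """Cut the blob at each header so each region runs from its header to the next
    header (or the end of the blob): the simplest header-to-header carving."""
    hits = carve(blob)
    regions = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        regions.append((off, kind, bytes(blob[off:end])))
    return regions


# Constructed unallocated-space sample: zero filler, a JPEG remnant, more filler, a PDF remnant
UNALLOCATED = (b"\x00" * 512 + b"\xff\xd8\xff\xe0" + b"J" * 100
               + b"\x00" * 200 + b"%PDF-1.4\n" + b"P" * 50)


def demo():
    files = {  # constructed name / content pairs
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "notes.txt": b"meeting at 10",
        "report.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # a JPEG renamed to .txt
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,        # an executable named like a PDF
        "deck.pptx": b"PK\x03\x04" + b"\x00" * 16,          # OOXML is a zip container: no flag
    }
    flagged = sorted(name for name, data in files.items() if signature_mismatch(name, data))
    return flagged, [(off, kind) for off, kind, _ in carve_regions(UNALLOCATED)]


if __name__ == "__main__":
    print(demo())  # (['invoice.pdf', 'report.txt'], [(512, 'jpg'), (816, 'pdf')])
```

The carver only finds headers; footer matching (for example the JPEG end marker) and size sanity checks are what turn a hit into a recoverable file, which is why tools validate each carved region.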
  • Forensic Analysis
    File Hash Analysis: Comparing Files
    Image Review/Analysis
    Internet History Analysis
    Analysis Examples …
    28
  • Registry Overview
    Windows Registry – central database of the configuration data for the OS and applications.
    Gold Mine of forensic evidence
    Registry Hive Keys
    Software
    System
    SAM (Security Account Manager)
    NTUSER.DAT
    29
  • Registry – Software
    What Operating System Installed?
    Date/Time OS Installed
    Product ID For Installed OS
    Programs That Run Automatically at Startup (Place to Hide Virus)
    Profiles
    30
  • Registry – System
    Mounted Devices
    Computer Name
    USB Plugged-In Devices (USBSTOR)
    Last System Shutdown Time
    Time Zone
    31
  • Registry – SAM & NTUSER.DAT
    SAM
    Local Accounts
    NTUSER.DAT
    Network Assigned Drive Letters
    Typed URLs (websites)
    Last Clean Shutdown Date/Time
    Usernames and Passwords
    Recent Documents
    Registry examples …
    32
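The four Registry slides above list artifacts (OS install date, last shutdown time, USBSTOR device history, typed URLs) without showing how the raw values are read. As an added example, not the presentation's or JurInnov's code, the script below decodes constructed copies of those values: the key paths are the standard Windows locations, but every value is made up here so it runs offline (on a live system they would come from winreg or an exported hive). The FILETIME sample is built to decode to 24 February 2011, the date of the presentation.

```python
"""Added example (not from the presentation): decoding raw registry values behind the slides' artifacts."""
import struct
from datetime import datetime, timedelta, timezone

# Standard locations, as hive-relative paths (CurrentControlSet usually resolves to ControlSet001)
INSTALL_DATE_KEY = r"Microsoft\Windows NT\CurrentVersion"            # SOFTWARE hive: InstallDate (REG_DWORD)
SHUTDOWN_KEY = r"ControlSet001\Control\Windows"                      # SYSTEM hive: ShutdownTime (REG_BINARY FILETIME)
USBSTOR_KEY = r"ControlSet001\Enum\USBSTOR"                          # SYSTEM hive: one subkey per device model
TYPED_URLS_KEY = r"Software\Microsoft\Internet Explorer\TypedURLs"   # NTUSER.DAT: values url1..urlN

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not taken from any real system)
SAMPLE_INSTALL_DATE = 1234567890                           # REG_DWORD holding Unix seconds
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("004083c7b5d3cb01")   # little-endian FILETIME, 2011-02-24 00:00:00 UTC
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": ["20051535820EAB21A7C1&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a1b3c4d&0"],
}
SAMPLE_TYPED_URLS = {
    "url2": "http://www.jurinnov.com/",
    "url10": "http://example.com/oldest",
    "url1": "http://example.com/newest",
}


def decode_install_date(dword):
    """InstallDate is a REG_DWORD of Unix epoch seconds, interpreted as UTC."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)


def decode_filetime(raw8):
    """ShutdownTime (and many other values) is a 64-bit FILETIME: little-endian
    count of 100-nanosecond intervals since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_usbstor(device_key, instance_key):
    """USBSTOR subkeys are Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>, each with
    an instance subkey <serial>&<n>. When the device reports no serial number
    Windows synthesizes one whose second character is '&', so it does not
    identify a specific physical unit."""
    fields = dict(part.split("_", 1) for part in device_key.split("&")[1:])
    serial = instance_key.rsplit("&", 1)[0]
    return {
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": serial,
        "serial_is_unique": len(serial) > 1 and serial[1] != "&",
    }


def ordered_typed_urls(values):
    """TypedURLs stores url1, url2, ... with url1 the most recently typed;
    sort numerically so url10 does not land between url1 and url2."""
    return [values[k] for k in sorted(values, key=lambda k: int(k[3:]))]


def summarize():
    """Decode every sample into a plain dict of the kind that goes into a report."""
    devices = [parse_usbstor(dev, inst) for dev, insts in SAMPLE_USBSTOR.items() for inst in insts]
    return {
        "os_installed_utc": decode_install_date(SAMPLE_INSTALL_DATE).isoformat(),
        "last_shutdown_utc": decode_filetime(SAMPLE_SHUTDOWN_TIME).isoformat(),
        "usb_devices": devices,
        "typed_urls_most_recent_first": ordered_typed_urls(SAMPLE_TYPED_URLS),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Registry timestamps decode to UTC; the TimeZoneInformation key from the System slide is what converts them to the local time an examiner reports alongside.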
  • Unallocated Space Analysis
    Unallocated Space/Drive Free Space
    File Slack
    33
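The speaker note at the top of the transcript (sector = 512 bytes, a cluster is a run of sectors, 1 sector = 1 cluster on a floppy) and the Unallocated Space Analysis slide above both turn on file slack, and the earlier Logical vs. Physical slide states that a logical copy misses it. The following is an added example, not the presentation's code: it computes cluster allocation and slack for a file size, then models one cluster to show how a shorter file written over a longer one leaves the older content readable in slack. The cluster size, file contents and zero-filling of the final sector (modern Windows behaviour) are assumptions of the example.

```python
"""Added example (not from the presentation): clusters, file slack and what survives in it."""
SECTOR = 512  # smallest addressable unit on the drive


def cluster_layout(file_size, sectors_per_cluster):
    """Return (clusters_allocated, allocated_bytes, slack_bytes) for a file of file_size bytes."""
    cluster = SECTOR * sectors_per_cluster
    clusters = -(-file_size // cluster)          # ceiling division
    allocated = clusters * cluster
    return clusters, allocated, allocated - file_size


class Cluster:
    """One cluster of raw bytes, modelled the way the disk (and a physical image) sees it."""

    def __init__(self, sectors_per_cluster):
        self.data = bytearray(SECTOR * sectors_per_cluster)
        self.logical_size = 0

    def write_file(self, content):
        """Write a file from the start of the cluster. The rest of the final sector is
        zero-filled (modern OS behaviour); sectors beyond it are left exactly as they
        were, which is how slack ends up holding the previous occupant's data."""
        if len(content) > len(self.data):
            raise ValueError("content exceeds one cluster")
        self.data[:len(content)] = content
        end_of_sector = -(-len(content) // SECTOR) * SECTOR
        self.data[len(content):end_of_sector] = b"\x00" * (end_of_sector - len(content))
        self.logical_size = len(content)

    def logical(self):
        """What a logical ('Ghost') copy captures: the file as the OS presents it."""
        return bytes(self.data[:self.logical_size])

    def slack(self):
        """What only a physical image captures: from end-of-file to the cluster boundary."""
        return bytes(self.data[self.logical_size:])


def demo():
    """Constructed scenario: a memo fills most of a 4096-byte cluster (8 sectors, a
    common NTFS default); it is deleted and a 25-byte file reuses the cluster."""
    c = Cluster(sectors_per_cluster=8)
    c.write_file(b"CONFIDENTIAL MEMO: wire $50,000 to acct 1234 " * 80)  # 3600 bytes, constructed
    c.write_file(b"shopping list: milk, eggs")                            # the new, shorter file
    return c.logical(), c.slack()


if __name__ == "__main__":
    logical, slack = demo()
    print(cluster_layout(1000, 8))                    # (1, 4096, 3096)
    print(len(logical), len(slack))                   # 25 4071
    print(b"CONFIDENTIAL" in logical, b"CONFIDENTIAL" in slack)  # False True
```

The first 487 bytes of slack are the zero-filled remainder of the new file's last sector; from the second sector onward the old memo is intact, which is why keyword searches are run over slack and unallocated space and not only over active files.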
  • Data Transfer Analysis
    FTP
    E-Mail
    External Drives
    Link Files (external/server)
    Internet History
    Webmail
    Created/Accessed/Modified Dates
    34
  • Evidence/Analysis Reporting
    FTK Report (HTML-based report)
    Evidence Presentation
    Final Expert Report
    Interpretation of Report
    Expert Testimony
    35
  • Forensic Analyst
    Tips For Dealing With Your Forensics Analyst
    What to Expect From A Forensics Analyst
    Certifications
    Training
    Experience
    Testimony
    36
  • Types of Cases When Forensics Are Useful…
    Financial
    Receivership
    Bankruptcy
    General Litigation
    Commercial Litigation
    Product Liability
    Corporate
    Regulatory (SEC, Second Requests, FTC)
    Mergers/Acquisitions
    37
  • Types of Cases When Forensics Are Useful, cont.
    Intellectual Property
    Theft of Intellectual Property
    Temporary Restraining Order (TRO)
    Permanent Injunction
    38
  • Types of Cases When Forensics Are Useful, cont.
    Labor/Employment
    Violation of Non-Compete Agreements
    Sexual Harassment
    Age Discrimination
    Fraud/Embezzlement
    Other Violations of Company Policy
    39
  • Types of Cases When Forensics Are Useful, cont.
    Domestic Relations
    Divorce
    Custody
    Corporate Criminal
    Other Criminal
    40
  • For assistance or additional information
    Phone: 216-664-1100
    Web: www.jurinnov.com
    Email: tim.opsitnick@jurinnov.com
    john.liptak@jurinnov.com
    JurInnov Ltd.
    The Idea Center
    1375 Euclid Avenue, Suite 400
    Cleveland, Ohio 44115
    41