Computer Forensics
    Presentation Transcript

    • Computer Forensics By Rob Ferrill
    • Forensics in a Nutshell
      • Evidence Seizure
      • Investigation and Analysis
      • Reporting Results
      “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system” (Farmer and Venema, www.fish.com/security/forensics.html)
    • Do You Have a Plan?
      • Planning and Policy
        • Do you have an incident response policy in place?
        • External Incident
          • Intrusions, viruses, denial of service, theft of service
        • Internal Incident
          • Intellectual property theft, malicious intent, policy abuse
    • Forensically Fortifying Your Network
      • System time
        • GMT or local
        • Use Network Time Protocol
      • Network logs
        • Firewalls, IDS, e-mail, file servers
      • Backups
        • Critical servers and tertiary servers
      • Hash databases
    • Forensic Definitions
      • Evidence
      • Best Evidence
      • Chain of custody
      • Images
      • Dirty word list
      • Incident response forensics
      • Media analysis
    • Evidence
      • Definition: Something that tends to establish or disprove a fact
      • What potentially can be the smallest piece of evidence?
        • 4 bytes
        • An IP address in hex
    • Best Evidence Rule
      • Definition: Original writing must be offered as evidence unless it is unavailable, in which case other evidence, like copies, notes, or other testimony can be used.
      • Accurate representation of original data on a system
      • Extracted data may be introduced as evidence
    • Chain of Custody
      • Chain of custody
        • Establishes each person who has had custody of the evidence
        • Establishes continuity of possession
        • Proof of integrity of the handling of the evidence collected
    • Chain of Custody Items
      • Chain of custody items
        • Date and time item was seized
        • Location and who it was obtained from
        • Make, model, and serial number
        • Name of individual(s) who collected evidence
        • Description of evidence
    • Chain of Custody Items (2)
      • Chain of custody items
        • Full name and signature of person receiving evidence
        • Case number and item (tag) number of evidence
        • Hash values of the evidence, if able to obtain (MD5sum is fine)
        • Pertinent technical data (drive geometry)
    • Image
      • What is an “image”?
      • Bit-for-bit copy of the original evidence gathered from a system
      • Could include:
        • Hard drive (logical or physical)
        • Memory
        • Removable media
    • Dirty Word Lists
      • Keywords specific to your case
      • A list used to search the evidence drive for hits
      • Modified during the investigation as your analysis progresses
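As an added illustration (not part of the presentation), a small Python search over a constructed image fragment using a dirty word list: each keyword is matched as ASCII and as UTF-16LE (the encoding of many Windows artifacts), and every hit is reported with its byte offset so it can be recorded and revisited as the list grows. The sample bytes and keywords are constructed for the example.

```python
import re

# Constructed sample image fragment: ASCII text, one UTF-16LE string (as found in
# registry and NTFS artifacts) and filler bytes. Not a real disk image.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Subject: quarterly merger memo\n"
    + b"\xff" * 16
    + "project-falcon".encode("utf-16-le")
    + b"\x00" * 32
    + b"contact: alice@example.com\n"
)

# Dirty word list for a hypothetical case; it is extended while analysis runs.
DIRTY_WORDS = ["merger", "project-falcon", "alice@example.com"]


def build_pattern(words):
    """Match each keyword as ASCII or as UTF-16LE, case-insensitively."""
    alternatives = []
    for w in words:
        alternatives.append(re.escape(w.encode("ascii")))
        alternatives.append(re.escape(w.encode("utf-16-le")))
    return re.compile(b"|".join(alternatives), re.IGNORECASE)


def search_image(image: bytes, words, context: int = 8):
    """Return (offset, keyword, encoding, surrounding bytes) for every hit."""
    hits = []
    for m in build_pattern(words).finditer(image):
        raw = m.group(0)
        # UTF-16LE hits contain NUL high bytes; ASCII hits never do.
        enc = "utf-16-le" if b"\x00" in raw else "ascii"
        lo, hi = max(0, m.start() - context), m.end() + context
        hits.append((m.start(), raw.decode(enc).lower(), enc, image[lo:hi]))
    return hits


if __name__ == "__main__":
    for offset, word, enc, ctx in search_image(SAMPLE_IMAGE, DIRTY_WORDS):
        print(f"0x{offset:08x}  {word:<20} {enc:<9} {ctx!r}")
```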
    • Evidence Integrity
      • Ensure that the evidence has not been altered
      • Bit-image copies
      • Locked and limited access cabinet
      • Use cryptographic hashes to ensure integrity of original evidence and copies
    • Evidence Hashes
      • Electronic evidence is used as input
      • Non-reversible
      • No two “different” files can create the same hash
      • Ideal way to ensure integrity
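As an added example (not from the presentation), a Python sketch of a chain-of-custody record carrying the fields listed on the two “Chain of Custody Items” slides together with the evidence hashes, plus a check that a working copy still matches the original. All names, identifiers and the sample image are constructed placeholders, and SHA-256 is recorded alongside MD5 because MD5 collisions are known.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive image (not real evidence).
SAMPLE_IMAGE = b"\x33\xc0\x8e\xd0" * 16 + b"login from 192.168.0.10\n" + b"\x00" * 200

def evidence_hashes(data: bytes) -> dict:
    """MD5 (as the slide allows) plus SHA-256, because MD5 collisions are known."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

@dataclass
class Transfer:
    receiver: str   # full name of the person receiving the item
    signature: str  # constructed placeholder for a signature
    when: str       # UTC timestamp of the hand-over

@dataclass
class ChainOfCustodyRecord:
    case_number: str
    item_tag: str
    seized_at: str          # date and time the item was seized
    location: str           # where it was obtained
    obtained_from: str      # who it was obtained from
    make_model_serial: str
    collected_by: str
    description: str
    hashes: dict            # hash values of the original evidence
    technical_data: dict    # pertinent technical data (geometry, size)
    transfers: list = field(default_factory=list)

    def hand_over(self, receiver: str, signature: str) -> None:
        """Append a custody entry; the list establishes continuity of possession."""
        stamp = datetime.now(timezone.utc).isoformat()
        self.transfers.append(Transfer(receiver, signature, stamp))

def build_record(image: bytes) -> ChainOfCustodyRecord:
    # All identifying values below are constructed placeholders.
    return ChainOfCustodyRecord(
        case_number="CASE-PLACEHOLDER", item_tag="ITEM-01", seized_at="2024-01-15T09:30:00+00:00",
        location="Server room B, rack 3", obtained_from="J. Doe (system administrator)",
        make_model_serial="ExampleCo HD-500 / SN-PLACEHOLDER", collected_by="R. Examiner",
        description="SATA drive from web server", hashes=evidence_hashes(image),
        technical_data={"size_bytes": len(image), "sector_size": 512})

def verify_copy(record: ChainOfCustodyRecord, copy_data: bytes) -> bool:
    """A working copy may only be analysed if every recorded hash still matches."""
    return evidence_hashes(copy_data) == record.hashes
```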
    • Forensic Incident Response
      • Incident response
        • Initially focuses on verification of incident
        • Techniques highlight gathering evidence
          • Minimize data and evidence loss
          • Avoid adding data to the system through actions
          • Recovery and downtime are major concerns
        • Initial concern is to triage the incident to prevent further potential damage to evidence
    • Media Analysis
      • Media analysis
        • Focuses on processing copies of evidence gathered at the incident scene (i.e., an image)
        • Is evidence analysis, not evidence gathering
        • Primarily used to find specific data pertaining to the crime
        • Uses forensic workstations and automated tools to parse through gigabytes of data
    • Forensic Principles
      • Four forensic principles = success
        • Minimize data loss
        • Record everything
        • Analyze all data collected
        • Report your findings
    • Recording Your Actions
      • Four reasons to take good notes:
        • May have to duplicate setup
        • Explain how you took down the computer
        • May be called upon to testify
        • Witness’ notes can be used as a refresher
    • Think. Like. A. Hacker.
      • Some incidents are just the tip of the iceberg
        • Usually one compromised system means you will find others
        • Always investigate for this reason
      • Wiretap?
        • Contemplate watching the hacker enter back into the system
        • See what he is doing and what he is after
    • Avoiding Common Mistakes
      • Adding your own data to the system
      • Killing any processes on the system
      • Accidentally touching timestamps
      • Using untrusted commands or tools
      • Adjusting the system prior to evidence seizure (power off, patching, updates)