Computer Forensics
Presentation Transcript

  • Computer Forensics, by Rob Ferrill
  • Forensics in a Nutshell
    • Evidence Seizure
    • Investigation and Analysis
    • Reporting Results
    “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system” (Farmer and Venema)
  • Do You Have a Plan?
    • Planning and Policy
      • Do you have an incident response policy in place?
      • External Incident
        • Intrusions, viruses, denial of service, theft of service
      • Internal Incident
        • Intellectual property theft, malicious intent, policy abuse
  • Forensically Fortifying Your Network
    • System time
      • Decide whether hosts log in GMT (UTC) or local time, and record the setting for each host
      • Use Network Time Protocol (NTP) so clocks agree across systems
    • Network logs
      • Firewalls, IDS, e-mail, file servers
    • Backups
      • Critical servers and tertiary servers
    • Hash databases (known-file hash sets, used to filter known-good files out of an analysis)
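Why the GMT-versus-local question matters: logs from different hosts can only be correlated once they are in one time base. The following Python is an added example, not part of Rob Ferrill's presentation; the log lines are constructed, and the per-host zone table (firewall in UTC, file server at a fixed UTC-6) is an assumption standing in for whatever you record about each host's clock at seizure time.

```python
"""Merge logs from hosts with different clock settings into one UTC timeline.

Added example, not from the original presentation. Log lines are
constructed; the per-host zone table is an assumption standing in for
what you record about each host's clock at seizure time.
"""
from datetime import datetime, timedelta, timezone

# Assumed clock configuration per host, recorded during seizure.
HOST_TZ = {
    "fw1": timezone.utc,                    # firewall: NTP-synced, logs in UTC
    "fs1": timezone(timedelta(hours=-6)),   # file server: local time at UTC-6 (assumed)
}

# Constructed sample lines: "<host> <date> <time> <message>"
SAMPLE_LOGS = [
    "fs1 2008-03-10 14:02:11 share finance opened by jdoe",
    "fw1 2008-03-10 20:01:55 ACCEPT tcp 10.1.1.7:51034 -> 203.0.113.5:22",
    "fs1 2008-03-10 14:03:40 payroll.xls copied to removable drive E:",
    "fw1 2008-03-10 20:04:02 ACCEPT tcp 10.1.1.7:51040 -> 203.0.113.5:22",
]


def parse_line(line):
    """Attach the host's recorded zone to its naive timestamp, then convert to UTC."""
    host, date, clock, message = line.split(" ", 3)
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=HOST_TZ[host])
    return aware.astimezone(timezone.utc), host, message


def build_timeline(lines):
    """Events ordered by true (UTC) time as (iso_utc, host, message)."""
    events = sorted(parse_line(line) for line in lines)
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg) for t, host, msg in events]


def naive_order(lines):
    """Host order you get by sorting on the raw timestamp text, ignoring zones."""
    by_text = sorted(lines, key=lambda line: line.split(" ", 3)[1:3])
    return [line.split(" ", 1)[0] for line in by_text]


if __name__ == "__main__":
    for when, host, msg in build_timeline(SAMPLE_LOGS):
        print(when, host, msg)
    print("naive text order:", naive_order(SAMPLE_LOGS))
```

Sorting on the raw text puts both file-server events before both firewall events; once the recorded offsets are applied, the SSH connection is seen to precede the share access and the copy to removable media falls between the two firewall entries.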
  • Forensic Definitions
    • Evidence
    • Best Evidence
    • Chain of custody
    • Images
    • Dirty word list
    • Incident response forensics
    • Media analysis
  • Evidence
    • Definition: Something that tends to establish or disprove a fact
    • What potentially can be the smallest piece of evidence?
      • 4 bytes
      • An IPv4 address, e.g. as seen in hex in a packet capture
  • Best Evidence Rule
    • Definition: Original writing must be offered as evidence unless it is unavailable, in which case other evidence, like copies, notes, or other testimony can be used.
    • Accurate representation of original data on a system
    • Extracted data may be introduced as evidence
  • Chain of Custody
    • Chain of custody
      • Establishes each person who has had custody of the evidence
      • Establishes continuity of possession
      • Proof of integrity of the handling of the evidence collected
  • Chain of Custody Items
    • Chain of custody items
      • Date and time item was seized
      • Location and who it was obtained from
      • Make, model, and serial number
      • Name of individual(s) who collected evidence
      • Description of evidence
  • Chain of Custody Items (2)
    • Chain of custody items
      • Full name and signature of person receiving evidence
      • Case number and item (tag) number of evidence
      • Hash values of the evidence, if they can be obtained (record SHA-256 together with MD5; practical MD5 collisions exist, so MD5 alone should not be relied on)
      • Pertinent technical data (e.g. drive geometry, sector count)
  • Image
    • What is an “image”?
    • Bit-for-bit copy of the original evidence gathered from a system
    • Could include:
      • Hard drive (physical device or logical volume/partition)
      • Memory
      • Removable media
  • Dirty Word Lists
    • Keywords specific to your case
    • List used to search the image for hits
    • Revised during the investigation as analysis turns up new terms
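A dirty-word search is only as good as the encodings it covers: Windows file names, registry values and document metadata are frequently stored as UTF-16LE, which a plain ASCII grep never matches. The following Python is an added example, not code from the presentation; the image bytes, the keyword list and the hypothetical path are constructed for illustration.

```python
"""Search a raw image for a case-specific dirty-word list.

Added example, not from the original presentation. The image bytes and the
keyword list are constructed; Windows artefacts frequently hold text as
UTF-16LE, so each word is searched in that encoding as well as ASCII.
"""
import re

DIRTY_WORDS = ["payroll", "offshore", "203.0.113.5"]  # assumed case keywords


def build_patterns(words):
    """Compile each word as an ASCII/UTF-8 pattern and as a UTF-16LE pattern."""
    patterns = []
    for word in words:
        # ASCII bytes as-is; UTF-16LE interleaves a NUL after each ASCII char,
        # e.g. "pay" -> b"p\x00a\x00y\x00", which an ASCII grep never matches.
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(word.encode(encoding)), re.IGNORECASE)
            patterns.append((word, encoding, pattern))
    return patterns


def search_image(image, words, context=16):
    """Return hits as (offset, word, encoding, surrounding bytes), by offset."""
    hits = []
    for word, encoding, pattern in build_patterns(words):
        for match in pattern.finditer(image):
            start = max(0, match.start() - context)
            hits.append((match.start(), word, encoding, image[start:match.end() + context]))
    return sorted(hits)


def ascii_only_words(image, words):
    """What a plain case-insensitive ASCII search reports, for comparison."""
    lowered = image.lower()
    return [word for word in words if word.encode("ascii") in lowered]


def constructed_image():
    """Constructed bytes: slack, an ASCII log fragment, a UTF-16LE path, a near miss."""
    pad = b"\x00" * 64
    log_fragment = b"ssh 203.0.113.5 port 22 user admin\n"
    utf16_path = "C:\\Users\\jdoe\\Desktop\\PAYROLL.xls".encode("utf-16-le")  # hypothetical path
    near_miss = b"pay roll"
    return pad + log_fragment + pad + utf16_path + pad + near_miss + pad


if __name__ == "__main__":
    image = constructed_image()
    for offset, word, encoding, around in search_image(image, DIRTY_WORDS):
        print(f"0x{offset:08x} {word!r} as {encoding}: {around!r}")
    print("ASCII-only search finds:", ascii_only_words(image, DIRTY_WORDS))
```

The ASCII-only search reports just the IP address; the encoding-aware search also finds the file name stored as UTF-16LE. Offsets are reported relative to the image so each hit can be located again and the surrounding bytes examined in a hex viewer.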
  • Evidence Integrity
    • Ensure that the evidence has not been altered
    • Bit-image copies
    • Locked and limited access cabinet
    • Use cryptographic hashes to ensure integrity of original evidence and copies
  • Evidence Hashes
    • The electronic evidence is the input
    • Non-reversible (one-way)
    • Computationally infeasible to find two different files with the same hash; this no longer holds for MD5 or SHA-1, so use SHA-256 and record which algorithm was used
    • Standard way to ensure integrity
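The acquisition step described under Image and Evidence Integrity above, as an added Python example (not code from the presentation): an imager that copies a source block by block, zero-fills unreadable blocks the way dd conv=noerror,sync does while recording their offsets, hashes the data as it is written, and later re-hashes the working copy against the recorded value. FlakySource is a constructed stand-in for a block device with one bad sector; on a real system the source would be the device file and the destination evidence storage.

```python
"""Bit-for-bit acquisition with on-the-fly hashing and later verification.

Added example, not from the original presentation. FlakySource is a
constructed stand-in for a block device with one unreadable sector.
"""
import hashlib
import io

BLOCK = 512  # sector-sized reads; production imagers use larger blocks


class FlakySource:
    """Constructed stand-in for a disk: read_at() fails on one sector."""

    def __init__(self, data, bad_block):
        self.data = data
        self.bad_block = bad_block

    def read_at(self, offset, n):
        if offset // BLOCK == self.bad_block:
            raise IOError(f"read error at offset {offset}")
        return self.data[offset:offset + n]


def image_source(src, size, dst, block=BLOCK):
    """Copy `size` bytes from src into dst, block by block.

    An unreadable block is replaced by zeros and its offset recorded, like
    dd conv=noerror,sync, so the image keeps the geometry of the original.
    MD5 and SHA-256 are computed over exactly the bytes written, so the
    returned record documents the image; the bad-block list documents where
    it differs from the medium.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    offset = 0
    while offset < size:
        n = min(block, size - offset)
        try:
            chunk = src.read_at(offset, n)
        except IOError:
            chunk = b"\x00" * n
            bad_blocks.append(offset)
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        offset += n
    return {
        "bytes": offset,
        "bad_blocks": bad_blocks,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def sha256_of(fobj, block=BLOCK):
    """Re-hash a file object from the start (used when verifying a copy)."""
    fobj.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(image, record):
    """True if the working copy still matches the hash in the custody record."""
    return sha256_of(image) == record["sha256"]


def demo():
    """Acquire a constructed 4-sector disk whose third sector is unreadable."""
    medium = bytes(range(256)) * 8            # 2048 bytes of constructed content
    source = FlakySource(medium, bad_block=2)
    image = io.BytesIO()
    record = image_source(source, len(medium), image)
    intact = verify_image(image, record)      # fresh copy matches its record
    image.seek(10)
    image.write(b"\xff")                      # one byte altered on the working copy
    tampered = verify_image(image, record)    # and the hash no longer matches
    return record, intact, tampered


if __name__ == "__main__":
    rec, intact, tampered = demo()
    print(rec, intact, tampered)
```

The hashes in the returned record are what goes on the chain-of-custody form together with the bad-block list; any later copy is checked with verify_image, and a single changed byte is enough to fail the check.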
  • Forensic Incident Response
    • Incident response
      • Initially focuses on verification of incident
      • Techniques highlight gathering evidence
        • Minimize data and evidence loss
        • Avoid adding data to the system through actions
        • Recovery and downtime are major concerns that compete with evidence preservation
      • Initial concern is to triage the incident to prevent further potential damage to evidence
  • Media Analysis
    • Media analysis
      • Focuses on processing copies of evidence gathered at the incident scene (i.e., an image)
      • Is not considered evidence gathering but evidence analysis
      • Primarily used to find specific data pertaining to the crime
      • Uses forensic workstations and automated tools to parse through gigabytes of data
  • Forensic Principles
    • Four forensic principles for success:
      • Minimize data loss
      • Record everything
      • Analyze all data collected
      • Report your findings
  • Recording Your Actions
    • Four reasons to take good notes:
      • May have to duplicate setup
      • Explain how you took down the computer
      • May be called upon to testify
      • A witness's notes can be used to refresh recollection
  • Think. Like. A. Hacker.
    • Some incidents are just the tip of the iceberg
      • One compromised system usually means others are compromised as well
      • Always investigate further for this reason
    • Wiretap?
      • Contemplate watching the intruder return to the system
      • See what he is doing and what he is after
      • Monitoring an intruder's sessions may legally be a wiretap; get legal guidance before doing so
  • Avoiding Common Mistakes
    • Adding your own data to the system
    • Killing any processes on the system
    • Accidentally touching timestamps
    • Using untrusted commands or tools from the compromised system (an intruder may have replaced them)
    • Altering the system before evidence seizure (powering off, patching, updates)