Chfi V3 Module 01 Computer Forensics In Todays World
Uploaded via SlideShare as Adobe PDF
    Presentation Transcript

    • Computer Hacking Forensics Investigator, Version 3
      Module I: Computer Forensics in Today’s World
    • Scenario
      Jacob, a senior management official of a software giant, is accused by his junior staff of sexual harassment. Rachel, the complainant, has accused Jacob of sending email asking for sexual favors in return for her annual performance hike. Ross, a computer forensics investigator, is hired by the software giant to investigate the case. If found guilty, Jacob stands to lose his job and may face imprisonment of up to three years, along with a fine of $15,000.
      Copyright © by EC-Council. All rights reserved. Reproduction is strictly prohibited.
    • Forensic News
      Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html
    • Module Objective
      This module will familiarize you with the following:
      • Computer forensics
      • History of computer forensics
      • Objective of computer forensics
      • Computer facilitated crimes
      • Reasons for cyber attacks
      • Computer forensics flaws and risks
      • Modes of attacks
      • Stages of forensic investigation in tracking cyber criminals
      • Rules of computer forensics
      • Digital forensics
      • Approach the crime scene
      • Where and when do you use computer forensics
      • Legal issues
    • Module Flow
      Introduction → History → Objective of forensics → Computer forensics flaws and risks → Computer facilitated crimes → Reasons for cyber attacks → Stages of forensic investigation → Rules of computer forensics → Digital forensics → Where and when to use computer forensics → Approach to the crime scene → Legal issues
    • Introduction
      Cyber activity has become an important part of our daily lives.
      Importance of computer forensics:
      • 85% of business and government agencies detected security breaches
      • The FBI estimates that the United States loses up to $10 billion a year to cyber crime
    • History of Forensics
      Francis Galton (1822-1911)
      • Made the first recorded study of fingerprints.
      Leone Lattes (1887-1954)
      • Discovered blood groupings (A, B, AB, and O).
      Calvin Goddard (1891-1955)
      • Enabled firearms and bullet comparison for solving many pending court cases.
      Albert Osborn (1858-1946)
      • Developed essential features of document examination.
      Hans Gross (1847-1915)
      • Made use of scientific study to head criminal investigations.
      FBI (1932)
      • A lab was set up to provide forensic services to all field agents and other law authorities across the country.
    • Definition of Forensic Science
      Definition:
      • “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.” (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
      Aim:
      • To determine the evidential value of a crime scene and related evidence.
    • Definition of Computer Forensics
      Definition: “A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.” - Dr. H.B. Wolfe
    • What is Computer Forensics?
      “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
      “Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
    • Need for Computer Forensics
      “Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim.” (Source: James Borek, 2001)
      • Presence of a majority of electronic documents
      • Search for and identify data in a computer
      • Digital evidence can be easily destroyed if not handled properly
      • For recovering:
        • Deleted files
        • Encrypted files
        • Corrupted files
    • Ways of Forensic Data Collection
      Forensic data collection can be categorized as:
      • Background: Data gathered and stored for normal business reasons
      • Foreground: Data specifically gathered to detect crime, or to identify criminals
      Issues related to collecting evidence:
      • Proper documentation
      • Duplicating media
      • Preserving evidence
      • Tests should be repeatable
    • Objectives of Computer Forensics
      To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law.
      To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator.
    • Benefits of Forensic Readiness
      • Evidence can be gathered to act in the company's defense if subject to a lawsuit.
      • In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business.
      • Forensic readiness can extend the target of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, or extortion.
    • Categories of Forensics Data
      Computer forensics focuses on three categories of data:
      • Active data
      • Latent data
      • Archival data
    • Computer Forensics Flaws and Risks
      • Computer forensics is in its development stage.
      • It differs from other forensic sciences, as digital evidence is examined.
      • There is little theoretical knowledge upon which empirical hypothesis testing is carried out.
      • There is a lack of proper training.
      • There is no standardization of tools.
      • It is still more of an “Art” than a “Science”.
    • Computer Facilitated Crimes
      Dependency on computers has given way to new crimes.
      Computers are used as tools for committing crimes.
      Computer crimes pose new challenges for investigators due to their:
      • Speed
      • Anonymity
      • Fleeting nature of evidence
    • Types of Computer Crimes
      • Fraud by computer manipulation
      • Damage to or modification of computer data or programs
      • Unauthorized access to computers and programs/applications
      • Unauthorized reproduction of computer programs
      • Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means
      • Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons
    • Cyber Crime
      Cyber crime is defined as “Any illegal act involving a computer, its systems, or its applications.”
      • Crime directed against a computer
      • Crime where the computer contains evidence
      • Crime where the computer is used as a tool to commit the crime
      “Cyber Crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”
      A cyber crime is intentional and not accidental.
    • Modes of Attacks
      Cyber crime can be categorized into two categories, depending on the way the attack takes place:
      • Insider attacks: Breach of trust from employees within the organization
      • External attacks: Hackers either hired by an insider or by an external entity with the aim of destroying a competitor’s reputation
    • Examples of Cyber Crime
      A few examples of cyber crime include:
      • Theft of intellectual property
      • Damage of company service networks
      • Embezzlement
      • Copyright piracy (software, movie, sound recording)
      • Child pornography
      • Planting of viruses and worms
      • Password trafficking
      • Email bombing and SPAM
    • Examples of Cyber Crime (cont’d)
      The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail. This is more so in these days of ‘white collar’ crime, where documentary evidence plays a crucial role.
      With an increasing number of households and businesses using computers, coupled with easy Internet access, it is inevitable that there will be at least one electronic device found during the course of an investigation. This may be a computer, but could also be a printer, mobile phone, or personal organizer. This electronic device may be central to the investigation.
      No matter which, the information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law.
    • Examples of Evidence
      Examples of how evidence found in a computer may assist in the prosecution or defense of a case are manifold. A few of these examples are:
      • Use/abuse of the Internet
      • Production of false documents and accounts
      • Encrypted/password protected material
      • Abuse of systems
      • Email contact between suspects/conspirators
      • Theft of commercial secrets
      • Unauthorized transmission of information
      • Records of movements
      • Malicious attacks on the computer systems themselves
      • Names and addresses of contacts
    • Stages of Forensic Investigation in Tracking Cyber Criminals
      1. An incident occurs in which the company’s server is compromised.
      2. The client contacts the company’s advocate for legal advice.
      3. The advocate contracts an external forensic investigator.
      4. The forensic investigator (FI) prepares first response procedures (FRP).
      5. The FI seizes the evidence at the crime scene and transports it to the forensics lab.
      6. The FI prepares bit-stream images of the files.
      7. The FI creates MD5 hashes of the files.
      8. The FI examines the evidence files for proof of a crime.
      9. The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs.
      10. The FI hands the sensitive report to the client in a secure manner.
      11. The advocate studies the report and might press charges against the offender in the court of law.
      12. The FI usually destroys all the evidence.
    • Key Steps in Forensic Investigations
      Step 1: Computer crime is suspected
      Step 2: Collect preliminary evidence
      Step 3: Obtain court warrant for seizure (if required)
      Step 4: Perform first responder procedures
      Step 5: Seize evidence at the crime scene
      Step 6: Transport them to the forensic laboratory
      Step 7: Create 2 bit-stream copies of the evidence
      Step 8: Generate MD5 checksum on the images
      Step 9: Prepare chain of custody
      Step 10: Store the original evidence in a secure location
      Step 11: Analyze the image copy for evidence
      Step 12: Prepare a forensic report
      Step 13: Submit the report to the client
      Step 14: If required, attend the court and testify as expert witness
    • Rules of Computer Forensics
      • Minimize the option of examining the original evidence
      • Follow rules of evidence
      • Document any change in evidence
      • Never exceed the knowledge base
      • Do not tamper with the evidence
      • Handle evidence with care
      • Always prepare chain of custody
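      Steps 7 to 10 of the key steps (two bit-stream copies, MD5 checksums, chain of custody, original stored untouched) and the rule “Always prepare chain of custody” worked through as an added Python example; this is not EC-Council code. The file names, the custodian name and the JSON-lines custody log are assumptions, and the evidence file is constructed in a temporary directory so the example runs offline. SHA-256 is computed alongside MD5 because MD5 alone is no longer considered collision-resistant.

```python
"""Bit-stream imaging with hash verification and a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: large sources are imaged without loading them whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file chunk by chunk; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bit_stream_copy(source, dest):
    """Byte-for-byte copy of source to dest; the source is opened read-only. Returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
    return copied


def image_and_verify(source, image_paths, custodian, log_path):
    """Make one bit-stream copy per path (step 7), hash the source and every copy (step 8)
    and append a chain-of-custody record (step 9). Returns True only if every image
    hashes identically to the source; the source itself is never written."""
    source_hashes = hash_file(source)
    records, verified = [], True
    for img in image_paths:
        size = bit_stream_copy(source, img)
        img_hashes = hash_file(img)
        match = img_hashes == source_hashes
        verified = verified and match
        records.append({"image": img, "bytes": size, "hashes": img_hashes, "verified": match})
    entry = {  # assumed log layout: one JSON object per custody event
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": "acquired bit-stream images",
        "original": source,
        "original_hashes": source_hashes,
        "images": records,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return verified


def demo():
    """Constructed evidence file in a temp dir; returns (images_verified, tamper_detected)."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.bin")
    with open(original, "wb") as f:
        f.write(b"constructed evidence file contents\n" * 3000)
    images = [os.path.join(work, f"image{i}.dd") for i in (1, 2)]  # step 7: two copies
    ok = image_and_verify(original, images, "Ross (forensic investigator)", os.path.join(work, "custody.jsonl"))
    with open(images[1], "r+b") as f:  # flip one byte in the second image and re-hash
        f.seek(10)
        f.write(b"X")
    tampered = hash_file(images[1]) != hash_file(original)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, True)
```

      Re-hashing an image before analysis and comparing it with the logged original hashes is what lets the investigator show in court that the copy examined is the copy acquired.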
    • Rule for Forensic Investigator
      Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law.
    • Accessing Computer Forensics Resources
      You can obtain resources by joining various discussion groups such as:
      • Computer Technology Investigators Northwest
      • High Technology Crime Investigation Association
      Joining a network of computer forensic experts and other professionals.
      News services devoted to computer forensics can also be a powerful resource.
      Other resources:
      • Journals of forensic investigators
      • Actual case studies
    • Maintaining Professional Conduct
      • Professional conduct determines the credibility of a forensic investigator.
      • Always dress professionally – wear a tie and a coat.
      • Investigators must display the highest level of ethics and moral integrity, as well as confidentiality.
      • Discuss the case at hand only with the person who has the right to know.
    • Understanding Corporate Investigations
      • Corporate investigations involve private companies that address company policy violations and litigation disputes.
      • Company procedures should continue without any interruption from the investigation.
      • After the investigation, the company should minimize or eliminate similar litigation.
      • Industrial espionage is the foremost crime in corporate investigations.
    • Digital Forensics
      The use of scientifically unexpressed and proven methods towards preserving, collecting, confirming, identifying, analyzing, recording and presenting digital evidence extracted from digital sources.
    • Case Study #1: Password Recovery Services
      A pharmaceutical manufacturer had password protected accounting software files as part of normal security practices to safeguard confidential information. After the bookkeeper’s employment was terminated for poor performance, the Director of Human Resources attempted to open the accounting file and found the file password protected, as expected. The HR Director obtained a copy of the current password that had been stored in an envelope in the department safe (as directed by the company’s security policy). When she attempted to use the password to open the file, she was unsuccessful. Apparently, the former bookkeeper had changed the password and not followed the company policy of placing a copy of the password in the safe.
      The HR Director emailed the password protected accounting file to TRC. We were able to recover the password within a few hours and email it back to her, all in the same afternoon.
    • Case Study #2: Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
      United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing stock shares, an employer suspected embezzlement and requested the defendant’s laptop computer for examination. The employer specifically told the defendant not to delete anything from the hard drive.
      A computer forensic analysis revealed the defendant attempted to overwrite files on the computer by running “Evidence Eliminator,” a software wiping program, at least five times the night before he turned over the computer. The defendant was convicted of embezzlement and ordered to pay restitution, including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent on the forensic analysis.
      On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination. The appellate court rejected this argument and affirmed the district court’s award, noting the defendant “purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years. As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on.”
    • When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
      • Any liabilities from the incident and how they can be managed
      • Finding and prosecuting/punishing (internal versus external culprits)
      • Legal and regulatory constraints on what action can be taken
      • Reputation protection and PR issues
      • When/if to advise partners, customers, and investors
      • How to deal with employees
      • Resolving commercial disputes
      • Any additional measures required
    • Enterprise Theory of Investigation (ETI)
      “Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself. In other words, individuals commit criminal acts solely to benefit their criminal enterprise.”
      “By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.”
      Source: The FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely
    • Where and When Do You Use Computer Forensics
      Where?
      • To provide real evidence, such as reading bar codes and magnetic tapes.
      • To identify the occurrence of electronic transactions.
      • To reconstruct an incident with its sequence of events.
      When?
      • If a breach of contract occurs.
      • If copyright and intellectual property theft/misuse happens.
      • Employee disputes.
      • Damage to resources.
    • Legal Issues
      • It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics. Example: the issues related to authenticity, reliability, completeness and how convincing the evidence is.
      • The approach of the investigation diverges with changes in technology.
      • Evidence shown must be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.
    • Reporting the Results
      The report should consist of a summary of conclusions, observations and all appropriate recommendations.
      The report is based on:
      • Who has access to the data?
      • How could it be made available to an investigation?
      • To what business processes does it relate?
    • Summary
      • Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
      • The need for computer forensics has increased due to the presence of a majority of digital documents.
      • Computer forensics focuses on three categories of data: active data, latent data and archival data.
      • Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
      • The forensics results report should consist of a summary of conclusions, observations and all appropriate recommendations.