Chapter 19 Forensic Science and the Internet

Fs Ch 19


Published in: Technology, Education

  1. Chapter 19 Forensic Science and the Internet
  2. Introduction
       • The Internet, often referred to as the “information superhighway,” has opened a medium for people to communicate and to access millions of pieces of information from computers located anywhere on the globe.
       • No subject or profession remains untouched by the Internet, and this is so for forensic science.
       • A major impact of the Internet will be to bring together forensic scientists from all parts of the world, linking them into one common electronic community.
  3. A Network of Networks
       • The Internet can be defined as a “network of networks.”
           • A single network consists of two or more computers that are connected to share information.
           • The Internet connects thousands of these networks so all of the information can be exchanged worldwide.
       • Connections can be made through a modem, a device that allows computers to exchange and transmit information through telephone lines.
       • Higher-speed broadband connections are available through cable lines or through DSL telephone lines.
  4. A Network of Networks
       • Computers can be linked or networked through wired or wireless (Wi-Fi) connections.
       • Computers that participate in the Internet have a unique numerical Internet Protocol (IP) address and usually a name.
  5. The World Wide Web
       • The most popular area of the Internet is the World Wide Web.
       • It is considered a collection of pages stored in the computers connected to the Internet throughout the world.
       • Web browsers allow the user to explore information stored on the Web and to retrieve Web pages the viewer wishes to read.
       • Several directories and indexes on the Internet, known as search engines, are available to assist the user in locating a particular topic from the hundreds of thousands of web sites located on the Internet.
       • Commercial Internet service providers connect computers to the Internet while offering the user an array of options.
           • A keyword or phrase entered into a search engine will locate sites on the Internet that are relevant to that subject.
  6. Electronic Mail (e-Mail)
       • The service that is most commonly used in conjunction with the Internet is electronic mail (e-mail).
       • This communication system can transport messages across the world in a matter of seconds.
       • Extensive information relating to forensic science is available on the Internet.
       • The types of Web pages range from simple explanations of the different fields of forensics to intricate details of forensic science specialties.
  7. Forensic Analysis of the Internet
       • It is important from the investigative standpoint to be familiar with the evidence left behind from a user’s Internet activity.
       • A forensic examination of a computer system will reveal quite a bit of data about a user’s Internet activity.
       • The data described on the next few slides would be accessed and examined utilizing the forensic techniques outlined in Chapter 17.
  8. Internet Cache
       • Evidence of Internet web browsing typically exists in abundance on the user’s computer.
       • Most web browsers (Internet Explorer, Netscape, and Firefox) utilize a system of caching to expedite web browsing and make it more efficient.
       • This web browsing Internet cache is a potential source of evidence for the computer investigator.
       • Portions of, and in some cases, entire visited web pages can be reconstructed.
       • Even if deleted, these cached files can often be recovered.
  9. Internet Cookies
       • To appreciate the value of “cookies” you must first understand how they get onto the computer and their intended purpose.
       • Cookies are placed on the local hard disk drive by the web site the user has visited.
       • This happens, of course, only if the particular web browser being used is set to allow it.
       • A cookie is used by the web site to track certain information about its visitors.
       • This information can be anything from history of visits or purchasing habits, to passwords and personal information used to recognize the user for later visits.
  10. Internet History
       • Most web browsers track the history of web page visits for the computer user.
       • This is probably done merely as a matter of convenience.
       • Like the “recent calls” list on a cell phone, the Internet history provides an accounting of sites most recently visited, with some storing weeks’ worth of visits.
       • Users can go back to the sites they most recently visited just by accessing them through the browser’s history.
       • The history file can be located and read with most popular computer forensic software packages.
  11. Bookmarks and Favorite Places
       • Another way users can access websites quickly is to store them in their “bookmarks” or “favorite places.”
       • Like a pre-set radio station, Internet browsers allow a user to bookmark websites for future visits.
       • A lot can be learned from the bookmarked sites of a person. Perhaps you might learn what online news a person is interested in or what type of hobbies he/she has.
       • You may also see that person’s favorite child pornography or computer hacking sites bookmarked.
  12. Internet Communications
       • Computer investigations often begin or are centered around Internet communication.
       • It may be:
           • a chat conversation amongst many people,
           • an instant message conversation between just two individuals,
           • or the back and forth of an e-mail exchange.
       • Human communication has long been a source of evidentiary material.
       • Regardless of the type, investigators are typically interested in communication.
  13. Value of the IP address
       • In our earlier discussion, it was stated that in order to communicate on the Internet a device needs to be assigned an Internet Protocol (IP) address.
       • The IP address is provided by the Internet service provider through which the device accesses the Internet.
       • Thus it is the IP address that might lead to the identity of a real person.
       • If an IP address is the link to the identity of a real person, then it would quite obviously be very valuable for identifying someone on the Internet.
  14. IP Address Locations
       • IP addresses are located in different places for different mediums of communication.
       • E-mail will have the IP address in the header portion of the mail.
           • This may not be readily apparent and may require a bit of configuration to reveal.
           • Each e-mail client is different and needs to be evaluated on a case-by-case basis.
       • In the case of an instant message or chat session, the particular provider (the one providing the mechanism of chat: AOL, Yahoo, etc.) would be contacted to provide the user’s IP address.
  15. Difficulty with IP Addresses
       • Finding IP addresses may be difficult.
           • E-mail can be read through a number of clients or software programs.
           • Most accounts offer the ability to access e-mail through a web-based interface as well.
           • Often the majority of chat and instant message conversations are not saved by the parties involved.
       • Each application needs to be researched and the computer forensic examination guided by an understanding of how it functions.
  16. Hacking
       • Unauthorized computer intrusion, more commonly referred to as hacking, is the concern of every computer administrator.
       • Hackers penetrate computer systems for a number of reasons.
           • Sometimes the motive is corporate espionage and other times it is merely for bragging rights within the hacker community.
           • Most commonly though, it is a rogue or disgruntled employee, with some knowledge of the computer network, who is looking to cause damage.
       • Regardless of the motivation, Corporate America is frequently turning to law enforcement to investigate and prosecute these cases.
  17. Locations of Concentration
       • Generally speaking, when investigating an unauthorized computer intrusion, investigators will concentrate their efforts in three locations:
           • log files
           • volatile memory
           • network traffic
  18. Logs
       • Logs will typically document the IP address of the computer that made the connection.
       • Logs can be found in several locations on a computer network.
       • Most servers that exist on the Internet track connections made to them through the use of logs.
       • Additionally, the router (the device responsible for directing data) might contain log files detailing connections.
       • Similarly, devices known as firewalls might contain log files which list computers that were allowed access to the network or an individual system.
  19. Computer Intrusion Investigation
       • Many times, in cases of unlawful access to a computer network, some technique is used by the perpetrator to cover the tracks of his IP address.
       • Advanced investigative techniques might be necessary to discover the true identity.
       • Where an intrusion is in progress the investigator might have to capture volatile data (data in RAM).
       • The data existing in RAM at the time of an intrusion may provide valuable clues into the identity of the intruder, or at the very least the method of attack.
       • In the case of the instant message or chat conversation, the data that exists in RAM needs to be acquired.
  20. Intrusion Investigation
       • Another standard tactic for investigating intrusion cases is documenting all programs installed and running on a system.
       • By doing this the investigator might discover malicious software installed by the perpetrator to facilitate entry.
       • This is accomplished utilizing specialized software designed to document running processes, registry entries, and any installed files.
  21. Live Network Traffic
       • The investigator may want to capture live network traffic as part of the evidence collection and investigation process.
       • Traffic that travels the network does so in the form of data packets.
       • In addition to containing data these packets also contain source and destination IP addresses.
       • If the attack requires two-way communication, as in the case of a hacker stealing data, then it needs to be transmitted back to the hacker’s computer.
  22. The Destination IP Address
       • To get there, the destination IP address is needed.
       • Once this is learned, the investigation can focus on that system.
       • Moreover, the type of data that is being transmitted on the network may be a clue as to what type of attack is being launched, if any important data is being stolen, or types of malicious software, if any, that are involved in the attack.
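The point of slides 21 and 22, that every packet carries a source and a destination IP address and that the destination of outbound data is where the investigation turns next, can be shown on raw packet bytes. This is an added example, not part of the original slides; the function names, the internal range 10.0.0.0/8 and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header (RFC 791)."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "protocol": proto, "ttl": ttl, "payload_bytes": total_len - header_len}

def outbound_bytes_by_destination(packets, internal_net: str) -> Counter:
    """Sum payload bytes sent from inside internal_net to outside addresses."""
    net = ipaddress.ip_network(internal_net)
    totals = Counter()
    for raw in packets:
        try:
            hdr = parse_ipv4_header(raw)
        except ValueError:
            continue  # skip frames that do not parse as IPv4
        if hdr["src"] in net and hdr["dst"] not in net:
            totals[str(hdr["dst"])] += hdr["payload_bytes"]
    return totals

def build_packet(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Construct a sample IPv4 packet (checksum left as 0) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + bytes(payload_len)

# Constructed capture: private and documentation-range addresses only.
SAMPLE_CAPTURE = [
    build_packet("10.0.0.5", "10.0.0.9", 200),       # internal to internal
    build_packet("10.0.0.5", "203.0.113.50", 1400),  # internal to external
    build_packet("10.0.0.5", "203.0.113.50", 1400),
    build_packet("10.0.0.7", "198.51.100.8", 120),
    build_packet("203.0.113.50", "10.0.0.5", 40),    # inbound reply
    b"\x00\x01",                                     # truncated junk
]

if __name__ == "__main__":
    totals = outbound_bytes_by_destination(SAMPLE_CAPTURE, "10.0.0.0/8")
    for dst, nbytes in totals.most_common():
        print(f"{dst}\t{nbytes} bytes outbound")
```
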
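Slide 14 states that an e-mail carries IP addresses in its header portion. The sketch below reads them from the `Received` lines with Python's standard `email` module; it is an added example, not part of the original slides, and the message, host names, addresses and function names are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message: example.* host names, private and documentation addresses.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbound.example.org with ESMTP id CONSTRUCTED2;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from [192.168.1.23] (client.example.com [203.0.113.77])
\tby mx.example.net with ESMTPSA id CONSTRUCTED1;
\tMon, 01 Jan 2024 10:00:01 +0000
From: sender@example.com
To: recipient@example.org
Subject: constructed sample

body
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Ranges that never identify a host on the public Internet (RFC 1918, loopback).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw_message: str) -> list:
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Every relay prepends its header, so the last one is nearest the sender.
    for header in reversed(msg.get_all("Received", [])):
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        addresses = []
        for text in BRACKETED_IP.findall(from_part):
            try:
                addresses.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # bracketed text that is not an IP address
        hops.append({"from": " ".join(from_part.split()), "addresses": addresses})
    return hops

def candidate_origin(raw_message: str):
    """First routable address, walking from the hop nearest the sender."""
    for hop in received_hops(raw_message):
        for addr in hop["addresses"]:
            if not any(addr in net for net in NON_ROUTABLE):
                return addr
    return None
```

Only the `Received` lines written by relays the investigator can vouch for are reliable; lines below the first such relay are supplied by the sending side and should be corroborated against that relay's own logs.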
