Chapter 19 Forensic Science and the Internet
- No subject or profession remains untouched by the Internet:
- -one common electronic forensic community
A Network of Networks
- Internet: “network of networks.”
- A single network consists of two or more computers that are connected to share information.
- The Internet connects thousands of these networks so all of the information can be exchanged worldwide.
A Network of Networks
- Computers that participate in the Internet have a unique numerical Internet Provider (IP) address and usually a name.
The World Wide Web
- -collection of pages stored in the computers connected to the Internet throughout the world.
- -explore information the Web
- -assist user in locating topics
Electronic Mail (e-Mail)
- Most commonly used in conjunction with the Internet
- -transport messages across the world
- -simple explanations of forensics
- -intricate details of forensic science specialties
- -Portions/entire web pages can be reconstructed
- -deleted cached files can be recovered
- -placed on the local hard disk drive by the web site the user has visited.
- -used by the web site to track certain information about its visitors
- Most web browsers track the history of web page visits for the computer user
- -accounting of sites most recently visited
- -history file located/read with computer forensic software packages
Bookmarks and Favorite Places
- Bookmarks/favorite places
- -bookmark websites for future visits
- -favorite child pornography
- Computer investigations often begin or are centered around Internet communication.
Value of the IP address
- -provided by the Internet Service provider
- -lead to the identity of a real person
IP Address Locations
- -IP address in the header portion
- -Internet Service Provider (ISP):
Difficulty with IP Addresses
- Finding IP addresses may be difficult.
- E-mail can be read through a number of clients or software programs.
- Most accounts offer the ability to access e-mail through a web-based interface as well.
- Often the majority of chat and instant message conversations are not saved by the parties involved.
- Unauthorized computer intrusion:
- Rogue/disgruntled employee
Locations of Concentration
- -document the IP address of the computer that made the connection
- -located in several locations on computer network
- -router (the device responsible for directing data)
Computer Intrusion Investigation
- Cover tracks of IP address
- -capture volatile data (data in RAM).
- -clues into the identity of the intruder/method of attack.
- -IM/chat data in RAM needs to be acquired
- Document all programs installed/running
- -malicious software installed by the perpetrator to facilitate entry
- -specialized software designed to document running processes/registry entries/installed files.
Live Network Traffic
- Traffic that travels the network:
- -contain source and destination IP addresses
- -two-way communication (stealing data)- transmitted back to hacker’s computer
The Destination IP Address
- -investigation can focus on that system
- -type of attack being launched
- -types of malicious software