Week1_2.ppt
1. Course Code: MISS/MICT 1103
Course Title: Digital Forensics
Semester: January-June 2018
Prof. Syed Akhter Hossain
aktarhossain@daffodilvarsity.edu.bd
2. MISS/MICT1103: Digital Forensics @ SAH, 2018 2
Plan for Action
• Basics of Digital Forensics: 09:30 to 10:30
• Project & Team Formation: 10:30 to 11:00
• Dealing with Computer Investigation: 11:00 to 12:00
3. Basics of Digital Forensics
• Introduction
• Applications
– Law enforcement, human resources, other
• Services
• Benefits
• Using the evidence
4. Digital Forensics
• Digital forensics concerns the investigation of crime using digital/computer methods
• More formally: “Digital forensics, also known as computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca
• Digital evidence may be used to analyze cyber crime (e.g., worms and viruses), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)
5. Computer Forensics Versus Other Related Disciplines
• Computer forensics
– Investigates data that can be retrieved from a computer’s hard disk or other storage media
• Network forensics
– Yields information about how a perpetrator or an attacker gained access to a network
• Data recovery
– Recovering information that was deleted by mistake, or lost during a power surge or server crash
– Typically you know what you’re looking for
6. Computer Forensics Versus Other Related Disciplines (continued)
• Computer forensics
– Task of recovering data that users have hidden or deleted and using it as evidence
– Evidence can be inculpatory (“incriminating”) or exculpatory
• Disaster recovery
– Uses computer forensics techniques to retrieve information their clients have lost
• Investigators often work as a team to make computers and networks secure in an organization
7. A Brief History of Computer Forensics
• By the 1970s, electronic crimes were increasing, especially in the financial sector
– Most law enforcement officers didn’t know enough about computers to ask the right questions, or to preserve evidence for trial
• 1980s
– PCs gained popularity and different OSs emerged
– Disk Operating System (DOS) was available
– Forensics tools were simple, and most were generated by government agencies
8. A Brief History of Computer Forensics (continued)
• Mid-1980s
– Xtree Gold appeared on the market
• Recognized file types and retrieved lost or deleted files
– Norton DiskEdit soon followed
• And became the best tool for finding deleted files
• 1987
– Apple produced the Mac SE
• A Macintosh with an external EasyDrive hard disk with 60 MB of storage
11. A Brief History of Computer Forensics (continued)
• Early 1990s
– Tools for computer forensics were available
– International Association of Computer Investigative Specialists (IACIS)
• Training on software for forensics investigations
– IRS created search-warrant programs
– Expert Witness for the Macintosh
• First commercial GUI software for computer forensics
• Created by ASR Data
12. A Brief History of Computer Forensics (continued)
• Early 1990s (continued)
– Expert Witness for the Macintosh
• Recovers deleted files and fragments of deleted files
• Large hard disks posed problems for investigators
• Other software
– iLook
– AccessData Forensic Toolkit (FTK)
13. Objectives and Priority
• Objective of Computer Forensics
– To recover, analyze and present computer-based material in such a way that it is usable as evidence in a court of law
– Note that the definition is the following: “computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca
14. Objectives and Priority
• Priority
– Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary
– Therefore accuracy is crucial
15. Job of Forensics Specialist
• Determine the systems from which evidence is collected
• Protect the systems from which evidence is collected
• Discover the files and recover the data
• Get the data ready for analysis
• Carry out an analysis of the data
• Produce a report
• Provide expert consultation and/or testimony
16. Preparing for Computer Investigations
• Computer investigations and forensics fall into two distinct categories
– Public investigations
– Private or corporate investigations
• Public investigations
– Involve government agencies responsible for criminal investigations and prosecution
– Organizations must observe legal guidelines
• Law of search and seizure
– Protects rights of all people, including suspects
17. Preparing for Computer Investigations (continued)
• Private or corporate investigations
– Deal with private companies, non-law-enforcement government agencies, and lawyers
– Aren’t governed directly by criminal law or Fourth Amendment issues
– Governed by internal policies that define expected employee behavior and conduct in the workplace
• Private corporate investigations also involve litigation disputes
• Investigations are usually conducted in civil cases
18. Understanding Law Enforcement Agency Investigations
• In a criminal case, a suspect is tried for a criminal offense
– Such as burglary, murder, or molestation
• Computers and networks are only tools that can be used to commit crimes
– Many states have added specific language to criminal codes to define crimes involving computers
• Following the legal process
– Legal processes depend on local custom, legislative standards, and rules of evidence
19. Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
– Criminal case follows three stages
• The complaint, the investigation, and the prosecution
20. Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
– A criminal case begins when someone finds evidence of an illegal act
– Complainant makes an allegation, an accusation or supposition of fact
– A police officer interviews the complainant and writes a report about the crime
• Police blotter provides a record of clues to crimes that have been committed previously
– Investigators delegate, collect, and process the information related to the complaint
21. Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
– After you build a case, the information is turned over to the prosecutor
– Affidavit
• Sworn statement of support of facts about or evidence of a crime
– Submitted to a judge to request a search warrant
• Have the affidavit notarized under sworn oath
– Judge must approve and sign a search warrant
• Before you can use it to collect evidence
22. Understanding Corporate Investigations
• Private or corporate investigations
– Involve private companies and lawyers who address company policy violations and litigation disputes
• Corporate computer crimes can involve:
– E-mail harassment
– Falsification of data
– Gender and age discrimination
– Embezzlement
– Sabotage
– Industrial espionage
23. Understanding Corporate Investigations (continued)
• Establishing company policies
– One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
– Published company policies provide a line of authority
• For a business to conduct internal investigations
– Well-defined policies
• Give computer investigators and forensic examiners the authority to conduct an investigation
• Displaying Warning Banners
– Another way to avoid litigation
24. Understanding Corporate Investigations (continued)
• Displaying Warning Banners (continued)
– Warning banner
• Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
• Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
• Establishes the right to conduct an investigation
– As a corporate computer investigator
• Make sure the company displays a well-defined warning banner
25. Understanding Corporate Investigations (continued)
• Designating an authorized requester
– Authorized requester has the power to conduct investigations
– Policy should be defined by executive management
– Groups that should have direct authority to request computer investigations
• Corporate Security Investigations
• Corporate Ethics Office
• Corporate Equal Employment Opportunity Office
• Internal Auditing
• The general counsel or Legal Department
26. Understanding Corporate Investigations (continued)
• Conducting security investigations
– Types of situations
• Abuse or misuse of corporate assets
• E-mail abuse
• Internet abuse
– Be sure to distinguish between a company’s abuse problems and potential criminal problems
– Corporations often follow the silver-platter doctrine
• What happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer
27. Maintaining Professional Conduct
• Professional conduct
– Determines your credibility
– Includes ethics, morals, and standards of behavior
• Maintaining objectivity means you must form and sustain unbiased opinions of your cases
• Maintain an investigation’s credibility by keeping the case confidential
– In the corporate environment, confidentiality is critical
• In rare instances, your corporate case might become a criminal case as serious as murder
28. Maintaining Professional Conduct (continued)
• Enhance your professional conduct by continuing your training
• Record your fact-finding methods in a journal
• Attend workshops, conferences, and vendor courses
• Membership in professional organizations adds to your credentials
• Achieve a high public and private standing and maintain honesty and integrity
29. Summary
• Computer forensics applies forensics procedures to digital evidence
• Laws about digital evidence were established in the 1970s
• To be a successful computer forensics investigator, you must know more than one computing platform
• Public and private computer investigations are different
30. Project & Team Formation
Course Code: MISS/MICT 1103
Course Title: Digital Forensics
Semester: January-June 2018
31. Project Team Formation
• 4/5 members in a team
• Choose a Team Leader
• Choose a Team Name, e.g. MadMonkey
• Decide on your project and discuss for 3 mins among yourselves
• Finalize the Project
33. Session Objectives
• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech investigations
• Explain requirements for data recovery workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case
34. Preparing a Computer Investigation
• Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
• Chain of custody
– Route the evidence takes from the time you find it until the case is closed or goes to court
35. An Overview of a Computer Crime
• Computers can contain information that helps law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure when acquiring the evidence
– Digital evidence can be easily altered by an overeager investigator
• Information on hard disks might be password protected
36. An Overview of a Company Policy Violation
• Employees misusing resources can cost companies millions of dollars
• Misuse includes:
– Surfing the Internet
– Sending personal e-mails
– Using company computers for personal tasks
37. Taking a Systematic Approach
• Steps for problem solving
– Make an initial assessment about the type of case you are investigating
– Determine a preliminary design or approach to the case
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence disk drive
38. Taking a Systematic Approach (continued)
• Steps for problem solving (continued)
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case
39. Assessing the Case
• Systematically outline the case details
– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Operating system
– Known disk format
– Location of evidence
40. Assessing the Case (continued)
• Based on case details, you can determine the case requirements
– Type of evidence
– Computer forensics tools
– Special operating systems
41. Planning Your Investigation
• A basic investigation plan should include the following activities:
– Acquire the evidence
– Complete an evidence form and establish a chain of custody
– Transport the evidence to a computer forensics lab
– Secure evidence in an approved secure container
42. Planning Your Investigation (continued)
• A basic investigation plan (continued):
– Prepare a forensics workstation
– Obtain the evidence from the secure container
– Make a forensic copy of the evidence
– Return the evidence to the secure container
– Process the copied evidence with computer forensics tools
43. Planning Your Investigation (continued)
• An evidence custody form helps you document what has been done with the original evidence and its forensics copies
• Two types
– Single-evidence form
• Lists each piece of evidence on a separate page
– Multi-evidence form
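The plan above (take the item from the secure container, make a forensic copy, return it, work only on the copy) and the evidence custody form that documents it can be shown in a few lines of code. The following is an added example, not material from the slides or the course: it hashes a constructed stand-in for a disk image before and after copying, re-checks the working copy before analysis, and keeps a minimal chain-of-custody log. SHA-256 as the verification hash, the item id, the examiner name and the in-memory log are all assumptions made here.

```python
"""Added example (not from the slides or the course): a verified forensic
copy and a minimal chain-of-custody log for one evidence item.

Assumptions, all constructed here: the "evidence" is a byte string standing
in for a disk image, custody entries live in memory, and SHA-256 is the
verification hash (the slides do not name one).
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"FAKE-DISK-IMAGE-" * 64 + b"\x00" * 128


def sha256_hex(data, chunk_size=4096):
    """Hash in fixed-size chunks, as one would stream a multi-GB image."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        h.update(view[start:start + chunk_size])
    return h.hexdigest()


def make_forensic_copy(original):
    """Copy the original and return (copy, original_hash, copy_hash).

    Hashing the original before the copy and the copy afterwards is what
    shows the working copy is bit-for-bit identical to the secured item.
    """
    original_hash = sha256_hex(original)
    copy = bytes(original)          # stand-in for a sector-by-sector image
    return copy, original_hash, sha256_hex(copy)


def verify_copy(copy, expected_hash):
    """Re-hash a working copy before analysis; any change shows up here."""
    return sha256_hex(copy) == expected_hash


class CustodyLog:
    """Chain-of-custody record: who did what to which item, and when."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, action, handler, detail="", when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({"item": self.item_id, "action": action,
                             "handler": handler, "detail": detail,
                             "time": when.isoformat()})

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def run_acquisition(item_id, original, examiner):
    """Walk the slide's steps: check out, copy, verify, check back in."""
    log = CustodyLog(item_id)
    log.record("checked out", examiner, "removed from secure container")
    copy, original_hash, copy_hash = make_forensic_copy(original)
    log.record("hashed original", examiner, "sha256=" + original_hash)
    log.record("forensic copy made", examiner, "sha256=" + copy_hash)
    verified = original_hash == copy_hash
    log.record("verified", examiner, "match" if verified else "MISMATCH")
    log.record("checked in", examiner, "returned to secure container")
    return verified, copy, original_hash, log


if __name__ == "__main__":
    ok, working_copy, digest, log = run_acquisition("EV-001", SAMPLE_IMAGE, "examiner")
    print("copy verified:", ok)
    print(log.to_json())
```

The recorded hash is what later ties the analysis results back to the item in the container: if `verify_copy` ever fails on the working copy, the analysis stops and the event goes into the same log.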
45. Securing Your Evidence
• Use evidence bags to secure and catalog the evidence
• Use computer-safe products
– Antistatic bags
– Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
– Floppy disk or CD drives
– Power supply electrical cord
• Write your initials on the tape to prove that the evidence has not been tampered with
46. Employee Termination Cases
• Majority of investigative work for termination cases involves employee abuse of corporate assets
• Internet abuse investigations
– To conduct an investigation you need:
• Organization’s Internet proxy server logs
• Suspect computer’s IP address
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool
47. Employee Termination Cases (continued)
• Internet abuse investigations (continued)
– Recommended steps
• Use standard forensic analysis techniques and procedures
• Use appropriate tools to extract all Web page URL information
• Contact the network firewall administrator and request a proxy server log
• Compare the data recovered from forensic analysis to the proxy server log
• Continue analyzing the computer’s disk drive data
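The comparison step above (URLs recovered from the suspect's disk against the proxy server log for that computer's IP address) is the part that turns two sources into corroborated findings. The following is an added example, not from the slides or any named forensics tool: it parses proxy log lines in Squid's native access.log layout, normalizes URLs so trivial differences in case or fragments do not hide a match, and reports which URLs appear in both sources, only on the disk, or only at the proxy. The log lines, the recovered URL list and the suspect IP are constructed sample data; the log format is an assumption, since the slides do not name a proxy product.

```python
"""Added example (not from the slides): correlate browser artifacts recovered
from a suspect's disk with the organization's proxy server log.

Assumptions: the proxy log is in Squid's native access.log layout, and the
recovered URLs come from a browser-history extraction step not shown here.
Both inputs below are constructed sample data.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

SUSPECT_IP = "10.0.0.25"   # constructed: the suspect computer's address

# Constructed Squid-style access.log lines (whitespace-separated fields:
# timestamp elapsed client status/code bytes method URL user hierarchy type).
PROXY_LOG = """\
1516021200.123    145 10.0.0.25 TCP_MISS/200 5120 GET http://example-jobs.test/listing.html - HIER_DIRECT/203.0.113.5 text/html
1516021260.456     80 10.0.0.25 TCP_HIT/200 2048 GET http://Example-Jobs.test/listing.html - NONE/- text/html
1516021300.789    210 10.0.0.31 TCP_MISS/200 7300 GET http://intranet.example.test/home - HIER_DIRECT/10.0.5.5 text/html
1516021400.000    300 10.0.0.25 TCP_MISS/200 9100 GET http://streaming.example.test/watch?id=42#t=30 - HIER_DIRECT/203.0.113.9 text/html
1516021500.000    100 10.0.0.25 TCP_DENIED/403 0 GET http://blocked.example.test/ - HIER_NONE/- text/html
"""

# Constructed: URLs recovered from the suspect's browser history.
RECOVERED_URLS = [
    "http://example-jobs.test/listing.html",
    "http://streaming.example.test/watch?id=42",
    "http://private-mail.example.test/inbox",
]


def normalize_url(url):
    """Lower-case scheme and host, drop the fragment, keep path and query."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def parse_proxy_log(text):
    """Parse Squid native-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        except ValueError:
            continue
        entries.append({"time": ts, "client": fields[2], "status": fields[3],
                        "method": fields[5], "url": normalize_url(fields[6])})
    return entries


def correlate(recovered_urls, entries, client_ip):
    """Compare disk artifacts against proxy records for one client IP."""
    proxy_urls = {e["url"] for e in entries if e["client"] == client_ip}
    disk_urls = {normalize_url(u) for u in recovered_urls}
    return {
        "confirmed": sorted(disk_urls & proxy_urls),   # seen on disk and at the proxy
        "disk_only": sorted(disk_urls - proxy_urls),   # e.g. visited off-network
        "proxy_only": sorted(proxy_urls - disk_urls),  # e.g. history cleared on the workstation
    }


def timeline(entries, client_ip):
    """Time-ordered (timestamp, status, url) rows for the case report."""
    rows = [(e["time"], e["status"], e["url"]) for e in entries if e["client"] == client_ip]
    return [(t.isoformat(), s, u) for t, s, u in sorted(rows)]


if __name__ == "__main__":
    parsed = parse_proxy_log(PROXY_LOG)
    for bucket, urls in correlate(RECOVERED_URLS, parsed, SUSPECT_IP).items():
        print(bucket, urls)
    for row in timeline(parsed, SUSPECT_IP):
        print(*row)
```

The three buckets are deliberately kept apart: a URL in "confirmed" is corroborated by an independent source, while "disk_only" and "proxy_only" are leads that still need an explanation (a second network path, a DHCP lease change, a cleared history) before they go into the report.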
48. Employee Termination Cases (continued)
• E-mail abuse investigations
– To conduct an investigation you need:
• An electronic copy of the offending e-mail that contains message header data
• If available, e-mail server log records
• For e-mail systems that store users’ messages on a central server, access to the server
• Access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool
49. Employee Termination Cases (continued)
• E-mail abuse investigations (continued)
– Recommended steps
• Use the standard forensic analysis techniques
• Obtain an electronic copy of the suspect’s and victim’s e-mail folder or data
• For Web-based e-mail investigations, use tools such as FTK’s Internet Keyword Search option to extract all related e-mail address information
• Examine header data of all messages of interest to the investigation
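The last step, examining header data, is where the "electronic copy that contains message header data" from the previous slide earns its place on the requirements list. The following is an added example, not from the slides or from FTK: it reads a raw message with Python's standard email parser, pulls out the sender, recipient, date and Message-ID, and orders the Received headers so the originating system (the one to check against workstation records and server logs) comes first. The message, hosts and addresses are constructed; treating the message as intact RFC 5322 text is an assumption.

```python
"""Added example (not from the slides or FTK): pull the header fields an
examiner checks first from an offending message and order its Received hops.

Assumption: the message is available as raw RFC 5322 text with its headers
intact. SAMPLE_MESSAGE is constructed; the hosts and addresses are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mail.example-corp.test (mail.example-corp.test [10.0.5.10])
\tby mx.example-corp.test with ESMTP id abc123
\tfor <victim@example-corp.test>; Mon, 15 Jan 2018 10:00:05 +0000
Received: from [10.0.0.25] (ws-025.example-corp.test [10.0.0.25])
\tby mail.example-corp.test with ESMTPA id xyz789;
\tMon, 15 Jan 2018 10:00:01 +0000
From: "Displayed Name" <sender@example-corp.test>
To: victim@example-corp.test
Date: Mon, 15 Jan 2018 10:00:00 +0000
Message-ID: <20180115100000.1234@ws-025.example-corp.test>
Subject: Constructed sample message

Body text plays no part in header analysis.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST_RE = re.compile(r"^\s*from\s+(\S+)")


def parse_hop(received_value):
    """Extract the sending host and its bracketed IP from one Received header."""
    text = " ".join(received_value.split())   # unfold continuation lines
    host = FROM_HOST_RE.match(text)
    ip = IP_RE.search(text)
    return {"from_host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "raw": text}


def examine_headers(raw_message):
    """Return the header facts worth recording for an e-mail abuse case."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    received = msg.get_all("Received") or []
    # Each relay prepends its own Received header, so the last one listed is
    # the earliest hop (the originating system); reverse into time order.
    hops = [parse_hop(v) for v in reversed(received)]
    message_id = (msg.get("Message-ID") or "").strip()
    mid_domain = message_id.strip("<>").rsplit("@", 1)[-1].lower()
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    date_hdr = msg.get("Date")
    return {
        "from_name": name,
        "from_addr": addr,
        "to": msg.get("To"),
        "date": parsedate_to_datetime(date_hdr) if date_hdr else None,
        "message_id": message_id,
        "hop_count": len(hops),
        "originating_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        # A Message-ID domain outside the sender's domain is a question to
        # follow up, not a conclusion: webmail and list software often differ.
        "message_id_matches_from_domain": bool(from_domain) and mid_domain.endswith(from_domain),
    }


if __name__ == "__main__":
    for key, value in examine_headers(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the Received header added by your own mail server is trustworthy on its face; everything below it in the chain was supplied by the sending side, which is why the originating IP is compared against the organization's own server logs and the workstation acquired for analysis rather than taken as proof by itself.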
50. Media Leak Investigations
• In the corporate environment, controlling sensitive data can be difficult
• Consider the following for media leak investigations
– Examine e-mail
– Examine Internet message boards
– Examine proxy server logs
– Examine known suspects’ workstations
– Examine all company telephone records
51. Media Leak Investigations (continued)
• Steps to take for media leaks
– Interview management privately
• To get a list of employees who have direct knowledge of the sensitive data
– Identify the media source that published the information
– Review company phone records
– Obtain a list of keywords related to the media leak
– Perform keyword searches on proxy and e-mail servers
52. Media Leak Investigations (continued)
• Steps to take for media leaks (continued)
– Discreetly conduct forensic disk acquisitions and analysis
– From the forensic disk examinations, analyze all e-mail correspondence
• And trace any sensitive messages to other people
– Expand the discreet forensic disk acquisition and analysis
– Consolidate and review your findings periodically
– Routinely report findings to management
53. Interviews and Interrogations in High-Tech Investigations
• Becoming a skilled interviewer and interrogator can take many years of experience
• Interview
– Usually conducted to collect information from a witness or suspect
• About specific facts related to an investigation
• Interrogation
– Trying to get a suspect to confess