SlideShare a Scribd company logo

Computer Forensics Basics Lecture

Download as PPT, PDF
G
Gnanavi2

Computer forensics ppt

Science
1 of 41
1 Computer Forensics: Basics Lecture1 The Context of Computer Forensics Adapted from a lecture by Mark Rogers Purdue University 2004
2 Debate  Is digital forensics a “real” scientific discipline? – What is digital forensics – How do you define a scientific discipline? – Does it really matter?
3 Learning Objectives  At the end of this section you will be able to: – Describe the science of digital forensics. – Categorize the different communities and areas within digital forensics. – Explain where computer forensics fits into DFS – Describe criminalistics as it relates to the investigative process – Discuss the 3 A’s of the computer forensics methodology – Critically analyze the emerging area of cyber- criminalistics – Explain the holistic approach to cyber-forensics
4 Computer Forensics Fundamentals Military Acquisition Analysis Examination Report Investigation Criminal FRYE FRE 702 Daubert/Kumho Civil Federal Rules of Civil Procedure Sedona Rowe Rules of Evidence Expert Witness Friend of the Court Technical Expert Presentation Standards & Guidelines Law Enforcement Private Sector Computer Forensics
5 Concept Map Context/Domain Legal Technical Standards & Guidelines Data Hiding Profili ng & Issues Criminal Civil Disks Structures Filesystem Bag/tag Acquire Analysis Examine
6 Criminalistics
7 Criminalistics  Fancy term for Forensic Science  Forensic Science – The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system (Saferstein, 2004)  Think Sherlock Holmes!!
8 History & Development  Francis Galton (1822-1911) – First definitive study of fingerprints  Sir Arthur Conan Doyle (1887) – Sherlock Holmes mysteries  Leone Lattes (1887-1954) – Discovered blood groupings (A,B,AB, & 0)  Calvin Goddard (1891-1955) – Firearms and bullet comparison  Albert Osborn (1858-1946) – Developed principles of document examination  Hans Gross (1847-1915) – First treatise on using scientific disciplines in criminal investigations.
9 History & Development  Edmond Locard (1877-1966) – Principle of Exchange  “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” – The purpose of an investigation is to locate identify and preserve evidence-data on which a judgment or conclusion can be based.  FBI (1932) – National Lab to provide forensic services to all law enforcement agencies in the country
10 Crime Lab  Basic services provided – Physical Science Unit  Chemistry, physics, geology – Biology Unit  DNA, blood, hair & fiber, body fluids, botanical – Firearms Unit – Document Examination – Photography Unit
11 Crime Lab  Optional Services – Toxicology Unit – Latent Fingerprint Unit – Polygraph Unit – Voice Print Analysis Unit – Evidence Collection Unit (Rather new)
12 Other Forensic Science Services  Forensic Pathology – Sudden unnatural or violent deaths  Forensic Anthropology – Identification of human skeletal remains  Forensic Entomology – Insects  Forensic Psychiatry  Forensic Psychology  Forensic Odontology – Dental  Forensic Engineering  ***Digital Forensics***
13 Digital Forensic Science  Digital Forensic Science (DFS): “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Source: (2001). Digital Forensic Research Workshop (DFRWS)
14 Communities  There at least 3 distinct communities within Digital Forensics – Law Enforcement – Military – Business & Industry  Possibly a 4th – Academia
15 Digital Forensic Science
16 Community Objectives
17 The Process  The primary activities of DFS are investigative in nature.  The investigative process encompasses – Identification – Preservation – Collection – Examination – Analysis – Presentation – Decision
18 Investigative Process
19 Subcategories of DFS  There is a consensus that there are at least 3 distinct types of DFS analysis – Media Analysis  Examining physical media for evidence – Code Analysis  Review of software for malicious signatures – Network Analysis  Scrutinize network traffic and logs to identify and locate
20 Media Analysis  May often be referred to as computer forensics.  More accurate to call it media analysis as the focus is on the various storage medium (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.)  Excludes network analysis.
21 Computer Forensics  Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
22 Computer Forensic Activities  Computer forensics activities commonly include: – the secure collection of computer data – the identification of suspect data – the examination of suspect data to determine details such as origin and content – the presentation of computer-based information to courts of law – the application of a country's laws to computer practice.
23 The 3 As  The basic methodology consists of the 3 As: – Acquire the evidence without altering or damaging the original – Authenticate the image – Analyze the data without modifying it
24 Computer Forensics - History  1984 FBI Computer Analysis and Response Team (CART)  1991 International Law Enforcement meeting to discuss computer forensics & the need for standardized approach  1997 Scientific Working Group on Digital Evidence (SWGDE) established to develop standards  2001 Digital Forensic Research Workshop (DFRWS) development of research roadmap  2003 Still no standards developed or corpus of knowledge (CK)
25 Context of Computer Forensics •Homeland Security •Information Security •Corporate Espionage •White Collar Crime •Child Pornography •Traditional Crime •Incident Response •Employee Monitoring •Privacy Issues •???? Digital Forensics Computer Forensics
26 Fit with Information Assurance  Computer Forensics is part of the incident response (IR) capability  Forensic “friendly” procedures & processes  Proper evidence management and handling  IR is an integral part of IA
27 Incident Response Methodology (PDCAERF) Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back Digital Forensics/Evidence Management
28 (PDCAERF)  Preparation – Being ready to respond – Procedures & policies – Resources & CSIRT creation – Current vulnerabilities & counter-measures  Detection/Notification – Determining if an incident or attempt has been made – IDS – Initial actions/reactions – Determining the scope – Reporting process
29 (PDCAERF)  Containment – Limit the extent of an attack – Mitigate the potential damage & loss – Containment strategies  Analysis & Tracking – How the incident occurred – More in-depth analysis of the event – Tracing the incident back to its source
30 (PDCAERF)  Eradication/ Repair-Recovery – Recovering systems – Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.) – Hardening systems – Dealing with patches
31 (PDCAERF)  Follow-up – Review the incident and how it was handled – Postmortem analysis – Lessons learned – Follow-up reporting
32 Challenges  Eric Holder, Deputy Attorney General of the United States Subcommittee on Crime of the House Committee on the Judiciary and the Subcommittee on Criminal Oversight of the Senate Committee on the Judiciary:  Technical challenges that hinder law enforcement’s ability to find and prosecute criminals operating online;  Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, social changes; and  Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.
33 Challenges  NIJ 2001 Study  There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes.  Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.  Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
34 General Challenges  Computer forensics is in its infancy  Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector  No real basic theoretical background upon which to conduct empirical hypothesis testing  No true professional designations  Proper training  At least 3 different “communities” with different demands  Still more of a “folk art” than a true science
35 Legal Challenges  Status as scientific evidence??  Criteria for admissibility of novel scientific evidence (Daubert v. Merrell) – Whether the theory or technique has been reliably tested; – Whether the theory or technique has been subject to peer review and publication; – What is the known or potential rate of error of the method used; and – Whether the theory or method has been generally accepted by the scientific community.  Kumho Tire extended the criteria to technical knowledge
36 Specific Challenges  No International Definitions of Computer Crime  No International agreements on extraditions  Multitude of OS platforms and filesystems  Incredibly large storage capacity – 100 Gig Plus – Terabytes – SANs
37 Specific Challenges  Small footprint storage devices – Compact flash – Memory sticks – Thumb drives – Secure digital  Networked environments  RAID systems  Grid computing  Embedded processors  Other??
38 Specific Challenges  Where is the “crime scene?” Perpetrator’s System Victim’s System Electronic Crime Scene Cyberspace
39 Specific Challenges  What constitutes evidence??  What are we looking for??
40 Summary  DFS is a sub-discipline of criminalistics  DFS is a relatively new science  3 Communities – Legal, Military, Private Sector/Academic  DFS is primarily investigative in nature  DFS is made up of – Media Analysis – Code Analysis – Network Analysis
41 Summary  Computer Forensics is a sub-discipline within DFS  Computer Forensics is part of an IR capability  3 A’s of the Computer Forensic Methodology  There are many general and specific challenges  There is a lack of basic research in this area  Both DFS and Computer Forensics are immature emerging areas

Recommended

sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptSakshiAlex
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20worldAqib Memon
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptxYashPatel132112
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptxBhagyasriPatel2
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 
Digital forensic science and its scope manesh t
Digital forensic science and its scope manesh tDigital forensic science and its scope manesh t
Digital forensic science and its scope manesh tManesh T
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
Computer forencis
Computer forencisComputer forencis
Computer forencisTeja Bheemanapally
 

Recommended

sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptSakshiAlex
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20worldAqib Memon
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptxYashPatel132112
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptxBhagyasriPatel2
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 
Digital forensic science and its scope manesh t
Digital forensic science and its scope manesh tDigital forensic science and its scope manesh t
Digital forensic science and its scope manesh tManesh T
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
Computer forencis
Computer forencisComputer forencis
Computer forencisTeja Bheemanapally
 
L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptRebeccaMunasheChimhe
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemsMayank Diwakar
 
Computer forensic
Computer forensicComputer forensic
Computer forensicShashi Mishra
 
Computer forensic
Computer forensicComputer forensic
Computer forensicibraheem ogundele
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensicRahul Badekar
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxDaniyaHuzaifa
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxssuser2bf502
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
Forensics for IT, final attempt
Forensics for IT, final attemptForensics for IT, final attempt
Forensics for IT, final attemptj9lai
 
Forensics for IT - ACC 626
Forensics for IT - ACC 626Forensics for IT - ACC 626
Forensics for IT - ACC 626j9lai
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITj9lai
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecastj9lai
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for ITj9lai
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for ITj9lai
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITj9lai
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecastj9lai
 
Digital forensics by vimal priya.s
Digital forensics by vimal priya.sDigital forensics by vimal priya.s
Digital forensics by vimal priya.sVimal Priya subramanian
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics pptOECLIB Odisha Electronics Control Library
 
PPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdfPPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdfGnanavi2
 
computerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdfcomputerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdfGnanavi2
 

More Related Content

Similar to Computer Forensics Basics Lecture

L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptRebeccaMunasheChimhe
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemsMayank Diwakar
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensicRahul Badekar
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxDaniyaHuzaifa
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxssuser2bf502
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
Forensics for IT, final attempt
Forensics for IT, final attemptForensics for IT, final attempt
Forensics for IT, final attemptj9lai
 
Forensics for IT - ACC 626
Forensics for IT - ACC 626Forensics for IT - ACC 626
Forensics for IT - ACC 626j9lai
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITj9lai
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecastj9lai
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for ITj9lai
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for ITj9lai
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITj9lai
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecastj9lai
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 

Similar to Computer Forensics Basics Lecture (20)

L11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.pptL11 - Intro to Computer Forensics.ppt
L11 - Intro to Computer Forensics.ppt
 
cyber law and forensics,biometrics systems
cyber law and forensics,biometrics systemscyber law and forensics,biometrics systems
cyber law and forensics,biometrics systems
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
computer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptxcomputer-forensics-8727-OHvDvOm.pptx
computer-forensics-8727-OHvDvOm.pptx
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Forensics for IT, final attempt
Forensics for IT, final attemptForensics for IT, final attempt
Forensics for IT, final attempt
 
Forensics for IT - ACC 626
Forensics for IT - ACC 626Forensics for IT - ACC 626
Forensics for IT - ACC 626
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for IT
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecast
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for IT
 
ACC 626 - Forensics for IT
ACC 626 - Forensics for ITACC 626 - Forensics for IT
ACC 626 - Forensics for IT
 
Acc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for ITAcc 626 slidecast - Forensics for IT
Acc 626 slidecast - Forensics for IT
 
Acc 626 slidecast
Acc 626 slidecastAcc 626 slidecast
Acc 626 slidecast
 
Digital forensics by vimal priya.s
Digital forensics by vimal priya.sDigital forensics by vimal priya.s
Digital forensics by vimal priya.s
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 

More from Gnanavi2

PPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdfPPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdfGnanavi2
 
computerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdfcomputerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdfGnanavi2
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdfGnanavi2
 
computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfGnanavi2
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfGnanavi2
 

More from Gnanavi2 (6)

PPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdfPPT_on_Cache_Partitioning_Techniques.pdf
PPT_on_Cache_Partitioning_Techniques.pdf
 
computerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdfcomputerforensicsppt-111006063922-phpapp01.pdf
computerforensicsppt-111006063922-phpapp01.pdf
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
 
computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdf
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
computerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdfcomputerforensicppt-160201192341.pdf
computerforensicppt-160201192341.pdf
 

Recently uploaded

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 sciencefloriejanemacaya1
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Sérgio Sacani
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxUmerFayaz5
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTSérgio Sacani
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxAleenaTreesaSaji
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Patrick Diehl
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |aasikanpl
 
Scheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxScheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxyaramohamed343013
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfmuntazimhurra
 
VIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C PVIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C PPRINCE C P
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bSérgio Sacani
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physicsvishikhakeshava1
 

Recently uploaded (20)

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 science
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
Engler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomyEngler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomy
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
 
Scheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxScheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docx
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
VIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C PVIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C P
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physics
 

Computer Forensics Basics Lecture

  • 1. 1 Computer Forensics: Basics Lecture1 The Context of Computer Forensics Adapted from a lecture by Mark Rogers Purdue University 2004
  • 2. 2 Debate  Is digital forensics a “real” scientific discipline? – What is digital forensics – How do you define a scientific discipline? – Does it really matter?
  • 3. 3 Learning Objectives  At the end of this section you will be able to: – Describe the science of digital forensics. – Categorize the different communities and areas within digital forensics. – Explain where computer forensics fits into DFS – Describe criminalistics as it relates to the investigative process – Discuss the 3 A’s of the computer forensics methodology – Critically analyze the emerging area of cyber- criminalistics – Explain the holistic approach to cyber-forensics
  • 4. 4 Computer Forensics Fundamentals Military Acquisition Analysis Examination Report Investigation Criminal FRYE FRE 702 Daubert/Kumho Civil Federal Rules of Civil Procedure Sedona Rowe Rules of Evidence Expert Witness Friend of the Court Technical Expert Presentation Standards & Guidelines Law Enforcement Private Sector Computer Forensics
  • 5. 5 Concept Map Context/Domain Legal Technical Standards & Guidelines Data Hiding Profili ng & Issues Criminal Civil Disks Structures Filesystem Bag/tag Acquire Analysis Examine
  • 7. 7 Criminalistics  Fancy term for Forensic Science  Forensic Science – The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system (Saferstein, 2004)  Think Sherlock Holmes!!
  • 8. 8 History & Development  Francis Galton (1822-1911) – First definitive study of fingerprints  Sir Arthur Conan Doyle (1887) – Sherlock Holmes mysteries  Leone Lattes (1887-1954) – Discovered blood groupings (A,B,AB, & 0)  Calvin Goddard (1891-1955) – Firearms and bullet comparison  Albert Osborn (1858-1946) – Developed principles of document examination  Hans Gross (1847-1915) – First treatise on using scientific disciplines in criminal investigations.
  • 9. 9 History & Development  Edmond Locard (1877-1966) – Principle of Exchange  “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” – The purpose of an investigation is to locate identify and preserve evidence-data on which a judgment or conclusion can be based.  FBI (1932) – National Lab to provide forensic services to all law enforcement agencies in the country
  • 10. 10 Crime Lab  Basic services provided – Physical Science Unit  Chemistry, physics, geology – Biology Unit  DNA, blood, hair & fiber, body fluids, botanical – Firearms Unit – Document Examination – Photography Unit
  • 11. 11 Crime Lab  Optional Services – Toxicology Unit – Latent Fingerprint Unit – Polygraph Unit – Voice Print Analysis Unit – Evidence Collection Unit (Rather new)
  • 12. 12 Other Forensic Science Services  Forensic Pathology – Sudden unnatural or violent deaths  Forensic Anthropology – Identification of human skeletal remains  Forensic Entomology – Insects  Forensic Psychiatry  Forensic Psychology  Forensic Odontology – Dental  Forensic Engineering  ***Digital Forensics***
  • 13. 13 Digital Forensic Science  Digital Forensic Science (DFS): “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Source: (2001). Digital Forensic Research Workshop (DFRWS)
  • 14. 14 Communities  There at least 3 distinct communities within Digital Forensics – Law Enforcement – Military – Business & Industry  Possibly a 4th – Academia
  • 17. 17 The Process  The primary activities of DFS are investigative in nature.  The investigative process encompasses – Identification – Preservation – Collection – Examination – Analysis – Presentation – Decision
  • 19. 19 Subcategories of DFS  There is a consensus that there are at least 3 distinct types of DFS analysis – Media Analysis  Examining physical media for evidence – Code Analysis  Review of software for malicious signatures – Network Analysis  Scrutinize network traffic and logs to identify and locate
  • 20. 20 Media Analysis  May often be referred to as computer forensics.  More accurate to call it media analysis as the focus is on the various storage medium (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.)  Excludes network analysis.
  • 21. 21 Computer Forensics  Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
  • 22. 22 Computer Forensic Activities  Computer forensics activities commonly include: – the secure collection of computer data – the identification of suspect data – the examination of suspect data to determine details such as origin and content – the presentation of computer-based information to courts of law – the application of a country's laws to computer practice.
  • 23. 23 The 3 As  The basic methodology consists of the 3 As: – Acquire the evidence without altering or damaging the original – Authenticate the image – Analyze the data without modifying it
  • 24. 24 Computer Forensics - History  1984 FBI Computer Analysis and Response Team (CART)  1991 International Law Enforcement meeting to discuss computer forensics & the need for standardized approach  1997 Scientific Working Group on Digital Evidence (SWGDE) established to develop standards  2001 Digital Forensic Research Workshop (DFRWS) development of research roadmap  2003 Still no standards developed or corpus of knowledge (CK)
  • 25. 25 Context of Computer Forensics •Homeland Security •Information Security •Corporate Espionage •White Collar Crime •Child Pornography •Traditional Crime •Incident Response •Employee Monitoring •Privacy Issues •???? Digital Forensics Computer Forensics
  • 26. 26 Fit with Information Assurance  Computer Forensics is part of the incident response (IR) capability  Forensic “friendly” procedures & processes  Proper evidence management and handling  IR is an integral part of IA
  • 27. 27 Incident Response Methodology (PDCAERF) Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back Digital Forensics/Evidence Management
  • 28. 28 (PDCAERF)  Preparation – Being ready to respond – Procedures & policies – Resources & CSIRT creation – Current vulnerabilities & counter-measures  Detection/Notification – Determining if an incident or attempt has been made – IDS – Initial actions/reactions – Determining the scope – Reporting process
  • 29. 29 (PDCAERF)  Containment – Limit the extent of an attack – Mitigate the potential damage & loss – Containment strategies  Analysis & Tracking – How the incident occurred – More in-depth analysis of the event – Tracing the incident back to its source
  • 30. 30 (PDCAERF)  Eradication/ Repair-Recovery – Recovering systems – Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.) – Hardening systems – Dealing with patches
  • 31. 31 (PDCAERF)  Follow-up – Review the incident and how it was handled – Postmortem analysis – Lessons learned – Follow-up reporting
  • 32. 32 Challenges  Eric Holder, Deputy Attorney General of the United States Subcommittee on Crime of the House Committee on the Judiciary and the Subcommittee on Criminal Oversight of the Senate Committee on the Judiciary:  Technical challenges that hinder law enforcement’s ability to find and prosecute criminals operating online;  Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, social changes; and  Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.
  • 33. 33 Challenges  NIJ 2001 Study  There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes.  Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.  Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
  • 34. 34 General Challenges  Computer forensics is in its infancy  Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector  No real basic theoretical background upon which to conduct empirical hypothesis testing  No true professional designations  Proper training  At least 3 different “communities” with different demands  Still more of a “folk art” than a true science
  • 35. 35 Legal Challenges  Status as scientific evidence??  Criteria for admissibility of novel scientific evidence (Daubert v. Merrell) – Whether the theory or technique has been reliably tested; – Whether the theory or technique has been subject to peer review and publication; – What is the known or potential rate of error of the method used; and – Whether the theory or method has been generally accepted by the scientific community.  Kumho Tire extended the criteria to technical knowledge
  • 36. 36 Specific Challenges  No International Definitions of Computer Crime  No International agreements on extraditions  Multitude of OS platforms and filesystems  Incredibly large storage capacity – 100 Gig Plus – Terabytes – SANs
  • 37. 37 Specific Challenges  Small footprint storage devices – Compact flash – Memory sticks – Thumb drives – Secure digital  Networked environments  RAID systems  Grid computing  Embedded processors  Other??
  • 38. 38 Specific Challenges  Where is the “crime scene?” Perpetrator’s System Victim’s System Electronic Crime Scene Cyberspace
  • 39. 39 Specific Challenges  What constitutes evidence??  What are we looking for??
  • 40. 40 Summary  DFS is a sub-discipline of criminalistics  DFS is a relatively new science  3 Communities – Legal, Military, Private Sector/Academic  DFS is primarily investigative in nature  DFS is made up of – Media Analysis – Code Analysis – Network Analysis
  • 41. 41 Summary  Computer Forensics is a sub-discipline within DFS  Computer Forensics is part of an IR capability  3 A’s of the Computer Forensic Methodology  There are many general and specific challenges  There is a lack of basic research in this area  Both DFS and Computer Forensics are immature emerging areas