Lect 3 Computer Forensics
1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY
2. Outline
• CF Investigation Process
• Investigating Computer Crime
• Before the Investigation
• Computer Forensic Investigation Methodology
• Evaluate and Secure the Scene
• Electronic Evidence
• Collect the Evidence
• Principles of Electronic Evidence
3. Investigating Computer Crime
• Determine if an incident has occurred
• Find and interpret the clues left behind
• Conduct preliminary assessment to search for the evidence
• Search and seize the computer’s equipment
• Collect evidence that can be presented in a court of law or at a corporate inquiry
4. Before the Investigation
• Have work station and data recovery lab
• Build investigating team
• Enter into alliance with a local district attorney
• Review policies and laws
• Notify decision makers and acquire authorization
• Assess risks
• Build a computer investigation toolkit
• Define the methodology
11. Evaluate and Secure the Scene
• Forensic photography
• Gather preliminary information at the crime scene
  • Date and time
  • Place and location of the incident
• Evidence from volatile and non-volatile systems
  • Volatile data: data that would be lost if the computer is turned off
  • Non-volatile data: data that remains unaffected when the computer is turned off (hard drives and storage media)
  • Deleted files, computer history, the computer’s registry, temporary files and web browsing history
• Details of the person(s) at the crime scene
  • Name and identification of the person or people who can serve as potential witnesses
12. Electronic Evidence
• What data can you retrieve?
• Any data that is recorded or preserved on any medium in or by a computer system or other similar device, and that can be read or understood by a person or by a computer system or other similar device
• Evidence is everything
• Evidence is used to establish facts
13. Where to find Evidence?
• Find the evidence: where is it stored?
• Find the relevant data (recovery)
• Establish an order of volatility
• Collect the evidence using tools
• Keep good documentation of all actions
14. Where to find Evidence?
• Text documents
• Graphical images
• Calendar files
• Databases
• Audio and video files
• Websites and application programs
• Even viruses, Trojan horses and spyware
• Email records
• Instant messaging logs
• etc.
18. Principles of Electronic Evidence
• Relevance
  • Able to demonstrate that the material acquired is relevant to the investigation
• Reliability
  • All processes used in handling the evidence are auditable and repeatable
• Sufficiency
  • Enough material has been gathered to allow a proper investigation
• Admissibility
  • It must be usable in court
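The reliability principle above (auditable, repeatable handling) and the "collect the evidence, document all actions" steps of slide 13 are usually enforced with hashing and a chain-of-custody log. The following is an added example, not code from the lecture: it copies a constructed sample file (a stand-in for a forensic image), hashes source and copy with SHA-256, records every step with a UTC timestamp in a JSON custody log, and shows that a later unlogged modification is detected. File names, the examiner id and the log format are assumptions.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source: Path, case_dir: Path, examiner: str) -> dict:
    """Copy source into case_dir, hash both, log every step; raise if hashes differ."""
    case_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    def note(action, **detail):  # one timestamped, attributed log entry per action
        entries.append({"time": datetime.now(timezone.utc).isoformat(),
                        "examiner": examiner, "action": action, **detail})
    src_hash = sha256_file(source)
    note("hash_source", path=str(source), sha256=src_hash)
    image = case_dir / (source.name + ".img")
    shutil.copyfile(source, image)          # stand-in for a write-blocked imager
    note("copy", source=str(source), image=str(image))
    img_hash = sha256_file(image)
    note("hash_image", path=str(image), sha256=img_hash)
    note("verify", match=src_hash == img_hash)
    log = case_dir / "custody_log.json"     # assumed log location and format
    log.write_text(json.dumps(entries, indent=2))
    if src_hash != img_hash:
        raise RuntimeError("image hash differs from source; acquisition not reliable")
    return {"image": str(image), "sha256": src_hash, "log": str(log), "entries": len(entries)}

def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-hash the image later (before analysis, or for court) to show it is unchanged."""
    return sha256_file(image) == expected_sha256

def run_demo() -> dict:
    """Acquire a constructed sample file, then show that tampering is detected."""
    work = Path(tempfile.mkdtemp())
    sample = work / "notes.txt"              # constructed sample evidence
    sample.write_bytes(b"constructed sample evidence file\n")
    rec = acquire(sample, work / "case-0001", examiner="examiner-01")
    intact = verify_image(Path(rec["image"]), rec["sha256"])
    with open(rec["image"], "ab") as f:      # simulate an unlogged modification
        f.write(b"x")
    tampered = verify_image(Path(rec["image"]), rec["sha256"])
    return {**rec, "intact_before": intact, "intact_after": tampered}
```

Running `run_demo()` returns a record whose `intact_before` is True and `intact_after` is False, with four entries written to the custody log.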