
M Compevid


1. Methodology of Investigations: Seizing and examining computer evidence

2. Where will you find computer evidence?
   - Hard drive
   - Floppy disk
   - Tape
   - CD-ROM
   - RAM
   - EPROM: Electronically Programmable ROM

3. These items are very volatile and can be damaged by:
   - electro-magnetic fields
   - power surges and drops
   - dirt and smoke
   - mishandling: dropping, vibration (expansion cards can pop out)

4. Evidence Identification
   - RAM: data stored in RAM evaporates when the system is shut down.
   - CD-ROMs look the same as music CDs.

5. Criminal Schemes to Conceal Evidence: Booby Traps
   - Power switch designed to destroy evidence on the hard drive
   - Hot keys that destroy evidence on the hard drive and in RAM

6. Criminal Schemes to Conceal Evidence
   - Booby-trapped software
     - Commands such as DIR altered to destroy evidence
   - Data encryption

7. Criminal Schemes to Conceal Evidence
   - Renaming files to conceal their purpose
     - Databases listed as programs
     - Documents listed as graphics files
     - Pornography listed as documents

8. Where to look for evidence
   - Hidden files
   - Bad sectors
   - Slack space

9. Slack Space: the area of the disk cluster between the end of the file and the end of the cluster.

10. Traditional Crime Scene
   - Preserve the scene
   - Search for evidence
   - Record location (feet and inches)
   - Collect evidence
   - Examine evidence
   - Reconstruct the crime

11. Computer Crime Scene: Preserve the scene
   - What's on the monitor
   - What's in RAM
   - Pull the plug (well, maybe...)

12. Computer Crime Scene: Search for evidence
   - Passwords
   - Printouts
   - Software and manuals
   - Check for booby traps and magnetic fields

13. Computer Crime Scene: Transport to office
   - Radio transmissions
   - Dirt, heat, jarring
   - Curious co-workers

14. Examining Computer Evidence
   - Preparation
     - Duplicate (mirror) image backup
     - Make more than one copy
     - Lock the original away
   - Examine on a department computer
     - Restore the hard drive

15. Examining the data
   - Write-protect the disk
   - Print the root directory
   - Follow the directory order and examine user-created files
   - Examine the files and print those of value
   - Print all configuration and autoexec files
     - config.sys, autoexec.bat

16. Examining the data: Using disk utilities
   - Look for hidden files
   - Examine slack space
   - Check for erased files

17. Examining the data
   - Expand compressed files
     - Zip
     - Arc

18. Documentation: Keep a log of your activities
   - What you examined
   - What was found
   - Where it was found
     - directory (path)
     - slack space (head/cylinder/sector address)
   - What you did to recover the data
   - Print out the data and include it with the report
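The slack-space and duplicate-image steps in slides 9, 14, 16 and 18, as an added Python example that is not part of the original deck: it assumes a constructed four-cluster image with 512-byte sectors and 2048-byte clusters, carves the slack of a file that spills into its last cluster, reports the logical sector where that slack begins (the deck logs a head/cylinder/sector address, which needs drive geometry not modelled here), and hashes each working copy against the locked-away original.

```python
import hashlib

# Assumed geometry for this constructed example: 512-byte sectors, 4 sectors per cluster.
SECTOR_SIZE = 512
CLUSTER_SIZE = 4 * SECTOR_SIZE

# Constructed disk image of 4 clusters. Cluster 1 still holds remnants of a deleted
# file; a new 2100-byte file is then written from cluster 0, so it spills 52 bytes
# into cluster 1 and leaves the remaining 1996 bytes of that cluster as slack.
REMNANT = (b"deleted ledger row: acct 4471 paid 12000\n" * 60)[:CLUSTER_SIZE]
IMAGE = bytearray(4 * CLUSTER_SIZE)
IMAGE[CLUSTER_SIZE:2 * CLUSTER_SIZE] = REMNANT
FILE_SIZE = 2100
IMAGE[0:FILE_SIZE] = b"A" * FILE_SIZE


def slack_bounds(file_size, cluster_size=CLUSTER_SIZE):
    """Offset inside the last cluster where slack starts, and its length in bytes."""
    used = file_size % cluster_size
    if used == 0:  # empty file, or the file exactly fills its clusters: no slack
        return cluster_size, 0
    return used, cluster_size - used


def extract_slack(image, start_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return (slack_bytes, lba_sector) for a file stored in consecutive clusters."""
    clusters = (file_size + cluster_size - 1) // cluster_size
    if clusters == 0:  # nothing allocated, nothing to carve
        return b"", None
    last_cluster = start_cluster + clusters - 1
    off, length = slack_bounds(file_size, cluster_size)
    abs_off = last_cluster * cluster_size + off
    return bytes(image[abs_off:abs_off + length]), abs_off // SECTOR_SIZE


def copies_match(original, *copies):
    """Hash the locked-away original and every working copy; all digests must agree."""
    digest = hashlib.sha256(original).hexdigest()
    return all(hashlib.sha256(c).hexdigest() == digest for c in copies), digest


if __name__ == "__main__":
    slack, sector = extract_slack(IMAGE, 0, FILE_SIZE)
    print(f"{len(slack)} bytes of slack starting at sector {sector}: {slack[:40]!r}")
    ok, digest = copies_match(bytes(IMAGE), bytes(IMAGE), bytes(IMAGE))
    print("working copies verified against original:", ok, digest[:16])
```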