
Chapter 3 cmp forensic



  1. Computer Forensics (title)
  2. Computer Forensics (title)
  3. Computer forensics: the process of applying scientific and analytical techniques to computer operating systems and file structures in order to determine potential legal evidence.
  4. Computer forensics is the practice of lawfully establishing evidence and facts. It is a science concerned with legal evidence found on digital storage media and in computers.
     Subdivisions:
     • Disk forensics
     • Network forensics
     • Mobile forensics
  5. Role of the computer forensic investigator: evidence collection and chain of custody. The chain-of-custody record must answer, for every item of evidence:
     • Who: who handled the evidence?
     • What: what procedures were performed on the evidence?
     • When: when was the evidence collected and/or transferred to another party?
     • Where: where was the evidence collected and stored?
     • How: how was the evidence collected and stored?
     • Why: for what purpose was the evidence collected?
  6. Forensics process:
     • Acquire the data to be examined
     • Photographs
     • Make an image
     • Review the logical file structure
     • Review unallocated space and file slack
     • Recover deleted data (if any)
     • Report
     • Expert testimony
  7. Importance of evidence. "Evidence" is anything the judge allows a jury to consider in reaching a verdict. This can include the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts or sample equipment.
  8. Sources of evidence:
     • Slack space, free space, swap, Recycle Bin
     • Event logs
     • Registry
     • Application files, temp files
     • E-mail
     • Browser history and cache
  9. Types of forensics: live forensics; non-live forensics; post-acquisition analysis technologies.
  10. Live forensics:
     • Recovery of volatile data
     • Gathering system information
     • Gathering USB device history
     • System Explorer
     • Imaging and cloning
     Non-live forensics:
     • Imaging
     • Cloning
     Post-acquisition analysis:
     • Mathematical authentication of data (hash)
     • Virtualization
     • Malware analysis
     • Detection of obscene content
     • Image ballistics
     • Use of spyware (keyloggers) in investigations
     • Digital evidence analysis
  11. Forensic imaging & cloning
  12. [Screenshot: select source medium]
  13. [Screenshot: select source medium]
  14. [Screenshot: select destination for the image file]
  15. Post-acquisition analysis
  16. [Screenshot: mathematical authentication of data]
  17. [Screenshot: mathematical authentication of data]
  18. Select the algorithm
     • The Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.
     • It is advised that mathematical authentication of digital evidence be done using either SHA-1 or SHA-2.
     • MD5 must not be used, as such evidence may be unacceptable in a court of law.
     Practitioner's note: practical SHA-1 collisions have been public since 2017, so prefer SHA-2 (for example SHA-256) wherever the rules allow it, and always record which algorithm produced the digest so the verification can be repeated exactly.
  19. Mathematical authentication of digital evidence achieved by using SHA-2.
  20. Mathematical authentication of data. Sample inputs and their SHA-1 digests:

     Input    SHA-1 digest
     Apple    476432a3e85a0aa21c23f5abd2975a89b6820d63
     apple    d0be2dc421be4fcd0172e5afceea3970e2f3d940
     Apple    476432a3e85a0aa21c23f5abd2975a89b6820d63
     a        86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

     The same input always yields the same digest, a one-character change (the case of "A") yields an unrelated digest, and the digest length is fixed regardless of input length. This is what lets an examiner prove that an image examined later is bit-for-bit what was acquired.
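The acquisition and hash-verification steps above (make an image, mathematically authenticate the data, re-check it later) as an added example in Python, not code from the original slides or from any tool they depict. It assumes a constructed 1 MiB byte string as the "source medium" and a temporary directory as the image destination; a real acquisition would read the device through a write blocker. Both SHA-1 (for comparison with the table on the slide) and SHA-256 are computed in one pass over the stream, and a single altered byte in the image is shown to break verification.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024  # read size; keeps multi-GB images out of memory

# Constructed stand-in for a source medium: 1 MiB of deterministic bytes.
# (Example data, not from the original slides.)
SOURCE_BYTES = bytes((i * 7 + 3) & 0xFF for i in range(1024 * 1024))


def hash_bytes(data, algorithms=("sha1", "sha256")):
    """Digest an in-memory value (e.g. the short strings in the slide table)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def sha1_hex(text):
    """SHA-1 of a text string, as used in the slide's comparison table."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def hash_stream(path, algorithms=("sha1", "sha256")):
    """Hash a file in chunks so the whole image never sits in memory.
    MD5 is deliberately absent: the slides say it is not acceptable for evidence."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of the source into an image file, hashing the stream as
    it is read so the acquisition hash is taken from the same bytes written."""
    hashers = {"sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare with the digests recorded at acquisition.
    Returns one True/False per algorithm; any False means the image changed."""
    current = hash_stream(image_path, tuple(acquisition_hashes))
    return {name: current[name] == acquisition_hashes[name] for name in acquisition_hashes}


def demo():
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "source.bin")
        image = os.path.join(workdir, "evidence.dd")
        with open(source, "wb") as f:
            f.write(SOURCE_BYTES)
        acquisition = acquire_image(source, image)
        verify_before = verify_image(image, acquisition)
        # Alter one byte of the image (the constructed byte at offset 4096 is
        # 0x03) to show that verification against the acquisition hash fails.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"\x00")
        verify_after = verify_image(image, acquisition)
        return {
            "acquisition": acquisition,
            "source_sha256": hash_bytes(SOURCE_BYTES)["sha256"],
            "verify_before": verify_before,
            "verify_after": verify_after,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for word in ("Apple", "apple", "Apple", "a"):
        print(f"{word:8} {sha1_hex(word)}")
    result = demo()
    print("acquisition:", result["acquisition"])
    print("verify before tamper:", result["verify_before"])
    print("verify after tamper: ", result["verify_after"])
```

Record the acquisition digests, the algorithm names, the tool and the time in the chain-of-custody log together with the who/what/when/where/how/why entries from slide 5; a verification hash computed at examination time that matches those digests is the evidence that the image is authentic.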
  21. [Screenshot: mathematical authentication of data]
  22. Virtualization
  23. Life cycle of computer evidence
  24. Evidence life cycle management spans two domains. Document management (enterprise document creation, repositories): create, capture, preserve, destroy. Electronic discovery services (evidence preservation obligation, document production request): collect, process, review, produce. The stages run Create, Capture, Preserve, Collect, Process, Review, Produce, with Destroy applying only once no preservation obligation remains.
  25. Evidence rule: evidence must be admissible, reliable, authentic, complete (no tunnel vision) and believable.
  26. Types of evidence: direct evidence, real evidence, documentary evidence, demonstrative evidence.
  27. Computer evidence processing guidelines:
     • Pull the plug (the traditional guidance; note that this loses the volatile data listed under live forensics on slide 10, such as running processes, network connections and keys for mounted encrypted volumes, so decide whether volatile data must be captured first)
     • Document the hardware configuration of the system
     • Transport the computer system to a secure location (forensics lab)
     • Make bit-stream backups of hard disks and floppy disks
  28. Computer evidence processing guidelines (continued):
     • Mathematically authenticate the data on all storage devices (hash)
     • Document the system date and time
     • Make a list of key search words
     • Evaluate the Windows swap file
     • Evaluate file slack
  29. Computer evidence processing guidelines (continued):
     • Evaluate unallocated space (erased files)
     • Search files, file slack and unallocated space for key words
     • Document file names, dates and times
     • Identify file, program and storage anomalies
  30. Computer evidence processing guidelines (continued):
     • Evaluate program functionality
     • Document your findings
     • Retain copies of the software used
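The key-word search step of the guidelines above (slides 28 and 29: make a list of key search words, then search files, file slack and unallocated space for them) as an added Python example, not code from the original slides. A raw image is scanned byte by byte rather than through the file system, so slack and unallocated regions are covered; consecutive read chunks overlap so a hit that straddles a chunk boundary is not missed; and each keyword is searched both as ASCII and as UTF-16LE, because Windows stores many strings (registry, pagefile, document metadata) in the latter. The image is a constructed 12 KiB sample with the keyword planted at known offsets.

```python
import os
import re
import shutil
import tempfile

CHUNK = 4096  # read size for the scan; real tools use a few MiB


def encoded_keywords(keywords):
    """Each keyword as raw ASCII bytes and as UTF-16LE bytes."""
    out = []
    for kw in keywords:
        out.append((kw, "ascii", kw.encode("ascii")))
        out.append((kw, "utf-16le", kw.encode("utf-16-le")))
    return out


def search_raw_image(path, keywords, chunk=CHUNK):
    """Scan every byte of a raw image, allocated or not, for the keywords.
    Chunks overlap by (longest pattern - 1) bytes so a hit crossing a chunk
    boundary is still found; absolute offsets are deduplicated. Matching is
    case-insensitive (re.IGNORECASE folds ASCII letters, which also covers
    the letter bytes of UTF-16LE). Returns sorted (offset, keyword, encoding)."""
    encoded = encoded_keywords(keywords)
    patterns = [(kw, enc, re.compile(re.escape(raw), re.IGNORECASE))
                for kw, enc, raw in encoded]
    overlap = max(len(raw) for _, _, raw in encoded) - 1
    hits = set()
    base = 0      # absolute offset of the next byte to be read from the file
    tail = b""    # bytes carried over from the previous chunk
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            data = tail + block
            data_start = base - len(tail)  # absolute offset of data[0]
            for kw, enc, pat in patterns:
                for m in pat.finditer(data):
                    hits.add((data_start + m.start(), kw, enc))
            base += len(block)
            tail = data[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def build_sample_image(path, chunk=CHUNK):
    """Constructed raw image (example data, not from the slides): three chunks
    of 0xFF filler with the keyword in ordinary file content, straddling the
    first chunk boundary, and as UTF-16LE in what would be unallocated space."""
    img = bytearray(b"\xff" * (3 * chunk))
    img[100:107] = b"invoice"                  # allocated file content
    img[chunk - 3:chunk + 4] = b"INVOICE"      # crosses the chunk boundary at 4096
    u16 = "invoice".encode("utf-16-le")        # 14 bytes
    img[2 * chunk + 8:2 * chunk + 8 + len(u16)] = u16
    with open(path, "wb") as f:
        f.write(img)
    return path


def demo():
    workdir = tempfile.mkdtemp()
    try:
        image = build_sample_image(os.path.join(workdir, "evidence.dd"))
        return search_raw_image(image, ["invoice"])
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for offset, keyword, encoding in demo():
        print(f"offset {offset:>8}  {keyword!r} ({encoding})")
```

Log each hit with its absolute byte offset rather than a file name, then map the offset back to a file, its slack, or unallocated space with the file-system layout; that mapping is what supports the "document file names, dates and times" step and lets the hit be reproduced on the verified image.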
  31. Incident response: computer security incidents
  32. Why forensics?
     • Confirms or dispels whether an incident occurred
     • Promotes accumulation of accurate information
     • Establishes controls for proper retrieval and handling of evidence
     • Protects privacy rights established by law and policy
     • Minimizes disruption to business and network operations
  33. Why forensics? (continued)
     • Allows for criminal or civil action against perpetrators
     • Provides accurate reports and useful recommendations
     • Provides rapid detection and containment
     • Minimizes exposure and compromise of proprietary data
  34. Why forensics? (continued)
     • Protects your organization's reputation and assets
     • Educates senior management
     • Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)
  35. Cyber crime investigation lifecycle (diagram; stages listed in their usual order):
     • Incident awareness
     • Preliminary analysis
     • Image acquisition / recovery
     • Preliminary / detailed analysis
     • Containment
     • Final report
     • Presentation
     • Deposition / affidavit
     • Expert witness testimony
     • Consultation
     • Outcomes feeding back into prevention: prevention technologies, improved processes, new security policies, improved configurations