1
Cyber Forensics
The Fascinating World of Digital Evidence
2
Presented By
Shaikh Mohammed Alihasan & Shaikh Mohammed Faiz
Dept. of Computer Engineering
3
Cyber Forensics
• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer Forensics)
• Code Analysis
4
Cyber Forensics
The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.
5
Cyber Forensic Activities
Cyber forensics activities commonly include:
the secure collection of computer data
the identification of suspect data
the examination of suspect data to determine details such as origin and content
the presentation of computer-based information to courts of law
the application of a country's laws to computer practice.
6
The 3 As
The basic methodology consists of the 3 As:
– Acquire the evidence without altering or damaging the original
– Authenticate the image
– Analyze the data without modifying it
7
Context of Cyber Forensics
• Homeland Security
• Information Security
• Corporate Espionage
• White Collar Crime
• Child Pornography
• Traditional Crime
• Incident Response
• Employee Monitoring
• Privacy Issues
• ????
Digital Forensics
Cyber Forensics
A Brief Timeline
(Timeline figure spanning the 1970s, 1980s, 1990s, 2000, 2001, 2003 and 2008. Milestones shown: Cyber Crime Legislation; LE Investigative Units; International LE Meeting; 1st International Conference on CE; IOCE Formed; RCFL in USA; COE Convention on Cyber Crime; DFRWS; ASCLD/LAB-DE USA; ISO 17025; IOCE & SWGDE; AAFS Subsection?; Journals; Conferences.)
9
Crime Scenes
Physical Crime Scenes vs. Cyber/Digital Crime Scenes
Overlapping principles
The basics of criminalistics are constant across both physical and cyber/digital
Locard’s Principle applies
• “When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived”
10
Cyber Forensic Principles
• The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
11
Identification
The first step is identifying evidence and potential containers of evidence
More difficult than it sounds
Small scale devices
Non-traditional storage media
Multiple possible crime scenes
12
Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE
13
Collection: Documentation
Make sure to take photos and notes of all connections to the computer/other devices
14
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  • Preserves the original evidence
  • Prevents inadvertent alteration of original evidence during examination
  • Allows recreation of the duplicate image if necessary
15
Collection: Imaging
• Digital evidence can be duplicated with no degradation from copy to copy
• This is not the case with most other forms of evidence
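As an added worked example (not part of the original slides), the Acquire and Authenticate steps of the 3 As and the file-copy-versus-image point of the Collection: Imaging slides, run in Python against a constructed in-memory "device"; the sector layout, the sample contents and the hash-based authentication check are assumptions for illustration, not the presenters' procedure.

```python
import hashlib
import io
SECTOR = 512  # bytes per sector of the constructed device

def build_constructed_device() -> bytes:
    # Constructed 8-sector "disk" (sample data, not real evidence).
    dev = bytearray(8 * SECTOR)
    dev[0:16] = b"FAKE-PARTITION-T"                      # sector 0: partition table stand-in
    dev[SECTOR:SECTOR + 11] = b"hello world"             # sector 1: the one allocated file
    dev[5 * SECTOR:5 * SECTOR + 14] = b"deleted secret"  # sector 5: remnant in unallocated space
    return bytes(dev)

def logical_file_copy(dev: bytes) -> bytes:
    # What a plain file copy captures: the allocated file's bytes, nothing else.
    return dev[SECTOR:SECTOR + 11]

def acquire_image(src, dst, sector: int = SECTOR):
    # Acquire: read src sector by sector, write every byte to dst, hashing as we go.
    # src is only ever read; on a real medium it is the raw device, read-only, behind a write blocker.
    h = hashlib.sha256()
    sectors = 0
    while chunk := src.read(sector):
        h.update(chunk)
        dst.write(chunk)
        sectors += 1
    return sectors, h.hexdigest()

def authenticate(image: bytes, acquisition_hash: str, source: bytes) -> bool:
    # Authenticate: the image must hash to the value recorded at acquisition,
    # and that value must still match a fresh hash of the original.
    digest = lambda b: hashlib.sha256(b).hexdigest()
    return digest(image) == acquisition_hash == digest(source)

def has_unallocated_remnant(data: bytes) -> bool:
    # Analyze (read-only): does this copy still contain the unallocated remnant?
    return b"deleted secret" in data

def demo() -> dict:
    device = build_constructed_device()
    dst = io.BytesIO()
    sectors, acq_hash = acquire_image(io.BytesIO(device), dst)
    image = dst.getvalue()
    tampered = image[:-1] + b"\x01"  # a single altered byte in the last sector
    return {
        "sectors": sectors,
        "authentic": authenticate(image, acq_hash, device),
        "tampered_authentic": authenticate(tampered, acq_hash, device),
        "image_has_remnant": has_unallocated_remnant(image),
        "file_copy_has_remnant": has_unallocated_remnant(logical_file_copy(device)),
    }
```

The bit-for-bit image keeps the remnant in unallocated space and verifies against the acquisition hash, while the file-level copy loses it and a single altered byte fails authentication.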
16
Collection: Imaging
Write blockers
• Software
• Hardware
Hardware write blockers are becoming the industry standard
• USB, SATA, IDE, SCSI, SIM, Memory Cards
• Not BIOS dependent
• But still verify prior to usage!
17
Issues
Lack of certification for tools
Lack of standards
Lack of certification for professionals
Lack of understanding by the judiciary
Lack of curriculum accreditation
Rapid changes in technology!
Immature scientific discipline
18
Paths to Careers in CF
Certifications
Associate Degree
Bachelor Degree
Post Grad Certificate
Masters
Doctorate
19
Job Functions
CF Technician
CF Investigator
CF Analyst/Examiner (lab)
CF Lab Director
CF Scientist
20
Professional Opportunities
Law Enforcement
Private Sector
Intelligence Community
Military
Academia

CS426_forensics.ppt


Editor's Notes

  • #5 What are the important components?
  • #6 Application of laws very NB. Discuss this.
  • #7 Why are these so important?
  • #15 Never do anything that might inadvertently cause something to be written to the suspect’s original media.
  • #16 Whether analyzed on site or taken to the lab, it is essential to protect the integrity of the data. A duplicate image, also known as a bit-copy, image, or clone, is an exact, bit-for-bit copy of the source media. A duplicate image of a physical device will be a true, digital copy of the entire physical device, including partition tables, reserved areas, partitions and unused areas of the device. A duplicate image of a logical drive will be a bit-for-bit copy of the original logical drive, including Boot Record, FATs, Root Directory, Data Area, and Partition Slack.