Introduction to Computer Forensics
Acknowledgments

Dr. David Dampier and the Center for Computer Security Research (CCSR)
What is Forensics?

- Forensics is the art and study of argumentation and formal debate. It applies a broad spectrum of sciences to answer questions of interest to the legal system.
- Forensic science is the science and technology used to investigate and establish facts in criminal or civil courts of law.
Criminal Justice Fundamentals

How a case usually plays out:
- Law enforcement is notified of the crime
- Evidence is gathered (may require search warrants)
- Suspects are developed
- Interviews or interrogations are conducted
- Suspect is charged
- Case with evidence is turned over to the prosecutor
What is Computer Forensics?

- Computer forensics is forensics applied to information stored on or transported by computers.
- It “involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.”
- Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.
What is Computer Crime?

Three situations where you might find evidence on a digital device:
- Device used to conduct the crime
    - Child pornography/exploitation
    - Threatening letters
    - Fraud
    - Embezzlement
    - Theft of intellectual property
- Device is the target of the crime
    - Incident response
    - Security breach
- Device is used to support the crime
What is evidence in terms of Computer Forensics?

- Can be anything!
    - As small as a few bytes
    - Could be, and hopefully will be, complete files
        - Could be deleted
        - Could be encrypted
    - Likely will be fragments of files
        - A few words
        - A couple of sentences
        - Hopefully some paragraphs
    - Registry entries or log entries!
Where do we find it?

- Storage media
- RAM
- Log files
- Registry
How might the information be stored?

- Might be plain data with no hidden agenda
- The data could be encrypted
- Data could be hidden
- Could be hostile code
Data Encryption

Encrypting data could guard the data in two ways.
- Protect data
    - Use of ciphers
    - Files might need to be decrypted
    - The decryption program is generally stored fairly close to the file to be decrypted
    - Probably password protected
- Prove integrity
Data Hiding

- Data could be obfuscated
    Encryption is some method of modifying data so that it is meaningless and unreadable in its encrypted form. It also must be reasonably secure, that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation: data that is rendered unusable by some means but is not considered a serious form of encryption.
- Data could be compressed
- Data could be hidden in plain sight: innocent-looking data has an alternate meaning
- Data could be hidden within the file system
Data Hiding (contd.)

- Data could be hidden in a file
    - Steganography: the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message
    - Invisible names
    - Misleading names
    - No names
- Hidden data might not be in a file
    - Slack, swap, free space
- Removable media
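The slide's point that hidden data "might not be in a file" (slack space) and that evidence is often only "a few words" can be shown on a toy volume. This is an added example, not material from the slides: the six-cluster image, the 512-byte cluster size, the directory entry and the file contents are all constructed here.

```python
import re

CLUSTER_SIZE = 512  # constructed value; real file systems commonly use 4096


def allocated_size(logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes the file system actually reserves: the logical size rounded up
    to whole clusters."""
    return -(-logical_size // cluster_size) * cluster_size


def file_slack(image, start_cluster, logical_size, cluster_size=CLUSTER_SIZE):
    """Return the bytes between the file's logical end and the end of its last
    cluster. Normal file access never shows them, yet they stay on disk."""
    start = start_cluster * cluster_size
    end = start + allocated_size(logical_size, cluster_size)
    return bytes(image[start + logical_size:end])


def text_fragments(data, min_len=8):
    """Pull out printable ASCII runs, strings-style, so partial sentences of an
    overwritten file become visible even when no file record points at them."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_image():
    """Constructed toy volume of six clusters. An earlier file filled clusters
    2-3 and was deleted; a new 700-byte file was written over the same two
    clusters, so the last 324 bytes of cluster 3 still hold the old text."""
    image = bytearray(CLUSTER_SIZE * 6)
    old = b"the ledger totals were changed before the audit. "  # constructed
    image[2 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = (old * (1024 // len(old) + 1))[:1024]
    new = b"shopping list: milk, eggs, bread, coffee\n"  # constructed
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 700] = (new * (700 // len(new) + 1))[:700]
    # Directory entry an examiner would read from the file system metadata.
    return image, {"name": "list.txt", "start_cluster": 2, "logical_size": 700}


def recover_slack_fragments(image, entry):
    """Text an examiner recovers from the file's slack, not from the file itself."""
    slack = file_slack(image, entry["start_cluster"], entry["logical_size"])
    return text_fragments(slack)


if __name__ == "__main__":
    image, entry = build_sample_image()
    print(entry["name"], "slack fragments:", recover_slack_fragments(image, entry))
```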
Hostile Code

- Presume that any unknown code is hostile.
    - Guilty until proven innocent.
- Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile.
    - Remote access
    - Data gathering
    - Sabotage
    - Denial-of-service
    - Eluding detection
    - Resource theft
    - Circumvention of access control mechanisms
    - Social status
How do we go about the business of Computer Forensics?

Three A’s of Computer Forensics
- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.
Acquire the evidence

- How do we seize the computer?
- How do we handle computer evidence?
    - What is chain of custody?
    - Evidence collection
    - Evidence identification
    - Transportation
    - Storage
- Documenting the investigation
Authenticate the Evidence

- Prove that the evidence is indeed what the criminal left behind.
    - Contrary to what the defense attorney might want the jury to believe, readable text or pictures don’t magically appear at random.
    - Calculate a hash value for the data
        - MD5
        - SHA-1, SHA-256, SHA-512
Analysis

- Always work from an image of the evidence and never from the original.
    - Prevent damage to the evidence
    - Make two backups of the evidence in most cases.
- Analyze everything; you may need clues from something seemingly unrelated.
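The Authenticate and Analysis slides together describe one check: hash the original at acquisition, then prove each working copy matches before analysing it. This added example (not from the slides or any named toolkit) does that with the four algorithms the deck lists; the 4 KiB "image", the acquisition record and the two backups are constructed here.

```python
import hashlib
import hmac

# The four algorithms the slide lists; all are available in hashlib.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_image(image, algorithms=ALGORITHMS, chunk_size=1 << 16):
    """Digest an image once, feeding each chunk to every hasher, so a large
    image is read a single time rather than once per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(image)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(copy, acquisition_record):
    """Compare a working copy against the digests recorded at acquisition.
    Returns {algorithm: matched}; every value must be True before the copy
    is used for analysis. Constant-time comparison avoids leaking where two
    digests first differ."""
    current = hash_image(copy, acquisition_record.keys())
    return {name: hmac.compare_digest(current[name], expected)
            for name, expected in acquisition_record.items()}


def all_match(report):
    """True only if at least one algorithm was recorded and all of them agree."""
    return bool(report) and all(report.values())


# Constructed stand-in for a seized drive image: 4 KiB of bytes.
ORIGINAL = bytes(range(256)) * 16
# Digests taken at acquisition, before the original is sealed and stored.
ACQUISITION_RECORD = hash_image(ORIGINAL)
# Two backups: a bit-for-bit copy and one with a single flipped bit.
GOOD_BACKUP = bytes(ORIGINAL)
BAD_BACKUP = bytearray(ORIGINAL)
BAD_BACKUP[1000] ^= 0x01

if __name__ == "__main__":
    for label, copy in (("backup 1", GOOD_BACKUP), ("backup 2", BAD_BACKUP)):
        report = verify_copy(copy, ACQUISITION_RECORD)
        print(label, "OK" if all_match(report) else "MISMATCH", report)
```

A single flipped bit changes every digest, so the second backup fails on all four algorithms and must not be used for analysis.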
Tools

- Password crackers
- Hard drive tools
    - Fdisk on Linux
- Viewers
    - QVP
    - Diskview
- Thumbsplus
- Unerase tools
- CD-R utilities
- Text search tools
- Drive imaging
    - Safeback
    - Linux dd
- Disk wiping
- Forensic toolkits
- Forensic computers
Forensic Software

- Forensic Toolkit
- The Coroner’s Toolkit
- Sleuth Kit
- Encase
- ILook
Digital Crime Scene Investigation Process

No one right way to do it!

[Figure: System Preservation Phase -> Evidence Searching Phase -> Event Reconstruction Phase]
Carrier, B., page 5, Figure 1.1
Document info
Posted: 12/10/2011
Pages: 20