Introduction to Computer Forensics

Dr. David Dampier and the
Center for Computer Security Research

What is Forensics?

  - Forensics began as the art and study of argumentation and formal debate. In
    its modern sense it is the application of a broad spectrum of sciences to
    answer questions of interest to the legal system.
  - Forensic science is the science and technology used to investigate and
    establish facts in criminal or civil courts of law.
Criminal Justice Fundamentals

  How a case usually plays out:
    1. Law enforcement is notified of the crime
    2. Evidence is gathered (may require a search)
    3. Suspects are developed
    4. Interviews or interrogations are conducted
    5. Suspect is charged
    6. Case with evidence is turned over to
What is Computer Forensics?

  - Computer forensics is forensics applied to information stored or transported on
  - It “involves the preservation, identification, extraction, documentation, and
    interpretation of computer media for evidentiary and/or root cause analysis”
  - Procedures are followed, but flexibility is expected and encouraged, because
    the unusual will be encountered.
What is Computer Crime?

  - Three situations where you might find evidence on a digital device:
      - Device used to conduct the crime
          - Child pornography/exploitation
          - Threatening letters
          - Fraud
          - Embezzlement
          - Theft of intellectual property
      - Device is the target of the crime
          - Incident response
          - Security breach
      - Device is used to support the crime

What is evidence in terms of Computer Forensics?

  - Can be anything!
      - As small as a few bytes
      - Could be, and hopefully will be, complete files
          - Could be deleted
          - Could be encrypted
      - Likely will be fragments of files
          - A few words
          - A couple of sentences
          - Hopefully some paragraphs
      - Registry entries or log entries!

Where do we find it?

  - Storage media
  - RAM
  - Log files
  - Registry

How might the information be

  - Might be plain data with no hidden
  - The data could be encrypted
  - Data could be hidden
  - Could be hostile code

Data Encryption

  - Encrypting data can guard the data in two ways:
      - Protect data (confidentiality)
          - Use of ciphers
          - Files might need to be decrypted
          - The decryption program is generally stored fairly close to the file
            to be decrypted
          - Probably password protected
      - Prove integrity

Data Hiding

  - Data could be obfuscated.
    Encryption is a method of modifying data so that it is meaningless and
    unreadable in its encrypted form. It must also be reasonably secure: it must
    not be easily decrypted without the proper key. Anything less than that is
    obfuscation, data rendered unusable by some means but not considered a
    serious form of encryption.

  - Data could be compressed
  - Data could be hidden in plain sight:
    innocent looking data has alternate
  - Data could be hidden within the file system
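The distinction drawn above between obfuscation and encryption can be shown concretely. The following Python example is added here and is not from the slides: it recovers a single-byte-XOR "obfuscated" note by trying all 256 keys with no key material at all, then runs the same search against a keystream cipher and gets nothing. The plaintext, the key byte 0x5A, and the SHA-256-of-counter keystream (a constructed stand-in for a real cipher, not something to use in practice) are all assumptions of the example.

```python
"""Added example, not from the slides: obfuscation versus encryption.  The note,
the XOR key byte and the toy keystream cipher are all constructed for the demo."""
import hashlib

SECRET = b"Transfer 40000 to account 8821 before Friday, then wipe the laptop."


def xor_obfuscate(data, key_byte):
    """'Obfuscation': every byte XORed with the same key byte.  Reversible by
    anyone who tries all 256 keys, so the key adds no real protection."""
    return bytes(b ^ key_byte for b in data)


def keystream_encrypt(data, key):
    """Stand-in for a real stream cipher (constructed for the demo, not for use):
    keystream = SHA-256(key || counter) blocks.  Every keystream byte depends on
    the full key, so no single-byte guess undoes it.  The same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def text_score(candidate):
    """Crude 'looks like English' score: spaces and lowercase letters count for,
    non-printable bytes count heavily against."""
    score = 0
    for b in candidate:
        if b == 0x20:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
        elif (b < 0x20 and b not in b"\t\n\r") or b >= 0x7F:
            score -= 5
    return score


def brute_force_xor(blob):
    """Try every single-byte key; return (key, plaintext) for the best-scoring
    candidate, or None when nothing scores like text (as with real encryption)."""
    key, plain = max(((k, xor_obfuscate(blob, k)) for k in range(256)),
                     key=lambda kp: text_score(kp[1]))
    return (key, plain) if text_score(plain) > len(blob) // 2 else None


if __name__ == "__main__":
    print(brute_force_xor(xor_obfuscate(SECRET, 0x5A)))            # key and note recovered
    print(brute_force_xor(keystream_encrypt(SECRET, b"demo-key")))  # None
```

The scoring is deliberately crude; in practice an examiner would reach for frequency analysis or a tool's built-in decoders, but the point stands: the XOR "key" is recovered from the data alone, while the keystream output yields no candidate that scores like text.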
Data Hiding (contd.)

  - Data could be hidden in a file
      - Steganography: the science of writing hidden messages in such a way that
        no one apart from the sender and intended recipient even realizes there
        is a hidden message
      - Invisible names
      - Misleading names
      - No names
  - Hidden data might not be in a file at all
      - File slack, swap space, free (unallocated) space
  - Removable media
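File slack and deleted files are the two places in the list above where a normal file read shows nothing, which is why examiners work on the raw image rather than the live file system. The Python example below is added here and is not from the slides: it builds a small raw "disk" in memory (the 4 KiB cluster size, the toy directory standing in for a real file system, the file contents and the fake JPEG are all constructed) and shows a logical read missing the slack fragment, the slack read recovering it, and header/footer carving finding the deleted JPEG that has no directory entry at all.

```python
"""Added example, not from the slides: why an examiner reads raw clusters rather
than only the files the operating system lists.  Everything here is constructed
for the demonstration: a four-cluster 'disk' in memory, a toy directory in place
of a real file system, and a fake JPEG carrying only the real SOI/EOI markers."""

CLUSTER = 4096                # allocation unit of the constructed disk
JPEG_SOI = b"\xff\xd8\xff"    # JPEG start-of-image signature (real)
JPEG_EOI = b"\xff\xd9"        # JPEG end-of-image signature (real)


def build_disk():
    """Return (raw_image, directory) for the constructed scenario.

    Cluster 0   : live file report.txt, logical size 1000 bytes; the remaining
                  3096 bytes of the cluster still hold a fragment left by whatever
                  file used the cluster earlier (file slack).
    Clusters 1-2: a JPEG whose directory entry was deleted; bytes untouched.
    Cluster 3   : zeroed free space.
    """
    cluster0 = bytearray(CLUSTER)
    old_fragment = b"TO: bob -- move the 40000 before the audit. DELETE THIS MESSAGE."
    cluster0[1000:1000 + len(old_fragment)] = old_fragment      # residue in slack
    cluster0[:1000] = b"Quarterly report: all figures within budget.".ljust(1000, b".")

    fake_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x00" * 5000 + JPEG_EOI
    clusters_1_2 = fake_jpeg.ljust(2 * CLUSTER, b"\x00")

    raw = bytes(cluster0) + clusters_1_2 + bytes(CLUSTER)
    directory = {"report.txt": {"cluster": 0, "size": 1000}}   # the only live file
    return raw, directory


def read_live_file(disk, directory, name):
    """What an ordinary file read returns: the logical size only; slack is invisible."""
    e = directory[name]
    start = e["cluster"] * CLUSTER
    return disk[start:start + e["size"]]


def read_slack(disk, directory, name):
    """File slack: bytes between logical end-of-file and the end of the last cluster
    (contiguous allocation assumed in this toy layout)."""
    e = directory[name]
    last_cluster = e["cluster"] + max(e["size"] - 1, 0) // CLUSTER
    start = e["cluster"] * CLUSTER + e["size"]
    end = (last_cluster + 1) * CLUSTER
    return disk[start:end].rstrip(b"\x00")


def unallocated_clusters(disk, directory):
    """Cluster numbers no live file owns: where deleted data survives until reused."""
    used = set()
    for e in directory.values():
        first = e["cluster"]
        last = first + max(e["size"] - 1, 0) // CLUSTER
        used.update(range(first, last + 1))
    return [i for i in range(len(disk) // CLUSTER) if i not in used]


def carve_jpegs(disk):
    """Header/footer carving over the whole raw image, ignoring the directory."""
    found, pos = [], 0
    while True:
        start = disk.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = disk.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(disk[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)


if __name__ == "__main__":
    disk, directory = build_disk()
    print(read_live_file(disk, directory, "report.txt")[:44])
    print(read_slack(disk, directory, "report.txt"))
    print(unallocated_clusters(disk, directory))
    print([len(j) for j in carve_jpegs(disk)])
```

Carving by signature alone assumes the file is stored contiguously and that its footer appears before the next header; real carvers add size limits and format validation, but the principle is exactly this.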

Hostile Code

  - Presume that any unknown code is hostile: guilty until proven innocent.
  - Any code used by an unauthorized person to gain advantage or power over
    someone else should be considered hostile. Typical purposes:
      - Remote access
      - Data gathering
      - Sabotage
      - Denial-of-service
      - Eluding detection
      - Resource theft
      - Circumvention of access control
      - Social status
How do we go about the business
of Computer Forensics?

Three A’s of Computer Forensics
 Acquire the evidence without altering or
  damaging the original.
 Authenticate that your recovered
  evidence is the same as the originally
  seized data.
 Analyze the data without modifying it.

Acquire the evidence

 How do we seize the computer?
 How do we handle computer evidence?
     What is chain of custody?
     Evidence collection
     Evidence Identification
     Transportation
     Storage

   Documenting the Investigation

Authenticate the Evidence

  - Prove that the evidence is indeed what the criminal left behind.
      - Contrary to what the defense attorney might want the jury to believe,
        readable text or pictures don't magically appear at random.
      - Calculate a hash value for the data and record it at seizure time:
          - MD5
          - SHA-1, SHA-256, SHA-512
        MD5 and SHA-1 have published collision attacks, so record SHA-256 or
        stronger alongside any legacy digest; what you want to show is that the
        original and the working image match on every recorded algorithm.
  - Always work from an image of the evidence and never from the original.
      - Prevents damage to the evidence
      - Make two backups of the evidence in most cases
  - Analyze everything; you may need clues from something seemingly unrelated.
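The three A's as a runnable procedure. This Python example is added here and is not from the slides or from any of the tools they name: it images a constructed in-memory "device" chunk by chunk while hashing the bytes as they stream past, verifies the image against the digests recorded at acquisition, and only then searches the read-only image; a second run flips one byte of the image after acquisition and is shown failing authentication. The device contents, the keyword and the temporary-file layout are assumptions of the example.

```python
"""Added example, not from the slides: Acquire, Authenticate, Analyze in one script.
The 'device' is an in-memory byte string constructed for the demonstration; a real
acquisition would read a block device through a hardware write blocker."""
import hashlib
import io
import os
import tempfile

# Record more than one digest: MD5 and SHA-1 have published collision attacks, so
# a SHA-256 value belongs on the evidence form alongside any legacy hash.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_stream(stream):
    """Hash a file-like object in chunks; returns {algorithm: hexdigest}."""
    hashers = _new_hashers()
    stream.seek(0)
    for buf in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(buf)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(device, image_path):
    """Acquire: bit-for-bit copy of the device to an image file.  The source is
    hashed as it streams past, so the recorded digests describe exactly what was read."""
    hashers = _new_hashers()
    device.seek(0)
    with open(image_path, "wb") as out:
        for buf in iter(lambda: device.read(CHUNK), b""):
            for h in hashers.values():
                h.update(buf)
            out.write(buf)
    os.chmod(image_path, 0o444)        # the image is never written again
    return {name: h.hexdigest() for name, h in hashers.items()}


def authenticate(image_path, recorded):
    """Authenticate: the image must hash identically to the source on every algorithm."""
    with open(image_path, "rb") as f:
        return hash_stream(f) == recorded


def analyze(image_path, keyword):
    """Analyze: work only on the image; here a raw keyword search returning byte offsets."""
    with open(image_path, "rb") as f:
        data = f.read()
    hits, pos = [], data.find(keyword)
    while pos >= 0:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


def demo(tamper=False):
    """Run all three steps over the constructed device; with tamper=True one byte of
    the image is changed after acquisition so authentication fails.
    Returns (authenticated, keyword_offsets, recorded_digests)."""
    device = io.BytesIO(b"\x00" * 3000 + b"meet at the warehouse at 9" + b"\x00" * 2000)
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    recorded = acquire(device, image)
    if tamper:
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"\x01")
        os.chmod(image, 0o444)
    ok = authenticate(image, recorded)
    hits = analyze(image, b"warehouse") if ok else []   # never analyze an unverified image
    return ok, hits, recorded


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

On a real case the digests returned by acquire() go on the chain-of-custody form, and authenticate() is re-run before analysis starts and again before testimony; the second backup the slide calls for is simply a second acquire() to different media with the same recorded digests.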


  - Password crackers
  - Hard drive tools (e.g. fdisk on Linux)
  - Viewers (QVP, Diskview)
  - Thumbsplus
  - Unerase tools
  - CD-R utilities
  - Text search tools
  - Drive imaging (Safeback, Linux dd)
  - Disk wiping
  - Forensic toolkits
  - Forensic computers

Forensic Software

  - Forensic Toolkit
  - The Coroner's Toolkit
  - Sleuth Kit
  - Encase
  - ILook

Digital Crime Scene Investigation Process

  - No one right way to do it!
  - Three phases (Carrier, B., p. 5, Figure 1.1):
    System Preservation Phase -> Evidence Searching Phase -> Event Reconstruction Phase