Aug. 11, 2000 for
COMPUTER FORENSICS CAN BE MANY THINGS
- Corporate or University internal investigation
- FBI or (unlikely) Sheriff investigation
- Post Mortem or Damage
- Child Pornography
- Fraud
- Espionage & Treason
- Corporate or University Computer Security Policy Violation
Computer forensics ultimately supports or refutes a case someone cares to make.
FORENSICS IS A FOUR-STEP PROCESS
The four steps are acquisition, identification, evaluation and presentation; the slides that follow walk through them in reverse order, starting at the end.
Source: RCMP Technical Security Branch, Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm, by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)
PRESENTATION – Starting at the End
- Many findings will not be evaluated to be worthy of presentation as evidence.
- Many findings will need to examination by another
- The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
- The Chain of Custody may be
EVALUATION – What the Lawyers Do
- This is what lawyers (or those concerned with the case) do.
- Presentation of findings is key in this phase.
- Findings submitted for evaluation as evidence will be evaluated not only for content but for “chain of custody”.
IDENTIFICATION – Technical Analysis
- Opinion to support relevance of findings
- Handling and labeling of objects submitted for forensic analysis is key.
- Following a documented procedure is key.
FBI List of Computer Forensic Services
- Content (what type of data)
- Comparison (against known
- Extraction (of data)
- Deleted Data Files (recovery)
- Limited Source Code (analysis or compare)
- Storage Media (many types)
THE EVIDENCE LOCKER
- Restricted Access and Low Traffic
- Camera Video Surveillance & Long Play Video
- Baggies for screws and
- Sign In/Out for Chain of Custody
ACQUISITION – What Are the Goals?
- Track or Observe a Live
- Assess Extent of Live
- Preserve “Evidence” for
- Close the Holes and Evict the
- Support for Sheriff, State Police or FBI Arrest?
- Support for Court Ordered
GROUND ZERO – WHAT TO DO
- do not start looking through files (every file you open updates its access time and overwrites the very traces you are trying to preserve)
- start a journal with the date and time; keep detailed notes of every command you run and every object you touch
- unplug the system from the network if possible (this stops the intruder but also destroys live connection state, so record network connections first if that can be done safely)
- do not back the system up with dump or other backup utilities (they copy files, not the disk: deleted data and unallocated space are lost, and running them changes the system)
- if possible without rebooting, make two byte-by-byte copies of the physical disk (one to work on, one sealed as the reference; hash both images and record the hashes in the journal)
- capture network info (interfaces, routes, open connections)
- capture process listings and open files
- capture configuration information to disk and notes
- collate mail, DNS and other network service logs to support host data
- capture exhaustive external TCP and UDP port scans of the host
- contact security department or CERT/management/police or FBI
- if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
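The journal, the volatile-data capture and the two-image acquisition with hashes from the list above, as an added POSIX shell example that is not part of the slides or of any tool they reference. The "disk" is a constructed 1 MiB file standing in for a device such as /dev/sda, the list of commands captured and the file names are assumptions, and on a real system the dd and hashing binaries would come from trusted, statically linked media rather than the compromised host.

```shell
#!/bin/sh
# Added example, not from the slides. Journal every step, capture volatile
# state first, then image the disk twice and verify the images by hash.

WORK=${WORK:-$(mktemp -d)}
JOURNAL="$WORK/journal.txt"

log() {
    # Every action gets a timestamped journal entry; the journal is evidence too.
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$JOURNAL"
}

make_sample_disk() {
    # Constructed 1 MiB sample standing in for a physical device (assumption).
    dd if=/dev/urandom of="$WORK/sample.disk" bs=4096 count=256 2>/dev/null
    printf '%s\n' "$WORK/sample.disk"
}

capture_volatile() {
    # Volatile state first: one output file per command, each hashed and
    # journaled. Commands not installed on this host are skipped.
    # Prints the number of captures taken. (Command list is an assumption.)
    out="$WORK/volatile"; mkdir -p "$out"; n=0
    for cmd in 'uname -a' 'date' 'ps -ef' 'netstat -an' 'ss -anp' 'lsof -n' \
               'ip addr' 'ip route' 'arp -an' 'mount' 'df -k'; do
        bin=${cmd%% *}
        command -v "$bin" >/dev/null 2>&1 || continue
        f="$out/$(printf '%s' "$cmd" | tr ' /' '__').txt"
        $cmd > "$f" 2>&1 || true
        log "captured '$cmd' -> $f sha256 $(sha256sum "$f" | cut -d' ' -f1)"
        n=$((n + 1))
    done
    echo "$n"
}

image_disk() {
    # $1 = source device or file, $2 = output image. conv=noerror,sync keeps
    # reading past bad blocks and zero-pads them so offsets in the image still
    # match the original. Prints the image's sha256.
    log "dd if=$1 of=$2 bs=4096 conv=noerror,sync"
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>>"$JOURNAL"
    sha256sum "$2" | cut -d' ' -f1
}

acquire() {
    # Two independent byte-by-byte copies: one to work on, one sealed.
    # On a quiescent (unmounted or read-only) device all three hashes agree;
    # if the device is still being written the source hash will legitimately
    # drift, which is one more reason to take the system offline first.
    src=$1
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    log "source $src sha256 $h_src"
    h1=$(image_disk "$src" "$WORK/image1.dd")
    h2=$(image_disk "$src" "$WORK/image2.dd")
    log "image1 $WORK/image1.dd sha256 $h1"
    log "image2 $WORK/image2.dd sha256 $h2"
    if [ "$h_src" = "$h1" ] && [ "$h1" = "$h2" ]; then
        log "VERIFIED: both images match the source"
        echo ok
    else
        log "MISMATCH: images differ from the source or from each other"
        echo mismatch
    fi
}

# Stand-alone run: sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    disk=$(make_sample_disk)
    echo "volatile captures: $(capture_volatile)"
    echo "disk acquisition: $(acquire "$disk")"
    echo "journal: $JOURNAL"
fi
```

The journal records the exact dd invocation, dd's own record counts and the hash of every artifact, which is what the evaluator will be asked to defend later; the hashes let the sealed reference copy prove the working copy was never altered.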
REFERENCES
- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner’s Page: Forensic Analysis, Building Honeypots
- Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services.
- Solaris Fingerprint Database for cryptographic comparison of system
- Inspecting Your Solaris System and Network Logs for Evidence of
Thank you …
… very much, MIT!