Digital Forensics
 Brett Garrison
Quick Facts
   More than 90% of today's information is created and stored or processed electronically.
   More than 70% of it is never printed or produced as a hard copy.
   Information can be erased, moved around, or hidden with ease.
   A good forensic examiner can restore or find this missing information.
   Using computer science to aid in the legal process and to conduct investigations.
       Gathering data for evidence
       Aiding police investigations
       Recovering data
       Providing testimony in court
       Gathering any other information that can be found on digital or electronic media.
   Information gathered can be audio, video, or graphical.
   Computer systems
   PDAs
   Cell phones
   USB drives
   CD-ROMs
   Laptops
   Any other storage
When is digital forensics used?
   Property disputes
   Contract disputes
   Fraud or
   Wrongful termination
   Sexual harassment
   Medical malpractice
What do they do?
   Forensics experts extract both visible and invisible computer data.
   More than simply data recovery:
       Locate data throughout the system
       Recover data
       Responsible for maintaining the integrity of the information found, preventing damage, data corruption, or virus exposure. (All data must be acceptable for use in a court of law.)
   Results of a forensic investigation must be reproducible in such a way that the information is authenticated and reliable.
   Work closely with law enforcement, government officials, and
   Must be well-versed in relevant case law.
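The integrity and reproducibility requirements above are met in practice by hashing the acquired image at acquisition time and re-hashing every working copy before and after analysis; the two digests must match or the copy is not the evidence. The following example is added here and is not from the slides: it performs that check with SHA-256 in Python, and the image bytes, label and "stages" are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for an acquired disk image. Real images are gigabytes,
# so the digest is computed over fixed-size chunks rather than one big read.
SAMPLE_IMAGE = bytes(range(256)) * 8 + b"case-file contents (constructed sample)" + b"\x00" * 300


def hash_image(data: bytes, chunk_size: int = 4096) -> str:
    """SHA-256 of the whole image, streamed chunk by chunk."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


@dataclass
class EvidenceRecord:
    """The acquisition hash plus every later verification, as it would be
    written into the examiner's notes."""
    label: str
    sha256: str
    verifications: list = field(default_factory=list)  # (stage, passed) pairs


def acquire(data: bytes, label: str) -> EvidenceRecord:
    """Hash the image once at acquisition; this value is the reference."""
    return EvidenceRecord(label=label, sha256=hash_image(data))


def verify(data: bytes, record: EvidenceRecord, stage: str) -> bool:
    """Re-hash a copy and log the outcome; one changed bit fails the check."""
    passed = hash_image(data) == record.sha256
    record.verifications.append((stage, passed))
    return passed


def flip_bit(data: bytes, offset: int) -> bytes:
    """Modify one bit; stands in for accidental or deliberate alteration."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    record = acquire(SAMPLE_IMAGE, "constructed-image-001")
    print("acquisition hash:", record.sha256)
    print("working copy intact:", verify(SAMPLE_IMAGE, record, "before analysis"))
    print("altered copy intact:", verify(flip_bit(SAMPLE_IMAGE, 2100), record, "altered copy"))
```

The logged (stage, result) pairs are what makes the result reproducible: anyone with the image and the recorded digest can repeat the check. MD5 was used for this historically; SHA-256 is the usual choice now because collisions for MD5 are practical.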
Data Recovery
   A skilled forensic worker can recover all of the files on a computer or storage device.
       Active files
       Invisible files
       Deleted but remaining files
       Hidden files
       Encrypted files
       Password-protected files
   Most information that is gathered is undetectable or unviewable to the average computer user.
Data Recovered
   Digital forensic practitioners are generally concerned with three types of data:
      Active data: information that is readily available and easily accessed on the computer. Ex: programs, files, and other data used by the operating system.
      Archival data: data that has been backed up and stored. Ex: hard disks, CDs, USB drives.
      Latent or ambient data: data that requires special tools or skills to retrieve. Ex: data that has been overwritten or deleted.
Steps for Investigating an Electronic Device
Step 1
   All files that have been deleted or have not yet been overwritten are recovered.
      Computers constantly write data to the hard drive when in use. The operating system overwrites data on the hard drive that is no longer needed or used.
      This data can be retrieved if not completely
Step 2
   All data found in special or inaccessible areas of the device is analyzed.
       Areas of the disk that are not currently in use, but have had data previously stored on them.
       Slack space: unused space at the end of a file where previously created information could be stored.
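Steps 1 and 2 both rest on the same property of file systems: deleting a file removes its directory entry, not its bytes, and a new file that reuses the space overwrites only as much as it needs. The example below is added here and is not from the slides or any real tool. It builds a constructed toy volume (64-byte clusters, eight of them; the memo text is made up) in Python, writes and deletes a file, lets a smaller file reuse part of its space, and then recovers what is left from the unallocated clusters and from the new file's slack space, including a simple printable-string carve. It goes slightly beyond the slide by showing the partial overwrite and the carving step together.

```python
import re
from dataclasses import dataclass, field

CLUSTER_SIZE = 64   # allocation unit in bytes; tiny so the whole volume fits on screen
CLUSTER_COUNT = 8   # total volume size: 512 bytes


@dataclass
class ToyVolume:
    """A minimal cluster-based volume: raw bytes plus an allocation table.
    Deleting a file only removes its table entry, as real file systems do;
    the bytes stay on disk until another file reuses the clusters."""
    image: bytearray = field(default_factory=lambda: bytearray(CLUSTER_SIZE * CLUSTER_COUNT))
    table: dict = field(default_factory=dict)   # name -> (cluster list, length in bytes)

    def free_clusters(self) -> list:
        used = {c for clusters, _ in self.table.values() for c in clusters}
        return [c for c in range(CLUSTER_COUNT) if c not in used]

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // CLUSTER_SIZE)        # ceiling division
        free = self.free_clusters()
        if needed > len(free):
            raise OSError("volume full")
        clusters = free[:needed]                      # lowest free clusters first
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes are written: the tail of the last cluster
            # keeps whatever was there before. That tail is the slack space.
            self.image[start:start + len(chunk)] = chunk
        self.table[name] = (clusters, len(data))

    def delete_file(self, name: str) -> None:
        del self.table[name]                          # data is not wiped


def slack_space(vol: ToyVolume, name: str) -> bytes:
    """Bytes between the logical end of a file and the end of its last cluster."""
    clusters, length = vol.table[name]
    if not clusters:
        return b""
    used_in_last = length - (len(clusters) - 1) * CLUSTER_SIZE
    start = clusters[-1] * CLUSTER_SIZE + used_in_last
    end = (clusters[-1] + 1) * CLUSTER_SIZE
    return bytes(vol.image[start:end])


def unallocated_space(vol: ToyVolume) -> bytes:
    """Contents of every cluster that no live file points to."""
    return b"".join(bytes(vol.image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                    for c in vol.free_clusters())


def carve_strings(data: bytes, min_len: int = 8) -> list:
    """Pull printable ASCII runs out of raw bytes, like the 'strings' tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_scenario():
    """Write a memo, delete it, then let a smaller file reuse its first cluster."""
    vol = ToyVolume()
    memo = (b"MEMO (constructed sample): delete the Q3 invoice folder before the auditors "
            b"arrive on Monday. Copy the spreadsheet to the USB drive first. -- sender")
    vol.write_file("memo.txt", memo)                 # occupies clusters 0, 1, 2
    vol.delete_file("memo.txt")                      # table entry gone, bytes remain
    vol.write_file("notes.txt", b"todo: buy milk")   # reuses cluster 0, first 14 bytes only
    return vol, memo


if __name__ == "__main__":
    vol, memo = build_scenario()
    print("live files:", list(vol.table))
    print("slack of notes.txt:", carve_strings(slack_space(vol, "notes.txt")))
    print("unallocated:", carve_strings(unallocated_space(vol)))
```

The first 14 bytes of the memo are gone for good (Step 1's "not completely overwritten" caveat); the rest of its first cluster survives as slack behind notes.txt and the remaining two clusters survive as unallocated space (Step 2). Real tools do the same thing against FAT, NTFS or ext4 structures instead of this toy table.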
Final Step
   Report the analysis of the device or
     Provide copies of data collected
     Arranged into support for legal theories or
   Often provide expert testimony or advice when necessary.
Tools Used
   Light analyzers
        Tools that analyze lighting allow forensics practitioners to determine if a photo has been tampered with.
   WinHex
        Data recovery
   Microsoft Log Parser
        Extracts information from almost any format.
   PMDump
        Dumps the memory contents of a process into a file without stopping the process.
Famous Cases Solved with Digital
   Chandra Levy
        Last seen alive on April 23,
        Digital forensics led to the discovery that someone had conducted an internet search for Rock Creek Park's Klingle Mansion, near Washington,
        Police scoured the area and a man walking his dog found Levy's remains on May 22, 2002, approximately one year later, confirming that the case was in fact a homicide.
Famous Cases
   Dennis Rader
       Known as the BTK killer in the Wichita, KS area.
       Murdered 10 people between 1974 and 1991.
       Communicated with police through letters for years. Sent a message on a floppy disk in February 2005.
       Examination of the disk's properties revealed the words "Dennis" and "Christ Lutheran
       DNA tests confirmed him as a match and he was arrested 9 days later.
       Rader was planning his first murder since 1991.
   Digital forensics is a very high-tech field.
   Can be expensive.
   Has immense potential in law enforcement, and especially in the future of law enforcement.
   Field grows in leaps and bounds every
