Design Document for Implementing a Digital Forensics Laboratory
Version 1.00
Group CNWIS-G4
Department of Computer Science and Engineering, University of Moratuwa
Project Supervisor: Dr Chandana Gamage
Project Members: Kumarage H.D., Alles W.M.H.M., Buddhika R.A.P., Wijayapala M.H.V.L.A.
TABLE OF CONTENTS

1. Introduction
   1.1 What is Forensics?
   1.2 Digital Forensics
   1.3 Proposed Project
2. System Design
   2.1 Target Environment
   2.2 Basic Components of the System
       Digital Forensics Framework
       Digital Forensics Website
       Documentation of forensics analyzing tools and user guides
       Policies and procedures
       Software Tools
   2.3 Component Interaction of the System
       2.3.1 Website interaction with the user
       2.3.2 Forensics analyzer's interaction with the framework
       2.3.3 Modified / created software tools and interaction with the forensics investigator
3. System Implementation
   3.1 Framework Implementation
       3.1.1 Research work
       3.1.2 All in one forensics framework
       3.1.3 Data collection and analysis
       3.1.4 Report generator system
   3.2 Dark Lab Website Implementation
   3.3 Documentation of Software Tools, Rules and Policies
   3.4 Development of Software Tools
4. Glossary
TABLE OF FIGURES

Figure 1 - DF lab website use case
Figure 2 - Forensics framework use case
Figure 3 - Forensics framework activity diagram
Figure 4 - Scalpel front end use case
Figure 5 - Scalpel front end main window
Figure 6 - New file carve project window
Figure 7 - Select file types window
Figure 8 - Set output directory window
Figure 9 - Forensics framework
Figure 10 - Investigation sample report part 1
Figure 11 - Investigation sample report part 2
Figure 12 - Component diagram (Framework)
Figure 13 - Component diagram (Website)
1. Introduction

1.1 What is Forensics?

Forensics is the application of a wide range of sciences to answer questions that matter to the legal system and the legal process. The question may concern a crime, or any event for which evidence is needed to establish a legally defensible account. Beyond its ties to the legal system, forensics supplies a clear and well documented methodology, a framework in which the authentication of an object or event can be examined and trusted even by parties outside the legal process.

The need for forensics arises from the evidence collected about the object or event that requires authentication. Evidence is inherently unreliable and nothing about it is absolutely certain. It is the forensic analysis that, through a systematic methodology, logically determines the degree of confidence that can be assigned to the object or event. Forensics is therefore the art of reaching trusted inferences from a collection of untrusted sources by the methodical application of scientific reasoning to the evidence.

Throughout history forensic methods have been used to authenticate events, from the Eureka legend of Archimedes, where density measurements were used, to the first use of a fingerprint attributed to the Arabic merchant Suleiman, to modern DNA matching and packet analysis in data networks. Forensics continues to provide the logical reasoning methodologies for analyzing evidence and evaluating the authenticity of, and the degree of confidence that can be placed in, a particular belief.

1.2 Digital Forensics

Also known as computer forensics, this is the branch of forensics that deals with the analysis of evidence obtained from computers and digital storage media. A digital forensics investigation explains the current state of the digital evidence gathered, including the specifics of the data it contains and the sequence of events that might have occurred for it to reach that state. The digital evidence might have been used to commit or aid a physical crime, or it might record a digital event that violated a policy or law. An example of the first case is a suspect who used the internet to obtain information that aided in committing the crime; an example of the second is a user who gains unauthorized access to a computer system and affects the integrity, confidentiality or availability of its information or services. In a digital investigation, therefore, hypotheses are developed to answer questions about digital events, and scientific methods are applied to the digital evidence to support or refute them.

Some of the cases where digital forensics is needed within a proper legal framework and methodology are:

- Analyzing computer systems and other digital devices belonging to defendants in criminal cases.
- Analyzing a computer system after an unauthorized break-in.
- Gaining information about how computer systems work, for debugging, performance optimization or reverse engineering.
- Recovering data in the event of a hardware or software failure.

Comparing the digital forensics process with physical forensics, some contrasts can be drawn. Physical forensics focuses mainly on the identification and individualization of objects through comparison and reasoning. Computer forensics focuses on finding the relevant digital evidence and analyzing it, so it has more in common with a general crime scene investigation than with the physical forensics process. A digital forensics investigation is therefore a process that uses science and technology to analyze digital objects and to develop and test theories that can be validated in a court of law. Digital forensics thus provides the basic methodologies and framework for gathering digital data and analyzing it to build and test hypotheses pertaining to the event.
1.3 Proposed Project

The increasingly globalized world is being reshaped on every front by the exponential use of technology, and the core force driving this change is computer and information technology. As Sri Lanka positions itself as a hub in the emerging worldwide information technology market, there is an ever growing need to address the security aspects of the IT industry in Sri Lanka. An organization is therefore needed that deals with these needs, provides the relevant digital forensics framework and methodologies, and acts as the front line in identifying, preventing and solving cyber crime.

This project will implement a laboratory environment that can carry out digital forensics investigations in a well organized and efficient manner, bound to the underlying legal framework. The following services will be provided through the completion of this project:

- A consistent and standardized framework for digital forensic investigations
- A set of standardized digital forensic tools
- Mechanisms to apply and extend these tools to cater for future technologies
- A generalized procedure to correctly investigate cyber crime
- A website to report cyber crime and a report system to analyze the evidence
- A comprehensive archive of reported attacks and solutions together with the relevant methodologies

The main requirements for this project in the areas of hardware, software and other performance related aspects are:

- Interface converters, storage devices, optical drives, hubs and plug and play Wi-Fi network cards
- Software tools for mirror imaging, file carving, hashing and memory dumping
- Tools for TCP scanning, port scanning and wireless network analysis
- Operating system log scanning tools
- Access to relevant information, and inter-department and inter-agency cooperation
- Proper safeguards and access control methodologies
- Secure storage and reporting framework

The final outcome of this project will therefore be a procedure to be followed in a lab environment, including specifications for gathering evidence from the affected digital equipment, preserving the original samples unaltered, analyzing the obtained evidence, and reaching and presenting conclusions about the attack to the relevant parties. The project is responsible for defining and assembling the hardware and software tools required to carry out forensics investigations. The operational policies of the lab will also be specified to make sure the lab work meets the standards of this field.
2. System Design

2.1 Target Environment

The target environment for the digital forensics framework is Windows and Linux. In addition, the front end file carving application can carve files irrespective of the file system.

2.2 Basic Components of the System

The implementation of the digital forensics lab delivers several components as the end product. They are described below.

Digital Forensics Framework

This is the main component of the project. The forensics framework is a collection of software tools that helps a forensics investigator to perform the required tasks: collecting evidence, storing and transferring evidence, analyzing evidence, and generating a report.

Digital Forensics Website

A website will be developed to serve both the forensics lab staff and customers. A customer can report a computer crime through the website, keep track of the case through the website and finally receive a full report.

Documentation of forensics analyzing tools and user guides

It is not reasonable to assume that the forensics investigator is a highly technical person who can use the framework without any trouble or mistakes. Documentation of the framework and the software tools it includes, and proper user guides, will therefore be prepared by us so that the investigator can quickly become familiar with the framework and the process. This component will provide:

- Documentation paperwork
- User guide paperwork and tutorials

Policies and procedures

In addition to the documentation of tools and user guides, certain protocols have to be maintained during an investigation. These will help to:

- Ensure trust between the customer and the forensics investigator
- Avoid misuse of sensitive data
- Avoid lost or stolen data falling into the wrong hands
- Maintain a proper investigation

Software Tools

The forensics framework consists of a number of software tools that perform different kinds of forensic analysis. It is an objective of the project to research existing software tools and modify them where necessary to match our needs. The number of tools we have to modify may grow over time; so far we have identified two such requirements:

1. Develop a front end GUI application for the Scalpel file carving tool.
2. Develop an application that analyzes an image and identifies whether it has been tampered with.

These are the currently identified requirements and they may increase with time.
2.3 Component Interaction of the System

This part of the document describes the interaction of the components with users. Diagrams are provided where needed to give a clear understanding.

2.3.1 Website interaction with the user

The DF lab website lets the customer / victim report a computer crime. The forensics organization then uses the website to tell the customer the date and time at which it will come to collect the evidence data. The user can also check the status of the case and finally obtain a report covering the full case. Report generation is done by the forensics framework, and the report is made available via the website to that user only. A use case diagram for the digital forensics website is given below.
Figure 1 - DF lab website use case (actor: Customer; system: DF lab website; use cases: Report a crime, Check the ongoing status, Get the final report, Print; {Set required parameters})
2.3.2 Forensics analyzer's interaction with the framework

The forensics analyzer plays an important role in collecting and analyzing evidence and in preparing the report for the computer crime scenario. He must make sure there are no loopholes in the way these tasks are performed; otherwise, whatever the report claims, the suspect can exploit such gaps in court. To ensure that the evidence collected (typically a clone of a hard drive) is a bit-for-bit copy of the original, he can compare a hash value of the image with that of the original data; the comparison should be recorded, since it is what later shows that the image was not altered. The framework will be configured to support the required functionality. Before starting a case the investigator has to fill in some information about the case and the people involved. The interaction between the forensics investigator and the framework is given as a use case diagram below.
Figure 2 - Forensics framework use case (actor: Forensics Analyser; system: Digital Forensics Framework; use cases: Start a case, Choose category, Collect evidence, Secure transfer to remote location, Analyze, Generate report)
A description of each stage is given below.

- Start a case: fill in information about the parties involved and other useful data.
- Choose category: live analysis, network analysis or offline data analysis.
- Collect evidence: evidence is collected according to the chosen category, e.g. a clone of the victim's hard drive in offline data analysis, or the traffic received and sent in network analysis.
- Secure transfer: if there is no media to carry the evidence, or if it is too risky to carry sensitive data, the analyzer can transfer the evidence to the forensics lab using an encrypted scheme.
- Analyze and generate report: analyze the collected data and generate a report. The framework generates a report with the raw information and the forensic analyzer completes it.

An activity diagram for the framework's interaction with the forensics analyzer is given below.
Figure 3 - Forensics framework activity diagram
2.3.3 Modified / created software tools and interaction with the forensics investigator

Various software tools will be used to meet the framework's requirements. Some of them are not user friendly or have no GUI version. In such cases these open source tools will be modified to match our needs. Two of the currently identified needs are a front end application for the Scalpel file carving tool, and an image analyzer that determines whether a digital image has been tampered with by a third party.

Scalpel file carving tool

Scalpel is a powerful file carving tool that can recover deleted data from the unallocated space of a hard drive. One of its best features is that it recovers data irrespective of the underlying file system (FAT, FAT32, NTFS, ext3, etc.), because it searches the raw bytes for known file headers and footers rather than walking file system structures. The flip side is that a carved file has no name, timestamps or ownership, and a header matched to the wrong footer, or a fragmented file, yields a false or partial hit, so carved output still has to be validated. Scalpel has a very poor interface for the end user: it has to be run from the command line and its configuration file has to be edited manually every time, which is tedious. A front end GUI application will therefore be developed to make it easier to use. A use case diagram for the front end application is given below.
Figure 4 - Scalpel front end use case (actor: forensics Analyzer; system: Scalpel frontend software tool; use cases: Start a case, Choose partition, Set the file types, Get restored files; {Set parameters})
The developed application will look like the following figures.

Main application window

Figure 5 - Scalpel front end main window

The user can create a new analysis, open and reload a previous session, save the current session (configuration details only), print a report, etc.

Set configurations window

Figure 6 - New file carve project window

This window allows the user to set the required options such as the disk, sector block size and partition.

Set configurations window

Figure 7 - Select file types window

The file types to be carved are set here. This creates the configuration file that is fed to the Scalpel back end.

Set output directory window

Figure 8 - Set output directory window

The user has to set the output directory where the recovered files are saved.
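As an added example (not the project's front end code), the Python below shows the two things the Select file types window and the Scalpel back end together have to do: write scalpel.conf lines from a table of header/footer signatures, and carve by header and footer over raw bytes, which is why the result does not depend on the file system. The signature table is a small subset of the entries in a standard scalpel.conf; the carving loop is a simplified re-implementation for illustration and is not Scalpel itself; the output file naming (<offset>.<ext>) and the sample "unallocated space" bytes are constructed assumptions.

```python
"""Added example, not the project's code: generate scalpel.conf lines for
selected file types and carve by header/footer over raw bytes."""
import os
import tempfile

# Subset of scalpel.conf entries: ext -> (case_sensitive, max_size, header, footer).
SIGNATURES = {
    "jpg": ("y", 200_000_000, b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": ("y", 5_000_000, b"GIF8", b"\x00\x3b"),
    "png": ("y", 20_000_000, b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": ("y", 5_000_000, b"%PDF", b"%%EOF"),
}


def _escape(sig):
    """Render a signature as scalpel.conf expects: ASCII letters, digits and
    '%' as themselves, everything else as \\xNN."""
    out = []
    for b in sig:
        if (b < 0x80 and chr(b).isalnum()) or b == 0x25:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def scalpel_conf(selected):
    """Text of a scalpel.conf restricted to the chosen extensions
    (what the 'Select file types' window has to emit)."""
    lines = ["# generated by the Scalpel front end (illustrative)"]
    for ext in selected:
        case, size, head, foot = SIGNATURES[ext]
        lines.append("%s\t%s\t%d\t%s\t%s" % (ext, case, size, _escape(head), _escape(foot)))
    return "\n".join(lines) + "\n"


def carve(data, selected):
    """Header/footer carve over raw bytes; no file system structures are
    consulted, so deleted files in unallocated space are found too.
    Returns (ext, offset, length) tuples sorted by offset.  A header with no
    footer inside max_size is carved to max_size (Scalpel's own behaviour)."""
    hits = []
    for ext in selected:
        _, size, head, foot = SIGNATURES[ext]
        pos = data.find(head)
        while pos != -1:
            end = data.find(foot, pos + len(head), pos + size)
            if end != -1:
                length = end + len(foot) - pos
            else:
                length = min(size, len(data) - pos)
            hits.append((ext, pos, length))
            pos = data.find(head, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def carve_to_dir(data, selected, outdir):
    """Write every hit as <offset>.<ext> under outdir (naming is an assumption)."""
    written = []
    for ext, off, length in carve(data, selected):
        name = "%08d.%s" % (off, ext)
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data[off:off + length])
        written.append(name)
    return written


def demo():
    """Constructed 'unallocated space': zero filler holding a tiny GIF, a tiny
    PDF and a JPEG whose footer was overwritten (exercises the max_size fallback)."""
    filler = b"\x00" * 64
    gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x3b"            # 12 bytes
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"                    # 32 bytes
    jpg_head_only = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 20  # 29 bytes, no EOI
    data = filler + gif + filler + pdf + filler + jpg_head_only + filler
    selected = ["gif", "pdf", "jpg"]
    with tempfile.TemporaryDirectory() as d:
        files = carve_to_dir(data, selected, d)
    return {"conf": scalpel_conf(selected), "hits": carve(data, selected), "files": files}


if __name__ == "__main__":
    result = demo()
    print(result["conf"])
    for hit in result["hits"]:
        print(hit)
```

The JPEG hit in the demo is carved to the end of the buffer because its footer is gone; that is exactly the kind of output that must be validated (by opening it, or by the structural checks in section 3.4) before it goes into a report.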
2.4 Design parameters

Most of the time the forensics investigator deals with highly confidential and sensitive data. Encryption is mandatory when evidence data is taken from place to place, so that if the media is stolen the data is of no value to the thief. Encryption protects confidentiality only; the integrity of the evidence is shown separately by the hash values recorded at acquisition.

Framework requirements: the framework will be tested on case studies to ensure that the original data cannot be altered in any way.

Forensics investigator's responsibilities: he must make sure that NO physical damage is done to the original data sources and that they are handled with extreme care. Since this is not a software or hardware design parameter, it will be covered in the documented policies.

The next part of this document describes the system implementation details.
3. System Implementation

3.1 Framework Implementation

Implementation of the digital forensics framework is divided into several stages on the time line. Each is described briefly below.

3.1.1 Research work

Research areas:
- Live system analysis (completed)
- Offline analysis (in progress)
- Network analysis
- Existing forensics frameworks and their features

Purpose: to gain an understanding of forensics, identify the available tools, become familiar with them, identify what they lack and improve them.

Outcome: documentation of the research work.

3.1.2 All in one forensics framework

This is an important part of the project. A forensics investigation first collects the evidence, then analyzes it, and finally produces a report. Within this process, collection and analysis play two different roles: the person who collects the evidence may not be the one who analyzes it, and, most importantly, the evidence is not analyzed at the time it is collected. Our framework therefore has two separate sections:

- Evidence collector's framework
- Forensics analyzer's framework

Evidence collection includes recording information about the parties involved, acquiring the evidence, and securely transferring it to storage for later analysis. Forensics analysis includes data analysis and report generation. We are following the approach of an existing forensics framework, Helix. The framework we develop will be similar to the picture below.

Figure 9 - Forensics framework
3.1.3 Data collection and analysis

Concerns in data collection: on-site data collection, and verifying with the client that the original data sources have not been altered by the framework and that a bit-for-bit copy of the original data has been taken.

Implementation:
- Verify that the MD5 hash of the acquired data matches that of the original (a software tool will be developed for this). MD5 alone is no longer collision-resistant, so a stronger hash such as SHA-256 should be recorded alongside it.
- Encryption will be used when transporting data. For a network transfer from the client site to the forensics lab, a Netcat server and client pair will be used inside an encrypted channel (Netcat itself sends in clear text). Otherwise the evidence data will be encrypted so that it can be carried by hand without major risk. These encryption schemes will be put in place by us, built on standard, reviewed ciphers and tools rather than custom cryptography.

Concerns in analysis: receiving the evidence stored on the lab's FTP server and performing the analysis. Plain FTP carries credentials and data in clear text, so the server must be reachable only from within the lab network or be replaced by an encrypted transfer. The analysis part of the framework will meet this requirement.

3.1.4 Report generator system

The report system generates a report based on the analysis performed. The final report generated by the framework will look similar to the following.
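As an added example that is not part of the design document, the Python below implements the check described in sections 2.3.2 and 3.1.3: a bit-for-bit acquisition that hashes the stream as it is read, a recomputation of the hashes over the written image, and a later verify() against the recorded manifest. It assumes the source "device" is an ordinary file (a real run reads the block device behind a hardware write blocker) and that the manifest layout is illustrative; MD5 is kept for compatibility with existing tool output and SHA-256 is recorded alongside it.

```python
"""Added example, not the project's tool: acquire with hash-on-the-fly,
re-hash the image, and verify it later against the recorded manifest."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20                  # 1 MiB reads keep memory flat on large sources
HASHES = ("md5", "sha256")       # MD5 for tool compatibility, SHA-256 for collision resistance


def hash_file(path):
    """Return {algorithm: hexdigest} for every algorithm in HASHES, reading once."""
    hs = {a: hashlib.new(a) for a in HASHES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire(source, image):
    """Bit-for-bit copy of `source` into `image`, hashing the stream as it is read.
    Returns a manifest: hashes of the source stream, hashes recomputed from the
    written image, and whether the two agree."""
    hs = {a: hashlib.new(a) for a in HASHES}
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    stream_hashes = {a: h.hexdigest() for a, h in hs.items()}
    image_hashes = hash_file(image)
    return {
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "bytes": size,
        "stream": stream_hashes,
        "image_hashes": image_hashes,
        "verified": stream_hashes == image_hashes,
    }


def verify(image, manifest):
    """Re-hash an image (e.g. on arrival at the lab) and compare with the manifest.
    Every algorithm must match; a single mismatch rejects the image."""
    current = hash_file(image)
    ok = all(current[a] == manifest["stream"][a] for a in HASHES)
    return ok, current


def demo():
    """Constructed run: a fake 3 MiB 'device', acquisition, verification, then one
    flipped byte in the image to show the check failing."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "sdb")                    # stands in for a block device
        img = os.path.join(d, "case-001-sdb.dd")
        with open(dev, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))        # constructed sample content
        manifest = acquire(dev, img)
        ok_before, _ = verify(img, manifest)
        with open(img, "r+b") as f:                     # simulate tampering or bit rot
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        ok_after, _ = verify(img, manifest)
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)            # goes into the chain-of-custody record
        return {
            "verified_at_acquisition": manifest["verified"],
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
            "bytes": manifest["bytes"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest, not just the image, is what travels with the evidence: the hashes computed from the source stream are the reference, and anyone who later receives the image recomputes them with verify() before trusting it.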
Figure 10 - Investigation sample report part 1
Figure 11 - Investigation sample report part 2

Note: this is not an actual figure and is subject to change depending on the type of analysis performed.
This concludes the implementation of the forensics framework. A component diagram for the framework is given below.

Figure 12 - Component diagram (Framework)
3.2 Dark Lab Website Implementation

Implementation of the Dark Lab website has already started; the website is maintained and hosted on one of our project lab computers. As the project proceeds more components will be added. The design stages discussed for the website are:

Stage 1
- Start with a simple website and host it.
- Include project work and important milestones as the project proceeds.

Stage 2
- Implementation of authentication and security features
- Website database design and implementation

Stage 3
- Add the other required components
- Website testing, final modifications and decorations
A component diagram for the website is given below.

Figure 13 - Component diagram (Website)

3.3 Documentation of Software Tools, Rules and Policies

Rules and policies documentation

The Dark Lab facility, which we use as our digital forensic lab, already has documented standards and regulations. The lab can be considered physically secure: it is protected against intrusion, theft and natural disasters, and it has controlled access, restricted to persons with a valid requirement to enter. Entry logs are kept by signing in and out of the lab so that access can be reconstructed if evidence tampering is suspected.
To standardize all operating procedures of the Dark Lab we will produce a document called DARK LAB Digital Forensic Standard Operating Procedures (SOP). It will give a detailed step by step procedure for each of the following phases of digital forensics:

- Preparation
- Collection
- Preservation
- Analysis
- Presentation

Some of these phases require special data entry forms that are filled in during forensic procedures and whenever evidence is handed over between parties, to maintain the chain of custody. We will produce these forms as editable PDFs so they can be filled in electronically whenever needed, or printed and filled in by pen. PDF permissions let a document be:

- Opened read only
- Opened for writing / appending
- Printed

so not everyone working in the lab will have read or write access to these documents. PDF permission flags are honoured only by cooperating viewers and are easily stripped, so the actual access control has to be enforced on the file store that holds the documents.

Software tools documentation

The collection, examination, preservation, analysis and reporting of digital evidence needs many software and hardware tools. Only relevant tools will be kept in the facility, and all software must be legally licensed. A wide variety of common software such as Windows, MS Office and Linux must be kept in the lab so that evidence of every type can be examined. Alongside it, a wide variety of forensic software should be employed, including all types of
acquisition and analysis software, live response CDs, etc. This will allow us to perform flexible and accurate forensic analysis. We will categorize this forensic software and document it. Using different test cases, we can check the accuracy, flexibility, reliability, speed and other performance characteristics of each tool. In live system response scenarios we should be able to collect evidence with minimal or no change to the victim system, so that other evidence is preserved. By comparing the test cases with each other we can identify the best live response software. We will then document those tools so that we can keep track of them and select the best software for future investigation scenarios.

In addition to the software tools, a forensic lab should be equipped with all kinds of hardware components such as cables, drives and adapters, because an investigator may well run into an incident that requires retrieving evidence from an older system for which no suitable adapter is at hand. Maintaining a wide variety of older and newer hardware is therefore essential. Likewise, a wide variety of storage media (hard disks, USB drives, Zip disks, tape cartridges, floppy disks, etc.) and several sizes of hard disk drive are essential for evidence storage. Hardware write blockers are also essential during evidence acquisition. As a forensic investigation team we have to document all the hardware components, their usage, comparisons between similar components and their performance, so that we can select the right hardware for a particular situation.

3.4 Development of Software Tools

This part of the document describes the implementation plan for the software tools that we will develop.

Front end GUI application for the Scalpel File Carve Tool

We have already begun implementing this software tool. The implementation plan is broken down into stages as follows.
Stage 1
- Identify the features of the existing Scalpel software (in progress).

Stage 2
- Identify the hex values of the headers and footers of known file types (in progress). The software will be developed so that new file types can be added easily.

Stage 3
- Identify the target environment and choose a programming language platform for the implementation.
- GUI design (pictures are given above in section 2).

Stage 4
- Code and implementation.
- Test and debug the software tool.

Stage 5
- Integrate the tool with the forensics framework.

Tampered image recognition software

Background and problem definition

Since the beginning of the 1990s there has been rapid growth in the use of digital multimedia data. The greatly increased use of personal computers and Internet access has made the distribution of multimedia data much easier and faster. At the same time, digital content (image, audio and video) can easily and illegally be copied, tampered with and spread. In the case of digital images, the wide availability of powerful image processing tools such as Photoshop has made image modification easy. Tampered images can be used as false evidence to accuse people who did not commit any crime, and in some cases have been used for the public humiliation of well known people. Copyright protection and content authentication of digital content has also become a thorny problem and a critical concern for content owners. For these reasons the recognition, analysis and recovery of tampered digital images has become a major concern of digital forensic investigators. Accordingly,
Dr Chandana Gamage, the supervisor of our project group, asked us to provide a software solution to this problem. As members of the final year project group setting up a digital forensic lab, we are considering developing a software tool to recognize, analyze and, if possible, recover tampered digital images.

Design and implementation approaches:

- Image processing approach using edge detection techniques.
- Analyze the whole image bitwise and use the header and footer details of the image to find any modifications.
- Watermarking: embed a watermark in the image and use it to recognize whether the image has been tampered with, and to recover the original. This only works for images watermarked before any tampering, so it protects content produced under the lab's control rather than arbitrary evidence images.
- Perform a spectrum analysis on the image to identify whether it is digitally created or a natural photograph.
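As an added example (not the project's image analyzer), the Python below applies the header and footer approach from the list above to JPEG: it walks the marker segments, locates the EOI marker, and reports structural anomalies that merit a closer look, such as a missing EOI, bytes appended after EOI, or an APP13 "Photoshop 3.0" / APP14 "Adobe" segment showing that the file was last written by Adobe software. None of these proves tampering on its own; the three sample images are constructed byte strings, not real photographs.

```python
"""Added example, not the project's tool: JPEG marker walk that reports
structural anomalies (missing EOI, trailing data, Adobe-specific segments)."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Parse marker segments up to and including SOS, skip the entropy-coded
    data, then record where EOI sits.  Returns the segment list, the EOI
    offset (None if absent) and the number of bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segs = [(SOI, 0, 2)]
    i, eoi = 2, None
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        m = data[i + 1]
        if m == 0xFF:                      # fill byte between segments
            i += 1
            continue
        if m in STANDALONE:
            segs.append((m, i, 2))
            i += 2
            if m == EOI:
                eoi = i - 2
                break
            continue
        if i + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % i)
        length = int.from_bytes(data[i + 2:i + 4], "big")   # length includes its own 2 bytes
        segs.append((m, i, length + 2))
        i += 2 + length
        if m == SOS:
            # Entropy-coded data: a real marker is FF followed by anything other
            # than 00 (byte stuffing) or D0..D7 (restart markers).
            j = i
            while j + 1 < len(data):
                nxt = data[j + 1]
                if data[j] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                j += 1
            i = j
    trailing = (len(data) - eoi - 2) if eoi is not None else 0
    return {"segments": segs, "eoi": eoi, "trailing": trailing}


def marker_name(m):
    names = {0xC0: "SOF0", 0xC4: "DHT", 0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT",
             0xE0: "APP0", 0xE1: "APP1", 0xED: "APP13", 0xEE: "APP14"}
    return names.get(m, "M%02X" % m)


def analyze(data):
    """Structural findings for one JPEG.  Each flag is a reason to look closer,
    not a verdict: cameras also leave trailing bytes, and an Adobe segment only
    says the file passed through Adobe software."""
    info = walk_segments(data)
    flags = []
    if info["eoi"] is None:
        flags.append("no EOI marker (truncated or rewritten file)")
    elif info["trailing"]:
        flags.append("%d bytes appended after EOI" % info["trailing"])
    for m, off, _ in info["segments"]:
        body = data[off + 4:off + 20]          # payload starts after marker + length
        if m == 0xED and body.startswith(b"Photoshop 3.0\x00"):
            flags.append("APP13 'Photoshop 3.0' segment present (saved by Adobe software)")
        if m == 0xEE and body.startswith(b"Adobe"):
            flags.append("APP14 'Adobe' segment present")
    return {"segments": [marker_name(m) for m, _, _ in info["segments"]], "flags": flags}


def _seg(marker, payload):
    """Build one length-prefixed segment."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def demo():
    """Three constructed images: clean, edited (Photoshop segment + data appended
    after EOI) and truncated (EOI cut off)."""
    app0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    entropy = b"\x12\x34\xff\x00\x56\xff\xd0\x78"       # contains a stuffed FF00 and an RST0
    clean = b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"
    edited = (b"\xff\xd8" + app0 + _seg(0xED, b"Photoshop 3.0\x008BIM") + sos + entropy
              + b"\xff\xd9" + b"hidden payload")
    truncated = clean[:-2]
    return {name: analyze(img) for name, img in
            (("clean", clean), ("edited", edited), ("truncated", truncated))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["segments"], result["flags"])
```

The same walk is the natural place to hang further checks from the list above, for example reading the Exif software tag out of APP1, or handing the entropy-coded region to the spectrum analysis.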
4. Glossary

CD - Compact Disk
DF - Digital Forensics
DNA - Deoxyribonucleic Acid
FAT - File Allocation Table
GUI - Graphical User Interface
IT - Information Technology
MS - Microsoft
NTFS - New Technology File System
PDF - Portable Document Format
SOP - Standard Operating Procedures
TCP - Transmission Control Protocol
USB - Universal Serial Bus
More informationLesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment
Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4
More informationElectronic Crime Scene Investigation: A Guide for First Responders, Second Edition
APR. 08 Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition Cover photographs copyright 2001 PhotoDisc, Inc. NCJ 219941 Chapter 1. Electronic Devices: Types, Description,
More informatione-discovery Forensics Incident Response
e-discovery Forensics Incident Response NetSecurity Corporation 21351 Gentry Drive Suite 230 Dulles, VA 20166 VA DCJS # 11-5605 Phone: 703.444.9009 Toll Free: 1.866.664.6986 Web: www.netsecurity.com Email:
More informationResponsible Access and Use of Information Technology Resources and Services Policy
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
More informationBrightStor ARCserve Backup for Windows
BrightStor ARCserve Backup for Windows Agent for Microsoft SQL Server r11.5 D01173-2E This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the
More informationSystem i and System p. Customer service, support, and troubleshooting
System i and System p Customer service, support, and troubleshooting System i and System p Customer service, support, and troubleshooting Note Before using this information and the product it supports,
More informationComputer Forensic Tools. Stefan Hager
Computer Forensic Tools Stefan Hager Overview Important policies for computer forensic tools Typical Workflow for analyzing evidence Categories of Tools Demo SS 2007 Advanced Computer Networks 2 Important
More informationHands-On How-To Computer Forensics Training
j8fm6pmlnqq3ghdgoucsm/ach5zvkzett7guroaqtgzbz8+t+8d2w538ke3c7t 02jjdklhaMFCQHihQAECwMCAQIZAQAKCRDafWsAOnHzRmAeAJ9yABw8v2fGxaq skeu29sdxrpb25zidxpbmznogtheories...ofhilz9e1xthvqxbb0gknrc1ng OKLbRXF/j5jJQPxXaNUu/It1TQHSiyEumrHNsnn65aUMPnrbVOVJ8hV8NQvsUE
More informationA review of BackupAssist within a Hyper-V Environment
A review of BackupAssist within a Hyper-V Environment By Brien Posey Contents Introduction... 2 An Introduction to BackupAssist... 3 Testing Methodologies... 4 Test 1: Restore a Virtual Machine s Configuration...
More informationFeedback Ferret. Security Incident Response Plan
Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret
More informationIntroduction. IMF Conference September 2008
Live Forensic Acquisition as Alternative to Traditional Forensic Processes Marthie Lessing* Basie von Solms Introduction The Internet and technology developments introduced a sharp increase in computer
More informationCYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.
CYBER FORENSICS KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad. 11 DIGITAL EVIDENCE? Cyber crimes Digital evidence Digital evidence is any information of
More informationwinhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR
winhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR Supervised by : Dr. Lo'ai Tawalbeh New York Institute of Technology (NYIT)-Jordan X-Ways Software Technology AG is a stock corporation
More informationDigital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic
I Digital Forensic A newsletter for IT Professionals Education Sector Updates Issue 10 I. Background of Digital Forensic Definition of Digital Forensic Digital forensic involves the collection and analysis
More informationTHE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE
THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationCYBER FORENSICS (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 CYBER FORENSICS (W/LAB) Course Syllabus Course Number: CSFS-0020 OHLAP Credit: Yes OCAS Code: 8134 Course Length: 130 Hours Career Cluster: Information
More informationBOR 6432 Cybersecurity and the Constitution. Course Bibliography and Required Readings:
BOR 6432 Cybersecurity and the Constitution Course Description This course examines the scope of cybercrime and its impact on today s system of criminal justice. Topics to be studied include: cybercrime
More informationDefining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers Brian Carrier Research Scientist @stake Abstract This paper uses the theory of abstraction layers to describe the purpose
More informationData Protection Guidance
53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection
More informationReal-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics
Real-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics Tung-Ming Koo, Chih-Chang Shen, Hong-Jie Chen Abstract--The science of computer forensics is often used to judge computer
More informationLab VI Capturing and monitoring the network traffic
Lab VI Capturing and monitoring the network traffic 1. Goals To gain general knowledge about the network analyzers and to understand their utility To learn how to use network traffic analyzer tools (Wireshark)
More informationTen Deadly Sins of Computer Forensics
Ten Deadly Sins of Computer Forensics Cyber criminals take advantage of the anonymity of the Internet to escape punishment. Computer Forensics has emerged as a new discipline to counter cyber crime. This
More informationFORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres
FORENSIC ANALYSIS OF USB MEDIA EVIDENCE Jesús Alexander García Luis Alejandro Franco Juan David Urrea Carlos Alfonso Torres Manuel Fernando Gutiérrez UPB 2012 Content INTRODUCTION... 3 OBJECTIVE 4 EVIDENCE
More informationTPM Key Backup and Recovery. For Trusted Platforms
TPM Key Backup and Recovery For Trusted Platforms White paper for understanding and support proper use of backup and recovery procedures for Trusted Computing Platforms. 2006-09-21 V0.95 Page 1 / 17 Contents
More informationIncident Response and Computer Forensics
Incident Response and Computer Forensics James L. Antonakos WhiteHat Forensics Incident Response Topics Why does an organization need a CSIRT? Who s on the team? Initial Steps Detailed Project Plan Incident
More informationClearswift SECURE File Gateway
Security solutions for a changing world You wouldn t leave your front door unlocked if you were going out for the day, so why do the same with your business? In today s rapidly evolving business environment,
More informationDisable Redundant Windows XP Services which are Hogging Your RAM
X P Services Optimisation X 36/1 Disable Redundant Windows XP Services which are Hogging Your RAM With the information in this article you can: Configure your Windows XP Services for top performance Identify
More informationRobotics Core School 1
Robotics Core School 1 Robotics Core School 2 Cyber Forensics & Crime Investigation This workshop is dedicated on Cyber Forensics & Crime Investigation. Computer Forensics is a detailed and scientific
More informationInformation Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
More informationIT Networking and Security
elearning Course Outlines IT Networking and Security powered by Calibrate elearning Course Outline CompTIA A+ 801: Fundamentals of Computer Hardware/Software www.medallionlearning.com Fundamentals of Computer
More informationDeveloping Computer Forensics Solutions for Terabyte Investigations
Developing Computer Forensics Solutions for Terabyte Investigations Eric Thompson Corporation Orem, Utah USA www.accessdata.com Overview Computer Forensic Definition, Objectives and Policies History of
More informationAre your multi-function printers a security risk? Here are five key strategies for safeguarding your data
Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data Printer Security Challenges Executive Summary Security breaches can damage both your operations
More informationCDFE Certified Digital Forensics Examiner (CFED Replacement)
Course: CDFE Certified Digital Forensics Examiner (CFED Replacement) Description: Price: $3,450.00 Category: Popular Courses Duration: 5 days Schedule: Request Dates Outline: COURSE OVERVIEW Computer Forensics
More informationParallels Remote Application Server
Parallels Remote Application Server White paper Parallels 2X RAS: Perfect Integration with IGEL Technology Parallels GEL Technology: What Exactly are Thin Clients? The end user interaction with a thin
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationComputer Forensic Capabilities
Computer Forensic Capabilities Agenda What is computer forensics? Where to find computer evidence Forensic imaging Forensic analysis What is Computer Forensics? The preservation, identification, extraction,
More informationInformation Technology Security Procedures
Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3
More informationCOWLEY COLLEGE & Area Vocational Technical School
COWLEY COLLEGE & Area Vocational Technical School COURSE PROCEDURE FOR Student Level: This course is open to students on the college level in either the freshman or sophomore year. Prerequisites: Basic
More informationEC-Council Ethical Hacking and Countermeasures
EC-Council Ethical Hacking and Countermeasures Description This class will immerse the students into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
More informationChapter 8: Security Measures Test your knowledge
Security Equipment Chapter 8: Security Measures Test your knowledge 1. How does biometric security differ from using password security? Biometric security is the use of human physical characteristics (such
More informationExchange Brick-level Backup and Restore
WHITEPAPER BackupAssist Version 4 Exchange Mailbox Add-on www.backupassist.com 2 Contents 1. Introduction and Overview... 3 1.1 What does the Exchange Mailbox Add-on do?... 3 1.2 Who needs the Exchange
More informationDocument Management Glossary
Document Management Glossary CVS - Concurrent Versions System and is a process of sharing, saving and recovering version information for people using code. Document - Information stored in files on a pc
More informationPolicy for the Acceptable Use of Information Technology Resources
Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...
More informationBACKUP SECURITY GUIDELINE
Section: Information Security Revised: December 2004 Guideline: Description: Backup Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect
More informationOnline Backup Solution Features
CCC Technologies, Inc. 700 Nicholas Blvd., Suite 300 Elk Grove Village, IL 60007 877.282.9227 www.ccctechnologies.com Online Backup Solution Features Introduction Computers are the default storage medium
More informationExam: 070-215 QUESTION 1 QUESTION 2 QUESTION 3 QUESTION 4
Exam: 070-215 QUESTION 1 You want to provide complete redundancy for all data stored on your hardware RAID-5 disk array. You install a second hardware RAID-5 disk array. You want to create a mirror of
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationStoring and securing your data
Storing and securing your data Research Data Management Support Services UK Data Service University of Essex April 2014 Overview Looking after research data for the longer-term and protecting them from
More informationThe Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities
Briefing Paper The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities Sean A. Ensz University of Oklahoma 200 Felgar Street, Norman, Oklahoma 73019 405.325.3954 Office 405.325.1633 Fax
More informationData Security 2. Implement Network Controls
UNIT 19 Data Security 2 STARTER Consider these examples of computer disasters. How could you prevent them or limit their effects? Compare answers within your group. 1 You open an email attachment which
More informationSTATE OF WYOMING Electronic Mail Policy
Introduction: STATE OF WYOMING Electronic Mail Policy Pursuant to Executive Order 1999-4 dated the 23rd of December, 1999 Electronic mail (e-mail) enables the user to send and receive messages, make appointments,
More informationCourse Title: Computer Forensic Specialist: Data and Image Files
Course Title: Computer Forensic Specialist: Data and Image Files Page 1 of 9 Course Description The Computer Forensic Series by EC-Council provides the knowledge and skills to identify, track, and prosecute
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationSample Career Ladder/Lattice for Information Technology
Click on a job title to see examples of descriptive information about the job. Click on a link between job titles to see the critical development experiences needed to move to that job on the pathway.
More information2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.
Acquisition and Tools COMP 2555: Principles of Computer Forensics Autumn 2014 http://www.cs.du.edu/2555 1 Planning Your Investigation! A basic investigation plan should include the following activities:!
More informationChapter 7 Securing Information Systems
1 Chapter 7 Securing Information Systems LEARNING TRACK 3: COMPUTER FORENSICS For thirty years, a serial murderer known as the BTK killer (standing for bind, torture, and kill) remained at large in Wichita,
More informationAcquisition of the Microsoft Surface RT
Acquisition of the Microsoft Surface RT Author: Darren Freestone Lock and Code Pty Ltd darren@lockandcode.com Date: 7 April 2013 Revision 1.01 Contents Acquisition of the Microsoft Surface RT... 1 Step-by-Step
More informationData storage, collaboration, backup, transfer and encryption
Data storage, collaboration, backup, transfer and encryption Scott Summers UK Data Archive Practical research data management 19 April 2016 Overview Looking after research data for the longer-term and
More informationCell Phone Forensics For Legal Professionals
1 Cell Phone Forensics For Legal Professionals Lars E. Daniel, EnCE, ACE, AME, CTNS, SCE, SCCM, SCA Digital Forensics Examiner Cell Phone Acquisition and Examination Collection and Acquiring Cell Phones
More informationOpen Source Digital Forensics Tools
The Legal Argument 1 carrier@cerias.purdue.edu Abstract This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a
More informationOverview of Computer Forensics
Overview of Computer Forensics Don Mason, Associate Director National Center for Justice and the Rule of Law University of Mississippi School of Law [These materials are based on 4.3.1-4.3.3 in the National
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
More informationGFI White Paper: GFI FaxMaker and HIPAA compliance
GFI White Paper: GFI FaxMaker and HIPAA compliance This document outlines the requirements of HIPAA in terms of faxing protected health information and how GFI Software s GFI FaxMaker, an easy-to-use fax
More informationAcceptable Use Policy (AUP): Policy which provides rules governing use of district technology.
Glossary Acceptable Use Policy (AUP): Policy which provides rules governing use of district technology. Access Fees: Fee charged to user for usage of services. Application: A program written to perform
More informationChapter 12 Network Administration and Support
Chapter 12 Network Administration and Support Objectives Manage networked accounts Monitor network performance Protect your servers from data loss Guide to Networking Essentials, Fifth Edition 2 Managing
More informationWHITE PAPER: TECHNICAL OVERVIEW. NetBackup Desktop Laptop Option Technical Product Overview
WHITE PAPER: TECHNICAL OVERVIEW NetBackup Desktop Laptop Option Technical Product Overview Mayur Dewaikar, Sr. Technical Product Manager NetBackup Platform Symantec Technical Network White Paper EXECUTIVE
More information21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES 21.11.2013. 21 CFR Part 11 Compliance PLA 2.1
21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES Compliance of PLA 2.1 21.11.2013 21 CFR Part 11 Compliance PLA 2.1 SEC. 11.2 IMPLEMENTATION. (a) For records required to be maintained but not submitted
More informationDIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,
DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia
More informationEnterprise Content Management. A White Paper. SoluSoft, Inc.
Enterprise Content Management A White Paper by SoluSoft, Inc. Copyright SoluSoft 2012 Page 1 9/14/2012 Date Created: 9/14/2012 Version 1.0 Author: Mike Anthony Contributors: Reviewed by: Date Revised Revision
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationUSB Portable Storage Device: Security Problem Definition Summary
USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides
More informationKEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
More informationIBM i Version 7.2. Security Service Tools
IBM i Version 7.2 Security Service Tools IBM i Version 7.2 Security Service Tools Note Before using this information and the product it supports, read the information in Notices on page 37. This edition
More informationIAPE STANDARDS SECTION 16 DIGITAL EVIDENCE
IAPE STANDARDS SECTION 16 DIGITAL EVIDENCE IAPE STANDARD SECTION 16.1 DIGITAL EVIDENCE Standard: Digital evidence is a critical element of modern criminal investigation that should be maintained in strict
More information