Digital Forensics. Larry Daniel


1 Digital Forensics Larry Daniel

2 Introduction
A recent research report from The Yankee Group found that 67.6 percent of US households in 2002 contained at least one PC. The investigators foresee three-quarters of all US households containing PCs by 2007.

3 Introduction
The UCLA study found that surprising numbers of households have more than one PC. Where more than one PC is present, the home computers are often networked. As of December 2005, 71.4% of US households have computers.

4 Some Famous Criminal Cases
Scott Peterson: Internet history showing searches for dump sites.
Michelle Theer: E-mails and other documents (over 20 thousand documents).
Michael Jackson: Internet history and e-mail.
BTK Killer: Used to trace a letter back to a church computer.

5 Different Sides, Different Roles: Prosecution Side
Sworn law enforcement officer.
Writes search warrants.
Receives evidence (computers, etc.).
Acquires images, analyzes data.
Presents findings to prosecutors and detectives.
May not be involved again until an arrest is made or the case goes to trial.

6 Different Sides, Different Roles: Defense Side
Private expert.
Receives evidence from the law enforcement agency.
Consults with the attorney on relevant facts.
Active member of the defense team.
May review other evidence to enhance the computer analysis.
May interview the defendant.
May work with other experts.

7 Some Basics
The basic computer looks like these.

8 Common Misteaks
Calling these monitors, CPUs, hard drives, etc.

9 Monitors
Newer LCD on the left, older analog CRT on the right. Nothing is stored in these. They just make pretty pictures.

10 CPU
Central Processing Unit. Only performs calculations; stores nothing. The brain of the computer.

11 Inside The Computer
The hard drive stores the evidence.

12 Inside The Computer
Hard drives can hold thousands of documents, pictures, music files, movies, passwords and e-mails.

13 Inside The Computer: RAM
Random Access Memory. Only contains data while the computer is turned on. Temporary processing storage, used only while operating the computer. Cleared when the computer shuts down or restarts.

14 Introduction
A digital (aka computer) forensics investigation involves four major areas:
Acquisition: obtaining the original evidence.
Preservation: protecting the original evidence.
Analysis: finding relevant evidence.
Presentation: presenting the evidence in court.

15 Forensics Tools
EnCase forensics software: used by NC SBI, FBI, Air Force OSI, Scotland Yard, US Navy, Fayetteville PD. Most widely used forensics software in the world.
Paraben E-mail Examiner: specially designed to recover e-mail.

16 Acquisition
First contact with the original evidence. Most critical time for protecting the originals. Most likely time for police or others to damage or change evidence. General rules MUST be followed to preserve and protect evidence during this critical first-response period. First point in establishing chain of custody.

17 Digital Evidence
Location not always obvious. Easy to conceal. Easy to miss. Easy to damage.

18 Digital Evidence
Hard drive, CD-ROM, floppy disk.

19 Digital Evidence
Picture phones, Blackberry, iPod.

20 Digital Evidence
USB drives, digital cameras, Smart Media.

21 Acquisition
First responders should be trained to handle this type of evidence. Digital evidence is fragile and is easily altered if not handled properly. Simply turning a computer on or operating it changes and damages evidence.

22 Fragile Nature of Digital Evidence
"The problem is the uninitiated police officer who will go in and turn on a computer to look to see if it's worthwhile to send the computer in for examination," said Peter Plummer, assistant attorney general in Michigan's high-tech crime unit. "When you boot up a computer, several hundred files get changed, the date of access, and so on," Plummer said. "Can you say that computer is still exactly as it was when the bad guy had it last?"
Source: AP article from Computers Today section

23 Fragile Nature of Digital Evidence
"The nature of computer based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator's job to find the truth. The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner."
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

24 Fragile Nature of Digital Evidence
"Fragile data are those things stored on the hard drive but that can be easily altered, especially by a first responder trying to determine if an incident has occurred. These could include access dates on files or temporary files. Once these files have been altered by a first responder, there is no way to recover the original data."
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

25 Fragile Nature of Digital Evidence
"The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless."
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit
"Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file."
Source: Computer Forensics: Computer Crime Scene Investigation, 2nd Ed., John R. Vacca

26 Fragile Nature of Digital Evidence
The next 3 slides demonstrate what happens when you operate a computer. Evidence is modified. Evidence is destroyed.
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

27 Files In Original Condition

28 Files After Opening and Viewing
The last accessed date and time changes any time a file is opened and viewed while the computer is in operation.

29 Files After Saving
The last written date and time changes any time a file is saved or copied while the computer is in operation.

30 Seizing Computer Evidence: General Guidelines

31 General Guidelines for Seizing Computers and Digital Evidence
Seizing a stand-alone home computer in a residence: If the computer is powered off, DO NOT turn it on. If the computer is powered on, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that may destroy the evidence. This can be done with one keystroke.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

32 General Guidelines for Seizing Computers and Digital Evidence
Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s); document, videotape and/or photograph the computer system; and write detailed notes about what is on the computer's screen.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

33 General Guidelines for Seizing Computers and Digital Evidence
Photograph the back of the computer and everything that is connected to it. Photograph and label the back of any computer components with existing connections to the computer.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

34 General Guidelines for Seizing Computers and Digital Evidence
If you have a computer specialist on the scene, he will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

35 General Guidelines for Seizing Computers and Digital Evidence
If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. Pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers, and computers based on Macintosh, Windows NT, and Unix/Linux operating systems.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

36 General Guidelines for Seizing Computers and Digital Evidence
After shutting the computer down and powering the computer off: Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed. Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer. This should include sealing the case itself.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

37 General Guidelines for Seizing Computers and Digital Evidence
Only specially trained and qualified computer forensic investigators working in a laboratory setting should analyze computers and other forms of digital evidence. The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless. The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

38 Preservation
Once digital evidence is seized it must be handled carefully to preserve and protect the evidence. Everything should be tagged. No one should operate or preview any evidence on writable media without proper tools and training. Forensically sound copies of all original evidence must be made before analysis. Records must be kept.
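Slides 27 to 29 show timestamps changing as soon as a file is opened or saved, and slide 38 says a forensically sound copy must be taken before anyone works on the evidence. The following is an added example written for this page, not code from the deck or from any of the tools it names. It creates a constructed sample file, back-dates it, takes a hashed copy (the stand-in for a verified image), then re-saves the original exactly as an untrained operator opening it in an editor would, and compares: the content hash is unchanged but the last-written timestamp is gone, while the copy still verifies and a one-byte alteration of the copy is caught by the hash. File names and contents are invented for the demonstration.

```python
import hashlib
import os
import tempfile
import time


def snapshot_times(path):
    """Return the accessed/modified/changed timestamps of a file as whole seconds."""
    st = os.stat(path)
    return {"accessed": int(st.st_atime),
            "modified": int(st.st_mtime),
            "changed": int(st.st_ctime)}


def acquire(path):
    """Read every byte of the evidence file and return (copy, SHA-256 hex digest).

    The digest is what the examiner's bench notes carry forward for verification.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    return data, hashlib.sha256(data).hexdigest()


def verify(copy, expected_digest):
    """Re-hash a forensic copy and compare it with the digest taken at acquisition."""
    return hashlib.sha256(copy).hexdigest() == expected_digest


def demonstrate_fragility():
    """Image a constructed file, then 'operate' on the original and compare.

    Returns a dict of booleans and timestamps that the caller (or a test) can inspect.
    """
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "letter.txt")   # constructed sample file
        content = b"Meet at the usual place.\n"
        with open(evidence, "wb") as fh:
            fh.write(content)
        # Back-date the file 30 days so the 'before' timestamps are clearly older.
        past = int(time.time()) - 30 * 24 * 3600
        os.utime(evidence, (past, past))

        before = snapshot_times(evidence)
        copy, digest = acquire(evidence)       # the forensically sound copy

        # Untrained handling: the original is opened in an editor and saved again,
        # even though nothing in the text was changed.
        with open(evidence, "wb") as fh:
            fh.write(content)

        after = snapshot_times(evidence)
        _, live_digest = acquire(evidence)

        return {
            "copy_verifies": verify(copy, digest),
            "content_unchanged": live_digest == digest,
            "last_written_changed": after["modified"] != before["modified"],
            "tamper_detected": not verify(copy[:-1] + b"!", digest),
            "before": before,
            "after": after,
        }


if __name__ == "__main__":
    for key, value in demonstrate_fragility().items():
        print(f"{key}: {value}")
```

The point worth dwelling on is `content_unchanged` together with `last_written_changed`: a hash proves the bytes are intact, but it says nothing about the timestamps the slides call fragile data, which is exactly why the copy, not the original, is what gets examined.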

39 Analysis
Analysis involves recovering and analyzing evidence for relevance to the case. Accepted tools should be used. Search and analysis must be within the scope of the warrant. Bench notes should be kept by the examiner.

40 What are you looking for?
Pictures. Internet history. Documents. Spreadsheets. Internet chat logs (Yahoo Messenger, AOL Chat, MSN Messenger, Internet Relay Chat). Financial data. PDF files. Suspiciously renamed files. Many others.

41 Hiding The Evidence
Deleting files. Deleting Internet history. Formatting drives. Re-partitioning drives. Physically destroying hard drives and floppies. Passwords. Using on-line e-mail (Hotmail, Yahoo Mail). iPods and personal storage devices that can be overlooked.

42 Recovering The Evidence
Find deleted files. Un-format drives. Rebuild partitions. Recover passwords. Find hidden files and folders. Re-construct web pages. Locate deleted e-mail.
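Slide 40 lists "suspiciously renamed files" among the things an examiner looks for, and slide 42 lists finding deleted files among the recovery tasks. The following is an added example for this page, not code from the deck or from EnCase or any other product it mentions, showing the two basic techniques behind those items: comparing a file's leading bytes (its signature) with the type its extension claims, and carving a file out of raw bytes by its start and end markers without relying on any file system entry. The signature table, directory listing and "unallocated space" bytes are all constructed for the example.

```python
# (magic bytes, type name, extensions that legitimately carry that signature)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),  # Office files are zips
]


def identify(data):
    """Return (type, acceptable extensions) implied by the leading bytes, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return None, set()


def extension_mismatch(name, data):
    """True when the content signature is known and disagrees with the file's extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, exts = identify(data)
    return kind is not None and ext not in exts


def flag_renamed_files(listing):
    """Given (name, leading bytes) pairs, return the names whose extension hides the real type."""
    return [name for name, head in listing if extension_mismatch(name, head)]


def carve_jpegs(image):
    """Carve JPEG files out of raw bytes using the SOI (FF D8 FF) and EOI (FF D9) markers.

    This is how a deleted picture is found when its directory entry is gone: the
    bytes are still on disk, so the examiner searches for the format's markers.
    """
    found = []
    pos = 0
    while True:
        start = image.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = image.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append(image[start:end + 2])
        pos = end + 2
    return found


# --- constructed sample data ---
SAMPLE_LISTING = [
    ("budget.xlsx", b"PK\x03\x04\x14\x00"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # a JPEG renamed to .txt
    ("readme.txt", b"plain text here"),               # unknown signature: not flagged
    ("scan.pdf", b"%PDF-1.4\n"),
]

# A minimal JPEG shell (valid markers, invented payload) sitting between zero-filled blocks.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"


def build_sample_image():
    """Constructed 'unallocated space' with one orphaned JPEG and an unrelated PDF header."""
    filler = b"\x00" * 64
    return filler + SAMPLE_JPEG + filler + b"%PDF-1.4 ..." + filler


if __name__ == "__main__":
    print("renamed:", flag_renamed_files(SAMPLE_LISTING))
    print("carved:", len(carve_jpegs(build_sample_image())), "JPEG(s)")
```

Marker-based carving is the simplest form of the technique; real tools also validate the JPEG segment structure, because thumbnails embedded in EXIF data carry their own end markers and would otherwise truncate the carve.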

43 Analysis: Metadata
Many types of files contain metadata. Metadata is information embedded in the file itself that contains information about the file.
Microsoft Office documents: computer name, total edit time, number of editing sessions, where printed, number of times saved.
Digital camera pictures: make and model of camera, dates and times.
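Slide 43 lists the fields an examiner pulls from Office document metadata. The following is an added example for this page, not code from the deck, and it reads the modern OOXML container (.docx/.xlsx/.pptx), where the properties live in two XML parts inside a zip archive; the binary .doc format common when this deck was written stores the same kind of fields differently and is not handled here. The sample document is constructed in memory with invented names and dates so the parser can run offline; "save count" corresponds to the revision property and "total edit minutes" to the TotalTime property.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside an OOXML container's docProps/ parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields of forensic interest and the element each one comes from.
CORE_FIELDS = {
    "author": "dc:creator",
    "last_saved_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "last_saved": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
    "save_count": "cp:revision",          # "number of times saved"
}
APP_FIELDS = {
    "total_edit_minutes": "ep:TotalTime", # "total edit time"
    "application": "ep:Application",
    "company": "ep:Company",
}


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None


def read_office_metadata(blob):
    """Return the document properties of an OOXML file supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml"))
    meta = {key: _text(core, path) for key, path in CORE_FIELDS.items()}
    meta.update({key: _text(app, path) for key, path in APP_FIELDS.items()})
    return meta


def edited_after_printing(meta):
    """True when the document was saved after it was last printed.

    Both values are W3CDTF strings in UTC, so a string comparison orders them correctly.
    """
    return bool(meta["last_printed"]) and meta["last_saved"] > meta["last_printed"]


# --- constructed sample: the two property parts as Office writes them ---
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>jsmith</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <cp:lastPrinted>2006-03-02T15:21:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2006-02-28T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2006-03-02T15:30:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Constructed Sample Co.</Company>
  <TotalTime>47</TotalTime>
</Properties>""".format(**NS)


def build_sample_docx():
    """Zip the constructed property parts at the paths Office uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    meta = read_office_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key:20} {value}")
    print("edited after printing:", edited_after_printing(meta))
```

Two different names in `author` and `last_saved_by`, a revision count far above one, or a save after the last print are the sorts of facts the slide's "where printed" and "number of times saved" items turn into questions for a witness.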

44 Document Metadata

45 Picture Metadata

46 Internet History Before Clearing

47 Internet History After Clearing

48 Presentation
Court presentation for a jury must be simple and straightforward. Timelines, e-mails, documents, pictures.

49 How Computer Evidence is Used
Verify alibis. Establish relationships between defendant and victim or accomplices. Establish documentation of events. Establish mitigating circumstances. Documents for use by forensic psychologists. Document time lines.

50 Discovery
Officer's/investigator's notes. Forensic investigator's bench notes. Search warrant. Forensically sound copies of all imaged media. Forensics report.

51 Questions?


More information

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM) s Unix Definition of : Computer Coherent application of a methodical investigatory techniques to solve crime cases. Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM) s Unix

More information

Can Computer Investigations Survive Windows XP?

Can Computer Investigations Survive Windows XP? Can Computer Investigations Survive? An Examination of Microsoft and its Effect on Computer Forensics December 2001 by Kimberly Stone and Richard Keightley 2001 Guidance Software All Rights Reserved Executive

More information

Investigation Techniques

Investigation Techniques Investigation Techniques Planning and Conducting a Fraud Examination 2013 Association of Certified Fraud Examiners, Inc. Fraud Examination Fraud examination refers to a process of resolving allegations

More information

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević, DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE Vahidin Đaltur, Kemal Hajdarević, Internacional Burch University, Faculty of Information Technlogy 71000 Sarajevo, Bosnia

More information

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak CSN08101 Digital Forensics Lecture 4A: Forensic Processes Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Forensics Processes - objectives Investigation Process Forensic Ethics Issues Forensic

More information

White Paper Automated Digital Evidence Collection and Publishing: Reduce Investigation Time and Costs May 2011

White Paper Automated Digital Evidence Collection and Publishing: Reduce Investigation Time and Costs May 2011 White Paper Automated Digital Evidence Collection and Publishing: Reduce Investigation Time and Costs May 2011 FBI 2009 Report: 1,756 terabytes of data processed 58,609 pieces of digital media 21,810 CDs

More information

Large Scale Cloud Forensics

Large Scale Cloud Forensics Large Scale Cloud Forensics Edward L. Haletky AstroArch Consulting, Inc. Sam Curry RSA, The Security Division of EMC Session ID: STAR-302 Session Classification: Advanced Happenstance Lo and Behold Sam

More information

On the Trail of the Craigslist Killer: A Case Study in Digital Forensics

On the Trail of the Craigslist Killer: A Case Study in Digital Forensics On the Trail of the Craigslist Killer: A Case Study in Digital Forensics Presenters: Sharon Nelson and John Simek President and Vice President, Sensei Enterprises www.senseient.com snelson@senseient.com;

More information

Windows 7 for beginners

Windows 7 for beginners Windows 7 for beginners Hardware Hardware: the physical parts of a computer. What s in the computer? CPU: the central processing unit processes information (the brain) Hard drive: where all of your software

More information

Chain of evidence refers to the continuity of custody of material and items collected as evidence.

Chain of evidence refers to the continuity of custody of material and items collected as evidence. University of Wisconsin Madison Police Policy: 83.2 SUBJECT: EVIDENCE PROCESSING EFFECTIVE DATE: 06/01/10 REVISED DATE: 12/31/11, 11/01/13 REVIEWED DATE: 01/07/15 INDEX: 83.2.1 COLLECTING, PROCESSING,

More information

Microsoft Vista: Serious Challenges for Digital Investigations

Microsoft Vista: Serious Challenges for Digital Investigations Proceedings of Student-Faculty Research Day, CSIS, Pace University, May 2 nd, 2008 Microsoft Vista: Serious Challenges for Digital Investigations Darren R. Hayes and Shareq Qureshi Seidenberg School of

More information

CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS Brian Carrier & Eugene H. Spafford Center for Education and Research in Information Assurance and Security, Purdue University,

More information

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1 File System Forensics FAT and NTFS 1 FAT File Systems 2 File Allocation Table (FAT) File Systems Simple and common Primary file system for DOS and Windows 9x Can be used with Windows NT, 2000, and XP New

More information

Serial ATA RAID PCI. User's Manual

Serial ATA RAID PCI. User's Manual Serial ATA RAID PCI User's Manual Chapter 1 Introduction Table of Contents 1-1 Features and Benefits. 1 1-2 System Requirements. 1 Chapter 2 RAID Arrays 2-1 RAID Overview.. 2 2-1.1 RAID 0 (striping)...

More information

Using GIGABYTE Notebook for the First Time

Using GIGABYTE Notebook for the First Time Congratulations on your purchase of the GIGABYTE Notebook. This manual will help you to get started with setting up your notebook. The final product configuration depends on the model at the point of your

More information

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner Certified Digital Forensics Examiner Course Name: CDFE V6.0 Duration: Language: 5 days English Format: Instructor-led (Lecture and Lab) Prerequisite: Experience in using a computer Student Materials: Student

More information

Scientific Working Group on Digital Evidence

Scientific Working Group on Digital Evidence Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or

More information

Design and Implementation of a Live-analysis Digital Forensic System

Design and Implementation of a Live-analysis Digital Forensic System Design and Implementation of a Live-analysis Digital Forensic System Pei-Hua Yen Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Taiwan amber8520@gmail.com

More information

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner Certified Digital Forensics Examiner Course Name: CDFE V6.0 Duration: Language: 5 days English Format: Instructor-led (Lecture and Lab) Prerequisite: Experience in using a computer Student Materials: Student

More information

Chapter 3. Computer Forensics. Margaret A. (Peggy) Daley. Duff & Phelps, LLC; Chicago

Chapter 3. Computer Forensics. Margaret A. (Peggy) Daley. Duff & Phelps, LLC; Chicago Computer Forensics Margaret A. (Peggy) Daley Duff & Phelps, LLC; Chicago Excerpt reprinted from the Commercial Fraud Manual (American Bankruptcy Institute, 2010) with permission by the American Bankruptcy

More information

Computer Forensics Discipline

Computer Forensics Discipline Computer Forensics Discipline Technical Procedure Manual Computer Forensics Discipline Technical Procedure Manual Approved By: Date: Reviewed By: Date: Reviewed By: Date: Table of Contents General Flow

More information

Crime Scene Search and Processing

Crime Scene Search and Processing Objective: Crime Scene Search and Processing Crime scene search scenarios involve significant teamwork. Each team member should be assigned a specific duty during the crime scene processing. Explorers

More information

CNIT 121: Computer Forensics. 8 Forensic Duplication

CNIT 121: Computer Forensics. 8 Forensic Duplication CNIT 121: Computer Forensics 8 Forensic Duplication Types of Duplication Simple duplication Copy selected data; file, folder, partition... Forensic duplication Every bit on the source is retained Including

More information

CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS

CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS Chapter 22 CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS April Tanner and David Dampier Abstract Research in digital forensics has yet to focus on modeling case domain information involved in investigations.

More information

Forensic Triage in a Multi-TB Era Ady Cassidy, Nuix

Forensic Triage in a Multi-TB Era Ady Cassidy, Nuix Forensic Triage in a Multi-TB Era Ady Cassidy, Nuix Ady Cassidy Systems Consultant Nuix Ady is a computer forensic investigator and ediscovery consultant with more than 10 years experience as a Computer

More information

Modern Digital Forensics!!

Modern Digital Forensics!! ISA 785 Research in Digital Forensics Modern Digital Forensics!! ISA 785! Angelos Stavrou, George Mason University! Modern Digital Forensics What s New 2! New Intellectual property concerns! IP/Brand related

More information

The Fallacy of Software Write Protection in Computer Forensics Mark Menz & Steve Bress Version 2.4 May 2, 2004

The Fallacy of Software Write Protection in Computer Forensics Mark Menz & Steve Bress Version 2.4 May 2, 2004 The Fallacy of Software Write Protection in Computer Forensics Mark Menz & Steve Bress Version 2.4 May 2, 2004 1.0 Table of Contents 1. Table of Contents 2. Abstract 3. Introduction 4. Problems a. Controlled

More information

Using GIGABYTE Notebook for the First Time

Using GIGABYTE Notebook for the First Time Congratulations on your purchase of the GIGABYTE Notebook. This manual will help you to get started with setting up your notebook. The final product configuration depends on the model at the point of your

More information

Chapter 15: Computer Security and Privacy

Chapter 15: Computer Security and Privacy Understanding Computers Today and Tomorrow 12 th Edition Chapter 15: Computer Security and Privacy Learning Objectives Explain why all computer users should be concerned about computer security. List some

More information

Presented by: Greg Chatten, CEO Forensic Computer Service, Inc. 636.273.4400 gchatten@forensiccomputerservice.com (c) Forensic Computer Service, Inc.

Presented by: Greg Chatten, CEO Forensic Computer Service, Inc. 636.273.4400 gchatten@forensiccomputerservice.com (c) Forensic Computer Service, Inc. Presented by: Greg Chatten, CEO Forensic Computer Service, Inc. 636.273.4400 gchatten@forensiccomputerservice.com Before consumer electronics hit the world electronic recovery and examination of computer

More information

Data Recovery Cable Quick Start Guide

Data Recovery Cable Quick Start Guide Data Recovery Cable Quick Start Guide DISCLAIMER: any repair or computer recovery should be done by a professional, trained computer technician. Do any of the below steps at your own risk. We are not responsible

More information

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices

More information

Forensics on the Windows Platform, Part Two

Forensics on the Windows Platform, Part Two 1 of 5 9/27/2006 3:52 PM Forensics on the Windows Platform, Part Two Jamie Morris 2003-02-11 Introduction This is the second of a two-part series of articles discussing the use of computer forensics in

More information

Computer Components Study Guide. The Case or System Box

Computer Components Study Guide. The Case or System Box Computer Components Study Guide In this lesson, we will briefly explore the basics of identifying the parts and components inside of a computer. This lesson is used to introduce the students to the inside

More information

Decades of Successful Sex Crimes Defense Contact the Innocence Legal Team Now

Decades of Successful Sex Crimes Defense Contact the Innocence Legal Team Now Criminal Court Felonies The U.S. has the highest rate of felony conviction and imprisonment of any industrialized nation. A felony crime is more serious than a misdemeanor, but the same offense can be

More information

Corsair Flash Voyager USB 2.0 Flash Drive UFD Utility User s Manual

Corsair Flash Voyager USB 2.0 Flash Drive UFD Utility User s Manual Corsair Flash Voyager USB 2.0 Flash Drive UFD Utility User s Manual Contents For AP v2.10.0.0 Release For Windows 98/ME/2000/XP Version 1.1B (08/27/2004) Contents...1 Introduction...1 Features & Specifications...2

More information

ESTABLISHING A COMPUTER INCIDENT RESPONSE PLAN

ESTABLISHING A COMPUTER INCIDENT RESPONSE PLAN 82-02-70 DATA SECURITY MANAGEMENT ESTABLISHING A COMPUTER INCIDENT RESPONSE PLAN David Adler and Kenneth L. Grossman INSIDE The Constituency; The Computer Incident Response Team (CIRT); Incident Reporting

More information

What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes

What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes Table of Contents UFED Basics...3 Extraction Types...4 Logical extraction...5 Logical extractions of ios devices...5

More information