COMPUTER FORENSIC
Ibrahim Khoury, Eralda Caushaj
ABSTRACT

Computer forensics is the process of using scientific knowledge to collect, analyze and present digital evidence in court. The success of a forensic examination depends on the ability to examine large amounts of data in a timely manner in search of relevant evidence during a criminal investigation. Limitations in time and resources, both computational and human, degrade the results obtained, so the available resources must be used better than the forensic tools currently in use allow. This paper argues that artificial intelligence techniques are needed to improve current computer forensic software.

1. INTRODUCTION

Computer forensics has recently gained significant popularity with many local law enforcement agencies. It is currently employed in fraud, theft and drug enforcement cases and in almost every other enforcement activity [1, 2]. Computer forensics involves the preservation, identification, extraction and documentation of digital evidence held on magnetically, optically or electronically stored media [3]. Computer and mobile device forensic techniques are not as advanced as the more mature and mainstream forensic techniques used by law enforcement, such as blood typing, ballistics, fingerprinting and DNA testing [9]; this immaturity is attributable to the fast pace of change in technology. We have been researching a wide area of forensic computing, including mobile and computer forensics, but here we focus on offline analysis and network analysis. Artificial intelligence tools in computer forensics are the other focus of this paper. Section 2 covers the origin of the term computer forensics and what is considered a forensic versus a non-forensic tool. Section 3 is devoted to offline analysis, and section 4 to network analysis and the EnCase Enterprise software.
Artificial intelligence in computer forensics and the MADIK tool are covered in section 5. Neural networks and support vector machines are introduced in section 6.

2. ORIGIN OF THE TERM

In the late 1980s early law enforcement practitioners used the term computer forensics to refer to the process of examining standalone computers for digital evidence of crime. Some researchers have argued that forensic computing is the more accurate term, because digital evidence is increasingly captured from objects not commonly thought of as computers, such as mobile devices. In computer forensics, the word forensics implies the use of tools to present some aspect of evidence that is not available through standard observation.

2.1 NON-FORENSIC TOOLS

Standard file copy programs or routines that search for text are not considered forensic tools [1]. Neither is data manipulation by processes that merely transform information: encryption, data compression and other types of encoding only change the form of the same evidence and do not uncover new evidence.

2.2 FORENSIC TOOLS

The reconstruction of files by uncovering patterns of bytes, or the recovery of data from a microscopic view of a medium's magnetic domains, are suitable candidates for forensic research [1].

3. OFFLINE ANALYSIS

Investigators at a crime scene cannot proceed without following a protocol that includes the following steps. Photographing the outside and inside of the computer is the first step in documenting its physical state. The investigator must then determine whether a destructive program is running. Offline analysis becomes possible once the investigator powers the computer down and removes it from the network. The next step in acquiring digital evidence is creating an exact physical copy of the evidence; according to Kruse and Heiser this copy is called a bit-stream image or forensic image [3]. Forensic images are important for several reasons, and courts look favorably upon them because they demonstrate that all of the evidence was captured. Authentication is the next step: it is essential to prove that the copy of the evidence is exactly the same as the original. Analyzing the data and presenting it in an acceptable format in court is the last step.
[Figure 1: Computer forensic steps. Phases: administrative consideration, system preservation, evidence acquisition, comparison, evidence examination, physical presentation, policy and procedure development. Steps: determine if a destructive program is running; turn off the computer; make a digital copy of the original hard disk; authenticate that the copy of the evidence is exactly the same as the original; analyze the digital copy; document and report.]

All of the above steps are illustrated in figure 1. A digital copy of the hard disk is made as follows [3]:

Write blocker: a hardware mechanism that allows reading from, but not writing to, the hard disk. A write blocker is essential when imaging with a Windows-based application, because Windows automatically mounts the drive read-write and can therefore alter files on it. On Linux the drive can be mounted read-only by hand, but a hardware write blocker is still the safer choice: desktop distributions commonly auto-mount attached media, and ext3/ext4 replay the file system journal even on a read-only mount unless the noload option is given.

Bit-stream image: an image of the original hard disk that contains every sector, so it holds all the physical files as well as deleted files and unallocated space.

The digital copy of the hard drive is then analyzed as follows:

Mounting the image: to access the file system of the hard drive we must mount the forensic image. Mounting a disk or image makes a file system available to the operating system's kernel, and once the image is mounted any tool for working with files (search, view, sort, print, etc.) can be used. The forensic image must be mounted read-only so that it is not changed.

Hash analysis (md5deep): files in a hash set typically fall into one of two categories, known or notable. Known files are ones that can be ignored, such as typical system files (iexplore.exe, winword.exe, etc.); notable files are ones that have been identified as illegal or inappropriate, such as child pornography. Hash analysis compares the hashes of the files on the image with a set of hashes of files of known content.
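The acquisition, authentication and hash-analysis steps above, as an added example (this is not code from the paper or from any of the tools it names). The "device" is a constructed byte string standing in for a raw disk; the known and notable hash sets are constructed here, whereas in practice they come from a reference collection such as the NSRL.

```python
"""Bit-stream imaging, authentication and hash-set triage.

Added example, not code from the paper: the "device" is a constructed
byte string standing in for a raw disk, it is copied sector by sector
the way dd would, the copy is authenticated with two digests, and the
files on it are triaged against known/notable hash sets (constructed
here; in practice they come from a reference set such as the NSRL).
"""
import hashlib
import io

SECTOR = 512

# Constructed disk contents: two live files plus a remnant of a deleted
# file left in unallocated space, padded to a whole number of sectors.
FILE_A = b"Quarterly report, nothing interesting here.\n"
FILE_B = b"CONSTRUCTED MARKER FOR A NOTABLE FILE\n"
DELETED = b"draft of a deleted document still sitting in unallocated space"
DEVICE_BYTES = (
    b"\x00" * 64 + FILE_A + b"\x00" * 100 + FILE_B + b"\x00" * 40 + DELETED
).ljust(4 * SECTOR, b"\x00")

# Hash sets keyed by MD5: known = ignorable, notable = flag for review.
KNOWN_HASHES = {hashlib.md5(FILE_A).hexdigest()}
NOTABLE_HASHES = {hashlib.md5(FILE_B).hexdigest()}


def bitstream_image(device, sector=SECTOR):
    """Copy every sector of `device` (a binary file object) into a new
    in-memory image, so slack and unallocated space come along too."""
    device.seek(0)
    image = io.BytesIO()
    for chunk in iter(lambda: device.read(sector), b""):
        image.write(chunk)
    image.seek(0)
    return image


def digests(fileobj):
    """MD5 and SHA-256 of a whole stream. Two algorithms are used so that
    a collision in the weaker MD5 cannot hide an altered image."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    fileobj.seek(0)
    for chunk in iter(lambda: fileobj.read(1 << 16), b""):
        md5.update(chunk)
        sha.update(chunk)
    fileobj.seek(0)
    return md5.hexdigest(), sha.hexdigest()


def authenticate(original, image):
    """True only if both digests of the image equal those of the original."""
    return digests(original) == digests(image)


def triage(files, known=KNOWN_HASHES, notable=NOTABLE_HASHES):
    """Classify {path: bytes} as 'known', 'notable' or 'unknown' by MD5.
    Only 'notable' and 'unknown' files need a human to look at them."""
    verdicts = {}
    for path, data in files.items():
        h = hashlib.md5(data).hexdigest()
        verdicts[path] = ("notable" if h in notable
                          else "known" if h in known else "unknown")
    return verdicts


def demo():
    """Image the constructed device, authenticate the copy, show that a
    single changed byte fails authentication, and triage three files."""
    device = io.BytesIO(DEVICE_BYTES)
    image = bitstream_image(device)
    tampered = io.BytesIO(DEVICE_BYTES[:-1] + b"\x01")  # one byte changed
    return {
        "image_authentic": authenticate(device, image),
        "tampered_authentic": authenticate(device, tampered),
        "deleted_data_in_image": DELETED in image.getvalue(),
        "triage": triage({"a.txt": FILE_A, "b.txt": FILE_B, "c.txt": b"new"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted remnant survives in the image because the copy is sector by sector rather than file by file, which is exactly why a logical copy is not a forensic tool in the sense of section 2.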
Signature analysis: an automated procedure for comparing the header or footer of a file with its file extension. A file signature is a header or footer (or both) within a file that identifies the application associated with that type of file. File signatures are useful for determining whether a suspect has tried to hide files by changing their extensions.

E-mail search: e-mail can be an important source of evidence in many types of investigation. To conduct the investigation the mailbox files must be located; their locations differ with the version of Windows and the mail application used, so several directory paths must be considered.

File type search: law enforcement might want to find all graphics files on a subject's hard drive containing over 500,000 files. An effective search in this case is for files with the appropriate graphical file extensions, such as jpg or gif, combined with signature analysis, since a renamed file escapes an extension-only search.

Keyword search: searching for specific keywords within the forensic image is done after the investigator reduces the search space by identifying and filtering known files. Suspect files can also be identified via signature analysis.

Web-based e-mail: the most common webmail services, Yahoo Mail, Hotmail and Gmail, are a good source for investigation. Webmail messages are stored in HTML format with the extension html or htm and are thus readable with any web browser (Mozilla, IE). Messages downloaded from or uploaded to the web are stored in the Temporary Internet Files folders.

Cookies: pieces of information generated by a web server and stored on the user's computer, ready for future access. Cookies travel in the HTTP exchanges flowing back and forth between the user's browser and the servers [4]. Most users are unaware that cookies are being placed on their hard drives. The cookies directory contains the individual cookies as well as an index.dat file that records the activity for each cookie in the directory. These files can be a valuable source of information during investigations.

Swap file: virtual memory used as an extension of the computer system's RAM. Even if a file was forensically deleted from the hard drive, the swap file can still contain its contents. If the swap file itself was forensically deleted, the data within it is unrecoverable, although copies may still be found in unallocated or slack space. The Windows swap file is win386.swp on Windows 9x and pagefile.sys on Windows NT-based systems.

Deleted files: deleted files are very important evidence. Investigators try to retrieve them first by looking at the Recycle Bin's INFO2 file, which tracks important information about deleted files; the FAT (File Allocation Table) is another good source for finding deleted files.

Temporary files: many Windows applications write temporary files to the hard drive, for example ~homework1.tmp alongside Homework1.doc. Investigators retrieve those files from the hard disk even if the original files have been overwritten.

Print spool files: when a file is printed, an enhanced metafile (EMF) is written to the hard disk. Investigators recover those files from the hard disk even if the suspect deletes the original file.
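The signature analysis, file type search and deleted-file recovery described in this section, as one added example (not code from the paper or from any tool it names). The signature table holds real header/footer bytes for a few common formats; the sample files and the "unallocated space" are constructed byte strings, and the JPEG and PNG inside them are minimal stand-ins rather than valid images. It goes one step beyond the text by carving a deleted file out of unallocated space by header and footer, which is the byte-pattern reconstruction section 2.2 calls a forensic technique.

```python
"""Signature analysis, signature-based file type search, and carving.

Added example, not from the paper or from any tool it names. MAGIC holds
real header/footer signatures for a few common formats; the sample files
and the "unallocated space" are constructed byte strings, and the JPEG
and PNG in them are minimal stand-ins, not valid images.
"""

# kind -> (header, footer); footer None where the format has no fixed trailer
MAGIC = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
}
# Extensions that legitimately carry another format's signature.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}

FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x11" * 20 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 13 + b"IEND\xaeB`\x82"
SAMPLE_FILES = {                                  # constructed evidence set
    "holiday.jpg": FAKE_JPEG,
    "notes.txt": FAKE_JPEG,                       # image renamed to hide it
    "report.pdf": b"%PDF-1.4 constructed body %%EOF",
    "memo.docx": b"PK\x03\x04" + b"\x00" * 12,
    "readme.txt": b"plain text, no signature",
}
UNALLOCATED = b"\x00" * 30 + FAKE_JPEG + b"\xab" * 17 + FAKE_PNG + b"\xff" * 5


def identify(data):
    """Return the format whose header the data starts with, or None."""
    for kind, (header, _footer) in MAGIC.items():
        if data.startswith(header):
            return kind
    return None


def signature_analysis(files):
    """Compare each file's signature with its extension.
    Returns {name: (claimed_ext, actual_kind, verdict)}."""
    out = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = identify(data)
        if actual is None:
            verdict = "unknown signature"
        elif actual == EXT_ALIASES.get(ext, ext):
            verdict = "match"
        else:
            verdict = "MISMATCH"
        out[name] = (ext, actual, verdict)
    return out


def find_by_signature(files, kinds):
    """File type search keyed on the signature rather than the extension,
    so a renamed image is still found."""
    return sorted(n for n, d in files.items() if identify(d) in kinds)


def carve(raw, kind, max_size=10 * 1024 * 1024):
    """Recover files of `kind` from raw (unallocated) bytes by locating the
    header and the matching footer. The footer bytes can legitimately occur
    inside a file's data, so carved results still need manual validation."""
    header, footer = MAGIC[kind]
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        if footer is None:
            end = min(start + max_size, len(raw))
        else:
            f = raw.find(footer, start + len(header))
            if f < 0:
                break
            end = f + len(footer)
        found.append(raw[start:end])
        pos = end
    return found


if __name__ == "__main__":
    for name, verdict in signature_analysis(SAMPLE_FILES).items():
        print(name, verdict)
    print("graphics files:", find_by_signature(SAMPLE_FILES, {"jpg", "png", "gif"}))
    print("carved JPEGs:", len(carve(UNALLOCATED, "jpg")))
```

Note the alias table: an Office document is a ZIP container, so a signature of PK\x03\x04 under a .docx extension is a match, not a mismatch; without that table signature analysis produces a false alarm on every modern Office file.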
4. NETWORK ANALYSIS

Network forensics is the study of network activity in order to discover the source of security policy violations or information assurance breaches [5]. Capturing network activity for forensic analysis is simple in theory but not trivial in practice [6]. Not all the information captured or recorded will be useful for analysis, and identifying the key features that reveal information worth further intelligent analysis is a problem of great interest to researchers in the field. Network analysis focuses on the packets captured by intrusion detection systems; investigators analyze the packets and the activity they record to find evidence. An intrusion detection system (IDS) is a device or application that monitors network and/or system activity for malicious activity or policy violations, and IDS output is the most important source of information for investigators of network attacks.

An IDS can detect various types of attack [3]:

Denial of service: a class of attacks in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or otherwise denies legitimate users access to a machine [3].

Port scan: probing a network host for open ports, usually with a dedicated scanning tool.

Viruses: a virus is a small piece of software that piggybacks on real programs.

Eavesdropping: secretly gaining unauthorized access to confidential communications.

Spoofing: a person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.

Smurf attack: a way of generating significant network traffic against a victim network, by sending ICMP echo requests to a broadcast address with the victim's spoofed source address so that every host on the segment replies to the victim.

The information an IDS can provide includes: source and destination IP addresses; source and destination DNS names; source and destination ports; the type of attack; and the original packets.

To examine offline and network analysis in more detail we introduce EnCase Enterprise, a tool widely used by federal agencies for investigations. EnCase Enterprise is used across a network, whereas the earlier EnCase was used only on standalone computers.

ENCASE ENTERPRISE

EnCase Enterprise software is used to investigate networked environments: it allows investigators to securely examine multiple machines simultaneously, at the disk and memory levels, without taking computers offline. EnCase provides the following functionality, as defined by NIST (National Institute of Standards and Technology) [7]:

Immediate response capability: EnCase Enterprise can conduct immediate forensic analysis of any system on a WAN (wide area network) without disrupting operations, which enables many federal agencies to identify incidents as they occur.

Initial system snapshot: one of the most important features of EnCase Enterprise. For any compromised system on the WAN a snapshot of all the key volatile and binary data can be obtained quickly.

Analysis of live systems with minimal invasiveness: EnCase can analyze systems online in a forensically sound manner, without being visible to the user or to the attacker.

Volatile data acquisition and analysis: EnCase Enterprise can capture and examine volatile data from several systems at once, such as open ports and files, running processes and the live registry, remotely and without disrupting the system being investigated.

Forensic hard drive data acquisition: EnCase Enterprise obtains complete and accurate forensic images of hard drives. EnCase can image a local drive; EnCase Enterprise can also image any computer on the WAN.

Computer forensic analysis: besides disk imaging, EnCase provides industry-leading forensic analysis capability, including all the functions NIST lists: identifying and recovering file fragments, hidden and deleted files and directories from any location; examining file structures; displaying the contents of all graphic files; performing complex searches; graphically displaying the acquired drive's directory structure; and generating reports.

Chain of custody with a message digest hash algorithm: the EnCase acquisition process establishes a proper chain of custody by generating an MD5 hash of the forensic image and a CRC for every 32 KB of data, which are used to authenticate the image afterwards.

Log file acquisition and analysis: log files are very important for the information they provide to investigators. Skilled attackers know this and may delete them to cover their tracks, but EnCase supports the collection, parsing and analysis of log files.

Correlation across multiple time zones: EnCase supports the analysis and correlation of dates and times originating in different time zones.

Validation by courts and independent testing: it is crucial that federal agencies use forensic technologies that meet the legal requirements for the admission of computer evidence. EnCase has been accepted by the courts in appellate and trial court decisions [8].
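The network analysis described in this section, as an added example (not code from the paper, nor from EnCase or any IDS product): IDS-style packet records are parsed and scanned for two of the attack types listed above, a port scan and a smurf flood, using the source, destination, port and attack-type fields the section says an IDS can supply. The records are constructed, in a simple whitespace-separated form that stands in for what an IDS or packet logger would export, and the thresholds and one-second windows are assumptions chosen for the sample data.

```python
"""Port-scan and smurf detection over IDS packet records.

Added example, not from the paper or from any IDS product. The records
below are constructed (timestamp, protocol, source, destination, source
port, destination port, info); the thresholds and the 1-second windows
are assumptions chosen to fit the sample data.
"""
from collections import defaultdict

SAMPLE_RECORDS = """\
# ts proto src dst sport dport info   (constructed, not a real capture)
1.00 TCP 10.0.0.5 192.168.1.10 40001 21 SYN
1.01 TCP 10.0.0.5 192.168.1.10 40002 22 SYN
1.02 TCP 10.0.0.5 192.168.1.10 40003 23 SYN
1.03 TCP 10.0.0.5 192.168.1.10 40004 25 SYN
1.04 TCP 10.0.0.5 192.168.1.10 40005 80 SYN
1.05 TCP 10.0.0.5 192.168.1.10 40006 110 SYN
1.06 TCP 10.0.0.5 192.168.1.10 40007 143 SYN
1.07 TCP 10.0.0.5 192.168.1.10 40008 443 SYN
1.08 TCP 10.0.0.5 192.168.1.10 40009 445 SYN
1.09 TCP 10.0.0.5 192.168.1.10 40010 3389 SYN
2.00 TCP 10.0.0.7 192.168.1.10 51000 80 SYN
2.05 TCP 10.0.0.7 192.168.1.10 51000 80 ACK
5.00 ICMP 192.168.1.1 192.168.1.50 - - echo-reply
5.00 ICMP 192.168.1.2 192.168.1.50 - - echo-reply
5.01 ICMP 192.168.1.3 192.168.1.50 - - echo-reply
5.01 ICMP 192.168.1.4 192.168.1.50 - - echo-reply
5.02 ICMP 192.168.1.5 192.168.1.50 - - echo-reply
5.02 ICMP 192.168.1.6 192.168.1.50 - - echo-reply
6.00 ICMP 192.168.1.60 192.168.1.1 - - echo-request
6.01 ICMP 192.168.1.1 192.168.1.60 - - echo-reply
"""


def parse(text):
    """Turn the record lines into dicts; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, dst, sport, dport, info = line.split(None, 6)
        records.append({
            "ts": float(ts), "proto": proto, "src": src, "dst": dst,
            "sport": None if sport == "-" else int(sport),
            "dport": None if dport == "-" else int(dport),
            "info": info,
        })
    return records


def max_distinct_in_window(events, window):
    """events: sorted (ts, value) pairs. Largest number of distinct values
    seen within any span of `window` seconds (sliding two-pointer scan)."""
    counts, left, best = {}, 0, 0
    for ts, value in events:
        counts[value] = counts.get(value, 0) + 1
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def port_scans(records, min_ports=8, window=1.0):
    """(src, dst) pairs that hit at least `min_ports` distinct destination
    ports within `window` seconds, with the port count reached."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] in ("TCP", "UDP") and r["dport"] is not None:
            by_pair[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        n = max_distinct_in_window(events, window)
        if n >= min_ports:
            hits[pair] = n
    return hits


def smurf_victims(records, min_sources=5, window=1.0):
    """Hosts flooded with echo replies from many distinct sources in a short
    window while the capture holds no echo request from that host: the
    signature of a broadcast ping sent with the victim's spoofed address."""
    requesters = {r["src"] for r in records
                  if r["proto"] == "ICMP" and r["info"] == "echo-request"}
    replies = defaultdict(list)
    for r in records:
        if r["proto"] == "ICMP" and r["info"] == "echo-reply":
            replies[r["dst"]].append((r["ts"], r["src"]))
    victims = {}
    for host, events in replies.items():
        if host in requesters:
            continue              # it asked for the replies; not a victim
        events.sort()
        n = max_distinct_in_window(events, window)
        if n >= min_sources:
            victims[host] = n
    return victims


def analyze(text):
    """Run both detectors over a record dump and return the findings."""
    records = parse(text)
    return {"port_scans": port_scans(records),
            "smurf_victims": smurf_victims(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_RECORDS))
```

The legitimate ping at the end of the sample (192.168.1.60 asks, 192.168.1.1 answers) is what the "no echo request from that host" check is for: counting replies alone would eventually flag any busy monitoring host.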
5. ARTIFICIAL INTELLIGENCE IN COMPUTER FORENSICS

The success of computer forensic examinations depends on the ability to examine large amounts of data in a timely manner in search of important evidence during a criminal investigation. Limitations in time and resources, both computational and human, degrade the results obtained, so artificial intelligence tools are needed to improve the current computer forensic software. The MADIK (Multi-Agent Digital Investigation Toolkit) tool is used for offline analysis; neural networks and SVMs (support vector machines) are used in network analysis [6].

MADIK (MULTI-AGENT DIGITAL INVESTIGATION TOOLKIT)

MADIK is a multi-agent system that assists computer forensic experts in their examinations. Figure 2 presents the architecture of MADIK, which is divided into four levels: strategic, tactical, operational and specialist. The strategic manager receives requests for investigation cases and distributes them to the tactical managers. Each tactical manager assigns every piece of evidence belonging to its case to one of its operational managers, and the operational manager finds the appropriate specialist agents to examine that evidence. The operational manager therefore has an important role in the architecture, because it determines which specialist agents are employed. The system is composed of a set of ISAs (intelligent software agents) that perform different analyses of the digital evidence related to a case in a distributed manner [10]. In MADIK each ISA contains a set of rules and a knowledge base, both based on the experience of an expert in a certain kind of investigation. MADIK has six specialist agents [11]:

HashSetAgent: calculates the MD5 hash of a file and compares it with its knowledge base, which contains sets of files known to be ignorable or important.

FilePathAgent: keeps in its knowledge base a collection of folders commonly used by applications of interest to an investigation, such as P2P (peer-to-peer), VoIP and instant messaging applications.

FileSignatureAgent: examines the file header (the first 8 bytes of the file) to determine whether it matches the file extension.

TimelineAgent: examines creation, access and modification dates to identify events such as system and software installation, backups, web browser usage and other activities, some of which may be relevant to the investigation.

WindowsRegistryAgent: examines the files that make up the Windows registry and extracts valuable information such as the system installation date, time zone configuration and removable media information.
KeywordAgent: searches for keywords. Regular expressions are used to extract information such as credit card numbers, URLs or e-mail addresses from files.

[Figure 2: MADIK's architecture]

The agents can diverge in their decisions, which causes a conflict on the blackboard that must be resolved by the operational manager.

6. NEURAL NETWORKS AND SVMS WITH IDS

The first step in using a neural network or an SVM is feature selection, an important issue in network forensics because eliminating useless features improves the accuracy of detection while speeding up computation, and so improves the overall performance of the detection mechanism. Where there are no useless features, concentrating on the most important ones may still improve the time performance of the detection mechanism without affecting the accuracy of detection in statistically significant ways [7]. Using SVMs for network analysis has the following benefits: fast results; a reduced volume of data; and the elimination of manual analysis.

6.1 NEURAL NETWORK

An artificial neural network is a collection of highly interconnected processing elements that transforms a set of inputs into a set of desired outputs. The result of the transformation is determined by the characteristics of the elements and the weights associated with the interconnections among them. A neural network analyzes the information presented to it and provides a probability estimate that it matches the data it has been trained to recognize; the network acquires this experience initially by being trained with both the inputs and the desired outputs of the problem. In network forensics a neural network is used to classify intrusion detection data as important or unimportant, so that investigators can concentrate on the important data; the network thus reduces the search space. Although neural networks are a very successful classification tool, many experiments show that support vector machines are more effective, with reported accuracy around 99% [6].

6.2 SUPPORT VECTOR MACHINE

Support vector machines are learning machines that plot the training vectors in a high-dimensional feature space, labeling each vector by its class. Classification in an SVM is done by determining a set of support vectors, members of the set of training inputs that outline a hyperplane in the feature space [6]. SVMs provide a generic mechanism to fit the surface of the hyperplane to the data through the use of a kernel function; the user may supply a function (e.g., linear, polynomial or sigmoid) during training, and the SVM selects support vectors along the surface of that function. The number of free parameters in an SVM depends on the margin that separates the data points, not on the number of input features. There are several reasons to use SVMs on intrusion detection data. The first is speed: real-time performance is of primary importance to intrusion detection systems, so any classifier that can potentially run fast is worth considering. The second is scalability: SVMs are relatively insensitive to the number of data points, and classification complexity does not depend on the dimensionality of the feature space, so they can potentially learn a larger set of patterns and scale better than neural networks. Once the data has been classified into two classes, a suitable optimizing algorithm can be used, if necessary, for further feature identification, depending on the application.

7. CONCLUSION

Computer forensics is the process of using scientific knowledge to collect, analyze and present digital evidence in court. There is a strict procedure that investigators must follow to obtain digital evidence. In both offline and network analysis, limitations in time and resources, both computational and human, degrade the results obtained.
The use of artificial intelligence tools in computer forensics has proved very helpful: multi-agent systems, neural networks and SVMs are used in offline and network forensics.

8. REFERENCES

[1] Bhanu Prakash Battula, Kezia Rani, Satya Prasad, T. Sudha, Techniques in Computer Forensics: A Recovery Perspective, Volume 3, Issue 2, Pages 27-35, March/April 2009
[2] Michael Yip, Signature Analysis and Computer Forensics, School of Computer Science, University of Birmingham, December 2008
[3] J. Philip Craiger, Computer Forensics Procedures and Methods, Handbook of Information Security, John Wiley & Sons
[4] The Cookie Concept {accessed August 5, 2010}
[5] Eoghan Casey, Network Traffic as a Source of Evidence: Tool Strengths, Weaknesses, and Future Needs, Digital Investigation, Volume 1, Issue 1, February 2004
[6] Srinivas Mukkamala, Andrew H. Sung, Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques, International Journal of Digital Evidence, Winter 2003, Volume 1, Issue 4
[7] NIST Computer Security Incident Handling Guide, January 2004
[8] State v. Cook, 2002-Ohio-4812, 2002 WL (appellate court expressly validates the authenticity of an EnCase image); Williford v. State, 2004 WL (Tex. App.-Eastland) (EnCase validated under the Frye/Daubert standard)
[9] Ibrahim Baggili, Ashwin Mohan, Marcus Rogers, SMIRK: SMS Management and Information Retrieval Kit, Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, 2010
[10] Bruno W. P. Hoelz, Célia G. Ralha, Rajiv Geeverghese, Hugo C. Junior, A Cooperative Multi-Agent Approach to Computer Forensics, 2008 IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology
[11] Bruno W. P. Hoelz, Célia Ghedini Ralha, Rajiv Geeverghese, Artificial Intelligence Applied to Computer Forensics, ACM Symposium on Applied Computing, 2009
More informationCERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford
CERIAS Tech Report 2003-29 GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS Brian Carrier & Eugene H. Spafford Center for Education and Research in Information Assurance and Security, Purdue University,
More informationKEITH LEHNERT AND ERIC FRIEDRICH
MACHINE LEARNING CLASSIFICATION OF MALICIOUS NETWORK TRAFFIC KEITH LEHNERT AND ERIC FRIEDRICH 1. Introduction 1.1. Intrusion Detection Systems. In our society, information systems are everywhere. They
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
More informationSufficiency of Windows Event log as Evidence in Digital Forensics
Sufficiency of Windows Event log as Evidence in Digital Forensics Nurdeen M. Ibrahim & A. Al-Nemrat, Hamid Jahankhani, R. Bashroush University of East London School of Computing, IT and Engineering, UK
More informationAN INVESTIGATION INTO THE METHODS USED FOR TRAFFICKING OF CHILD ABUSE MATERIAL
AN INVESTIGATION INTO THE METHODS USED FOR TRAFFICKING OF CHILD ABUSE MATERIAL Dr. Allan Charles Watt, PhD, CFCE, CFE Macquarie University, Sydney, Australia Session ID: CLE W02 Session Classification:
More informationIntroduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014
Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
More informationEC-Council Ethical Hacking and Countermeasures
EC-Council Ethical Hacking and Countermeasures Description This class will immerse the students into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
More informationCOSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
More informationSpyware Doctor Enterprise Technical Data Sheet
Spyware Doctor Enterprise Technical Data Sheet The Best of Breed Anti-Spyware Solution for Businesses Spyware Doctor Enterprise builds on the strength of the industry-leading and multi award-winning Spyware
More informationFortKnox Personal Firewall
FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationCloud Forensics. 175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu
Cloud Forensics Written & Researched by: Maegan Katz & Ryan Montelbano 175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu November 4, 2013 Disclaimer: This document
More informationComputer Forensics US-CERT
Computer Forensics US-CERT Overview This paper will discuss the need for computer forensics to be practiced in an effective and legal way, outline basic technical issues, and point to references for further
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationP Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis
Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for
More informationIJMIE Volume 2, Issue 3 ISSN: 2249-0558
Artificial Intelligence Applied to digital Email for forensic Application Mr. Shrimant B. Bandgar* Mr. Mahesh Sale** Dr. B. B. Meshram*** ABSTRACT: The number of computer security incidents is growing
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationHow to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper
How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter A Cymphonix White Paper How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter Introduction Internet connectivity
More informationHow To Protect Your Network From Attack From A Hacker On A University Server
Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com
More informationKeywords: Computers, digital evidence, digital evidence bags, forensics, forensics tools
Computer Forensics Procedures, Tools, and Digital Evidence Bags 1 Computer Forensic Tools Keywords: Computers, digital evidence, digital evidence bags, forensics, forensics tools Computer Forensics Procedures,
More informationNetwork-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar
Network-Based and Host- Based Intrusion Detection Graduate Seminar 1 Goal This presentation is an in-depth overview of intrusion detection. As such, the purpose of the presentation is for reference. 2
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of computer
More informationComputer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
More informationHTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity
Improving File Sharing Security: A Standards Based Approach A Xythos Software White Paper January 2, 2003 Abstract Increasing threats to enterprise networks coupled with an ever-growing dependence upon
More informationScene of the Cybercrime Second Edition. Michael Cross
Scene of the Cybercrime Second Edition Michael Cross Chapter 1 Facing the Cybercrime Problem Head-On 1 Introduction 2 Defining Cybercrime 2 Understanding the Importance of Jurisdictional Issues 3 Quantifying
More informationInternational Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015
RESEARCH ARTICLE OPEN ACCESS Data Mining Technology for Efficient Network Security Management Ankit Naik [1], S.W. Ahmad [2] Student [1], Assistant Professor [2] Department of Computer Science and Engineering
More informationStopping secure Web traffic from bypassing your content filter. BLACK BOX
Stopping secure Web traffic from bypassing your content filter. BLACK BOX 724-746-5500 blackbox.com Table of Contents Introduction... 3 Implications... 4 Approaches... 4 SSL CGI Proxy... 5 SSL Full Proxy...
More informationEUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationFifty Critical Alerts for Monitoring Windows Servers Best practices
Fifty Critical Alerts for Monitoring Windows Servers Best practices The importance of consolidation, correlation, and detection Enterprise Security Series White Paper 6990 Columbia Gateway Drive, Suite
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationBreakfast Meeting: Securing your Secured Data Digital Forensics, Fraud and Forensic Advancements
Breakfast Meeting: Securing your Secured Data Digital Forensics, Fraud and Forensic Advancements 9 April 2013 Facilitator: Dr. Sheau-Dong Lang, Coordinator Master of Science in Digital Forensics University
More informationHOST BASED INTERNAL INTRUSION DETECTION AND PREVENTION SYSTEM.
HOST BASED INTERNAL INTRUSION DETECTION AND PREVENTION SYSTEM. 1 Rane Ankit S., 2 Waghmare Amol P., 3 Payal Ashish M., 4 Markad Ashok U, 3 G.S.Deokate. 1,2,3,4 Department of Computer Engineering SPCOE
More informationTHE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems
THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT April 2009 EXAMINERS' REPORT Network Information Systems General Comments Last year examiners report a good pass rate with
More informationBasic computer security
Mag. iur. Dr. techn. Michael Sonntag Basic computer security E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology
More informationE-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications
Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationDriving Company Security is Challenging. Centralized Management Makes it Simple.
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary
More informationBanking Security using Honeypot
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More information'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy
Created: 2/18/2011 Page 1 of 8 'Namgis First Nation is hereinafter referred to as "the government." 1.0 Overview Though there are a number of reasons to provide a user network access, by far the most common
More informationSIPAC. Signals and Data Identification, Processing, Analysis, and Classification
SIPAC Signals and Data Identification, Processing, Analysis, and Classification Framework for Mass Data Processing with Modules for Data Storage, Production and Configuration SIPAC key features SIPAC is
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationCloud Computing Architecture and Forensic Investigation Challenges
Cloud Computing Architecture and Forensic Investigation Challenges Ghania Al Sadi Sohar University, Computing Department Sohar, University Rd, 311 Sultanate of Oman ABSTRACT Contrasting to traditional
More informationAdvanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech
Advanced Topics in Distributed Systems Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Security Introduction Based on Ch1, Cryptography and Network Security 4 th Ed Security Dr. Ayman Abdel-Hamid,
More informationChap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
More informationELECTRONIC INFORMATION SECURITY A.R.
A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy
More informationEnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection
GUIDANCE SOFTWARE EnCase Portable EnCase Portable Extend Your Forensic Reach with Powerful Triage & Data Collection GUIDANCE SOFTWARE EnCase Portable EnCase Portable Triage and Collect with EnCase Portable
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationCMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
More informationUnited Tribes Technical College Acceptable Use Policies for United Tribes Computer System
United Tribes Technical College Acceptable Use Policies for United Tribes Computer System 1.0 Policy The purpose of this policy is to outline the acceptable use of computer equipment at United Tribes Technical
More informationNetwork Usage Guidelines Contents
Network Usage Guidelines Contents Network Usage...2 Peer to Peer and File Sharing...2 Servers or Server Technologies...2 Routers...2 Wireless...2 Network Storage...2 Security and Privacy...3 Security...3
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationCONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS
Chapter 22 CONCEPT MAPPING FOR DIGITAL FORENSIC INVESTIGATIONS April Tanner and David Dampier Abstract Research in digital forensics has yet to focus on modeling case domain information involved in investigations.
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Shinu Mathew John http://shinu.info/ Chapter 1 Introduction http://shinu.info/ 2 Background Information Security requirements
More informationResponsible Access and Use of Information Technology Resources and Services Policy
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
More informationFirewalls, NAT and Intrusion Detection and Prevention Systems (IDS)
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
More informationChapter 7 Securing Information Systems
1 Chapter 7 Securing Information Systems LEARNING TRACK 3: COMPUTER FORENSICS For thirty years, a serial murderer known as the BTK killer (standing for bind, torture, and kill) remained at large in Wichita,
More informationNetwork Security Administrator
Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze
More information