Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation
Computer Forensics and Digital Investigation
Computer Security EDA263, lecture 14
Ulf Larson

Lecture outline
- Introduction to Computer Forensics
- Digital investigation
- Conducting a Digital Crime Scene Investigation
- Legal aspects and considerations
- Data preservation, acquisition and analysis: live incident response, data duplication, forensic analysis techniques
- Applicability of computer forensics

Introduction to Computer Forensics

Defining the word forensic
- American Heritage Dictionary definition of forensic: "Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law."
- Many methods use science and technology to investigate and establish facts.
- Forensics is used when the results of the method should be valid in a court of law.

Defining computer forensics
- The corresponding definition for computer forensics would be: "Relating to the use of computer science or technology in the investigation and establishment of facts or evidence regarding crimes committed with computers, or against computers, in a court of law."
- Or: "The art and science of applying computer science to aid the legal process."
- Or: "The application of computer investigation and analysis techniques to determine potential legal evidence."
- Thus, when computers are involved in the process of establishing facts that should be valid in a court of law, we denote this process as computer forensics.

The Digital Investigation

The digital investigation
- However, not all investigations go to court: corporate investigations, private investigations.
- ...and therefore not all investigations are computer forensics. A better name for the investigation process is digital investigation, or digital crime scene investigation.
- A digital investigation takes place when a digital incident is reported and evidence needs to be found.
- Analogy to physical investigation: a physical investigation considers fibers, footprints, blood stains and fingerprints; a digital investigation considers text files, messages, log entries and alerts.

The digital investigation: targets
The digital investigation regards:
- Crimes committed against computers: intrusions and break-ins by networked attackers, and insider jobs.
- Crimes committed with computers: communication between criminals engaged in murder, kidnapping, assault, extortion, drug dealing, espionage, terrorism, child pornography.

The digital investigation: purpose
Its purpose is to provide information about:
- What happened
- When the events that led to the crime occurred
- In what order the events occurred
- What the cause of the events was
- Who caused the events to occur
- What enabled the events to take place
- What was affected, and how much it was affected

The digital event
- A digital event is any activity or transition: interrupts, command invocations, process termination, network data transmission/reception.
- A digital event changes the state of one or more digital objects.
- A digital object is a discrete collection of digital data: a file, a hard disk sector, a network packet, a process.
- The state of a digital object is the collection of object characteristics: for a file, its file name, file content and MAC times; for a running process, its PCB and memory content.
- A digital event can be the cause of a data object, or the effect of a data object: a process can create a file; a file can be created by a process.

[Figure: three cause objects, one effect object; event chain with two events]
Digital evidence and incidents
- Some systems have policies that forbid certain digital events.
- If one or more of the forbidden digital events occur anyway, the policy is violated, and an incident has occurred.
- Digital evidence contains reliable information that supports or refutes a hypothesis about an incident.
- A data object is evidence of the forbidden event if the event changed the state of the object.

Conducting a Digital Crime Scene Investigation

Digital crime scene investigation
When an incident has occurred and we need to determine the whats, whens and whos of the incident.
Investigation phases:
- Preparation: pack your bags with the equipment needed to perform the investigation.
- System preservation: minimize the amount of data that is changed or deleted.
- Evidence search: determine what you are looking for, and where you expect to find it.
- Event reconstruction: use the evidence to determine what events occurred.

Investigation process: preparations
- Before entering the crime scene, be sure to bring the necessary tools: digital cameras, screwdrivers, flashlights, IDE cables, SCSI cables, and a prepared forensic workstation, i.e., a computer with a set of reliable tools.
- And the necessary forms for the investigation: evidence worksheets, system worksheets, evidence labels, chain of custody forms.
- These let you document your every step, which is necessary if the case comes to court and you are appointed as expert witness.

Investigation process: system preservation
- Preserve the crime scene to prevent changes introduced by the investigation process or by the attacker, e.g., booby traps or deletion upon shutdown.
- Preservation depends on the situation:
  1. Non-critical assets, or legal use: perform a full disk duplication of the suspect computer, i.e., copy the entire content of the disk(s) to a backup disk.
  2. Semi-critical assets: contain the suspect computer, i.e., plug network cables into empty hubs, copy critical log data, kill suspect processes, enable system monitoring.
  3. Critical assets (no downtime allowed): perform live incident response, i.e., keep the computer running, copy what you can, monitor.

Investigation process: evidence search

[Figure: evidence searching cycle. Phase 1: Target Definition; Phase 2: Data Extraction and Interpretation (target, data objects); Phase 3: Data Comparison (target, data objects); Phase 4: Knowledge Update, which overlaps with Event Reconstruction]
Evidence search
- Phase 1: Target Definition. Define the target for locating evidence. Base the target definition on either previous experience or previously found evidence.
- Phase 2: Data Extraction and Interpretation. Use the target to locate relevant data objects. Conduct searches in an ordered pattern. Use interpretation or abstraction layers, i.e., look at each file, each sector or each network packet.
- Phase 3: Data Comparison. Compare the extracted data to the target. Matching data objects are considered potential evidence.
- Phase 4: Knowledge Update. Search the data objects for new targets. Update general investigation knowledge. Restart from Phase 1 with the new target definitions.

Investigation process: event reconstruction

[Figure: event reconstruction process. Evidence Examination Phase (overlaps with the Search Phase), Event Reconstruction Phase, Role Classification Phase, Event Construction and Testing Phase, Event Sequencing Phase, Hypothesis Testing Phase]

- Goal: to examine each piece of evidence and determine what events it was involved in, so that we can determine which events occurred at the crime scene.
- Develop and test hypotheses about the events that an object was the effect of and, when applicable, determine what events it could have been a cause of.
- Attempt to deduce previous states by examining the events in which an object may have been involved.
- Question why an object has its properties, where they could have come from, and when they were created.

Legal aspects and considerations

Digital evidence and the law
- Digital evidence may be used in a court of law.
- Evidence may support a physical witness, or be used stand-alone.
- The investigator may then be called as an expert witness to explain the relevance of the evidence.
- To be credible, the investigator needs to show that certain measures have been taken during the investigation, and that no changes have been introduced to the crime scene during the investigation.

Guidelines for collecting digital evidence
- There is no established checklist for how to collect evidence for use in a court of law.
- However, there are guidelines: Are the theories and techniques employed during evidence collection tested? Do the techniques for evidence collection have a known error rate? Are the techniques subject to standards governing their application? Do the theories and techniques enjoy widespread acceptance?

Collection procedure
- Verify that no changes have been introduced to the crime scene during the investigation.
- Physical: Don't move furniture, reposition bodies or wash up stains. Isolate the environment. Don't walk around in the area.
- Digital: Don't move files, run programs or remove data. Isolate the computer. Don't walk around in the file system.
- Physical: Take photos and samples; wear gloves so as not to introduce new objects. Document your actions.
- Digital: Take snapshots of the computer state, duplicate data, use write blockers. Document your actions.

Expertise needed by the investigator
- Legal procedures and laws of evidence
- Investigative techniques
- Computer technology

The investigator as expert witness
- The investigator as an expert witness in a court of law: helps judges and juries to understand e-evidence; raises doubt in, or removes doubt from, the minds of the jury; has the knowledge to reconstruct or explain what happened without having observed it directly; is qualified by knowledge, skill, experience, training, or education.

Preservation, acquisition and analysis
- Live incident response
- Forensic duplications
- Forensic analysis techniques
Live incident response
- Live incident response is used when the suspect computer is still running. Collect all relevant data to confirm whether an incident has occurred. Collect both volatile and non-volatile data.
- Volatile data disappears when the computer is powered off. Example: process memory content.
- Non-volatile data can still be recovered after power off, but might be easier to read if captured with the proper system tools. Example: it is easier to read already formatted system logs than raw binary data.
- Connect your prepared forensic workstation to the suspect computer.
- Set up a channel between the suspect and the workstation.
- Run commands to produce data, and transfer the data over the channel.
- Hash the data to protect its integrity.

Volatile data
- Volatile data disappears if the power is off: system date and time; current network connections; open TCP or UDP ports and related processes; users currently logged on; running processes; open files; process memory dumps; system memory dumps.
- System date and time: important to correlate time between suspect computers; may reveal system and file timestamp tampering.
- Current network connections: the attacker may still be connected to the suspect computer; the attacker may use the suspect to brute force passwords on other computers.
- Open TCP and UDP ports and related processes: useful for filtering out commonly used ports from suspicious ports; useful for finding suspicious processes by observing the name or path of the processes involved in connections.
- Users currently logged on: allows us to find out who is accessing the system right now; may reveal attackers that are currently logged in and whose accounts they are using.
- Running processes: allows us to find suspicious processes currently running; may reveal the names of certain binaries not normally present on the system.
- Open files: allows us to see what files, pipes and sockets each running process is using; may reveal information regarding files that are accessed, and also their names.
- Process memory dumps: allow us to find cleartext passwords, unencrypted data and the command line used to execute the process.
- System memory dumps: allow us to find remnants of previous sessions and other intrusive processes.
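The channel, transfer and hashing steps above, as an added example that is not the lecture's code: the suspect side frames each command's output together with its SHA-256 digest, and the workstation side recomputes the digest on every frame it receives. The argv values in VOLATILE_COMMANDS are assumptions for a UNIX-like host; demo() pushes constructed command output through a local socket pair so it runs offline.

```python
import hashlib
import io
import json
import socket
import struct
import subprocess
import threading

# Volatile-data commands from the lecture's list. The argv values are assumptions for a
# UNIX-like suspect host; adjust them for the system actually under investigation.
VOLATILE_COMMANDS = {
    "date": ["date"],
    "connections": ["netstat", "-an"],
    "logged_on": ["who"],
    "processes": ["ps", "aux"],
    "open_files": ["lsof", "-n"],
}

def collect_volatile(commands=VOLATILE_COMMANDS):
    """Suspect side: run each command and keep the raw stdout bytes.
    Nothing is interpreted on the suspect; analysis happens on the workstation."""
    results = {}
    for name, argv in commands.items():
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            results[name] = proc.stdout
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Record the failure itself, so the report shows what could not be collected.
            results[name] = f"<collection failed: {exc}>".encode()
    return results

def frame(name, payload):
    """Encode one item as: 4-byte header length | JSON header | payload.
    The header carries the item name, the payload length and its SHA-256 digest, so the
    workstation can check that the bytes it stores are the bytes the suspect produced."""
    header = json.dumps({
        "name": name,
        "length": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }).encode()
    return struct.pack("!I", len(header)) + header + payload

def read_exact(read, n):
    """Read exactly n bytes from a read(n) callable (socket.recv or BytesIO.read)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise ConnectionError("channel closed mid-frame")
        buf += chunk
    return bytes(buf)

def receive_item(read):
    """Workstation side: read one frame, recompute the digest, return (name, payload, ok)."""
    (hlen,) = struct.unpack("!I", read_exact(read, 4))
    header = json.loads(read_exact(read, hlen))
    payload = read_exact(read, header["length"])
    ok = hashlib.sha256(payload).hexdigest() == header["sha256"]
    return header["name"], payload, ok

def check_frame(raw):
    """Verify a frame held entirely in memory, e.g. replayed from a stored capture."""
    return receive_item(io.BytesIO(raw).read)

def transfer(items, suspect_sock, workstation_sock):
    """Stream every collected item through the channel and verify each on arrival.
    The sender runs in a thread so a large item (a memory dump) cannot deadlock the socket."""
    def send_all():
        for name, payload in items.items():
            suspect_sock.sendall(frame(name, payload))
    sender = threading.Thread(target=send_all)
    sender.start()
    received = {}
    for _ in items:
        name, payload, ok = receive_item(workstation_sock.recv)
        received[name] = (payload, ok)
    sender.join()
    return received

def demo():
    """Run the exchange over a local socket pair with constructed command output."""
    items = {
        "date": b"Mon Jan  1 00:00:00 UTC 2024\n",                   # constructed
        "logged_on": b"root  pts/0  2024-01-01 00:00 (10.0.0.5)\n",  # constructed
    }
    suspect, workstation = socket.socketpair()
    with suspect, workstation:
        return transfer(items, suspect, workstation)
```

A frame whose payload was altered in transit fails the digest check, and the workstation keeps the mismatch rather than silently storing the bytes.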
Non-volatile data
- Non-volatile data is persistent after power off: system version and patch level; system event logs; user accounts; web-server logs; suspicious files.
- System version and patch level: implies what attacks the system is vulnerable to, i.e., the starting point for the investigation.
- System event logs: security logs, application logs and system logs. They allow us to find relevant entries regarding security issues, or events that either applications or the system find notable.
- User accounts: listing the accounts allows us to see if any new accounts have been created by the attacker.
- Web-server logs: a type of application log, but they should be treated more carefully since web servers are highly exposed assets. If attacks are automated, we can find this out from the timestamps of individual log items. We can also find out whether the web server executed commands on the host.
- Suspicious files: allow us to find more information regarding the attack. Usually done unless a forensic duplication is made.

Forensic duplications
- A forensic duplication means making a complete, byte-by-byte copy of the contents of a storage device.
- The goal is to transfer all data from the suspect system to the forensic copy without altering the suspect system in any way.
- Special devices that block write operations to the suspect system are used.
- Commercial solutions: a commercial hardware system, e.g., the RoadMASSter 3 Forensics Data Acquisition and Analysis tool, and related software such as EnCase or Forensic Tool Kit.
- Non-commercial solutions: UNIX programs will do for creating copies. Don't underestimate the power of the write blocker, especially if there are legal requirements.
- Tools: the Data Dump (dd) program performs a byte copy from source to destination; the dcfldd program copies data and produces a hash for every copied 512-byte block.
- Differences between commercial and non-commercial duplications: commercial software costs money, but provides nice interfaces and (hopefully) support, and is more credible in a court of law; commercial hardware costs money, but might be necessary in court to assure that no changes have been made to the evidence disk.

Forensic analysis techniques
- Steps that are common to the majority of investigations, i.e., what you need to do: recovering deleted files; production of time stamps and other metadata for files; removing known files; string searching and file fragments.

Recovering deleted files
- Different approaches are needed for different operating systems and file systems. The investigator needs good knowledge of how the file system is organized and how the operating system treats deleted data.
- Usually, the type of file system is provided to the tool. The tool then investigates the file system accordingly.

Production of time stamps and metadata
- Files exist in two shapes, logical and deleted.
- Metadata: full file names, sizes, MAC times, MD5.
- Used for file name searches, timeline analyses and reporting.
- Common UNIX tools can do this for logical data. Specialized tools can do it also for deleted data.
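A Python stand-in for the dd/dcfldd step above, added here and not part of the lecture: it images a source block by block, records one digest per 512-byte block plus one for the whole image, and later uses the per-block digests to localise any change to the copy instead of only reporting a mismatch. The "device" is a constructed file in a temporary directory; a real acquisition reads the block device through a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK = 512  # dcfldd-style hash window from the lecture: one hash per 512-byte block

def hash_blocks(path, block=BLOCK, copy_to=None):
    """Read path block by block; optionally write each block to copy_to (the image).
    Returns (sha256 of the whole stream, list of per-block sha256 hex digests)."""
    whole = hashlib.sha256()
    per_block = []
    dst = open(copy_to, "wb") if copy_to else None
    try:
        with open(path, "rb") as src:
            while True:
                chunk = src.read(block)
                if not chunk:
                    break
                if dst:
                    dst.write(chunk)
                whole.update(chunk)
                per_block.append(hashlib.sha256(chunk).hexdigest())
    finally:
        if dst:
            dst.close()
    return whole.hexdigest(), per_block

def acquire(source, image_path):
    """Image the source into image_path; return the hashes recorded at acquisition time."""
    return hash_blocks(source, copy_to=image_path)

def verify(image_path, expected_whole, expected_blocks, block=BLOCK):
    """Re-hash the image and return the indices of blocks that no longer match.
    An empty list means the image is byte-identical to what was acquired."""
    whole, blocks = hash_blocks(image_path, block)
    if whole == expected_whole and blocks == expected_blocks:
        return []
    n = max(len(blocks), len(expected_blocks))
    return [i for i in range(n)
            if i >= len(blocks) or i >= len(expected_blocks) or blocks[i] != expected_blocks[i]]

def demo():
    """Acquire a constructed 2000-byte 'device', verify the image, then alter one byte of
    the copy and verify again. Returns (bad blocks before, bad blocks after, block count)."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect.bin")
    image = os.path.join(workdir, "suspect.dd")
    with open(device, "wb") as f:
        f.write((bytes(range(256)) * 8)[:2000])  # constructed content: 4 blocks, last one 464 bytes
    whole, blocks = acquire(device, image)
    before = verify(image, whole, blocks)
    with open(image, "r+b") as f:  # simulate a copy that was altered after acquisition
        f.seek(1100)               # offset 1100 lies in block index 2
        b = f.read(1)
        f.seek(1100)
        f.write(bytes([b[0] ^ 0xFF]))
    after = verify(image, whole, blocks)
    return before, after, len(blocks)
```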
Removing known files
- Limit the number of files that need to be considered.
- Remove the files that are considered normal: compare the hash of every file in the file system to a known-good set of hashes. Collections of such hashes exist. Remove the matches.

String searching and file fragments
- When searching for data, two situations may come up:
- A data object, e.g., a file, is found: inspect the file directly with a suitable application, and look for keywords that can move the search forward.
- A keyword or string, e.g., "b0mb", is present: search the system for data objects containing the string, and investigate the rest of the data object.

Application areas
- tracing
- Web browsing reconstruction
- Intrusion analysis
- Cell phone and PDA forensics
- USB and flash memory forensics
- Static and dynamic binary analysis

Conclusion
- Computer forensics is the application of technology and science to establish facts in a court of law.
- A digital investigation preserves the crime scene, searches for evidence, and reconstructs events.
- A digital investigator needs to know computers and the legal system, and be able to draw conclusions.
- Different approaches to the investigation are required depending on the situation: at one extreme we have live response, at the other forensic duplication.
- Several techniques are available to reduce the data and to pinpoint the important objects.
- Forensics has many application areas, including PDA forensics and intrusion analysis.
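The known-file removal and keyword search described above, combined with the per-file metadata (name, size, MAC times, hash) the preceding slide lists, as an added example that is not the lecture's code. The file tree, its contents and the known-good hash set are all constructed inside demo(); a real investigation would take the hash set from a published collection.

```python
import hashlib
import os
import tempfile

def file_record(path, rel):
    """Metadata the lecture lists per file: name, size, MAC times and a hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "rel": rel, "path": path, "size": st.st_size,
        "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
        "md5": hashlib.md5(data).hexdigest(),        # kept for older hash collections
        "sha256": hashlib.sha256(data).hexdigest(),  # used for the matching below
    }

def inventory(root):
    """Walk root and build one record per logical file, ordered by relative path."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records.append(file_record(path, rel))
    return sorted(records, key=lambda r: r["rel"])

def remove_known(records, known_sha256):
    """Drop every file whose hash appears in the known-good set."""
    return [r for r in records if r["sha256"] not in known_sha256]

def timeline(records):
    """Modification-time order of the remaining files, oldest first."""
    return [r["rel"] for r in sorted(records, key=lambda r: (r["mtime"], r["rel"]))]

def keyword_search(records, keywords, context=12):
    """Find every occurrence of each keyword; report file, keyword, offset and the
    surrounding bytes so the rest of the data object can be examined."""
    hits = []
    for r in records:
        with open(r["path"], "rb") as f:
            data = f.read()
        for kw in keywords:
            start = 0
            while (pos := data.find(kw, start)) != -1:
                snippet = data[max(0, pos - context):pos + len(kw) + context]
                hits.append((r["rel"], kw, pos, snippet))
                start = pos + 1
    return hits

def demo():
    """Constructed tree: two known system files, two unknown files. Returns
    (files inventoried, unknown files, (file, keyword, offset) for each hit)."""
    root = tempfile.mkdtemp()
    files = {  # constructed contents
        "bin/ls": b"ELF stand-in for a known system binary",
        "etc/motd": b"Welcome to the constructed host\n",
        "home/u/mail.txt": b"lunch at noon?\n",
        "tmp/.x/notes.txt": b"copied b0mb tool to /tmp/.x\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Constructed known-good set; in practice it comes from a published hash collection.
    known = {hashlib.sha256(files["bin/ls"]).hexdigest(),
             hashlib.sha256(files["etc/motd"]).hexdigest()}
    records = inventory(root)
    unknown = remove_known(records, known)
    hits = [(f, kw, pos) for f, kw, pos, _ in keyword_search(unknown, [b"b0mb"])]
    return len(records), [r["rel"] for r in unknown], hits
```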
Harald Baier Hash Functions in Forensics / WS 2011/2012 2/41 Chapter 8: On the Use of Hash Functions in Computer Forensics Harald Baier Hochschule Darmstadt, CASED WS 2011/2012 Harald Baier Hash Functions
More informationSignificance of Hash Value Generation in Digital Forensic: A Case Study
International Journal of Engineering Research and Development e-issn : 2278-067X, p-issn : 2278-800X, www.ijerd.com Volume 2, Issue 5 (July 2012), PP. 64-70 Significance of Hash Value Generation in Digital
More informationKeywords: Computers, digital evidence, digital evidence bags, forensics, forensics tools
Computer Forensics Procedures, Tools, and Digital Evidence Bags 1 Computer Forensic Tools Keywords: Computers, digital evidence, digital evidence bags, forensics, forensics tools Computer Forensics Procedures,
More informationForensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationChapter 7 Securing Information Systems
1 Chapter 7 Securing Information Systems LEARNING TRACK 3: COMPUTER FORENSICS For thirty years, a serial murderer known as the BTK killer (standing for bind, torture, and kill) remained at large in Wichita,
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationChapter 8 Router and Network Management
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by
More informationDesign and Implementation of a Cloud Digital Forensic Laboratory
C o p y r i g h t 2 0 1 3 T h e I n s t i t u t e o f E l e c t r o n i c s, I n f o r m a t i o n a n d C o m m u n i c a t i o n E n g i n e e r s SCIS 2013 The 30th Symposium on Cryptography and Information
More informationDigital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics
Digital Forensics Lecture 3 Hard Disk Drive (HDD) Media Forensics Current, Relevant Topics defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over
More informationForensic Analysis of Physical Memory and Page File. Hameed Iqbal
Forensic Analysis of Physical Memory and Page File Hameed Iqbal Master s Thesis Master of Science in Information Security 30 ECTS Department of Computer Science and Media Technology Gjøvik University College,
More informationDigital Forensics & e-discovery Services
Digital Forensics & e-discovery Services U.S. Security Associates Digital Forensics & e-discovery Services 21st century fraud investigations require expert digital forensics skills to deal with the complexities
More informationComputer Forensics as an Integral Component of the Information Security Enterprise
Computer Forensics as an Integral Component of the Information Security Enterprise By John Patzakis 10/28/03 I. EXECUTIVE SUMMARY In addition to fending off network intrusions and denial of service attacks,
More informationGoal to recognize, document and collect evidence at a crime scene
Crime Scene Investigation and Evidence Collection Lecture Credits: Anthony (Bud) Bertino Goal to recognize, document and collect evidence at a crime scene Sherlock Holmes» Sir Arthur Conan Doyle in the
More informationComputer Forensics Today
L A W, I N V E S T I G A T I O N S, A N D E T H I C S Computer Forensics Today Kelly J. (KJ) Kuchta When people hear the word forensics, it often generates a mental image of the movie series with Jack
More informationNetwork Security: Workshop
Network Security: Workshop Protocol Analyzer Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network decodes,, or dissects,,
More informationBest Practices for Computer Forensics
Scientific Working Group on Digital Evidence Best Practices for Computer Forensics Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification
More informationDigital Forensics & e-discovery Services
Digital Forensics & e-discovery Services Andrews International Digital Forensics & e-discovery Services 21st century fraud investigations require expert digital forensics skills to deal with the complexities
More informationDeveloping Computer Forensics Solutions for Terabyte Investigations
Developing Computer Forensics Solutions for Terabyte Investigations Eric Thompson Corporation Orem, Utah USA www.accessdata.com Overview Computer Forensic Definition, Objectives and Policies History of
More informationModern Digital Forensics!!
ISA 785 Research in Digital Forensics Modern Digital Forensics!! ISA 785! Angelos Stavrou, George Mason University! Modern Digital Forensics What s New 2! New Intellectual property concerns! IP/Brand related
More informationGENERAL DIRECTIONS OF DEVELOPMENT IN DIGITAL FORENSICS
1. Petar ČISAR, 2. Sanja Maravić ČISAR GENERAL DIRECTIONS OF DEVELOPMENT IN DIGITAL FORENSICS 1. TELEKOM SRBIJA, SUBOTICA, SERBIA 2. SUBOTICA TECH COLLEGE OF APPLIED SCIENCES, DEPARTMENT OF INFORMATICS,
More informationSufficiency of Windows Event log as Evidence in Digital Forensics
Sufficiency of Windows Event log as Evidence in Digital Forensics Nurdeen M. Ibrahim & A. Al-Nemrat, Hamid Jahankhani, R. Bashroush University of East London School of Computing, IT and Engineering, UK
More informationDigital Forensics Tutorials Acquiring an Image with Kali dcfldd
Digital Forensics Tutorials Acquiring an Image with Kali dcfldd Explanation Section Disk Imaging Definition Disk images are used to transfer a hard drive s contents for various reasons. A disk image can
More informationIntroduction to Data Forensics. Jeff Flaig, Security Consultant January 15, 2014
Introduction to Data Forensics Jeff Flaig, Security Consultant January 15, 2014 WHAT IS COMPUTER FORENSICS Computer forensics is the process of methodically examining computer media (hard disks, diskettes,
More informationinformation security and its Describe what drives the need for information security.
Computer Information Systems (Forensics Classes) Objectives for Course Challenges CIS 200 Intro to Info Security: Includes managerial and Describe information security and its critical role in business.
More informationFORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres
FORENSIC ANALYSIS OF USB MEDIA EVIDENCE Jesús Alexander García Luis Alejandro Franco Juan David Urrea Carlos Alfonso Torres Manuel Fernando Gutiérrez UPB 2012 Content INTRODUCTION... 3 OBJECTIVE 4 EVIDENCE
More informationInfoSec Academy Forensics Track
Fundamental Courses Foundational Courses InfoSec Academy Specialized Courses Advanced Courses Certification Preparation Courses Certified Information Systems Security Professional (CISSP) Texas Security
More informationDeveloping an Effective Incidence Response Plan
DATACOM SYSTEMS INC Developing an Effective Incidence Response A guide for converged networks A DATACOM SYSTEMS WHITE PAPER Vital Data Incident Response is defined as a specific process developed and designed
More informationFIRE INVESTIGATOR LEAD EVALUATOR HANDBOOK
LEAD EVALUATOR HANDBOOK Reference Material needed for this course: NFPA 1033: Standard for Professional Qualifications for fire Investigator, 2009 Edition Jones and Bartlett, Fire Investigator, 3 rd Edition
More informationAn Introduction to Incident Detection and Response Memory Forensic Analysis
An Introduction to Incident Detection and Response Memory Forensic Analysis Alexandre Dulaunoy - TLP:WHITE a@foo.be February 6, 2015 An overview to incident response Detection Analysis Containment Investigation
More informationDigital Forensics: The aftermath of hacking attacks. AHK Committee Meeting April 19 th, 2015 Eng. Jamal Abdulhaq Logos Networking FZ LLC
Digital Forensics: The aftermath of hacking attacks AHK Committee Meeting April 19 th, 2015 Eng. Jamal Abdulhaq Logos Networking FZ LLC Topics Digital Forensics: Brief introduction Case Studies Case I:
More informationC HFI C HFI. EC-Council. EC-Council. Computer Hacking Forensic Investigator. Computer. Computer. Hacking Forensic INVESTIGATOR
Page: 1 TM C HFI Computer C HFI Computer Hacking Forensic INVESTIGATOR Hacking Forensic INVESTIGATOR TM v8 v8 Page: 2 Be the leader. Deserve a place in the CHFI certified elite class. Earn cutting edge
More informationComputer Forensics Basics, First Responder, Collection of Evidence
May 7, 2008 1 Computer Forensics Basics, First Responder, Collection of Evidence Omveer Singh Joint Director / Scientist D omveer@cert-in.org.in Indian Computer Emergency Response Team (CERT-In) Department
More informationComputer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065
Computer Forensics and Investigations Duration: 5 Days Courseware: CT 0619217065 Introduction The Computer Forensics and Investigation course presents methods to properly conduct a computer forensics investigation
More informatione-discovery Forensics Incident Response
e-discovery Forensics Incident Response NetSecurity Corporation 21351 Gentry Drive Suite 230 Dulles, VA 20166 VA DCJS # 11-5605 Phone: 703.444.9009 Toll Free: 1.866.664.6986 Web: www.netsecurity.com Email:
More informationDesign Document for Implementing a Digital Forensics Laboratory
Design Document for Implementing a Digital Forensics Laboratory Version.00 Group CNWIS-G4 Department of Computer Science and Engineering University of Moratuwa Project Supervisors: Dr Chandana Gamage Project
More informationReal-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics
Real-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics Tung-Ming Koo, Chih-Chang Shen, Hong-Jie Chen Abstract--The science of computer forensics is often used to judge computer
More informationMFP: The Mobile Forensic Platform
MFP: The Mobile Forensic Platform Frank Adelstein, Senior Principal Scientist, ATC-NY Abstract Digital forensics experts perform investigations of machines for triage to see if there is a problem, as well
More informationITM 642: Digital Forensics Sanjay Goel School of Business University at Albany, State University of New York
INSTRUCTOR INFORMATION Name: Sanjay Goel Email: goel@albany.edu Phone: (518) 442-4925 Office Location: BA 310b, University at Albany Office Hours: TBD CLASS INFORMATION Time: N/A Location: Online Dates:
More information