ITU Session Two: Conduct a forensically safe investigation Mounir Kamal Mkamal@Qcert.org Q-CERT




The Importance of Crime Scene

One of the main goals in an investigation is to attribute the crime to its perpetrator by uncovering compelling links between the offender, victim, and crime scene.

According to Locard's Exchange Principle, anyone, or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave.

Computer Crime Categories

The computer as a target
The attack seeks to deny the legitimate users or owners of the system access to their data or computers. A Denial-of-Service (a.k.a., DOS or DDOS) attack or a virus that renders the computer inoperable would be examples of this category.

The computer as an instrument of the crime
The computer is used to gain some other criminal objective. For example, a thief may use a computer to steal personal information.

The computer as incidental to a crime
The computer is not the primary instrument of the crime; it simply facilitates it. Money laundering and the trading of child pornography would be examples of this category.

Crimes associated with the prevalence of computers
This includes crimes against the computer industry, such as intellectual property theft and software piracy.

What Is Electronic Evidence?

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device.

Electronic evidence:
- Is often latent in the same sense as fingerprints or DNA evidence.
- Can transcend borders with ease and speed.
- Is fragile and can be easily altered, damaged, or destroyed.
- Is sometimes time-sensitive.

The Fragility of Digital Evidence

Once a crime scene has been secured, the evidence of a traditional crime such as fingerprints or firearms tends to obey The Dead Body Theorem ("It's not going anywhere").

When a computer is involved in the crime scene, however, the situation is not as clear. The very existence of evidence may not be obvious upon initial examination. There are no bullet holes to show where an intruder has gained unauthorized access nor blood stains to show where information has been destroyed.

Types of Fragile Evidence

Transient data - Information that will be lost at shutdown, such as open network connections, memory resident programs, etc.
Fragile data - Data that is stored on the hard disk, but can easily be altered, such as last accessed time stamps.
Temporarily accessible data - Data that is stored on the disk, but for a period of time only.

In order to preserve fragile data, it has to be transported to a non-volatile medium as quickly as possible without disrupting any other part of the system (Live Response).
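The live-response step described above, sketched as an added example that is not part of the original slides: transient data is captured to a separate evidence directory, most volatile first, and each item is hashed so later alteration can be detected. The Linux commands in COLLECTORS, the SHA-256 manifest, and the names collect and verify are assumptions of this example; the slides name no tools.

```python
import hashlib
import json
import os
import subprocess
import time

# Assumed Linux commands, most volatile first (the slides name no tools).
COLLECTORS = [
    ("network_connections", ["ss", "-tanp"]),
    ("running_processes", ["ps", "auxww"]),
    ("logged_in_users", ["who", "-a"]),
]


def _run(argv):
    """Run one collector and return its raw output bytes."""
    return subprocess.run(argv, capture_output=True, check=False).stdout


def collect(evidence_dir, collectors=COLLECTORS, run=_run):
    """Save each collector's output under evidence_dir and write a manifest.

    evidence_dir should be on external media, not the suspect disk.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for name, argv in collectors:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        data = run(argv)
        # Mode "xb" refuses to overwrite an item collected earlier.
        with open(os.path.join(evidence_dir, name + ".txt"), "xb") as fh:
            fh.write(data)
        manifest.append({"item": name, "command": " ".join(argv),
                         "collected_utc": stamp, "bytes": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    with open(os.path.join(evidence_dir, "manifest.json"), "x") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(evidence_dir):
    """Return the items whose stored file no longer matches its recorded hash."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    changed = []
    for entry in manifest:
        with open(os.path.join(evidence_dir, entry["item"] + ".txt"), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                changed.append(entry["item"])
    return changed
```

Running verify on the evidence directory at each later handling step returns an empty list as long as the captured files are unchanged.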

The Law Enforcement Response to Electronic Evidence

The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role.

A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence.

- Officers may encounter electronic devices during their day-to-day duties.
- Investigators may direct the collection of electronic evidence, or may perform the collection themselves.
- Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence.

How Is Electronic Evidence Handled at the Crime Scene?

Handling electronic evidence at the crime scene normally consists of the following steps:

1. Recognition and identification of the evidence.
2. Documentation of the crime scene.
3. Collection and preservation of the evidence.
4. Packaging and transportation of the evidence.

Seizing Evidence Processes and Documentation

Examples of processes to follow at an electronic evidence scene:

- Seizing PC Procedure
- Seizing PC Hard Disk Form
- Seizing PDA/Cell Phone Procedure
- Seizing PDA/Cell Phone Form
- Seizing CDs, DVDs, Flash Memory, and Others Procedure
- Seizing CDs, DVDs, Flash Memory, and Others Form


Thank You www.qcert.org