Computer Forensics: Introduction, Part A
Dr. Magdalena Szeżyńska, CISA
Institute of Electronic Systems, WUT
m.szezynska@elka.pw.edu.pl
Summer 2016
Digital Forensic Investigation Concepts
"A digital investigation is a process to answer questions about digital states and events. A digital forensic investigation is a special case of a digital investigation where the procedures and techniques that are used will allow the results to be entered into a court of law."
Brian Carrier, http://www.digital-evidence.org/di_basics.html
Computer Forensics / Forensic Computing
"Computer forensics is the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable."
R. McKemmish, 'What is Forensic Computing?' (Australian Institute of Criminology, 1999)
Course Objective
To deliver the baselines (practical, ground-level knowledge) of sound computer forensics practice, enabling information technology and information security professionals to ensure the overall integrity and survivability of their IT infrastructure.
In reality, becoming a computer forensics specialist takes many years of training and practice. This course gives you an introduction to CF and some guidance about what to study next.
Course Description - Lectures
- Introduction to the baselines of computer forensics: definitions, needs, requirements, legal and ethical aspects; investigation phases: preparations and start of an investigation, case study, analysis of evidence, documentation.
- Computer forensics as a part of information (systems) security controls: information security incident response, legal and regulatory aspects, successful investigations, forensic analysis.
- The discovery, recovery, preservation, analysis and control of electronic evidence; presentation standards.
Course Description - Lectures
- Tools of the trade (TCT, Sleuthkit, Autopsy, CF-oriented Linux distributions, solutions for other platforms, commercial tools, e-discovery).
- Virtualization and computer forensics.
- Booting processes: start disks, boot sectors and partitions, system loaders and managers, preparing and using bootable CD/DVD and USB images.
- File systems: specifications, data structures, investigation techniques.
Course Description - Lectures
- Identifying data types, reconstruction and analysis of files and data areas in search of evidence, interpretation of system and application logs, proving break-ins.
- Mobile device forensics.
- Investigation of live systems and network data flows, searching for evidence on the Internet.
- Case studies.
Course Description - Labs
- Tutorial: getting familiar with the lab environment, recovering files from a formatted and/or reused thumb drive image (emphasis on documentation).
- Making and analyzing an image of a FAT file system partition and recovering hidden data from it (questions and answers).
- Analyzing an image of an NTFS file system partition and recovering hidden data from it using Linux- and Windows-based tools (reconstructing timelines).
Course Description - Labs
Two of four:
- Performing post-intrusion analysis of a Linux system (based on known source images and solutions).
- Analyzing a feature mobile phone (based on known source images and solutions).
- Analyzing Windows 7: everything is in the Registry.
- Searching for sources of evidence regarding Internet-based criminal activities, e.g. the operation of an Internet investment service (HYIP type).
Assessment Method
Lectures: two closed-notes tests, in the middle and at the end of the semester (25 points each). 3 extra points for attendance at lectures (roll-call at random 3 times during the semester).
Labs: five 3-hour labs, each starting with a 10-minute short test followed by strictly individual work with emphasis put on documentation. 5 x 10 points to earn.
Assessment Method
No retakes. No requirement to pass lecture tests and labs separately.
Final score: points earned for tests and labs are summed; more than 50 points are required to pass; linear grade scale (up to 60 points for 3, up to 70 points for 3.5, etc.).
ECTS Credits
Contact hours 45 h: lectures 30 h, labs 15 h.
Private learning: labs 20 h.
Office hours 2 h.
Private learning: studying literature 15 h.
Private learning: preparation for tests/exams 20 h.
Total: 102 h == 4 ECTS credits.
Informatyka śledcza (Computer Forensics) - w01a - introductory information
Course Page
Learning materials, announcements etc. will be published at the CF course page: http://staff.elka.pw.edu.pl/~mszezyns/cf/index.html
Recommended software: http://staff.elka.pw.edu.pl/~mszezyns/cf/tools.html
Books and guides: http://staff.elka.pw.edu.pl/~mszezyns/cf/books.html
Access to learning materials will require authentication. Individual user names and passwords will be issued to each student after they send an introductory e-mail to m.szezynska@elka.pw.edu.pl from their official address (@mini).
Who's Who
Magdalena Szeżyńska, PhD, CISA
Specialization: electronics and computer engineering, cryptography, information security, information systems audit and control, computer forensics.
Role: course coordination, lectures.
Office hours: Tue. 12:30-1:30 p.m. or by appointment, room 249GE.
E-mail: m.szezynska@elka.pw.edu.pl
Who's Who
Krzysztof Gołofit, PhD (Eng), MSc
Specialization: electronics and computer engineering, cryptography, information security, information systems audit, computer forensics, work and organizational psychology.
Role: labs, support.
Office hours: by appointment, room 249GE.
E-mail: k.golofit@elka.pw.edu.pl
Communication
Please write to the official e-mail addresses of the teachers, m.szezynska@elka.pw.edu.pl and k.golofit@elka.pw.edu.pl (no alternatives shall be read and/or answered). E-mails coming from addresses in the pw.edu.pl domain will be answered as soon as possible. E-mails coming from elsewhere will be answered sporadically (if ever).