Developing Computer Forensics Solutions for Terabyte Investigations




Eric Thompson, AccessData Corporation, Orem, Utah, USA, www.accessdata.com

Overview
- Computer forensics: definition, objectives and policies
- History of computer growth and the growth of computer forensics
- Problems facing computer forensics examiners today and in the next several years
- Computer forensics tools
- A look at the computer forensics tools of the future

What is Computer Forensics?
Computer forensics sits within IT security alongside intrusion detection, incident response, electronic discovery and IT intelligence gathering. On the intrusion incident timeline (diagram):
- Pre-incident preparation (IT security)
- Incident (intrusion detection)
- Post-incident recovery (incident response / IT reconstruction)
- Post-incident analysis (computer forensics)

Computer Forensics Objectives and Policies
- Emphasis is placed on data preservation: hard drive data is preserved in hard drive image files, and hard drive write-blocking devices are used to prevent accidental changes to the evidence.
- Hash values are used as fingerprints, or "digital DNA".
- Discovery must be reproducible.
- The computer forensics expert must follow rules for handling evidence.
- Care must be taken during site triage not to contaminate computer data. Accidental contamination can make evidence inadmissible; accidental modification of date and time stamps is a typical example, and booting an MS Windows system will alter hard drive contents.

The Need for Computer Forensics
- IT network security: post-incident research (after the network is repaired and the security hole patched) gathers the information needed to legally prove who attacked the network, how the network was attacked, and what information may have been compromised.
- Investigating and documenting questionable behavior of employees, including use or abuse of the computer or company network.
- Processing a computer that is incidental to a crime (illegal weapons, drug trafficking, illegal pornography, anarchy): searching through e-mails, deleted data space, registry files, etc.

Computer Forensics 1986-1991
- Storage space is limited. Data is stored primarily on 3 1/2" and 5 1/4" floppy disks. Average hard drives are small, under 100 MB.
- Forensics tools are DOS based; Norton's DiskEdit and Mace Utilities are the primary investigative tools of choice.
- The operating system is DOS, which does not modify the drive when booted, so hard drive write protection was not required.
- Large cases involve 10,000+ files.
- Computer forensics experts have little to no formal training.
- 1989: Ron Eatinger starts the Computer Investigative Specialist program at the University of North Texas, later moved to FLETC.
- 1991: IACIS (International Association of Computer Investigative Specialists) holds its first conference in Portland, Oregon.
- Software applications with encryption are easily broken.

Computer Forensics 1992-1995
- Storage space is still limited. Iomega Zip disks are replacing floppy disks as removable media. Average hard drives are relatively small, under 500 MB.
- Microsoft Windows gains momentum with Windows 3.11 and Windows 95.
- Most investigations still involve only one computer. Large cases involve 100,000+ files.
- Increased activity at the FBI, FLETC and IACIS to train US law enforcement agents as computer forensics experts.
- Most commercial applications with encryption are still easily breakable, but the underground community starts to use PGP (free, military-grade encryption).
- Computer forensics tools are still predominantly DOS based, but are now optimized for high-speed searching and data reconstruction.

Computer Forensics 1995-1999
- Hard drive storage space grows rapidly. Average hard drives are several gigabytes.
- Microsoft dominates PCs with Windows 95 and Windows 98.
- Many investigations start to involve more than one computer. Large cases involve 1,000,000+ files.
- Increased international interest in computer forensics tools and training.
- Microsoft introduces 40-bit encryption in its Office products; a single computer needs several months to break a single file.
- Introduction of specialized GUI computer forensics tools such as Expert Witness and EnCase, both built on a Windows Explorer model.

Computer Forensics 2000-2004
- Hard drive storage space continues to grow rapidly. Average hard drives are 40-100 GB.
- Microsoft continues its dominance with Windows 2000 and Windows XP. Linux gains momentum.
- Many investigations now involve 5 or more computers; some involve 50+. Large cases involve 10,000,000+ files.
- Increased international interest in computer forensics.
- In 2000 the US Government relaxed its export controls on strong encryption; 128-bit encryption is adopted by Microsoft and many others.
- AccessData introduces its computer forensics tool, built on a database rather than on the Windows Explorer model.

Computer Forensics 2005+
- Hard drive storage space will continue to grow; personal computers will soon have terabyte hard drives.
- Microsoft's next-generation OS will encrypt all user data automatically via EFS (128-bit encryption).
- Linux will continue to gain momentum.
- Investigations will involve 25+ electronic devices: personal computers, PDAs, Internet storage, digital cameras, USB thumb drives.
- Large cases will soon involve 100,000,000 files.
- Internet file sharing simplifies the exchange of digital contraband.
- Removable media will soon be able to store several gigabytes.

Some Problems Facing Computer Forensics Examinations in the Future
- How long will it take traditional forensics software to process 100 million files? A single PC hashing and processing 250 files per second needs 100,000,000 / 250 = 400,000 seconds, roughly 4.6 days, for 100 million files.
- How long will it take a PC to perform a live search of 1 terabyte of data? At 10 MB per second a single search takes about 100,000 seconds, more than a day.
- Once encryption is always active in the file system: no decryption keys, no data. File slack and unallocated space will be gibberish, and high-speed hardware and software searches will be frustrated because data must be decrypted before searching can take place.

Developing Future Computer Forensics Solutions
- Windows Explorer based tools will continue to be needed for field triage work.
- Forensics tools for the lab will be built on relational database technology (InterBase, Microsoft SQL Server, Oracle, etc.).
- Distributed computing will automate the processing of numerous hard drive images.
- Data searching performed via pre-built index tables.
- Decryption technology seamlessly integrated into forensics tools.
- Password recovery and code breaking performed by large distributed networks (200+ machines).
- Computer forensics performed by forensics examiners; investigation performed by investigators.

Architecture (diagram): input hard drive images feed forensics processing, distributed over 10+ computers, into a SQL case database; password recovery and distributed code breaking run on 200+ LAN/WAN client machines; investigators work from a GUI investigation tool over the case database and produce the case report.
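As an added example, not code from AccessData or any product of theirs, here is a miniature single-machine version of the database-backed pipeline sketched above, tied back to the objectives slide (hash values as fingerprints, reproducible results, evidence read but never changed). Every file is read exactly once by a pool of workers, its hash and keyword tokens go into a SQLite index, later searches hit only the index, and a verification pass re-hashes the evidence to prove nothing was altered. The sample evidence files, the tiny "known file" hash set standing in for an NSRL-style library, and all function names are constructed for this demonstration and are assumptions, not anything the slides specify.

```python
# Added example (not AccessData's code): hash + tokenise evidence in parallel,
# store results in a SQLite index, search the index, re-verify the hashes.
# Sample files and the KNOWN_FILE_HASHES set below are constructed for the demo.
import hashlib
import os
import re
import sqlite3
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Stand-in for a library of hashes of OS/application files that need no
# examiner review (constructed: the hash of one known text file).
KNOWN_FILE_HASHES = {hashlib.sha1(b"Copyright (c) Microsoft Corporation\r\n").hexdigest()}
TOKEN_RE = re.compile(rb"[A-Za-z0-9]{3,}")


def hash_and_tokenise(path, chunk=1 << 20):
    """Read a file exactly once, returning (path, size, sha1, tokens)."""
    h, size, tokens, tail = hashlib.sha1(), 0, set(), b""
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            size += len(buf)
            h.update(buf)
            data = tail + buf
            # A word may straddle a read boundary: hold back the trailing run of
            # token characters and prepend it to the next chunk.
            tail = re.search(rb"[A-Za-z0-9]*\Z", data).group(0)
            tokens.update(t.lower().decode() for t in TOKEN_RE.findall(data[:len(data) - len(tail)]))
    tokens.update(t.lower().decode() for t in TOKEN_RE.findall(tail))
    return path, size, h.hexdigest(), tokens


def build_index(evidence_root, db_path, workers=4, chunk=1 << 20):
    """Hash and tokenise every file under evidence_root in parallel and store
    the results in a SQLite index. Returns the number of files indexed."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(evidence_root) for n in names]
    db = sqlite3.connect(db_path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS files(id INTEGER PRIMARY KEY, path TEXT UNIQUE,
                                         size INTEGER, sha1 TEXT, known INTEGER);
        CREATE TABLE IF NOT EXISTS tokens(token TEXT, file_id INTEGER);
        CREATE INDEX IF NOT EXISTS tokens_by_token ON tokens(token);
        CREATE INDEX IF NOT EXISTS files_by_sha1 ON files(sha1);""")
    # hashlib releases the GIL while digesting, so threads overlap I/O and
    # hashing here; a lab would spread the same map over processes or machines.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for path, size, sha1, tokens in pool.map(lambda p: hash_and_tokenise(p, chunk), paths):
            cur = db.execute("INSERT INTO files(path, size, sha1, known) VALUES (?, ?, ?, ?)",
                             (path, size, sha1, int(sha1 in KNOWN_FILE_HASHES)))
            db.executemany("INSERT INTO tokens VALUES (?, ?)", [(t, cur.lastrowid) for t in tokens])
    db.commit()
    db.close()
    return len(paths)


def search(db_path, keyword, include_known=False):
    """Keyword lookup against the pre-built index; the evidence is not re-read.
    Known (library) files are filtered out unless include_known is set."""
    db = sqlite3.connect(db_path)
    rows = db.execute(
        "SELECT f.path FROM files f JOIN tokens t ON t.file_id = f.id "
        "WHERE t.token = ? AND (? OR f.known = 0) ORDER BY f.path",
        (keyword.lower(), int(include_known))).fetchall()
    db.close()
    return [r[0] for r in rows]


def verify_index(db_path):
    """Re-hash every indexed file; True only if nothing changed since indexing
    (the reproducibility check an examiner runs before relying on results)."""
    db = sqlite3.connect(db_path)
    rows = db.execute("SELECT path, sha1 FROM files").fetchall()
    db.close()
    return all(hash_and_tokenise(p)[2] == s for p, s in rows)


def run_demo(chunk=16):
    """Index constructed evidence in a temp dir and return the findings.
    chunk=16 deliberately splits words across read boundaries."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample evidence, not real case data
            "memo.txt": b"Transfer the funds to the offshore account tonight",
            "memo_copy.txt": b"Transfer the funds to the offshore account tonight",
            "readme.txt": b"Copyright (c) Microsoft Corporation\r\n",
            "random.bin": bytes(range(256)),
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        db_path = os.path.join(root, "case.db")
        indexed = build_index(root, db_path, chunk=chunk)
        names = lambda paths: sorted(os.path.basename(p) for p in paths)
        return {
            "indexed": indexed,
            "offshore": names(search(db_path, "offshore")),
            "microsoft_filtered": names(search(db_path, "microsoft")),
            "microsoft_all": names(search(db_path, "microsoft", include_known=True)),
            "verified": verify_index(db_path),
        }


if __name__ == "__main__":
    print(run_demo())
```

The two design points worth carrying into a real lab tool are that the evidence is read exactly once (hashing and tokenising share the same pass, and the carried-over `tail` keeps words intact across chunk boundaries) and that every later operation, including filtering out library files by hash, runs against the index rather than the evidence, which is what makes the "pre-built index tables" approach scale to the file counts on the slides.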