Computer Forensics and What Is, and Is Not, There on Your Client s Computer. Rick Lavaty, Computer Systems Administrator, District of Arizona

Similar documents
New Hampshire Cyber Crime Initiative Overview Briefing. NH Assistant Attorney General Lucy H. Carrillo Internet Crimes Prosecutor

Digital Forensics for Attorneys Overview of Digital Forensics

Digital Forensics. Larry Daniel

Breakfast Meeting: Securing your Secured Data Digital Forensics, Fraud and Forensic Advancements

National District Attorneys Association National Center for Prosecution of Child Abuse. Computer Forensics for Prosecutors

Sensitive Incident Investigations. Digital Risk Management. Forensics Testing.

Legal Framework to Combat Cyber Crimes in the Region: Qatar as a Model. Judge Dr. Ehab Elsonbaty Cyber Crime expert ehabelsonbaty@hotmail.

Certified Digital Forensics Examiner

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS

Computer Forensics US-CERT

Loophole+ with Ethical Hacking and Penetration Testing

CERTIFIED DIGITAL FORENSICS EXAMINER

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner

KIMMONS INVESTIGATIVE SERVICES, INC. Texas Largest & Most Experienced Investigative Firm

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

KIMMONS INVESTIGATIVE SERVICES, INC.

ITU Session Two: Conduct a forensically safe investigation Mounir Kamal Mkamal@Qcert.org Q-CERT

EC-Council Ethical Hacking and Countermeasures

Journal of Digital Forensic Practice

The Proper Acquisition, Preservation, & Analysis of Computer Evidence: Guidelines & Best-Practices

Chapter 7 Securing Information Systems

Digital Forensics & e-discovery Services

S. Robert Radus, CPA CFE PI Curricula Vitae. Examination of plaintiff, respondent, and defendant books and records to determine:

Developing Computer Forensics Solutions for Terabyte Investigations

Digital Forensics & e-discovery Services

Incident Response and Computer Forensics

Summary. Natalie Marshall. Graduation Date: MArCH Honor Society Career Profile for: Lawyer. Type: Professional Area: Legal Subarea: Lawyer

ITM 642: Digital Forensics Sanjay Goel School of Business University at Albany, State University of New York

County of Monterey DISTRICT ATTORNEY INVESTIGATOR I

PREREQUISITE(S): CTS 1131, CTS 1133 and CTS 1120

A Practical Approach for Evidence Gathering in Windows Environment

Cyber Security Response to Physical Security Breaches

Computer Forensic Capabilities

FORBIDDEN - Ethical Hacking Workshop Duration

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Forensic Toolkit. Sales and Promotional Summary ACCESSDATA, ON YOUR RADAR

Digital Forensics for Attorneys - Part 2

Computer Forensics as an Integral Component of the Information Security Enterprise

About Your Presenter. Digital Forensics For Attorneys. Overview of Digital Forensics

Information Security Incident Management Guidelines

2014 Spring Conference DIRECT FROM THE NATIONAL ACFE. Intro to Digital Forensics: Gathering and Preserving Electronic Evidence Presented by Cary Moore

Services. Computer Forensic Investigations

Computer Forensics. Computer Forensics: History, Tools and Outlooks. By John Burns IT Research Paper

Computer Forensics Today

What is Digital Forensics?

BOR 6432 Cybersecurity and the Constitution. Course Bibliography and Required Readings:

INTRODUCTION DEVELOPMENT AND PHENOMENA

C HFI C HFI. EC-Council. EC-Council. Computer Hacking Forensic Investigator. Computer. Computer. Hacking Forensic INVESTIGATOR

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

EnCase 7 - Basic + Intermediate Topics

Build Context into Your Digital Forensic Exam With Online Evidence

plantemoran.com What School Personnel Administrators Need to know


Ten Deadly Sins of Computer Forensics

Digital Evidence Legal Issues and Trends

Immigration and Customs Enforcement Forensic Analysis of Electronic Media

Reynoldsburg City Schools Computer and Technology Acceptable Use Policy Staff, Volunteers and Students

OUTLOOK WEB ACCESS. User Guide

CURRICULUM VITAE. David T. Gallant (USAF Retired) President, Gallant Computer Investigative Services, LLC

Best Practices in Electronic Record Retention

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Cell Phone Forensics For Legal Professionals

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Case 9:14-cr KAM Document 135 Entered on FLSD Docket 07/27/2015 Page 1 of 2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA

Digital Evidence. Robert J. O Leary, CFCE; DFCP Director NIJ ECTCoE 550 Marshall St. Suite B Phillipsburg, NJ 08865

Computer Hacking Forensic Investigator v8

Certified Cyber Security Analyst VS-1160

How To Get A Computer Hacking Program

Lance Eliot Sloves. Computer Forensic Services, Inc Allen St. #743

CYBER FORENSICS (W/LAB) Course Syllabus

MSc Computer Security and Forensics. Examinations for / Semester 1

10/11/2012. Digital Forensics for Attorneys - Part 2. Digital Forensics For Attorneys. Experts. Larry E. Daniel, EnCE, DFCP, BCE

AT&T Synaptic Storage as Service mobile business app for the Android Quick Start Guide

Purely applied tools. Thinking is difficult and sometimes unpleasant.

Publications Listing. (By Area of Law)

C HFI C HFI. EC-Council. EC-Council. Computer Hacking Forensic Investigator. Computer. Computer. Hacking Forensic INVESTIGATOR

Ace Hardware Corporation

BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE

Design and Implementation of a Live-analysis Digital Forensic System

Chapter 15: Computer and Network Security

Full version is >>> HERE <<<

Introduction. IMF Conference September 2008

Digital Evidence Collection and Use. CS 585 Fall 2009

ediscovery 101 Myth Busting October 29, 2009 Olivia Gerroll ediscovery Solutions Group Director

Hands-On How-To Computer Forensics Training

CYBER FORENSICS. KRISHNA SASTRY PENDYALA Cyber Forensic Division Central Forensic Science Laboratory Hyderabad.

Conviction Integrity Unit Best Practices October 15, 2015

Overview of Computer Forensics

Thanks for showing interest in Vortex IIT Delhi & What After College (WAC) Ethical Hacking Workshop.

CHEVRON CORP AND TEXACO PETROLEUM COMPANY V. THE REPUBLIC OF ECUADOR EXPERT REBUTTAL REPORT OF J. CHRISTOPHER RACICH DECEMBER 16, 2013

"This is a truly remarkable attack, but not. just in its scope hackers successfully. penetrated one of the most secure

BE SAFE ONLINE: Lesson Plan

8 Ways Quick Application Installations Ruin Performance

JURY QUESTIONNAIRE [PLEASE PRINT]

Computer Forensics Processing Checklist. Pueblo High-Tech Crimes Unit

Digital Forensic Techniques

Developing an Integrated e-discovery and Corporate Records Management Program. Presented by: Janeine Charpiat Information Security Professional

Transcription:

Computer Forensics and What Is, and Is Not, There on Your Client s Computer Rick Lavaty, Computer Systems Administrator, District of Arizona Eddy Archibeque, Computer Systems Administrator, District of New Mexico

Computer Forensics... A Defense Prospective Rick Lavaty, SCSA Federal Public Defender s Office, AZ Eddy Archibeque Federal Public Defender s Office, NM

What s computer forensics? Securing and collecting data without compromising the evidence Examination and analysis of data by persons with proper experience and training Document and preserve the seizure, examination, storage & transfer of data Working with attorneys and paralegals to develop electronic disclosure and discovery strategies Consulting on computer technology and infrastructure issues in litigation Testifying as an independent expert

Forensic Experts When do you need one? Fraud Identity Theft Intellectual Property Theft Stalking/Cyberstalking Child Pornography

Do you really need an expert? Yeah You do - unless this looks familiar

Working With an Expert Ensure that your expert knows both your client s and the adverse party s position, and has seen ALL disclosure Don t project a bias onto your expert; you want the good news and the bad news Give your expert the access needed to direct an investigation, avoid surprises, and form a valid and supportable opinion Give your expert the time needed from you to prepare for depositions and trial Don t place unrealistic time constraints on your expert this can be VERY slow and tedious work

Will my expert be expensive? Oh HELL YES! What influences costs? Time needed for the exam? What do you need to know? What kind of equipment is needed? How fast to you need a report? Theory of defense? Is it a Child Pornography Case?

What are we looking for?

The Enormous Amount of Data = 1 MB of data 20 MB hard drive 1.2 GB hard drive 80 GB hard drive 312 pages 32 inch stack 160 foot stack 10,000 foot stack

What does L.E. look for? Unlike some traditional forensic analyses that attempt to gather as much information as possible from an evidence sample, computer forensic analysis attempts to recover only probative information from a large volume of generally heterogeneous information. U.S. Department of Justice - Forensic Science Communications October 2000 Volume 2 Number 4 Recovering and Examining Computer Forensic Evidence

WHERE IS THE EVIDENCE? and how did it get there?

Proper Evidence Handling Chapter 3. Evidence Acquisition Principle: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. A Guide for Law Enforcement Title: Forensic Examination of Digital Evidence: Author: National Institute of Justice Published: April 2004 Subject: Cyber/electronic crime

Seized drive properly handled? What s really on that hard drive? Viruses, Backdoors & Trojans? File access dates and times How reliable are they? How many images?.lnk files did your client access/view it? Wi-Fi Home Network? P2P File Sharing programs?

What We Know Before Forensic Exam Facts surrounding the crime Seizure (and acquisition) dates and times Type of media (HDD, Cell Phone, Camera) Specifications of media (Size, OS, Users, Time Zone) Registration information and user accounts Folder structure and file listing Whether the data is active or deleted Where the chargeable evidence exists

What We Don t Know Was the electronic evidence properly handled? What evidence of the crime exists on the media, if any? Where does ALL of the electronic evidence exist? (Not just the evidence the prosecution noted) How did it get there? Where did it come from? When was it created? Accessed? Deleted? Was it moved, copied, saved, viewed? Who had access to the evidence?

Who Had Access? Computer name - user accounts Online User names and passwords (Registry) On-line activity and personal data Wireless network?? Secure?? Malware Remote Access

DATE / TIME STAMP ANALYSIS Last Written (Modified) date/time when the file was last opened, edited and saved. Last Accessed date/time the file was last touched (This is turned off in Vista & Win 7) File Created date/time the file was created at that location on the media

DATE / TIME STAMP ANALYSIS When the Last Written date/time is equal to the File Created date/time, the file has not been modified or copied from another location. When Last Written date/time is prior to the File Created date/time, the file has been copied or moved from one location to another location. When a group of files is copied or moved, the File Created dates/times will be in sequence with very close and/or identical date/time stamps.

What can be found? If the client saw it.. A forensic expert can probably find it Internet sites Saved files User names, passwords, and IDs Deleted files Temp Files E-Mail

AOL Instant Messenger (AIM) users datgrillzgirl06 earnieluvsu iluvthedead06 imasexybtch6969 istalkthedead06 sarahmd12 wmssoccerlvr13 xosweetnsimple99 filelib cutieprox12 datgrillzgirl06 dwinston1969 earnieluvsu emmasauresrex emoluvlayoutsss iluvthedead06 imasexybtch6969 istalkthedead06 joshevans06 mycandyshop4boyz puplvr05 qtgirlie05 sarahmd12 sexybaby12rox teenkelly6969 teenman02 tskaterboy9304

[11: Oct: 2005, 08:43:01] Keylogger Started [10:59:59] Sign In - Microsoft Internet Explorer [Del]SNOWBOO55@HOTMAIL.COM MASH4077BOOBOO ( Changed window ) [19: Oct: 2005, 15:10:08] Keylogger Started [15:44:37] Sign in to Yahoo! - Microsoft Internet Explorer snowboo40 [TAB] booboo ( Return )

Got Hash? The L.E. Report Will Probably Say Something Like: Computer media was analyzed using standard computer forensics tools. Numerous pornographic images were located on the computer hard-drive. Comparison to hash values confirms that eleven (11) known child pornographic images were stored on the subject s harddrive.

What is HASH? The hash is a checksum (numeric representation) that is mathematically generated and uniquely identifies an application, or collection of data. This basically means the fingerprint of the file. Because it is calculated mathematically based on the binary information (1 s and 0 s that represent the content of a file), it can be used to identify a file regardless of the name/date/etc. Jerry Grant, ACE, INV FPD NYW

HASH Example Comparison D8BB84A520996EB591502D5783DB8ED5 BC4E00038B15305F352D55653310AA6B

Questions??

An Overview of Some Useful On-line Resources

National Institute of Justice Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors www.ojp.usdoj.gov/nij/pubssum/211314.htm

http://www.nij.gov/nij/topics/forensics/evidence/digital/welcome.htm

http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/oct2000/computer.htm

Other Useful References and Links Forensic Toolkit http://www.accessdata.com Encase Forensic http://www.guidancesoftware.com Others http://www.forensics-intl.com/intro.html http://www.digital-detective.co.uk/

Google: Computer Forensics

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information