Computer Forensic Capabilities

Similar documents
Digital Forensics Tutorials Acquiring an Image with FTK Imager

COMPUTER FORENSICS (EFFECTIVE ) ACTIVITY/COURSE CODE: 5374 (COURSE WILL BE LISTED IN THE CATE STUDENT REPORTING PROCEDURES MANUAL)

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

MSc Computer Security and Forensics. Examinations for / Semester 1

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Incident Response and Computer Forensics

Digital Forensic Techniques

About Your Presenter. Digital Forensics For Attorneys. Overview of Digital Forensics

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Computer Forensics as an Integral Component of the Information Security Enterprise

Digital Forensics. Larry Daniel

Technical Procedure for Evidence Search

Digital Forensics for Attorneys - Part 2

Developing Computer Forensics Solutions for Terabyte Investigations

Computer Forensics. Securing and Analysing Digital Information

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

EC-Council Ethical Hacking and Countermeasures

Digital Forensics, ediscovery and Electronic Evidence

Digital Forensics for Attorneys Overview of Digital Forensics

Digital Forensics & e-discovery Services

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Design and Implementation of a Live-analysis Digital Forensic System

Incident Response and Forensics

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

Impact of Digital Forensics Training on Computer Incident Response Techniques

Certified Digital Forensics Examiner

EnCase 7 - Basic + Intermediate Topics

Certified Digital Forensics Examiner

Microsoft Vista: Serious Challenges for Digital Investigations

Computer Basics: Chapters 1 & 2

Guide to Computer Forensics and Investigations, Second Edition

Cloning Utility for Rockwell Automation Industrial Computers

Retailman POS Multi-location Setup

Print/Scan System (U)

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Course Title: Computer Forensic Specialist: Data and Image Files

B. Preservation is not limited to simply avoiding affirmative acts of destruction because day-to-day operations routinely alter or destroy evidence.

Digital Evidence Search Kit

Forensics on the Windows Platform, Part Two

ediscovery 6.0 Release Notes

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

Fermilab Service Desk

Using WMI Scripts with BitDefender Client Security

Cloud Forensics. 175 Lakeside Ave, Room 300A Phone: 802/ Fax: 802/

Using the Windows XP Backup Wizard. Introduction. Open the Backup Wizard

Computer Hacking Forensic Investigator v8

ERserver. iseries. Work management

Chapter 7 Securing Information Systems

DIGIPASS CertiID. Getting Started 3.1.0

Live System Forensics

SAMPLE ELECTRONIC DISCOVERY INTERROGATORIES AND REQUESTS FOR PRODUCTION

Windows OS File Systems

Build Context into Your Digital Forensic Exam With Online Evidence

EnCase v7 Essential Training. Sherif Eldeeb

Measures Regarding Litigation Holds and Preservation of Electronically Stored Information (ESI)

E-Discovery Technology Considerations

[DESCRIPTION OF CLAIM, INCLUDING RELEVANT ACTORS, EVENTS, DATES, LOCATIONS, PRODUCTS, ETC.]

Basic File Recording

... 2 HARDWARE AND FIRMWARE

NetWrix Server Configuration Monitor

Overview. Remote access and file transfer. SSH clients by platform. Logging in remotely

UTILITIES BACKUP. Figure 25-1 Backup & Reindex utilities on the Main Menu

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Hands-On How-To Computer Forensics Training

Computer Forensics Processing Checklist. Pueblo High-Tech Crimes Unit

The following features have been added to FTK with this release:

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

On the Trail of the Craigslist Killer: A Case Study in Digital Forensics

Microsoft Partner Network. Program End-User Guide to Software and Online Services Benefits

WHAT TO DO WHEN YOU RECEIVE A LITIGATION HOLD NOTICE. A Guide for University Faculty, Staff, and Others

Computer Forensics Discipline

What You Should Know About ediscovery

Guide to Computer Forensics and Investigations, Second Edition

Bug ID Name 8661 Matter Agenda Setup - you are now able to delete agenda groups 8766 Save current sort order for matter agenda groups has been

Iridium Extreme TM Satellite Phone. Data Services Manual

Computer Backup Strategies

Determining VHD s in Windows 7 Dustin Hurlbut

WESTERNACHER OUTLOOK -MANAGER OPERATING MANUAL

How to easily clean an infected computer (Malware Removal Guide)

Regional Computer Forensic Laboratory & Digital Forensics. Presented By: D. Justin Price FBI - Philadelphia Computer Analysis Response Team

Excerpts from EnCase Introduction to Computer Forensics

Best Practices for Incident Responders Collecting Electronic Evidence

File Management Where did it go? Teachers College Summer Workshop

Certified Digital Forensics Examiner

Workflow Templates Library

WA1791 Designing and Developing Secure Web Services. Classroom Setup Guide. Web Age Solutions Inc. Web Age Solutions Inc. 1

Table of Contents. Introduction: 2. Settings: 6. Archive 9. Search Browse Schedule Archiving: 18

Transcription:

Computer Forensic Capabilities

Agenda What is computer forensics? Where to find computer evidence Forensic imaging Forensic analysis

What is Computer Forensics? The preservation, identification, extraction, analysis, and interpretation of digital data, with the expectation that the findings will be introduced in a court of law.

Capabilities Reveals direct evidence on the machine Associates a machine with data Provides investigative leads Reveals evidence that corroborates or refutes allegations or alibis Reveals behavioral evidence

Case Agent-Examiner Relationship The case agent and forensic examiner must work as a team Case agent Involves examiner early Explains case Provides focused requests Forensic examiner Educates and advises investigator Explains results and limitations

Where to Find Computer Evidence Seize items specified in the search warrant. Computers, laptops, Network Equipment (hubs and switches) Peripherals: CDR s, DVD-R s, Digital cameras, PDA s External Media: CD s, floppy disks, USB thumb drives Paper notes, documentation and manuals, post-it notes. Document computer equipment and peripherals prior to removal. Digital pictures, diagrams

Types of Electronic Media Desktops to Servers

Variety of Media

But Wait, There s More

What is Forensic Imaging? Obtained by a method which does not, in any way, alter any data on the drive being duplicated Duplicate must contain a copy of every bit, byte and sector of the source drive Duplicate will not contain any data except filler characters (for bad areas of the media) other than that which was copied from the source media. Accurate, Verifiable, Reproducible

Value of Forensic Imaging Incident Response/Forensic Imaging is the MOST IMPORTANT step in the entire electronic investigation Failure can invalidate or make inadmissible all further information gathered from the digital evidence Or at least give attorneys a headache

The Imaging Process 010011 010101 01 010011 010101 01 WriteBlock Imaging Hardware or Software

Physical Write Blocks What Are They? Physical device that prevents writes to the evidence drive BEST method of imaging

Attaching Write Block

Attaching Write Block

Hardware Imager

Software Imaging Bootable CDs or floppies Control computer so it only issues read commands to the drive, never write Examples: FTK Imager EnCase DD Ghost Others

Logical data structure refers to how the information appears to a program or user as seen through the operating system. Logical imaging misses data from areas not seen by the operating system. Physical vs. Logical Physical data structure refers to the actual organization of data on a storage device. Physical imaging gets all the zeros and ones possible from the device.

What Can the Examiner Find? Deleted files Text fragments Enhanced metafiles (previously printed files) Enhanced metadata (embedded information) Date/time stamp information E-mail messages and chat logs Internet usage information (history) Archived and compressed files (zip) Encoded e-mail attachments Images (active and deleted) AND MORE...

Forensic Request from Case Agent EXAMPLE: Kidnapping assault of Heather Miller Evidence of defendant s involvement with abduction Search for victim s name Pictures of victim Evidence of threatening letter sent to victim Evidence of references to date rape drugs Evidence of conspirator Activity on the computer during time of crime User attribution Key word searches

Getting Started Keyword Searches Drawbacks to key word searches Adobe PDF documents Faxes Excel Registry Compound/Compressed Files Several others Victim Name

Getting Started Right now we have the Victim s name Heather Miller and we know what she looks like. What do you want to do first? Key word search for victim s name reveals no relevant Information. Next: review graphics Graphic Review

Graphics Review

Email with attachment Graphics Review

Email Review TO / FROM / SUBJECT/ DATE Deleted Attachment Headers

Time Analysis Email Headers

Types of Email Metadata What types of Metadata are available When Created How Created When Sent When Received Who Sent/Received Route Time Analysis Graphic Analysis Origination Who Created it When Created Application Logs Time analysis

Reply email Time Analysis

Same info in temp internet files Reply Email

Chat logs in time analysis Internet Cache-Copy of Message005

What have we learned Chat Logs

Joy.zip Metadata from Joy.zip How are we going to search for this? Keyword

Link File w/thumb drive Time Analysis

Log file c:\my joy\joy.zip Link File

What does this tell us? TRANSCEND? What is TRANSCEND - Google

What is Transcend?

Click on Images Tab Google is Your Friend

Next we find a LINK file Google is Your Friend (Images)

Web History Identify web surfing session Where/when did they open browser? How did they get to the significant finding? Web mail Other Activities? All goes toward user attribution

Summary Electronic evidence is everywhere Case agents must work closely with examiners Forensic examiners must look beyond the Single File Metadata can be critical to establishing user attribution Even if evidence itself has been deleted/destroyed, numerous artifacts can be found

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information