Chapter 13: Computer and Network Forensics - PowerPoint PPT Presentation

Chapter 13: Computer and Network Forensics

Computer Network Security


Computer Forensics

  • Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

  • Arose as a result of the growing problem of computer crimes.

  • Computer crimes fall into two categories:

    • Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes.

      • Investigation into these crimes often involves searching computers suspected to be involved.

    • Computer itself is a victim of a crime – this is commonly referred to as incident response.

      • It refers to the examination of systems that have been remotely attacked.

  • Forensics experts follow clear, well-defined methodologies and procedures.

Kizza - Computer Network Security


  • History Of Computer Forensics

    • Computer forensics started only a few years ago, when it was simple to collect evidence from a computer.

    • While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.

  • Basic forensic methodology consists of:

    • Acquire the evidence without altering or damaging the original

      • Look for evidence

      • Recover evidence

      • Handle evidence with care

      • Preserve evidence

    • Authenticate that your recovered evidence is the same as the originally seized data

    • Analyze the data without modifying it.

Acquire the Evidence

  • Keep in mind that every case is different

  • Do not disconnect the computers – evidence may exist only in RAM – so collect information from the live system first.

  • Consider the following issues:

    • Handling the evidence- if you do not take care of the evidence, the rest of the investigation will be compromised.

    • Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should answer:

      • Who collected it

      • How and where

      • Who took possession of it

      • How was it stored and protected in storage?

      • Who took it out of storage and why?
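The custody questions above map naturally onto a tamper-evident log. The following is an added example, not code from the slides or the book: each custody event records who, how/where, and why, and every entry is sealed with a hash that also links to the previous entry, so a later edit to any record shows up on verification. The `GENESIS` value and the action names are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # link value for the first entry (hypothetical convention)


@dataclass
class CustodyEntry:
    """One custody event; the fields mirror the questions the chain must answer."""
    item_id: str     # evidence label, e.g. "HDD-01"
    action: str      # collected | transferred | stored | removed
    who: str         # who collected it / took possession / took it out
    how_where: str   # how and where it was collected, or where it is stored
    why: str         # reason; required when the item leaves storage
    timestamp: str   # ISO-8601 UTC as recorded by the examiner
    prev_hash: str = GENESIS
    entry_hash: str = ""


def _digest(entry: CustodyEntry) -> str:
    # Hash every field except the seal itself, in a canonical encoding.
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(ledger: List[CustodyEntry], entry: CustodyEntry) -> CustodyEntry:
    """Link the entry to its predecessor and seal it; refuse an unexplained removal."""
    if entry.action == "removed" and not entry.why.strip():
        raise ValueError("taking evidence out of storage requires a stated reason")
    entry.prev_hash = ledger[-1].entry_hash if ledger else GENESIS
    entry.entry_hash = _digest(entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[CustodyEntry]) -> Optional[int]:
    """Return the index of the first entry whose seal or link is broken, else None."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry.prev_hash != expected_prev or _digest(entry) != entry.entry_hash:
            return i
        expected_prev = entry.entry_hash
    return None
```

A hash chain alone only detects edits; to make the log trustworthy against someone who can rewrite the whole chain, keep it on write-once storage or sign each sealed entry.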

Storage Media

  • Hard Drives

    • Make an image copy and then restore the image to a freshly wiped hard drive for analysis

    • Remount the copy and start to analyze it.

    • Before opening it get information on its configuration

    • Use tools to generate a report listing the disk’s contents (e.g., PartitionMagic).

    • View operating system logs.

Handle Evidence With Care

  • Collection

    • You want the evidence to be so pure that it supports your case.

  • Identification

    • Methodically identify and label every single item that comes out of the suspect’s/victim’s location.

  • Transportation

    • Evidence is not supposed to be moved, so when you must move it, be extremely careful.

  • Storage

    • Keep the evidence in a cool, dry, and appropriate place for electronic evidence.

  • Documenting the investigation

    • Most difficult for computer professionals because technical people are not good at writing down details of the procedures.

Authenticating evidence

  • Authenticating evidence is difficult because:

    • Crime scenes change

    • Evidence is routinely damaged by environmental conditions

    • Computer devices slowly deteriorate

  • Keep proof of integrity and timestamp the evidence by computing cryptographic hashes (digests) of the data files

    • Two algorithms (MD5 and SHA-1) are in common use today

Analysis

  • Use any well known analysis tools.

  • Make two backups

Data Hiding

  • There are several techniques intruders may use to hide data:

    • Obfuscating data through encryption and compression.

    • Hiding through codes, steganography, deleted files, slack space, and bad sectors.

    • Blinding investigators by changing the behavior of system commands and modifying the operating system.

  • Use commonly known tools to overcome these techniques.
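One commonly used check against the first technique above (data obfuscated by encryption or compression) is byte entropy: such data scores near 8 bits per byte, while text and most documents score well below. The scanner below is an added illustration, not code from the slides; the sample files, the 7.5 threshold and the directory layout are constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Constructed samples: ordinary text, and bytes shaped like encrypted or compressed data.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"meeting notes: review the firewall change log on Monday\n" * 40,
    "backup.bin": bytes(range(256)) * 16,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_samples() -> str:
    """Write the constructed samples into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="hidden_data_")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def scan_tree(root: str, threshold: float = 7.5) -> List[Tuple[str, float]]:
    """Return (relative path, entropy) for files at or above the threshold.

    Encrypted and well-compressed data sit close to 8.0; most text, code and
    documents sit well below. Known archive and image formats should be
    allow-listed in real use, since legitimate zip/jpeg files score high too.
    """
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read())
            if entropy >= threshold:
                flagged.append((os.path.relpath(path, root), round(entropy, 3)))
    return sorted(flagged)
```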

Network Forensics

  • Unlike computer forensics, which retrieves information from the computer’s disks, network forensics in addition retrieves information on which network ports were used to access the network.

  • There are several differences that separate the two, including the following:

    • In computer forensics the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly having the higher level of knowledge of the system; in network forensics the investigator and the adversary are at the same skill level.

    • In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate it. In fact, many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are used to gain information on network configurations, can be used by both the investigator and the criminal.

    • While computer forensics deals with extraction, preservation, identification, documentation, and analysis, and still follows well-defined procedures springing from law enforcement for acquiring evidence, providing chain of custody, authenticating, and interpretation, network forensics has nothing to investigate unless measures were in place (such as packet filters, firewalls, and intrusion detection systems) prior to the incident.

Network Forensics Intrusion Analysis

  • Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without quick detection, and, more seriously, a stealthy attack on a crucial system resource may be hidden behind a simple, innocent-looking port scan.

  • So the purpose of intrusion analysis is to seek answers to the following questions:

    • Who gained entry?

    • Where did they go?

    • How did they do it?

Damage Analysis

  • It is difficult to effectively assess damage caused by system attacks.

  • Damage analysis provides a trove of badly needed information showing how widespread the damage was, who was affected, and to what extent.

  • To achieve a detailed report of an intrusion, the investigator must carry out a post mortem of the system by analyzing and examining the following:

    • System registry, memory, and caches. To capture these, the investigator can use dd on Linux and Unix systems.

    • Network state, to assess network accesses and connections. Here netstat can be used.

    • Currently running processes, to assess the number of active processes. Use ps on both Unix and Linux.

    • Data acquisition of all unencrypted data. Hash every acquired file and directory with MD5 and SHA-1, then store this data in a secure place.
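The hashing step above, and the earlier rule that recovered evidence must be authenticated as identical to the originally seized data, come down to the same tool: a digest manifest taken at acquisition and re-checked against every working copy. The code below is an added example, not from the slides or the book; it uses the MD5 and SHA-1 algorithms the slides name, and the sample evidence tree (a constructed log line and a short text file) is made up for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Digests = Tuple[str, str]  # (md5, sha1), the two algorithms the slides name


def hash_file(path: str) -> Digests:
    """MD5 and SHA-1 of one file, read in 1 MiB chunks so large images fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_manifest(root: str) -> Dict[str, Digests]:
    """Map every file under root (path relative to root) to its digests."""
    manifest: Dict[str, Digests] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify_copy(manifest: Dict[str, Digests], copy_root: str) -> Dict[str, List[str]]:
    """Compare a working copy against the manifest taken at seizure time."""
    current = build_manifest(copy_root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def make_sample_tree() -> str:
    """Constructed stand-in for seized data: a log file and a small text file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "logs", "auth.log"), "wb") as fh:
        fh.write(b"Jan 1 10:00:00 host sshd[1]: Accepted password for alice\n")  # constructed
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"abc")
    return root
```

MD5 and SHA-1 are what the slides list; both have known collision attacks, so a manifest produced today should also carry a SHA-256 digest, and the manifest itself belongs in the custody record so it cannot be regenerated unnoticed.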

Forensic Electronic Toolkit

  • Computer and network forensics involves and requires:

    • Identification

    • Extraction

    • Preservation

    • Documentation

  • Many tools are needed for thorough work.

  • The “forensically sound” method is never to conduct any examination on the original media.

  • Before you use any forensic software, make sure you know how to use it, and also that it works.

  • Tools:

    • Hard Drive – use partitioning and viewing tools (Partinfo and PartitionMagic)

    • File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (QuickView Plus, Conversion Plus, DataViz, ThumbsPlus)

More tools (cont.)

  • Unerase – if the files are no longer in the recycle bin or you are dealing with old systems without recycle bins.

  • CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics

  • Text – because text data can be huge, use fast scanning tools like dtSearch.

  • Other kits:

    • Forensic Toolkit – command-line utilities used to reconstruct access activities on NT file systems

    • The Coroner’s Toolkit – to investigate a hacked Unix host.

    • ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.

    • New Technologies Incorporated (NTI)

    • EnCase

    • Hardware- Forensic-computers.com
