Recovering and Examining Computer Forensic Evidence


Presentation Transcript


  1. Recovering and Examining Computer Forensic Evidence
  Noblett, Pollitt, & Presley. Forensic Science Communications, October 2000 (cited by 13 according to Google Scholar).
  Presentation by Bryan Pass

  2. Significance
  • “Forensic Science Communications is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists.”
  • An overview of computer forensic methods from the forensics authority, the FBI.
  • Not really new; more of an overview of current methods and thinking.

  3. Outline
  • Significance
  • Open Research Topics
  • Computer Forensics for Traditional Crimes
  • Computer Forensics for Computer Crimes
  • Who are we dealing with?
  • Data Recovery
  • BackTracker
  • S-TLA+

  4. Open Research Topics
  • Education – how to better educate forensics and computer students about computer security and forensic methods
  • Honeypots / honeynets – setting up networks to attract hackers in order to study how they operate
  • Automated log examination – filtering raw data to lower the amount of information that a human has to review
  • Data recovery – recovering data from physically damaged media as well as recovering intentionally deleted information

  5. Computer Forensics for Traditional Crimes
  • Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
  • Computer evidence is becoming more and more commonplace in investigations of traditional crimes.
  • Focus on extracting text, spreadsheets, and other human-readable information.
  • Computer forensics relies on extracting only useful information, unlike traditional forensics, which attempts to gather all information from a piece of evidence.
  • 12 GB of printed text data would create a stack of paper 24 stories high.

  6. Traditional Crimes (cont.)
  • Constantly adapting to changing technology instead of static techniques
    • Fingerprinting, DNA analysis, etc.
  • Set procedures and guidelines are difficult or impossible to follow because of the variation in equipment used
    • Operating system, file system, physical medium, and application
  • Can make copies of the original evidence
    • Verification of copy
  • Privacy / legality concerns
    • Attorney’s data protected by confidentiality
    • E-mail or file servers with many users

  7. A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence

  8. Computer Forensics for Computer Crimes
  • Focus on analyzing log data from computer systems
  • Often one attack impacts multiple applications, physical systems, and even companies
    • Logs from applications on the target machine
    • Logs from other affected machines
    • Logs from routers, edge routers, firewalls, etc.

  9. Computer Crimes (cont.)
  • Different crimes could result in very different kinds of evidence
    • DDoS could produce router logs and packet captures
    • Defacement could produce application logs, router logs, and more traditional evidence (linguistics, etc.)
  • Routinely create legal nightmares of crossed borders and innocent participants
    • Data recovery techniques
    • Encryption schemes and export laws

  10. Who are we dealing with?
  • Determining the sophistication of the suspects
    • Tamper alarms and traps
    • Must appear like a normal user to the device
  • Cutting the power might not be a good idea
    • Information in volatile memory even the user didn’t know was there

  11. Data Recovery
  • Physical damage
    • It might be harder than you think to destroy a medium beyond partial reconstruction
    • Clean rooms
      • Expensive and time consuming – is it worth it for the crime being investigated?
    • Using magnetometers to reconstruct disk images
  • How to really erase something
    • Overwrite with 0, with random data, with patterns, with the complement

  12. BackTracker
  • Backtracking Intrusions
  • Log access to other processes, files, sockets, etc.
  • Construct a timeline of what happens after the initial intrusion (filtered dependency graph for bind attack)
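As an added illustration of the BackTracker idea (this is example code, not code from the King & Chen paper or from this presentation): a backward dependency slice over a constructed audit log, using the time-threshold rule that an event can only have influenced an object if it happened no later than the time at which that object mattered to the next hop. The event format, object names and the sample log are all constructed for this example.

```python
# Backward dependency slice in the style of BackTracker (King & Chen, 2005).
# Each audit event is (time, source, sink, kind): source may have affected sink
# at that time.  Walk backwards from a detection point, keeping an event only
# if it happened no later than the time its sink mattered (time-threshold rule).

# Constructed sample audit log (not real data): a compromised daemon spawns a
# shell that fetches and unpacks an archive which overwrites a system binary.
EVENTS = [
    (1, "sock:0.0.0.0:53",       "proc:named[412]",       "recv"),
    (2, "proc:named[412]",       "proc:sh[517]",          "fork"),
    (3, "proc:sh[517]",          "file:/tmp/.x",          "write"),  # dead end
    (4, "proc:sh[517]",          "proc:wget[520]",        "fork"),
    (5, "proc:wget[520]",        "file:/tmp/rootkit.tgz", "write"),
    (6, "proc:cron[99]",         "file:/var/log/cron",    "write"),  # unrelated
    (7, "proc:sh[517]",          "proc:tar[525]",         "fork"),
    (8, "file:/tmp/rootkit.tgz", "proc:tar[525]",         "read"),
    (9, "proc:tar[525]",         "file:/sbin/ls",         "write"),  # detection point
]

def backtrack(events, detection_obj, detection_time):
    """Return (kept_events, thresholds): events that could have led to
    detection_obj as of detection_time, plus each object's latest relevant time."""
    thresholds = {detection_obj: detection_time}
    frontier = [detection_obj]
    kept = set()
    while frontier:
        obj = frontier.pop()
        limit = thresholds[obj]
        for ev in events:
            t, src, sink, _kind = ev
            if sink != obj or t > limit:
                continue  # cannot have affected obj in time
            kept.add(ev)
            if thresholds.get(src, -1) < t:  # revisit src only if its threshold rises
                thresholds[src] = t
                frontier.append(src)
    return sorted(kept), thresholds

def entry_points(kept_events, thresholds):
    """Objects in the slice that nothing in the slice fed: where the intrusion
    entered (here, the network socket)."""
    sinks = {sink for _t, _src, sink, _k in kept_events}
    return sorted(o for o in thresholds if o not in sinks)

if __name__ == "__main__":
    kept, objs = backtrack(EVENTS, "file:/sbin/ls", 9)
    for t, src, sink, kind in kept:
        print(f"t={t}: {src} --{kind}--> {sink}")
    print("entry points:", entry_points(kept, objs))
```

The unrelated cron write and the shell's dead-end file are filtered out of the slice, which is the pruning the slide refers to as a "filtered dependency graph".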

  13. S-TLA+
  • A formal logic-based language for computer forensics investigations
  • Describes evidence; helps construct and test hypotheses for hacking scenarios
  • S-TLAC – automated formal verification tool
  • Doesn’t seem to really be useful at all

  14. References
  • “Recovering and Examining Computer Forensic Evidence.” Noblett et al. Forensic Science Communications, October 2000. (http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm) (Cited by 13.)
  • “Backtracking Intrusions.” King & Chen. ACM Transactions on Computer Systems, February 2005. (Cited by 29.)
  • “A Formal Logic-based Language and an Automated Verification Tool for Computer Forensic Investigation.” Rekhis & Boudriga. 2005 ACM Symposium on Applied Computing.
