
Computer Forensics 101 PowerPoint PPT Presentation



SCALI Annual Seminar, May 8, 2004. Computer Forensics 101: Essential Knowledge for 21st Century Investigators with Case Studies. Presented by Steve Abrams, M.S., Abrams Computer Forensics, Charleston, SC / Long Island, NY. (866) 301-5331 * www.AbramsForensics.com.


Presentation Transcript



SCALI Annual Seminar

May 8, 2004

Computer Forensics 101

Essential Knowledge for

21st Century Investigators

with Case Studies

Presented by Steve Abrams, M.S.

Abrams Computer Forensics

Charleston, SC / Long Island, NY

(866) 301-5331 * www.AbramsForensics.com


What is Computer Forensics?

The search for, and the collection of, evidence from computer systems in a standardized and well-documented manner to maintain its admissibility and probative value in a legal proceeding.



Computer Forensics is not “Hacking”

Never use “Spy-ware”

Never “hack” a password

Never login to an account unauthorized

(without a warrant or court order)

Keystroke loggers no longer legal

All of these violations are now (usually) a felony. The law is in flux, beware!


Computer Forensics is not “Hacking”

Stick to the evidence left on the hard drive, and you should be on safe legal ground, provided you have proper consent to search the hard drive.



Component Steps of Computer Forensics

  • Make a Forensic Image

  • Create Indexes and set up “case”

  • Look for evidence within the image

  • Generate Report (CD-ROM / Written)



Component Steps of Computer Forensics

Make a Forensic Image

  • Requires Extensive Knowledge of Computer Hardware and Software, Especially Operating Systems and File Systems.

  • Requires Special “Forensics” Hardware and Software

  • Requires Knowledge of Proper Evidence Handling.

  • In Most States Requires a P.I. License, and Consent to Search the Computer.



Consent

Who Can Consent to a Search

(Spouse, Parent, Business Owner)

Get it in Writing

(Boilerplate Affidavits)



STATE OF SOUTH CAROLINA )

)

COUNTY OF _______________ )

Affidavit of _______________________

Consent given to search a personal computer.

PERSONALLY appeared before me the undersigned who duly sworn and says as follows:

1. My Name is _______________________________________. I reside

at _____________________________________________________

2. I have hired Steven M. Abrams, M.S., P.I., to conduct a computer forensics examination of a hard drive from a personal computer, which is in my possession.

3. I have consented to a search by Mr. Abrams of all data contained on the hard drive.

4. I attest that the computer hard drive which I have consented to have searched is marital property; to which I have had unfettered access.

5. I acknowledge that I have been informed that state and federal law requires Mr. Abrams to notify law enforcement authorities of any suspected child pornography or evidence of criminal activity found on a computer during his examination.



Component Steps of Computer Forensics

Make a Forensic Image

Rule #1 – Never Alter the Evidence Media in the Process of making a Forensic Image.

This necessitates special hardware and software.


Component Steps of Computer Forensics

Create Indexes and set up “case”

AccessData Forensic Toolkit (FTK)

Based on the dtSearch engine, FTK requires an indexing step that can take several hours or days to complete, after which keyword / expression searches are instantaneous.


Component Steps of Computer Forensics

Create Indexes and set up “case”

AccessData Forensic Toolkit (FTK)

  • Implements “Hashing” which allows standard system software and duplicate files to be safely ignored, and dangerous files (e.g. Child Porn) to be identified automatically.

  • FTK Hashing is Based on the Known File Filter (KFF) Engine.


Hashing

A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. In Computer Forensics, hashes are used to uniquely identify a specific file. The hash value generated from a file becomes its “digital fingerprint”. MD5 and SHA are the two most common hash algorithms used in computer forensics.


Hashing

Hash codes can be used to quickly match files found during your investigations to lists of “Known Files” maintained by the Federal Government and Federal Law Enforcement Agencies.

These “Known Files” can include innocent files, such as components of MS Windows and “off the shelf” application software, that can safely be ignored by your investigations.

These “Known Files” can also include contraband files, such as child pornography and hacker tools, that should be highlighted by your investigations.
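The known-file matching described on the two hashing slides, as an added example (not part of the original presentation, and not FTK or KFF code). The function names `file_digest` and `triage`, the sample files and both hash sets are constructed for illustration; SHA-256 is used here, and a legacy MD5 hash set would work the same way by passing `algorithm="md5"`.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks, opened read-only, so large files never sit fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known_ignorable, known_alert, algorithm="sha256"):
    """Sort every file under root into ignore / alert / review buckets by its hash."""
    buckets = {"ignore": [], "alert": [], "review": []}
    seen = set()  # digests already encountered, used to skip duplicate copies
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = file_digest(path, algorithm)
        if digest in known_alert:
            buckets["alert"].append(path.name)    # always highlighted, even if a duplicate
        elif digest in known_ignorable or digest in seen:
            buckets["ignore"].append(path.name)   # stock software or a duplicate copy
        else:
            buckets["review"].append(path.name)   # unknown file: the examiner looks at it
        seen.add(digest)
    return buckets


def demo():
    # Constructed stand-in files and hash sets; not real known-file data.
    files = {
        "notepad.exe": b"stand-in for a stock OS component",
        "copy_a.txt": b"same contents",
        "copy_b.txt": b"same contents",
        "flagged.bin": b"stand-in for a file on an alert list",
        "letter.doc": b"unique user document",
    }
    ignorable = {hashlib.sha256(files["notepad.exe"]).hexdigest()}
    alert = {hashlib.sha256(files["flagged.bin"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            Path(root, name).write_bytes(data)
        return triage(root, ignorable, alert)


if __name__ == "__main__":
    print(demo())
```

File names play no part in the match: renaming `flagged.bin` leaves its digest, and therefore its bucket, unchanged.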



Component Steps of Computer Forensics

Look for evidence within the image

  • View Graphics, Emails, Documents, etc.

  • Keyword Searches

  • Bookmark relevant material for inclusion into report

  • Good investigation skills needed, must interview the client to get background material needed to focus the CF investigation.



Component Steps of Computer Forensics

Generate CF Report

  • Usually in HTML format

  • Can be printed or on CD-ROM

  • Basis for Investigation Report, Affidavits, Deposition and Testimony.

  • CF Report often supplemented with other investigation methods (Online Databases, Email / Phone Interviews)



Live FTK Demo

Demonstrate Steps of a Computer Forensics Examination



Case Histories


Case Histories: Domestic Relations


Case Histories: Domestic Relations

  • Pornography

  • Adultery

  • Financial Assets


Case Histories: Wiretap / E.C.P.A.


Case Histories: Financial Crimes

