
IT-Forensic Investigations (in Sweden)


Presentation Transcript


  1. IT-Forensic Investigations (in Sweden): Computers
     Sebastian Leclerc, 13.12.2011

  2. During house searches
     “The police force in Sweden only needs reasonable doubt for performing house searches, no warrant is needed.”
     One wants…
     • To be able to shut down systems without any risk of information loss, access protection or encryption
     • To find passwords in the environment where the confiscation took place
     • To photograph the environment and document how everything is connected.

  3. During the investigation
     One wants to be as sure as possible that…
     • The data we are identifying holds its integrity
     • We are able to reproduce the investigation and get the same results
     • Nobody can question our findings
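The three goals on this slide (integrity, reproducibility, findings that cannot be questioned) are usually met in practice by hashing the acquired image with more than one algorithm, recording the digests with the case documentation, and re-hashing every working copy before and after analysis. The following Python example is added here and is not from the presentation; it uses a constructed inline byte string in place of a real acquired image, and only the standard library.

```python
import hashlib
import json
from typing import Dict

# Constructed stand-in for an acquired disk image (a real case would read the
# raw/dd or E01 file from disk); the content is arbitrary filler bytes.
ACQUIRED_IMAGE = (
    b"\x00" * 512
    + b"BOOT"
    + b"\xff" * 64
    + b"user data: grocery list.txt"
    + b"\x00" * 256
)

CHUNK_SIZE = 4096  # real images are hashed in chunks so they never sit in RAM whole


def hash_image(data: bytes, algorithms=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Hash the image once, feeding every chunk to all algorithms at the same time.

    Several digests are recorded so that a weakness found later in one algorithm
    does not invalidate the whole integrity record.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk = data[offset:offset + CHUNK_SIZE]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_manifest(data: bytes, label: str) -> str:
    """Produce the JSON record that is filed with the case documentation."""
    record = {"label": label, "size": len(data), "digests": hash_image(data)}
    return json.dumps(record, indent=2, sort_keys=True)


def verify_against_manifest(data: bytes, manifest_json: str) -> Dict[str, bool]:
    """Re-hash a working copy and report, per algorithm, whether it still matches."""
    manifest = json.loads(manifest_json)
    current = hash_image(data, tuple(manifest["digests"]))
    result = {name: current[name] == expected
              for name, expected in manifest["digests"].items()}
    result["size"] = len(data) == manifest["size"]
    return result


def image_unchanged(data: bytes, manifest_json: str) -> bool:
    """True only if the size and every recorded digest still match."""
    return all(verify_against_manifest(data, manifest_json).values())


if __name__ == "__main__":
    manifest = make_manifest(ACQUIRED_IMAGE, "constructed sample image")
    print(manifest)
    print("working copy intact:", image_unchanged(ACQUIRED_IMAGE, manifest))
    # Flip one bit in a copy: every digest changes, the size check still passes.
    tampered = bytearray(ACQUIRED_IMAGE)
    tampered[600] ^= 0x01
    print("tampered copy intact:", image_unchanged(bytes(tampered), manifest))
```

Running the block twice on the same bytes yields the same manifest, which is the reproducibility the slide asks for; the per-algorithm result from `verify_against_manifest` is what goes into the report when a mismatch has to be explained.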

  4. ”Please check if there is anything interesting on this disk”…
     • ”Only look for everything that has something to do with the investigation”…
     • ”You can print out the contents of the hard drive”…

  5. During the investigation one normally looks for
     User activities
     • Browser history (e.g. search terms such as ”how to hide a body?”)
     • Chat logs
     • Email
     Installed software
     • Encryption
     • File sharing programs (P2P, torrents etc., sometimes)
     Folders and files
     • Documents
     • Pictures
     Other: network information, process information, process-to-port mapping, open files, logged-on users, time, clipboard, shares, and volatile and non-volatile information, to name a few.

  6. Two main modes of operation
     • ”Live search”, which is done byte by byte. It takes a long time every time it is run, but allows more flexible search methods than indexed searching, for example using grep to look for telephone numbers, credit card numbers etc.
     • ”Indexed search”, where one lets the computer build a database of everything that isn’t junk symbols. The index takes a very long time to create, but makes the searching much easier (though it only finds what is indexed…).
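An added example, not from the presentation, that contrasts the two modes in Python on a constructed image. The live search runs regular expressions over the raw bytes and applies a Luhn check so that random digit runs are not reported as card numbers; the index is built the way `strings` works, from runs of printable ASCII, and therefore never sees a number stored as UTF-16LE, nor a multi-word value that was split into separate tokens. The sample bytes, the simplified Swedish mobile number pattern and the card patterns are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample image: junk bytes, ASCII fragments and one UTF-16LE string
# (the encoding Windows commonly uses for registry and document text).
SAMPLE_IMAGE = (
    b"\x00\x7f\xfe" * 40
    + b"call me on 070-123 45 67 tonight"
    + b"\x00" * 30
    + b"card 4539 1488 0343 6467 exp 12/14"        # constructed, passes Luhn
    + b"\xaa\x55" * 25
    + "order 4111111111111111".encode("utf-16-le")  # Luhn-valid test number, UTF-16LE
    + b"\x00" * 10
    + b"fake 1234 5678 9012 3456"                  # fails Luhn, must be filtered
)

# Live-search patterns: (byte regex, encoding used to decode a match).
LIVE_PATTERNS = {
    "phone": [
        (rb"(?<!\d)07\d-?\d{3} ?\d{2} ?\d{2}(?!\d)", "ascii"),   # simplified 07x mobile
    ],
    "card": [
        (rb"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)", "ascii"),
        # same 16-digit shape with every code unit followed by a NUL byte
        (rb"(?<!\d\x00)(?:\d\x00(?:[ -]\x00)?){15}\d\x00(?!\d\x00)", "utf-16-le"),
    ],
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def live_search(image: bytes) -> List[Tuple[int, str, str]]:
    """Byte-by-byte pass over the raw image; returns (offset, kind, value) hits."""
    hits = []
    for kind, patterns in LIVE_PATTERNS.items():
        for pattern, encoding in patterns:
            for m in re.finditer(pattern, image):
                value = m.group().decode(encoding)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                hits.append((m.start(), kind, value))
    return sorted(hits)


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # what a strings-style indexer keeps


def build_index(image: bytes) -> Dict[str, List[int]]:
    """One-time index: whitespace-separated tokens from printable ASCII runs."""
    index: Dict[str, List[int]] = defaultdict(list)
    for run in PRINTABLE_RUN.finditer(image):
        text = run.group().decode("ascii")
        for tok in re.finditer(r"\S+", text):
            index[tok.group().lower()].append(run.start() + tok.start())
    return dict(index)


def indexed_search(index: Dict[str, List[int]], keyword: str) -> List[int]:
    """Fast lookup, but only for tokens exactly as they were indexed."""
    return index.get(keyword.lower(), [])


if __name__ == "__main__":
    for hit in live_search(SAMPLE_IMAGE):
        print("live  :", hit)
    index = build_index(SAMPLE_IMAGE)
    for kw in ("card", "4539", "4539 1488 0343 6467", "4111111111111111"):
        print("index :", kw, "->", indexed_search(index, kw))
```

The live pass reports the UTF-16LE card number and drops the Luhn-failing one, while the index answers `card` and `4539` instantly but returns nothing for the UTF-16LE number or for the full card number with spaces, because neither exists as an indexed token.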

  7. Problems
     • Trojan defense
     • Encryption
     • “Wipe-and-Reload”

  8. After an investigation 1
     The documentation should contain…
     • The data/information one finds
     • The system's date/time settings
     • System events with ties to data, file names and date/time
     • Users
     • Other concurrent system events of interest.
     After the investigation an academic report must be produced with…
     • Prelude, preface
     • Summary
     • Table of contents
     • Background information
     • Description of material
     • Observations and investigations
     • Investigation methods
     • Compilation of investigations and results
     • Analysis and conclusion

  9. After an investigation 2
     The investigation should speak for itself and contain…
     • On what grounds one's conclusions are made
     • How one has arrived at this conclusion
     • Having to testify should almost be seen as a failure!

  10. FIN
