cos 413 l.
Skip this Video
Loading SlideShow in 5 Seconds..
COS 413 PowerPoint Presentation
Download Presentation
COS 413

Loading in 2 Seconds...

play fullscreen
1 / 70

COS 413 - PowerPoint PPT Presentation

  • Uploaded on

COS 413 . DAY 2. Agenda. Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding Computer Investigations Tomorrow Lab will be in OMS Room 120 Pick a lab partner (PSA/COS teams) You will need 4 1.44 floppies

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'COS 413' - JasminFlorian

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Questions?
  • Assignment 1 due next class
  • Finish Discussion on Preparing for Computing Investigations
  • Begin Discussion on Understanding Computer Investigations
  • Tomorrow Lab will be in OMS Room 120
    • Pick a lab partner (PSA/COS teams)
    • You will need 4 1.44 floppies
    • Hands-on Projects (page 66) Projects 2-1 and 2-2
    • Lab write-up due in before next lab (One grade per team)
public service announcement
Public Service Announcement
  • From Steve Worona [sworona@EDUCAUSE.EDU]
    • From 1-2pm Eastern Time this Thursday, September 15, I'll have the pleasure of hosting David Post on EDUCAUSE Live! David has been an ICPL participant since we began the program in 1996, speaking on the general topic of Internet governance. On Thursday, his topic will be "Whose Law? The Problem of 'Jurisdiction' on the Internet". Here's the abstract:
      • The question "What law am I obligated to obey?" is a fundamental one in any legal system and one that every lawyer should be able to answer for his or her client. It is, though, deceptively complex-even in the non-Internet context. David Post will try to make some sense of this question as applied to activity on the Internet, both by presenting a very general framework for thinking about "jurisdictional" questions and by analyzing a number of recent cases raising specific jurisdictional issues.
    • There's no charge for the Webcast, but registration is required at <>.
    • EDUCAUSE Live! is open to all; feel free to pass the word. All EDUCAUSE Live! events are archived for future access.
understanding enforcement agency investigations
Understanding Enforcement Agency Investigations
  • Understand:
    • Local city, county, state or province, and federal laws on computer-related crimes
    • Legal processes and how to build a criminal case
understanding enforcement agency investigations continued
Understanding Enforcement Agency Investigations (continued)
  • States have added specific language to their criminal codes to define crimes that involve computers
  • Until 1993, laws defining computer crimes did not exist
following the legal process
Following the Legal Process
  • A criminal case follows three stages:
    • Complaint
      • Someone files a complaint
    • Investigation
      • A specialist investigates the complaint
    • Prosecution
      • Prosecutor collects evidence and builds a case
following the legal process continued9
Following the Legal Process (continued)
  • Levels of law enforcement expertise:
    • Level 1 (street police officer)
      • Acquiring and seizing digital evidence
    • Level 2 (detective)
      • Managing high-tech investigations
      • Teaching the investigator what to ask for
      • Understanding computer terminology
      • What can and cannot be retrieved from digital evidence
    • Level 3: (computer forensics expert)
      • Specialist training in retrieving digital evidence
understanding corporate investigations
Understanding Corporate Investigations
  • Business must continue with minimal interruption from your investigation
  • Corporate computer crimes:
    • E-mail harassment
    • Falsification of data
    • Gender and age discrimination
    • Embezzlement
    • Sabotage
    • Industrial espionage
establishing company policies
Establishing Company Policies
  • Company policies avoid litigation
  • Policies provide:
    • Rules for using company computers and networks
    • Line of authorityfor internal investigations
      • Who has the legal right to initiate an investigation
      • Who can take possession of evidence
      • Who can have access to evidence
displaying warning banners
Displaying Warning Banners
  • Avoid litigation displaying a warning banner on computer screens
  • A banner:
    • Informs user that the organization can inspect computer systems and network traffic at will
    • Voids right of privacy
    • Establishes authority to conduct an investigation
displaying warning banners continued15
Displaying Warning Banners (continued)
  • Types of warning banners:
    • For internal employee access (intranet Web page access)
    • External visitor accesses (Internet Web page access)
displaying warning banners continued16
Displaying Warning Banners (continued)
  • Examples of warning banners:
    • Access to this system and network is restricted
    • Use of this system and network is for official business only
    • Systems and networks are subject to monitoring at any time by the owner
    • Using this system implies consent to monitoring by the owner
    • Unauthorized or illegal users of this system or network will be subject to discipline or prosecution
displaying warning banners continued17
Displaying Warning Banners (continued)
  • A for-profit organization banner
    • This system is the property of Company X
    • This system is for authorized use only
    • Unauthorized access is a violation of law and violators will be prosecuted
    • All activity, software, network traffic, and communications are subject to monitoring
designating an authorized requester
Designating an Authorized Requester
  • Establish a line of authority
  • Specify anauthorized requesterwho has the power to conduct investigations
  • Groups who can request investigations:
    • Corporate Security Investigations
    • Corporate Ethics Office
    • Corporate Equal Employment Opportunity Office
    • Internal Auditing
    • The general counsel or legal department
conducting security investigations
Conducting Security Investigations
  • Public investigations search for evidence to support criminal allegations
  • Private investigations search for evidence to support allegations of abuse of a company’s assets and criminal complaints
conducting security investigations continued
Conducting Security Investigations (continued)
  • Situations in the enterprise environment:
    • Abuse or misuse of corporate assets
    • E-mail abuse
    • Internet abuse
conducting security investigations continued22
Conducting Security Investigations (continued)
  • Employee abuse of computer privileges
    • Employee company startup
    • Porn site
    • Malicious e-mail
distinguishing personal and company property
Distinguishing Personal and Company Property
  • PDAs and personal notebook computers
  • Employee hooks up his PDA device to his company computer
  • Company gives PDA to employee as bonus
maintaining professional conduct
Maintaining Professional Conduct
  • Professional conductdetermines credibility
    • Ethics
    • Morals
    • Standards of behavior
    • Maintain objectivity and confidentiality
    • Enrich technical knowledge
    • Conduct with integrity
maintaining professional conduct continued
Maintaining Professional Conduct (continued)
  • Maintaining objectivity
    • Sustain unbiased opinions of your cases
  • Avoid making conclusions about the findings until all reasonable leads have been exhausted
  • Considered all the available facts
  • Ignore external biases to maintain the integrity of the fact-finding in all investigations
  • Keep the case confidential
maintaining professional conduct continued26
Maintaining Professional Conduct (continued)
  • Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
  • Learn about the latest investigation techniques that can be applied to the case
  • Record fact-finding methods in a journal
    • Include dates and important details that serve as memory triggers
    • Develop a routine of regularly reviewing the journal to keep past achievements fresh
maintaining professional conduct continued27
Maintaining Professional Conduct (continued)
  • Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
  • Monitor the latest book releases and read as much as possible about computer investigations and forensics
  • Computer forensics: systematic accumulation of digital evidence in an investigation
  • Differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective
  • Laws relating to digital evidence were established in the late 1960s
  • To be successful, you must be familiar with more than one computing platform
summary continued
Summary (continued)
  • To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals
  • Public investigations typically require a search warrant before the digital evidence is seized
  • The Fourth Amendment applies to governmental searches and seizures
  • During public investigations, you search for evidence to support criminal allegations
summary continued30
Summary (continued)
  • During private investigations, search for evidence to support allegations of abuse of a company or person’s assets and, in some cases, criminal complaints
  • Silver-platter doctrine: handing the results of private investigations over to the authorities because of indications of criminal activity
  • Forensics investigators must maintain an impeccable reputation to protect credibility
summary continued31
Summary (continued)
  • Most information is stored on hard disks, floppy disks, and CD-ROMs in a nonvolatile manner
  • Peripheral components (video adapter cards, sound cards, mice, keyboards, NICs) attach to mainboard via an expansion slot or port
  • All peripherals must have a unique IRQ and I/O address to communicate with the processor
  • Hardware information can be gathered from computer manuals, BIOS, or other OSs
guide to computer forensics and investigations

Guide to Computer Forensics and Investigations

Chapter 2

Understanding Computer Investigation

  • Prepare a case
  • Begin an investigation
  • Understand computer forensics workstations and software
objectives continued
Objectives (continued)
  • Conduct an investigation
  • Complete a case
  • Critique a case
preparing a computer investigation
Preparing a Computer Investigation
  • Role of computer forensics professional: gather evidence to prove a suspect committed a crime or violated a company policy
  • Collect evidence that can be offered in court or at a corporate inquiry
    • Investigate the suspect’s computer
    • Preserve the evidence on a different computer
preparing a computer investigation continued
Preparing a Computer Investigation(continued)
  • Follow an accepted procedure to prepare a case
  • Chain of custody
    • Route the evidence takes from the time you find it until the case is closed or goes to court
examining a computer crime
Examining a Computer Crime
  • Computers can contain information that helps law enforcement determine:
    • Chain of events leading to a crime
    • Evidence that can lead to a conviction
  • Law enforcement officers should follow proper procedure when acquiring the evidence
    • Digital evidence can be easily altered by an overeager investigator
examining a company policy violation
Examining a Company Policy Violation
  • Employees misusing resources can cost companies millions of dollars
  • Misuse includes:
    • Surfing the Internet
    • Sending personal e-mails
    • Using company computers for personal tasks
taking a systematic approach
Taking a Systematic Approach
  • Steps for problem solving:
    • Make an initial assessment about the type of case you are investigating
    • Determine a preliminary design or approach to the case
    • Create a detailed design
    • Determine the resources you need
    • Obtain and copy an evidence disk drive
taking a systematic approach continued
Taking a Systematic Approach(continued)
  • Steps for problem solving (continued):
    • Identify the risks
    • Mitigate or minimize the risks
    • Test the design
    • Analyze and recover the digital evidence
    • Investigate the data you recovered
    • Complete the case report
    • Critique the case
assessing the case
Assessing the Case
  • Systematically outline the case details:
    • Situation
    • Nature of the case
    • Specifics about the case
    • Type of evidence
    • OS
    • Known disk format
    • Location of evidence
assessing the case continued
Assessing the Case (continued)
  • Based on case details, you can determine the case requirements:
    • Type of evidence
    • Computer forensics tools
    • Special OSs
planning your investigation
Planning your Investigation
  • A basic investigation plan should include the following activities:
    • Acquire the evidence
    • Complete an evidence form and establish a chain of custody
    • Transport evidence to a computer forensics lab
    • Secure evidence in an approved secure container
planning your investigation continued
Planning your Investigation(continued)
  • A basic investigation plan (continued):
    • Prepare a forensics workstation
    • Obtain the evidence from the secure container
    • Make a forensic copy of the evidence
    • Return the evidence to the secure container
    • Process the copied evidence with computer forensics tools
planning your investigation continued46
Planning your Investigation(continued)
  • An evidence custody formhelps you document what has been done with the original evidence and its forensics copies
  • There are two types:
    • Single-evidence form
    • Multi-evidence form
securing your evidence
Securing your Evidence
  • Use evidence bags to secure and catalog the evidence
  • Use computer safe products
    • Antistatic bags
    • Antistatic pads
  • Use well-padded containers
securing your evidence continued
Securing your Evidence (continued)
  • Use evidence tape to seal all openings
    • Floppy disk or CD drives
    • Power supply electrical cord
  • Write your initials on tape to prove that evidence has not been tampered
  • Consider computer-specific temperature and humidity ranges
understanding data recovery workstations and software
Understanding Data-Recovery Workstations and Software
  • Investigations are conducted on a computer forensics lab (or data-recovery lab)
  • Computer forensics and data-recovery are related but different
  • Computer forensics workstation
    • Specially configured personal computer
  • To avoid altering the evidence, use:
    • Forensics boot floppy disk
    • Write-blockers devices
setting up your workstation for computer forensics
Setting Up your Workstation for Computer Forensics
  • Set up Windows 98 workstation to boot into MS-DOS
    • Display a Startup menu
    • Modify Msdos.sys file using any text editor
  • Install a computer forensics tool
    • DriveSpy and Image
  • From start menu -> msconfig (ok) -> select advanced
conducting an investigation
Conducting an Investigation
  • Begin by copying the evidence using a variety of methods
    • Recall that no single method retrieves all data
    • The more methods you use, the better
gathering the evidence
Gathering the Evidence
  • Take all necessary measures to avoid damaging the evidence
    • Place the evidence in a secure container
  • Complete the evidence custody form
  • Transport the evidence to the computer forensics lab
  • Create forensics copies (if possible)
  • Secure evidence by locking the container
understanding bit stream copies
Understanding Bit-stream Copies
  • Bit-by-bit copy of the original storage medium
  • Exact copy of the original disk
  • Different from a simple backup copy
    • Backup software only copy known files
    • Backup software cannot copy deleted files or e-mail messages, or recover file fragments
understanding bit stream copies continued
Understanding Bit-stream Copies (continued)
  • A bit-stream image file contains the bit-stream copy of all data on a disk or partition
  • Preferable to copy the image file to a target disk that matches the original disk’s manufacturer, size, and model
copying the evidence disk
Copying the Evidence Disk
  • A forensic copy is an exact duplicate of the original data
  • Create a forensic copy using:
    • MS-DOS
    • Specialized tool such as Digital Intelligence’s Image
      • First, create a bit-stream image
      • Then, copy the image to a target disk
copy using msdos
Copy Using MSDOS
  • Write protect original (move tab)
  • Boot to MSDOS mode
  • Insert original floppy in drive
  • Type “Diskcopy A: A: /v”
  • Insert new floppy when prompted
  • Label new floppy
  • Resecure oprignal floppy to secure evidence locker
coping using image
Coping using Image
  • Boot to MSDOS mode
  • Insert original floppy
  • Change to work folder
  • Acquire image from disk
    • Image a: c:\work\..\daImage.img
  • Remove original floppy
restoring an image
Restoring an image
  • Boot to MSDOS mode
  • Insert new floppy
  • Change to work folder
  • restore image from disk
    • Image daImage.img a:
  • Remove new floppy and label
analyzing the digital evidence
Analyzing the digital evidence
  • Using DriveSpy
    • Page 55-61 in text
completing the case
Completing the Case
  • You need to produce a final report
    • State what you did and what you found
  • You can even include logs from the forensic tools you used
  • If required, use a report template
  • The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy
critiquing the case
Critiquing the Case
  • Ask yourself the following questions:
    • How could you improve your participation in the case?
    • Did you expect the results you found?
    • Did the case develop in ways you did not expect?
    • Was the documentation as thorough as it could have been?
critiquing the case continued
Critiquing the Case (continued)
  • Questions continued:
    • What feedback has been received from the requesting source?
    • Did you discover any new problems? What are they?
    • Did you use new techniques during the case or during research?
  • Use a systematic approach to investigations
  • Plan a case by taking into account:
    • Nature of the case
    • Case requirements
    • Gathering evidence techniques
  • Do not forget that every case can go to court
  • Apply standard problem-solving techniques
summary continued69
Summary (continued)
  • Keep track of the chain of custody of your evidence
  • Create bit-stream copies of the original data
  • Use the duplicates whenever possible
  • Some tools: DriveSpy and Image, FTK, MS-DOS commands
  • Produce a final report detailing what you did and found
summary continued70
Summary (continued)
  • Always critique your work as a way of improving it
  • Apply these lessons to future cases