Chapter 13: Computer and Network Forensics
PowerPoint Slideshow about 'Chapter 13: Computer and Network Forensics' - Mia_John

Presentation Transcript

Computer Forensics

  • Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

  • Arose as a result of the growing problem of computer crimes.

  • Computer crimes fall into two categories:

    • Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes.

      • Investigation into these crimes often involves searching computers suspected to be involved.

    • Computer itself is a victim of a crime – this is commonly referred to as incident response.

      • It refers to the examination of systems that have been remotely attacked.

  • Forensics experts follow clear, well-defined methodologies and procedures

Kizza - Computer Network Security


  • History Of Computer Forensics

    • Computer forensics started a few years ago, when it was simple to collect evidence from a computer.

    • While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.


  • Basic forensic methodology consists of:

    • Acquire the evidence without altering or damaging the original

      • Look for evidence

      • Recover evidence

      • Handle evidence with care

      • Preserve evidence

    • Authenticate that your recovered evidence is the same as the originally seized data

    • Analyze the data without modifying it.

Acquire the Evidence

  • Keep in mind that every case is different

  • Do not disconnect the computers – evidence may be only in RAM – so collect information from a live system.

  • Consider the following issues:

    • Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.

    • Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should answer:

      • Who collected it

      • How and where

      • Who took possession of it

      • How was it stored and protected in storage

      • Who took it out of storage and why?
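
The five custody questions above can be kept as a tamper-evident log. The sketch below is an added example, not part of the original slides: each entry must answer all five questions and carries the SHA-256 digest of the previous entry, so a later alteration breaks the chain. The field names, item id and sample people are constructed for illustration.

```python
import hashlib
import json

# The five questions from the slide, as required fields of every custody entry
# (field names are this example's own, not a standard).
REQUIRED = ("collected_by", "how_and_where", "possession_by", "storage", "removed_by_and_why")

def entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of the entry, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, item_id, when, **answers):
    """Append a custody entry; refuse it if any of the five questions is unanswered."""
    missing = [f for f in REQUIRED if not answers.get(f)]
    if missing:
        raise ValueError("unanswered custody questions: " + ", ".join(missing))
    entry = {"item_id": item_id, "when": when,
             "prev": log[-1]["digest"] if log else "0" * 64}
    entry.update({f: answers[f] for f in REQUIRED})
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def first_broken_link(log):
    """Return the index of the first altered or re-ordered entry, or None if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["digest"] != entry_digest(entry):
            return i
        prev = entry["digest"]
    return None

def demo_log():
    """Constructed sample: two custody events for one seized drive."""
    log = []
    append_entry(log, "HDD-001", "2024-05-01T09:15Z",
                 collected_by="A. Examiner", how_and_where="imaged on site, room 2",
                 possession_by="A. Examiner", storage="sealed bag, evidence locker 4",
                 removed_by_and_why="not removed")
    append_entry(log, "HDD-001", "2024-05-03T14:00Z",
                 collected_by="A. Examiner", how_and_where="imaged on site, room 2",
                 possession_by="B. Analyst", storage="lab safe",
                 removed_by_and_why="B. Analyst, to restore the image for analysis")
    return log
```

Because anyone able to rewrite the whole log could also recompute every digest, record the latest digest somewhere the log's holder cannot change, such as the signed paper custody form.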

Storage Media

  • Hard Drives

    • Make an image copy and then restore the image to a freshly wiped hard drive for analysis

    • Remount the copy and start to analyze it.

    • Before opening it get information on its configuration

    • Use tools (PartitionMagic) to generate a report listing the disk’s contents

    • View operating system logs.

Handle Evidence With Care

  • Collection

    • You want the evidence to be so pure that it supports your case.

  • Identification

    • Methodically identify and label every single item that comes out of the suspect’s/victim’s location.

  • Transportation

    • Evidence is not supposed to be moved, so when you move it, be extremely careful.

  • Storage

    • Keep the evidence in a cool, dry, and appropriate place for electronic evidence.

  • Documenting the investigation

    • Most difficult for computer professionals because technical people are not good at writing down details of the procedures.

Authenticating evidence

  • Authenticating evidence is difficult because:

    • Crime scenes change

    • Evidence is routinely damaged by environmental conditions

    • Computer devices slowly deteriorate

  • Keep proof of integrity and timestamp the evidence through cryptographic hashing of the data files

    • Two algorithms (MD5 and SHA-1) are in common use today


Analysis

  • Use any well known analysis tools.

  • Make two backups

Data Hiding

  • There are several techniques that intruders may use to hide data.

    • Obfuscating data through encryption and compression.

    • Hiding through codes, steganography, deleted files, slack space, and bad sectors.

    • Blinding investigators through changing behavior of system commands and modifying operating systems.

  • Use commonly known tools to overcome them

Network Forensics

  • Unlike computer forensics, which retrieves information from the computer’s disks, network forensics in addition retrieves information on which network ports were used to access the network.

  • There are several differences that separate the two, including the following:

    • In computer forensics, the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly having a higher level of knowledge of the system. In network forensics, the investigator and the adversary are at the same skill level.

    • In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate the incident. In fact, many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are used to gain information on network configurations, can be used by both the investigator and the criminal.

    • Computer forensics deals with extraction, preservation, identification, documentation, and analysis, and it follows well-defined procedures springing from law enforcement for acquiring evidence, providing chain of custody, authenticating, and interpretation. Network forensics, on the other hand, has nothing to investigate unless steps (like packet filters, firewalls, and intrusion detection systems) were in place prior to the incident.

Network Forensics Intrusion Analysis

  • Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without quick detection and, more seriously, a stealthy attack on a crucial system resource may be hidden by a simple, innocent port scan.

  • So the purpose of intrusion analysis is to seek answers to the following questions:

    • Who gained entry?

    • Where did they go?

    • How did they do it?
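
As an added example (not from the original slides), the sketch below applies the first two questions to firewall records: it finds sources that probed many ports on one host, then surfaces accepted connections to critical hosts that happened during the scan window and could otherwise be buried in the scan noise. The log format, addresses, critical-host list and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed firewall log lines: epoch_seconds src dst dst_port action
SAMPLE_LOG = """\
1000 203.0.113.9 10.0.0.5 21 DROP
1001 203.0.113.9 10.0.0.5 22 DROP
1002 203.0.113.9 10.0.0.5 23 DROP
1003 203.0.113.9 10.0.0.5 25 DROP
1003 198.51.100.7 10.0.0.20 1433 ACCEPT
1004 203.0.113.9 10.0.0.5 80 ACCEPT
1900 192.0.2.44 10.0.0.20 1433 ACCEPT
"""

def parse(text):
    """Yield (ts, src, dst, port, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]

def find_scans(events, min_ports=5):
    """Return {(src, dst): (first_ts, last_ts)} for sources probing many ports on one host."""
    ports, times = defaultdict(set), defaultdict(list)
    for ts, src, dst, port, _action in events:
        ports[(src, dst)].add(port)
        times[(src, dst)].append(ts)
    return {k: (min(times[k]), max(times[k])) for k in ports if len(ports[k]) >= min_ports}

def hidden_by_scan(events, scans, critical_hosts, slack=60):
    """Accepted connections to critical hosts, from non-scanning sources, during a scan window."""
    scanners = {src for src, _dst in scans}
    hits = []
    for ts, src, dst, port, action in events:
        in_window = any(lo - slack <= ts <= hi + slack for lo, hi in scans.values())
        if action == "ACCEPT" and dst in critical_hosts and src not in scanners and in_window:
            hits.append((ts, src, dst, port))
    return hits

def analyze(text=SAMPLE_LOG, critical_hosts=("10.0.0.20",)):
    """Who scanned, and what reached a critical host while the scan was running."""
    events = list(parse(text))
    scans = find_scans(events)
    return scans, hidden_by_scan(events, scans, set(critical_hosts))
```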

Damage Analysis

  • It is difficult to effectively assess damage caused by system attacks.

  • Damage analysis provides a trove of badly needed information showing how widespread the damage was, who was affected, and to what extent.


  • To achieve a detailed report of an intrusion detection, the investigator must carry out a post mortem of the system by analyzing and examining the following:

    • System registry, memory, and caches. To achieve this, the investigator can use dd for Linux and Unix systems.

    • Network state, to assess computer network accesses and connections. Here netstat can be used.

    • Current running processes, to assess the number of active processes. Use ps for both Unix and Linux.

    • Data acquisition of all unencrypted data. This can be done using MD5 and SHA-1 on all files and directories. Then store this data in a secure place.
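
As an added example (not from the original slides), the sketch below serves both the "Authenticating evidence" slide and the data-acquisition step above: it records MD5 and SHA-1 digests for every file under a directory, then compares a later manifest against the one taken at seizure. SHA-256 is included as this example's own addition because MD5 and SHA-1 have known collision attacks; the function names and sample files are constructed.

```python
import hashlib
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Read the file once, in chunks, and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:          # read-only: analysis must not modify the data
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Map each file's path relative to root to its digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digests(full)
    return manifest

def compare(seized, working):
    """Return (changed, missing, added) relative paths between two manifests."""
    changed = sorted(p for p in seized if p in working and seized[p] != working[p])
    missing = sorted(p for p in seized if p not in working)
    added = sorted(p for p in working if p not in seized)
    return changed, missing, added

def demo():
    """Constructed evidence tree: hash it, alter one byte, delete one file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "logs"))
        samples = {"logs/auth.log": b"constructed log line\n", "notes.txt": b"constructed note\n"}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        seized = build_manifest(root)
        with open(os.path.join(root, "notes.txt"), "r+b") as fh:
            fh.write(b"C")                # single-byte modification
        os.remove(os.path.join(root, "logs", "auth.log"))
        return seized, compare(seized, build_manifest(root))
```

Store the seizure-time manifest apart from the working copy, as the step above says, so that a change to the data cannot be hidden by regenerating the manifest beside it.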

Forensic Electronic Toolkit

  • Computer and network forensics involves and requires:

    • Identification

    • Extraction

    • Preservation

    • Documentation

  • A lot of tools are needed for thorough work

  • The “forensically sound” method is never to conduct any examination on the original media.

  • Before you use any forensic software, make sure you know how to use it, and also that it works.

  • Tools:

    • Hard Drive – use partitioning and viewing (Partinfo and PartitionMagic)

    • File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (Quick View Plus, Conversion Plus, DataViz, ThumbsPlus)

More tools (cont.)

  • Unerase – if the files are no longer in the recycle bin or you are dealing with old systems without recycle bins.

  • CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics

  • Text – because text data can be huge, use fast scanning tools like dtSearch.

  • Other kits:

    • Forensic toolkit – command-line utilities used to reconstruct access activities in NT File systems

    • Coroner toolkit - to investigate a hacked Unix host.

    • ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.

    • New Technologies Incorporated (NTI)

    • EnCase

    • Hardware-
