
Computer Data Forensics Principle and Procedure – Lab 1 Concept

Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU. Computer Data Forensics: Principle and Procedure – Lab 1 Concept.





Presentation Transcript


  1. Computer Data Forensics: Principle and Procedure – Lab 1 Concept
  Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

  2. Computer Forensics Defined
  • Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence. (1991 IACIS)
  • Application of law to a science
  • Autopsy of a computer hard disk drive
  • Specialized software tools and techniques are required to analyze
  • Stipulates procedures which must be followed

  3. Computer Forensics Procedures
  • The procedures:
  • Guarantee the preservation of evidence (no ‘contamination’)
  • Ensure the accuracy of the results found from computer evidence processing
  • Are chosen to be reliable, time-tested and approved
  • Are cross-validated by using multiple tools (flaws in one tool may be overcome)

  4. What investigators need to do
  • Determine whether certain computers are suspect
  • Seize legally
  • Preserve the evidence
  • Perform detective analysis of the data using contextual knowledge of possible criminal activity
  • Exploit the tools available
  • Find evidence and journal it, writing up the procedures used
  • Present it convincingly in court

  5. Seizing legally
  • If you are performing work for a company on the company’s premises, you need the company’s authorization only
  • It is the company’s duty to advise employees that they cannot claim privacy to any files on their computers at work
  • If universities have a different policy, they should state it clearly to the employees when they join
  • The company bears the onus of seizing.

  6. Seizing legally
  • If you are working for law enforcement, then they must have the necessary warrants issued by a judge
  • As an investigator you need not even be present when the computers are seized.
  • It is good to have procedures though
  • Powering off – I advise normal power down.
  • It is vain to think you need to see what the employee was doing at the moment. The evidence will be on disk.

  7. How to preserve computer evidence
  • Obtain the disks and do a ‘bitstream’ copy and generate a hash.
  • Then you can return the computer and disks to law enforcement – if they want to dust for fingerprints, let them. The digital fingerprints are on the disk copy.
  • Keep the disks carefully; indeed make another copy and keep it in a distant place under lock and key, with control.
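The “bitstream copy and generate a hash” step of slide 7, worked through as an added example (not part of the original presentation or the author’s lab material). An ordinary file stands in for the suspect disk; the file contents, the block size and the `simulated_bad_offsets` hook that fakes an unreadable block are all constructed for this demo. The source is hashed as it is read (the acquisition hash) and the finished image is hashed again from disk (the verification hash); the two must agree, and the record they go into is what the examiner journals. An unreadable block is zero-filled and its offset logged rather than aborting the copy, which is how `dd conv=noerror,sync` behaves; the hash then proves the image matches what was read, while the bad-block list is what records that the disk was not fully readable. `verify_image` is the check you repeat on the second, off-site copy.

```python
"""Bit-stream imaging with acquisition and verification hashes (added example)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # bytes per read, like dd's bs=; constructed value for the demo


def make_constructed_disk(path, size=3 * BLOCK_SIZE + 123):
    """Write a deterministic fake 'disk' so the example runs offline (constructed data)."""
    with open(path, "wb") as f:
        f.write(bytes((i * 7 + 13) % 256 for i in range(size)))
    return path


def sha256_of_file(path):
    """Stream SHA-256 over a file block by block; never loads the whole disk into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src, dst, simulated_bad_offsets=frozenset()):
    """Copy src to dst block for block and return an acquisition record.

    The source is hashed while it is read (acquisition hash) and the image is
    hashed again from disk afterwards (verification hash). An unreadable block
    is replaced by zeros and its offset logged, as dd conv=noerror,sync does,
    so one bad sector does not abort the acquisition. simulated_bad_offsets
    is a test hook for this demo only; a real imager has no such parameter.
    """
    h_src = hashlib.sha256()
    bad_blocks = []
    total = 0
    size = os.path.getsize(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while total < size:
            offset = fin.tell()
            want = min(BLOCK_SIZE, size - offset)
            try:
                if offset in simulated_bad_offsets:
                    raise OSError("simulated unreadable block at %d" % offset)
                chunk = fin.read(want)
            except OSError:
                chunk = b"\x00" * want      # zero-fill so later offsets stay aligned
                bad_blocks.append(offset)
                fin.seek(offset + want)     # skip past the unreadable block
            h_src.update(chunk)
            fout.write(chunk)
            total += len(chunk)
    record = {
        "source": src,
        "image": dst,
        "bytes": total,
        "bad_blocks": bad_blocks,
        "acquisition_sha256": h_src.hexdigest(),
        "verification_sha256": sha256_of_file(dst),
    }
    # The image is good if what landed on disk hashes to what was read, byte for byte.
    record["verified"] = (record["acquisition_sha256"] == record["verification_sha256"]
                          and os.path.getsize(dst) == size)
    return record


def verify_image(path, expected_sha256):
    """Re-hash a stored image (e.g. the off-site copy) and compare to the journaled hash."""
    return sha256_of_file(path) == expected_sha256


def demo():
    """Run the whole procedure in a temporary directory and return the records."""
    with tempfile.TemporaryDirectory() as d:
        disk = make_constructed_disk(os.path.join(d, "suspect_disk.bin"))
        first = bitstream_copy(disk, os.path.join(d, "image1.dd"))
        # Second copy for off-site storage, taken from the first image and
        # checked against the hash already written in the journal.
        second = bitstream_copy(first["image"], os.path.join(d, "image2.dd"))
        second_ok = verify_image(second["image"], first["verification_sha256"])
        # The same disk imaged again with one block unreadable (simulated).
        damaged = bitstream_copy(disk, os.path.join(d, "image_damaged.dd"),
                                 simulated_bad_offsets={BLOCK_SIZE})
        return {"first": first, "second_copy_ok": second_ok, "damaged": damaged}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the damaged image still reports `verified` as true: the hash only attests that the image equals what the imager read, so the bad-block list must be journaled alongside the hash or the gap in the evidence is invisible.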

  8. Forensic Process – 4 Phases
  1. Collection phase
  • Search, recognition, collection, and documentation of electronic evidence
  • Real-time and stored information may be lost without precautions
  2. Examination phase
  • Makes the evidence visible and explains its origin and significance
  • Document the content and state of the evidence in its totality
  • Separate the significant material from the mass of data
  3. Analysis
  • Takes the results of the examination and considers what it can prove or disprove

  9. Forensic Process – 4 Phases
  4. Reporting phase
  • Step-by-step outline of collection and examination
  • Seizure, examination, storage, and transfer of electronic evidence
  • Notes preserved
  • Validity of procedure carefully argued
  • Qualifications of examiner stated

  10. References
  • http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm
  • http://www.ustreas.gov/usss/electronic_evidence.shtml
