
Computer Forensics


prue

Presentation Transcript


  1. Computer Forensics • Discovery and recovery of digital evidence • Usually after the fact (post facto) • Sometimes in real time • Types of forensic investigations • Litigation • Going to court • Crimes, civil suits, etc. • Non-litigation • Administrative adjudication • Industry (internal investigations)

  2. Skills and Knowledge • Be aware of the many types of digital devices and their components and potential contents • Develop a Web behavior profile • Learn how to seize a computer and other devices • Proper handling of digital evidence • How to search a computer for evidence • Analyze a phishing scam • Become more knowledgeable about the digital/information world

  3. Purpose • Prove or disprove criminal activity • Prove or disprove policy violation • Prove or disprove malicious behavior to or by the computer/user • If the evidence is there, the case is yours to lose: careless handling can throw it away with very little effort.

  4. Legal and Ethical Issues • Computer forensic exams are illegal without the cover of law (a warrant, a court order, or the owner's consent/authorization) • In the U.S. the 4th Amendment limits government searches and seizures • You will learn dual-use technology • All tools can be used to commit crime • All procedures can be used to hide crime • It is unethical to breach someone's expectation of privacy.

  5. Responsibilities • Evidence • All of it • Emphasis on exculpatory evidence • Respect for the suspect's privacy and rights • Beware of collateral damage • Be very, very careful if you demonstrate what you can do.

  6. Privacy Issues • Rights of the suspect • Liabilities of the investigator • Public versus private storage of information • Expectation of privacy

  7. Evidence • Forensics is all about evidence. • Something that tends to prove or disprove the existence of an alleged fact. • Federal Rules of Evidence govern proceedings in the courts of the United States.

  8. Evidence • Admissible • must be legally obtained and relevant • Reliable • has not been tainted (changed) since acquisition • Authentic • the real thing, not a replica • Complete • includes any exculpatory evidence • Believable • lawyers, judge & jury can understand it

  9. Evidence • Admissible • Search warrant, wiretap, NSL (National Security Letter) • Reliable • Chain of custody, protected, properly handled • Not tainted, not changed: hash the image at acquisition and re-verify later (MD5 is the traditional digest, but it is collision-broken, so record SHA-256 as well) • Authentic • Computer data is different: a bit-for-bit copy is indistinguishable from the original, so authenticity rests on documented acquisition • Complete • Must search the entire hard disk, including unallocated space • Believable • Hard for geeks: the explanation has to reach a lay judge and jury
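The "not tainted, not changed" check on slide 9 in working form. This is an added example for the lecture, not code from the slides or from WinHex; the temporary file standing in for a disk image, its three-byte contents and the "custody record" dictionary are constructed here for illustration.

```python
"""Hash an acquired evidence file so later tampering can be detected.

Added example for this lecture, not code from the slides or from WinHex.
The temporary file, its contents and the "custody record" are constructed
here for illustration.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB disk image never has to fit in RAM


def _digest_chunks(chunks, algorithms):
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory blob, e.g. a carved file or a single sector."""
    return _digest_chunks([data], algorithms)


def hash_evidence(path, algorithms=ALGORITHMS):
    """Digests of the file at `path`, computed in one streaming pass.

    MD5 is what most case files still record, but it is collision-broken, so a
    modern digest (SHA-256) is computed alongside it and both go into the
    chain-of-custody record.
    """
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)


def verify_evidence(path, recorded):
    """Re-hash `path` and compare with the digests recorded at acquisition.

    Returns (ok, mismatches).  One flipped bit anywhere in the image changes
    every digest, which is what "reliable / not tainted" means in practice:
    the number in the custody log must still match today.
    """
    current = hash_evidence(path, tuple(recorded))
    mismatches = sorted(name for name in recorded if current[name] != recorded[name])
    return (not mismatches, mismatches)


def tamper_demo():
    """Acquire a constructed 'image', verify it, flip one byte, verify again.

    Returns (ok_before, ok_after); expected (True, False).
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # md5 test vector: 900150983cd24fb0d6963f7d28e17f72
        image = tmp.name
    try:
        recorded = hash_evidence(image)
        ok_before, _ = verify_evidence(image, recorded)
        with open(image, "r+b") as fh:
            fh.write(b"b")  # overwrite the first byte: "abc" -> "bbc"
        ok_after, _ = verify_evidence(image, recorded)
        return ok_before, ok_after
    finally:
        os.unlink(image)


if __name__ == "__main__":
    print(tamper_demo())  # (True, False)
```

Both digests are computed in the same pass so the image is read only once; the custody log should carry the algorithm name next to each value, because a bare 32-hex-digit string tells a court nothing about what it is.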

  10. Must Prove • Actus reus: the criminal act • Mens rea: the criminal intent • Both are needed for a conviction

  11. Intro to WinHex • WinHex – A hexadecimal editor for Windows • A general purpose forensic analysis tool we will use for this course. • Excellent professional grade tool. • You can download a trial version. • It has limited capability • But you can do a lot with it. • Then complete your assignments in the lab. • The license is good for a limited time.

  12. WinHex Main Screen

  13. Open a File

  14. Navigate to the Desired File

  15. Select and Open • What have we done?

  16. WinHex Display of file • WinHex displays the entire contents of the file. • Far left is the offset (position) relative to the beginning of the file. In this display the position is in hexadecimal. We will change this in a little bit. • The central panel is the data display in hexadecimal, one byte as two hex digits. • The far right panel is an attempt to display the file contents as characters, i.e. ASCII; bytes outside the printable range are shown as dots.

  17. Offset Change • Select General Options from the Options menu.

  18. General Options • We are interested in offsets. • Unselect Hexadecimal offsets so positions are shown in decimal.
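The three-panel view of slide 16 and the hex/decimal offset switch of slides 17 and 18, reproduced as a small hex-dump routine so the layout is explicit. This is an added example for the lecture, not WinHex code; the sample bytes (a JFIF-style header followed by some readable text) are constructed inline.

```python
"""Render bytes the way a hex editor does: offset | hex bytes | printable text.

Added example for this lecture, not WinHex code.  The sample bytes are
constructed inline.
"""


def hexdump(data, width=16, hex_offsets=True):
    """Return one line of text per `width` bytes of `data`.

    Left column: offset of the row's first byte, in hexadecimal or decimal
    (WinHex's "Hexadecimal offsets" option).  Middle: each byte as two hex
    digits.  Right: the same bytes as ASCII; anything outside 0x20..0x7E is
    shown as '.', which is why binary files look like noise in that panel.
    """
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        offset = f"{off:08X}" if hex_offsets else f"{off:010d}"
        hexpart = " ".join(f"{b:02X}" for b in row).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in row)
        lines.append(f"{offset}  {hexpart}  {text}")
    return lines


def find_text(data, needle, encoding="ascii"):
    """Decimal offset of the first occurrence of `needle`, or -1.

    A hex editor searches raw bytes, so the search string must be encoded the
    way the file stores it: text saved as UTF-16LE ("H\\x00i\\x00") is not
    found by an ASCII search for "Hi".
    """
    return data.find(needle.encode(encoding))


if __name__ == "__main__":
    # Constructed sample: a JFIF header followed by some readable text.
    sample = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
              + b"Invoice total $4,200\n" + bytes(range(16)))
    for line in hexdump(sample):
        print(line)
    print()
    for line in hexdump(sample, hex_offsets=False)[:2]:
        print(line)
    off = find_text(sample, "Invoice")
    print("'Invoice' starts at decimal offset", off, "= hex", f"{off:X}")
```

The encoding argument is the practical point behind "search file for text": Windows registry hives, many Office artifacts and NTFS file names store text as UTF-16LE, and an ASCII search will miss them.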

  19. Magic

  20. View as Text Only

  21. Text

  22. Open an Image File • Find an image somewhere • Maybe an image from a camera or cell phone • Open it in WinHex • To close, right-click on the tab • Choose Close - all gone

  23. Open an Image

  24. Actual Image Data

  25. MAC Information • All files carry information about the file itself • Metadata • This info is kept by the file system (directory entry / MFT record) or inside the file itself • MAC times • Modified time • Accessed time • Created time (on Unix-like systems the C is the inode change time, ctime) • This information is very important to case development.

  26. MAC & Evidence • The access time can change merely by opening or viewing a file; the modify time changes on any write. (Whether last-access updates happen depends on the OS: Windows has disabled or throttled NTFS last-access updates by default since Vista, Linux uses relatime.) • Consequently, mounting a drive read/write on a live system changes it. • Be very careful when handling digital evidence: use a write blocker and work from a hash-verified image.
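MAC times turned into the kind of timeline slide 25 has in mind, with a check for the slide 26 warning that merely reading a file can move its access time. This is an added example for the lecture, not WinHex code; the two files, their names and their pinned timestamps are constructed in a temporary directory so the script runs anywhere.

```python
"""Build a MAC-time timeline for a folder of evidence files.

Added example for this lecture, not WinHex code.  The files, their names
and their timestamps are constructed in a temporary directory so the script
runs anywhere; the timestamps are pinned with os.utime so the output is
predictable.
"""
import os
import tempfile
from datetime import datetime, timezone


def mac_times(path):
    """Return {'M': modified, 'A': accessed, 'C': created} as epoch seconds.

    Caveats: on Windows st_ctime is the creation time; on Unix it is the
    inode *change* time, and the creation ("birth") time is exposed only as
    st_birthtime on some platforms.  Access time is often disabled or updated
    lazily (NTFS since Vista, Linux "relatime"), so a stale A time does not
    prove the file was never opened.
    """
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    return {"M": st.st_mtime, "A": st.st_atime, "C": created}


def build_timeline(root):
    """Walk `root` and return [(epoch, flag, relative_path)] sorted by time.

    Each file contributes three rows (M, A, C); reading the sorted list top to
    bottom gives the order of events on the volume, subject to clock skew and
    to the atime caveats above.
    """
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for flag, when in mac_times(full).items():
                rows.append((when, flag, os.path.relpath(full, root)))
    rows.sort()
    return rows


def format_timeline(rows):
    """Human-readable lines, UTC, like the output of a 'mactime' run."""
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {flag} {path}"
            for t, flag, path in rows]


def demo():
    """Create two files an hour apart, build the timeline, then read one file.

    Returns (rows, atime_changed_by_read).  Whether the read changes the A
    time depends on the platform's atime policy, which is exactly the point of
    slide 26: opening evidence on a live system can alter it.
    """
    with tempfile.TemporaryDirectory() as root:
        notes = os.path.join(root, "notes.txt")
        photo = os.path.join(root, "photo.jpg")
        with open(notes, "wb") as fh:
            fh.write(b"first")
        os.utime(notes, (1_600_000_000, 1_600_000_000))   # 2020-09-13 12:26:40 UTC
        with open(photo, "wb") as fh:
            fh.write(b"\xff\xd8\xff")
        os.utime(photo, (1_600_003_600, 1_600_003_600))   # one hour later
        rows = build_timeline(root)                        # before touching anything
        before = mac_times(notes)["A"]
        with open(notes, "rb") as fh:
            fh.read()                                      # an "innocent" look at the file
        after = mac_times(notes)["A"]
        return rows, before != after


if __name__ == "__main__":
    rows, touched = demo()
    print("\n".join(format_timeline(rows)))
    print("reading notes.txt changed its access time:", touched)
```

The C rows land at "now" rather than in 2020 because os.utime itself updates the change/creation time the OS keeps for the file: metadata edits are visible in the metadata.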

  27. MAC Data

  28. More Metadata • Pictures from cameras have it • Called EXIF data

  29. Exif Data

  30. Exif Cont’d
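Where the EXIF data of slides 28 to 30 actually lives inside the JPEG, and how to read it without a library: walk the JPEG marker segments, find the APP1 segment that starts with "Exif", and decode the TIFF directory inside it. This is an added example for the lecture, not WinHex code; the JPEG is constructed inline (valid marker framing and an Exif block, but no picture data), and the camera make, model and dates in it are made up.

```python
"""Locate the Exif APP1 segment in a JPEG and read a few tags out of it.

Added example for this lecture, not WinHex code.  The JPEG is constructed
inline (a valid marker structure with an Exif block but no picture data),
and the camera make, model and dates in it are made up.
"""
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x9003: "DateTimeOriginal", 0x8769: "ExifIFD"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4}  # BYTE, ASCII, SHORT, LONG


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker FF D8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: metadata segments are over
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, bo, out):
    """Decode one Image File Directory; follow the Exif sub-IFD pointer."""
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(bo + "HHI4s", tiff[entry:entry + 12])
        size = TYPE_SIZE.get(typ)
        if size is None:                 # RATIONAL etc.: not needed here
            continue
        total = size * n
        if total <= 4:                   # value fits in the entry itself
            payload = raw[:total]
        else:                            # otherwise the entry holds an offset
            (start,) = struct.unpack(bo + "I", raw)
            payload = tiff[start:start + total]
        if typ == 2:
            value = payload.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3 and n == 1:
            (value,) = struct.unpack(bo + "H", payload)
        elif typ == 4 and n == 1:
            (value,) = struct.unpack(bo + "I", payload)
        else:
            value = payload
        if tag == 0x8769:                # pointer to the Exif-specific IFD
            _read_ifd(tiff, value, bo, out)
        else:
            out[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value


def extract_exif(jpeg):
    """Return {tag_name: value} from the first Exif APP1 segment, or {}."""
    for marker, payload in jpeg_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order: Intel or Motorola
        if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
            raise ValueError("Exif segment has a malformed TIFF header")
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        out = {}
        _read_ifd(tiff, ifd0, bo, out)
        return out
    return {}


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, one Exif APP1 segment, EOI (offsets hand-laid)."""
    e = lambda tag, typ, n, val: struct.pack("<HHII", tag, typ, n, val)
    tiff = b"II" + struct.pack("<HI", 42, 8)                   # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 4)                                # IFD0: 4 entries
    tiff += e(0x010F, 2, 5, 62) + e(0x0110, 2, 5, 67)           # Make, Model (ASCII at 62/67)
    tiff += e(0x0132, 2, 20, 72) + e(0x8769, 4, 1, 92)          # DateTime at 72, Exif IFD at 92
    tiff += struct.pack("<I", 0)                                # no IFD1
    tiff += b"Acme\x00" + b"Cam1\x00" + b"2020:09:13 12:26:40\x00"
    tiff += struct.pack("<H", 1) + e(0x9003, 2, 20, 110) + struct.pack("<I", 0)
    tiff += b"2020:09:13 12:00:00\x00"                          # DateTimeOriginal at 110
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    for name, value in extract_exif(build_sample_jpeg()).items():
        print(f"{name:17s} {value}")
```

DateTimeOriginal is the camera's own clock, not the file system's MAC times, which is why the two disagree whenever a photo is copied or edited; both belong on the case timeline, and the camera clock may be wrong or never set.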

  31. Search File for Text • With offsets in decimal, go find the text.

  32. Find Text • Position > Go To Offset • Type in the desired offset • Select OK

  33. JPEG • Found JPEG (the file starts with the signature bytes FF D8 FF)

  34. Physical Media vs. Logical Drives • Physical Media • Raw sectors of the device • No structure • No contents - only a stream of bytes, including unallocated space • Logical Drives • Structured • File system • Files

  35. Tools Menu

  36. Physical Opened • Not terribly useful

  37. Opening whatever is on the Drive

  38. Closer • Check the Windows Explorer box.

  39. Now We can See Stuff

  40. Double Click on a File • Beginning of file.

  41. Cruising Through • Deleted files are dimmed • Interesting: $$$

  42. A Closer Look • Maybe we have a business!

  43. Computer Forensics • Be careful • You are law enforcement • Protect all parties • Evidence must be • Admissible • Reliable • Authentic • Complete • Believable

  44. Lab • Play with WinHex • Open a device • Open a file • Open an image • Explore • Like this presentation
