COMPUTER FORENSICS

Aug. 11, 2000 for

tan@atstake.com

Cambridge, Massachusetts

COMPUTER FORENSICS CAN BE MANY THINGS
  • Child Pornography
  • Fraud
  • Espionage & Treason
  • Corporate or University Policy Violation
  • Honey-pots
  • Corporate or University internal investigation
  • FBI or (unlikely) Sheriff investigation
  • Computer Security Research
  • Post Mortem or Damage Assessment

Computer forensics ultimately supports or refutes a case someone cares to make.

FORENSICS IS A FOUR STEP PROCESS
  • Acquisition
  • Identification
  • Evaluation
  • Presentation

RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications) http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm , by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

PRESENTATION – Starting at the End
  • Many findings will not be evaluated to be worthy of presentation as evidence.
  • Many findings will need to withstand rigorous examination by another expert witness.
  • The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
  • The Chain of Custody may be challenged.
EVALUATION – What the Lawyers Do
  • This is what lawyers (or those concerned with the case) do: basically, determine relevance.
  • Presentation of findings is key in this phase.
  • Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.
IDENTIFICATION – Technical Analysis
  • Physical Context
  • Logical Context
  • Presentation/Use Context
  • Opinion to support relevance of findings
  • Handling and labeling of objects submitted for forensic analysis is key.
  • Following a documented procedure is key.
FBI List of Computer Forensic Services
  • Content (what type of data)
  • Comparison (against known data)
  • Transaction (sequence)
  • Extraction (of data)
  • Deleted Data Files (recovery)
  • Format Conversion
  • Keyword Searching
  • Password (decryption)
  • Limited Source Code (analysis or compare)
  • Storage Media (many types)
THE EVIDENCE LOCKER
  • Restricted Access and Low Traffic, Camera Monitored Storage.
  • Video Surveillance & Long Play Video Recorders
  • Baggies for screws and label everything!
  • Sign In/Out for Chain of Custody
ACQUISITION – What Are the Goals?
  • Track or Observe a Live Intruder?
  • Assess Extent of Live Intrusion?
  • Preserve “Evidence” for Court?
  • Close the Holes and Evict the Unwanted Guest?
  • Support for Sheriff, State Police or FBI Arrest?
  • Support for Court Ordered Subpoena?
GROUND ZERO – WHAT TO DO
  • do not start looking through files
  • start a journal with the date and time, keep detailed notes
  • unplug the system from the network if possible
  • do not back the system up with dump or other backup utilities
  • if possible without rebooting, make two byte by byte copies of the physical disk
  • capture network info
  • capture process listings and open files
  • capture configuration information to disk and notes
  • collate mail, DNS and other network service logs to support host data
  • capture exhaustive external TCP and UDP port scans of the host
  • contact security department or CERT/management/police or FBI
  • if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
  • short-term storage
  • packaging/labeling
  • shipping
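An added example, not from the slides, covering the journal, dual byte-by-byte copy and hash-verification steps of the list above, plus the hash comparison against known-good data listed under the FBI services (the kind of check a fingerprint database such as Sun's supports). It is POSIX shell and assumes dd, awk and sha256sum or shasum on PATH; the SOURCE argument is whatever path you give it, standing in for the physical disk.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes POSIX sh with dd, awk and
# sha256sum (or shasum) on PATH. SOURCE stands in for the physical disk.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append one UTC-timestamped line to the journal named by $JOURNAL.
journal() {
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

# compare_known FILE EXPECTED_SHA256: the "comparison against known data"
# step; prints MATCH or DIFFERS and returns 0 only on a match.
compare_known() {
    if [ "$(hash_file "$1")" = "$2" ]; then echo MATCH; else echo DIFFERS; return 1; fi
}

# acquire_and_verify SOURCE OUTDIR: open a journal, make two byte-by-byte
# copies of SOURCE, hash source and copies, log everything, and return 0
# only when all three hashes agree. SOURCE is never written to.
acquire_and_verify() {
    src=$1; out=$2
    JOURNAL="$out/journal.txt"
    mkdir -p "$out"
    journal "examiner=$(id -un 2>/dev/null || echo unknown) host=$(uname -n) source=$src"
    src_hash=$(hash_file "$src")
    journal "source sha256=$src_hash"
    for n in 1 2; do
        img="$out/image$n.dd"
        # bs=512 reads sector by sector; conv=noerror,sync keeps going past
        # unreadable sectors and pads them so later offsets stay aligned
        # (the source length is assumed to be a multiple of 512 bytes).
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$out/dd_stderr.txt"
        h=$(hash_file "$img")
        journal "copy $n file=$img sha256=$h"
        if [ "$h" != "$src_hash" ]; then
            journal "MISMATCH on copy $n, acquisition rejected"
            return 1
        fi
    done
    journal "both copies verified against source; work only from a copy"
}
```

The journal file and the dd stderr log go into the evidence directory alongside the images, so the timestamps, hashes and any read errors travel with the copies.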
ADDITIONAL RESOURCES
  • RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
  • Lance Spitzner’s Page: Forensic Analysis, Building Honeypots http://www.enteract.com/~lspitz/pubs.html
  • Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
  • The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
  • Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
  • FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
  • Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
  • Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html

Thank you …

… very much, MIT!