Computer Forensics

Aug. 11, 2000 for

Cambridge, Massachusetts

Computer Forensics Can Be Many Things
  • Child Pornography
  • Fraud
  • Espionage & Treason
  • Corporate or University Policy Violation
  • Honey-pots
  • Corporate or University internal investigation
  • FBI or (unlikely) Sheriff investigation
  • Computer Security Research
  • Post Mortem or Damage Assessment

Computer forensics ultimately supports or refutes a case someone cares to make.

Forensics Is a Four-Step Process
  • Acquisition
  • Identification
  • Evaluation
  • Presentation

RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

PRESENTATION – Starting at the End
  • Many findings will not be evaluated to be worthy of presentation as evidence.
  • Many findings will need to withstand rigorous examination by another expert witness.
  • The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
  • The Chain of Custody may be challenged.
EVALUATION – What the Lawyers Do
  • This is what lawyers (or those concerned with the case) do: basically, determine relevance.
  • Presentation of findings is key in this phase.
  • Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.
IDENTIFICATION – Technical Analysis
  • Physical Context
  • Logical Context
  • Presentation/Use Context
  • Opinion to support relevance of findings
  • Handling and labeling of objects submitted for forensic analysis is key.
  • Following a documented procedure is key.
FBI List of Computer Forensic Services
  • Content (what type of data)
  • Comparison (against known data)
  • Transaction (sequence)
  • Extraction (of data)
  • Deleted Data Files (recovery)
  • Format Conversion
  • Keyword Searching
  • Password (decryption)
  • Limited Source Code (analysis or compare)
  • Storage Media (many types)
The Evidence Locker
  • Restricted-access, low-traffic, camera-monitored storage.
  • Video Surveillance & Long Play Video Recorders
  • Baggies for screws and label everything!
  • Sign In/Out for Chain of Custody
ACQUISITION – What Are the Goals?
  • Track or Observe a Live Intruder?
  • Assess Extent of Live Intrusion?
  • Preserve “Evidence” for Court?
  • Close the Holes and Evict the Unwanted Guest?
  • Support for Sheriff, State Police or FBI Arrest?
  • Support for Court Ordered Subpoena?
Ground Zero – What to Do
  • do not start looking through files
  • start a journal with the date and time, keep detailed notes
  • unplug the system from the network if possible
  • do not back the system up with dump or other backup utilities
  • if possible without rebooting, make two byte-by-byte copies of the physical disk
  • capture network info
  • capture process listings and open files
  • capture configuration information to disk and notes
  • collate mail, DNS and other network service logs to support host data
  • capture exhaustive external TCP and UDP port scans of the host
  • contact security department or CERT/management/police or FBI
  • if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
  • short-term storage
  • packaging/labeling
  • shipping
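The acquisition steps above, as an added example that is not part of the original slides: a POSIX shell helper that opens the journal first, captures volatile data with a hash recorded for each file as it is written, then makes the two byte-by-byte copies and verifies each against the source. It runs on a constructed 256 KiB sample file rather than a real device; every function, path and label is hypothetical, and netstat/ps stand in for whatever the slide's "network info" and "process listings" steps would run on the host.

```shell
#!/bin/sh
# Hypothetical acquisition helper: journal first, volatile data next, disk images last.
# SRC is a file here; on a real case it would be a block device and CASE_DIR trusted media.
set -eu

CASE_DIR="${CASE_DIR:-$(mktemp -d)}"
JOURNAL="$CASE_DIR/journal.txt"

hash_file() {                 # SHA-256 hex digest (GNU sha256sum or BSD shasum)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

journal() {                   # the case notebook: UTC timestamp, examiner, note
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" >> "$JOURNAL"
}

capture() {                   # capture <label> <command...>: volatile state, hashed as written
    label=$1; shift
    out="$CASE_DIR/$label.txt"
    "$@" > "$out" 2>&1 || journal "WARNING: '$*' exited non-zero; output kept as-is"
    journal "captured $label via '$*' sha256=$(hash_file "$out")"
}

image_disk() {                # image_disk <src>: two independent dd copies, each verified
    src=$1; src_hash=$(hash_file "$src")
    journal "source $src bytes=$(wc -c < "$src" | tr -d ' ') sha256=$src_hash"
    for n in 1 2; do
        img="$CASE_DIR/image$n.dd"
        # noerror,sync reads past bad sectors and zero-fills them, so an unreadable
        # region surfaces as a hash mismatch below instead of a silently short image.
        dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$JOURNAL"
        img_hash=$(hash_file "$img")
        journal "image$n $img sha256=$img_hash"
        [ "$img_hash" = "$src_hash" ] || { journal "MISMATCH on image$n"; return 1; }
    done
}

run_acquisition() {           # run_acquisition <src>: the slide's order of operations
    journal "acquisition started on $(uname -n)"
    capture network_sockets netstat -an   # network info
    capture processes ps -ef              # process listing
    image_disk "$1" && journal "acquisition complete: two verified images in $CASE_DIR"
}

make_sample_disk() {          # constructed 256 KiB (4096-aligned) stand-in for a physical disk
    yes 'constructed sample disk contents' | head -c 262144 > "$1"
    printf '%s\n' "$1"
}
```

Set `CASE_DIR` to the evidence media before running `run_acquisition /dev/<device>`; the journal then carries the hashes that the chain-of-custody review described earlier will ask for.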
Additional Resources
  • RCMP Article on the Forensic Process.
  • Lance Spitzner’s Page: Forensic Analysis, Building Honeypots
  • Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts.
  • The Forensic Toolkit (NT).
  • Long Play Video Recorders.
  • FBI Handbook of Forensic Services.
  • Solaris Fingerprint Database for cryptographic comparison of system binaries.
  • Inspecting Your Solaris System and Network Logs for Evidence of Intrusion.
Thank you …

… very much, MIT!