Computer Forensics: Principles and Practices

by Volonino, Anzaldua, and Godwin

Chapter 5: Data, PDA, and Cell Phone Forensics

Objectives
  • Recognize and identify types of drives and media storage devices
  • Describe PDA and cellular phone technologies
  • Explain techniques for acquiring and analyzing data from hard drives and other storage media

© Pearson Education Computer Forensics: Principles and Practices

Objectives (Cont.)
  • Describe techniques for acquiring and analyzing data from PDAs and cellular phones
  • List and describe tools that can be used to analyze disk images, PDA data, and cellular phone data

Introduction

It is important to understand how the technology works in order to properly gather evidence from the different media devices. This chapter gives you the requisite understanding and then the tools to help in gathering the evidence from those devices.

Basic Hard Drive Technology
  • Composition of hard drives
    • Platters
    • Heads
    • Cylinders
    • Sectors
  • Locating hard drive geometry information
    • Information on the hard drive's label contains the drive geometry

Basic Hard Drive Technology (Cont.)
  • Hard drive standards
    • ATA (advanced technology attachment)
    • ATAPI (advanced technology attachment programmable interface)
    • EIDE
    • IDE (integrated drive electronics)
    • PIO (programmable input/output)
    • UDMA (ultra direct memory access)
    • ATA speed rating
    • SATA (serial advanced technology attachment)

Other Storage Technologies
  • Floppy disks
  • Tape drive technologies
    • QIC, DAT, DLT
  • ZIP and other high-capacity drives
  • Optical media structures
    • Single session vs. multisession CDs
    • DVDs
  • USB Flash drives

Personal Digital Assistant Devices (PDAs)
  • Five major PDA operating systems:
    • BlackBerry
    • Open Embedded (Linux)
    • PalmSource (Palm OS)
    • Symbian (Psion)
    • Windows Mobile (Pocket PC)

Cellular Phones
  • New phones are low-end computers with the following capabilities:
    • PDA functionality
    • Text messaging
      • SMS, EMS, MMS, IM
    • Single photo and/or movie video capable
    • Phonebook
    • Call logs
    • Subscriber identity module
    • Global positioning systems
    • Video streaming
    • Audio players

Drive and Media Analysis
  • Acquiring data from hard drives
    • Bit-stream transfer
    • Disk-to-disk imaging

Drive and Media Analysis (Cont.)
  • Acquiring data from removable media
    • Document the scene
    • Use static-proof container and label container with
      • Type of media
      • Where media was found
      • Type of reader required for the media
    • Transport directly to lab
    • Do not leave any media in a hot vehicle or environment
    • Store media in a secure and organized area

Drive and Media Analysis (Cont.)
  • Acquiring data from removable media (cont.)
    • Once at the lab, make a working copy of the drive
      • Make sure the media is write-protected
      • Make a hash of the original drive and the duplicate
      • Make a copy of the duplicate to work from
      • Store the original media in a secure location
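
The lab steps above (hash the original and the duplicate, then work from a copy of the duplicate), sketched as an added example that is not part of the original slides. It assumes the source is already write-protected; SHA-256, the `acquire` and `hash_of` function names, and the output file names are choices made for this example.

```shell
#!/bin/sh
# Added example. A regular file stands in for the write-protected media;
# SHA-256 and the file names below are assumptions, not from the slides.

hash_of() {
    # Print only the SHA-256 digest of a file or device node.
    sha256sum "$1" | awk '{print $1}'
}

acquire() {
    # Usage: acquire SOURCE CASE_DIR
    # Returns 0 only if original, duplicate and working copy hash alike.
    src=$1
    dir=$2
    [ -r "$src" ] || return 1
    mkdir -p "$dir" || return 1

    # Hash the original before anything else reads from it.
    h_orig=$(hash_of "$src")

    # Bit-stream copy of the original into the duplicate image.
    dd if="$src" of="$dir/duplicate.dd" bs=4096 2>/dev/null || return 1
    h_dup=$(hash_of "$dir/duplicate.dd")

    # The working copy is made from the duplicate, not from the original.
    dd if="$dir/duplicate.dd" of="$dir/working.dd" bs=4096 2>/dev/null || return 1
    h_work=$(hash_of "$dir/working.dd")

    # Record all three digests for the case file.
    {
        echo "original  $h_orig  $src"
        echo "duplicate $h_dup  $dir/duplicate.dd"
        echo "working   $h_work  $dir/working.dd"
    } >> "$dir/hashes.log"

    # Keep the duplicate read-only so analysis happens on the working copy.
    chmod 0444 "$dir/duplicate.dd"

    [ -n "$h_orig" ] && [ "$h_orig" = "$h_dup" ] && [ "$h_dup" = "$h_work" ]
}

# Constructed demo: 1 MiB of random bytes plays the part of the media.
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/media.bin" bs=4096 count=256 2>/dev/null
acquire "$demo/media.bin" "$demo/case" && cat "$demo/case/hashes.log"
```

Re-hashing the working copy after analysis and comparing it with the logged digest shows whether the examination altered it.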

Drive and Media Analysis (Cont.)
  • Acquiring data from USB flash drives
    • Write protect the drive
    • Software may be needed to write protect
    • Essentially recognized much like a regular hard drive by the operating system

In Practice: PDA-Configured iPod Reveals Employee Theft
  • Review of bank fees revealed that Joe had been skimming money
  • Suspicion fell on iPod that Joe had on his desk every day
  • iPod had been partitioned to hold both data and music

PDA Analysis
  • Guidelines for seizing PDAs:
    • If already off, do not turn it on
    • Seal in an envelope before putting it in an evidence bag to restrict access
    • Attach the power adapter through the evidence bag to maintain the charge
    • Keep active state if PDA is on when found

PDA Analysis (Cont.)
  • Guidelines for seizing PDAs (cont.):
    • Search should be conducted for associated memory devices
    • Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals
    • Anyone handling PDAs before their examination should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

PDA Chain of Custody
  • Documentation of the chain of custody should answer the following:
    • Who collected the device, media, and associated peripherals?
    • How was the e-evidence collected and where was it located?
    • Who took possession of it?
    • How was it stored and protected while in storage?
    • Who took it out of storage and why?

Secured PDA Device
  • Ask the suspect what the password is
  • Contact the manufacturer for backdoors or other useful information
  • Search the Internet for known exploits for either a password crack or an exploit that goes around the password
  • Call in a PDA professional who specializes in data recovery

Cellular Phone Analysis
  • Determine which forensic software package will work with the suspect cellular phone
  • Ascertain the connection method
  • Some devices need to have certain protocols in place before acquisition begins
  • Physically connect the cellular phone and the forensic workstation using the appropriate interface

Cellular Phone Analysis (Cont.)
  • Before proceeding, make sure all equipment and basic data are in place
  • Most software packages are GUI based and provide a wizard
  • Once connected, follow the procedures to obtain a bit-stream copy
  • Search for evidence and generate reports detailing findings

Disk Image Forensic Tools
  • Guidance Software
  • Paraben® software
  • FTK™
  • Logicube

PDA/Cellular Phone Forensic Software
  • Tools for examining PDAs
    • EnCase and Palm OS software
    • PDA Seizure
    • Palm dd (pdd)
    • POSE (Palm OS Emulator)
    • PDA memory cards

PDA/Cellular Phone Forensic Software (Cont.)
  • Tools for examining cellular phones
    • Bit PM
    • Cell Seizure
    • Oxygen PM
    • Pilot-link
    • Forensic SIM
    • SIMCon
    • SIMIS

PDA/Cellular Phone Forensic Software (Cont.)
  • Tools for examining both PDAs and cellular phones
    • Paraben software
    • Logicube

Summary
  • You are most likely to encounter media devices such as:
    • Hard drives
    • Optical media (CDs)
    • USB drives
    • PDAs
    • Cellular phones

Summary (Cont.)
  • You learned how data is stored on these devices and methods for acquiring the data
  • General guidelines for data acquisition are the same for most devices
  • There are also specific guidelines depending on the type of device

Summary (Cont.)
  • Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software
    • Some software is specific to PDAs
    • Some can be used for several different types of data
