ch 2 - computer forensic methodology and process
DESCRIPTION
Computer Forensic
TRANSCRIPT
-
Computer Forensic Methodology
and Process
2.1 Internet Fundamentals
2.2 Application Address
2.3 Dial-up Session
2.4 Tracing Email and News Postings
-
2.1 Internet Fundamentals
2.2 Application Address
-
Why is Application Evidence
important?
In the legal world, Evidence is
EVERYTHING.
Evidence is used to establish facts.
The Forensic Examiner is not biased.
-
Who are the Victims in
Application Address?
Private Business
Government
Private Individuals
-
Types of Forensic Requests
Intrusion Analysis
Damage Assessment
Suspect Examination
Tool Analysis
Log File Analysis
Evidence Search
-
A Dial-Up Session
Now that you have an understanding of some Internetworking basics, let's take a look at how a typical Internet dial-up session works. When you dial in to an ISP with a modem, the link runs the Point-to-Point Protocol (PPP). PPP is a layer 2 (data link) protocol: it frames and carries IP packets over the serial line; it does not replace IP.
Connectivity is not automatic, though. A dial-up session must first be authenticated (PAP or CHAP), and only then is an IP address assigned (via IPCP). The modem at the ISP's
Point of
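The framing described above, as an added example that is not part of the original slides: a minimal PPP (RFC 1661/1662) frame builder and parser in Python. It shows the three stages of a dial-up session on constructed frames, a PAP Authenticate-Request (protocol 0xC023), an IPCP Configure-Ack carrying the assigned address (0x8021), and an IPv4 packet riding inside PPP (0x0021), so that the layer 2 / layer 3 relationship is visible in the bytes. The user name, password and addresses are invented for the demo; byte stuffing (0x7D escapes) is omitted.

```python
"""Added example: minimal PPP framing per RFC 1661/1662 on constructed frames."""
import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
PROTOCOL_NAMES = {0x0021: "IPv4", 0xC021: "LCP", 0xC023: "PAP",
                  0xC223: "CHAP", 0x8021: "IPCP"}
PPP_GOOD_FCS = 0xF0B8  # FCS-16 of (body + its own FCS) for an undamaged frame


def make_fcstab():
    """RFC 1662 FCS-16 table: reflected CRC-16, polynomial 0x8408."""
    table = []
    for i in range(256):
        v = i
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


FCSTAB = make_fcstab()


def ppp_fcs16(data: bytes) -> int:
    fcs = 0xFFFF
    for b in data:
        fcs = (fcs >> 8) ^ FCSTAB[(fcs ^ b) & 0xFF]
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | Address | Control | Protocol | payload | FCS (LSB first) | Flag."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing HDLC flag")
    body = frame[1:-1]
    if ppp_fcs16(body) != PPP_GOOD_FCS:
        raise ValueError("bad FCS: frame damaged or tampered")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    proto = struct.unpack("!H", body[2:4])[0]
    return {"protocol": proto, "name": PROTOCOL_NAMES.get(proto, "unknown"),
            "payload": body[4:-2]}


def parse_pap_request(payload: bytes) -> dict:
    """PAP Authenticate-Request (RFC 1334): credentials cross the link in clear."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code != 1 or length > len(payload):
        raise ValueError("not a well-formed Authenticate-Request")
    n = payload[4]
    peer_id = payload[5:5 + n]
    m = payload[5 + n]
    password = payload[6 + n:6 + n + m]
    return {"id": ident, "peer_id": peer_id.decode(), "password": password.decode()}


def parse_ipcp_address(payload: bytes):
    """IP-Address option (type 3) from an IPCP Configure-Ack, or None."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code != 2:
        return None
    opts, i = payload[4:length], 0
    while i + 2 <= len(opts):
        opt_type, opt_len = opts[i], opts[i + 1]
        if opt_len < 2:
            raise ValueError("malformed IPCP option")
        if opt_type == 3 and opt_len == 6:
            return ".".join(str(b) for b in opts[i + 2:i + 6])
        i += opt_len
    return None


def parse_ipv4_header(pkt: bytes) -> dict:
    """Just enough of the IPv4 header to show layer 3 inside the PPP frame."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    return {"protocol": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}


def demo_session() -> dict:
    """Authenticate, get an address, then send IP: all frames constructed here."""
    peer_id, password = b"alice", b"hunter2"  # invented credentials
    pap = (bytes([1, 7]) + struct.pack("!H", 6 + len(peer_id) + len(password))
           + bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password)
    ipcp = bytes([2, 1]) + struct.pack("!H", 10) + bytes([3, 6, 10, 0, 0, 2])
    ipv4 = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0,
                  10, 0, 0, 2, 10, 0, 0, 1])  # ICMP 10.0.0.2 -> 10.0.0.1
    result = {}
    for proto, payload in ((0xC023, pap), (0x8021, ipcp), (0x0021, ipv4)):
        parsed = parse_frame(build_frame(proto, payload))
        if parsed["name"] == "PAP":
            result["auth"] = parse_pap_request(parsed["payload"])
        elif parsed["name"] == "IPCP":
            result["assigned_ip"] = parse_ipcp_address(parsed["payload"])
        elif parsed["name"] == "IPv4":
            result["ip"] = parse_ipv4_header(parsed["payload"])
    return result
```

Two points worth noticing for an examiner: the FCS only detects accidental damage (any tamperer can recompute it), and a PAP exchange captured on the wire contains the user's password in clear text, which is why CHAP replaced it.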
-
2.4 Tracing Email and News Postings
-
File Recovery
Deleted Files
Hidden Files
Slack Space
Bad Blocks
Steganography
X-Drives
NTFS Streams
-
Evidence Search
Image Files
Software applications
Deleted Files
Hidden Files
Encrypted Files
Hidden partitions
Keyword Search
Known Remote Access Tools
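The File Recovery and Evidence Search lists above describe techniques without showing them, so here is an added example (not from the slides) that runs three of them over a constructed disk image in Python: signature-based carving of a deleted file that no longer has file-system metadata, a keyword search that also catches the UTF-16LE encoding Windows applications write, and extraction of slack space behind an allocated file. The image, its file contents and the keywords are all invented for the demo.

```python
"""Added example: carving, keyword search and slack extraction on a constructed image."""
import hashlib
import re

SECTOR = 512
# header -> footer pairs for a few common file types
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Recover files by header/footer signature, independent of file-system
    metadata, so deleted and unallocated files are found too."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:  # header without a footer in range: skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "sha256": hashlib.sha256(image[start:end]).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def keyword_search(image: bytes, keywords, context: int = 16) -> list:
    """Case-insensitive search in both ASCII and UTF-16LE (Windows) encodings."""
    hits = []
    for kw in keywords:
        for enc, needle in (("ascii", kw.encode()), ("utf-16le", kw.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "context": image[max(0, m.start() - context):m.end() + context]})
    return sorted(hits, key=lambda h: h["offset"])


def slack_bytes(image: bytes, offset: int, logical_size: int, cluster: int = SECTOR) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster."""
    end = offset + logical_size
    cluster_end = offset + -(-logical_size // cluster) * cluster
    return image[end:cluster_end]


def build_sample_image() -> bytes:
    """Constructed image: one allocated JPEG with slack, one deleted note,
    one UTF-16 note. Nothing here comes from a real system."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xFF\xD9"
    residue = b"prior file fragment: password=s3cret\n"  # left in slack by an earlier file
    deleted_note = b"Transfer the funds to the offshore account before Friday.\n"
    win_note = "Offshore Account".encode("utf-16-le")
    img = bytearray(b"\x00" * SECTOR)                # sector 0: zeroed
    img += (jpeg + residue).ljust(SECTOR, b"\x00")   # allocated file + slack
    img += b"\x00" * SECTOR                          # unallocated
    img += deleted_note.ljust(SECTOR, b"\x00")       # deleted file's data still on disk
    img += win_note.ljust(SECTOR, b"\x00")           # UTF-16 text from a Windows app
    return bytes(img)
```

A plain ASCII grep would miss the UTF-16 note entirely, which is the usual reason a keyword search on a Windows image comes back empty; the carved JPEG is found even though no directory entry points at it, and the slack behind it still holds data from whatever file occupied that cluster earlier.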
-
Forensics Process
Preparation
Protection
Imaging
Examination
Documentation
-
Preparation
Confirm the authority to conduct analysis/search of the media.
Verify the purpose of the analysis and the clearly defined desired results.
Ensure that sterile media is available and utilized for imaging (i.e. free of viruses and non-essential files, and verified before use).
Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.
-
Legal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 614 (1989).
Consult with your Legal Counsel
-
Protection
Protect the integrity of the evidence.
Maintain control until final disposition.
Prior to booting the target computer, DISCONNECT the HDD and verify the CMOS settings (boot order).
When booting a machine for analysis, utilize HD lock (write-blocking) software.
-
Typical CBD Files
-
Imaging
Utilize disk imaging software to make an exact image of the target media. Verify the image.
When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
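The Preparation, Protection and Imaging steps above fit together as one procedure, so here is an added example (not from the slides) that carries it through in Python: check that the destination medium is sterile (all zeros) before use, read the source read-only and hash it while copying, then re-read the written image independently and compare digests. Ordinary temporary files stand in for the target drive and the destination medium; on real hardware a write blocker sits between the examiner and the target, which this code does not replace.

```python
"""Added example: verified acquisition of a source into sterile destination storage."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def is_sterile(path: str) -> bool:
    """Sterile media check: every byte on the destination is zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def sha256_of(path: str, length=None) -> str:
    """SHA-256 of a whole file, or of its first `length` bytes."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK if remaining is None else min(CHUNK, remaining)):
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def image_media(source: str, dest: str) -> dict:
    """Copy source -> dest bit for bit, hashing the source as it is read, then
    hash the written image by re-reading it and compare the two digests."""
    if not is_sterile(dest):
        raise RuntimeError("destination medium is not sterile; wipe and verify it first")
    src_hash, copied = hashlib.sha256(), 0
    with open(source, "rb") as s, open(dest, "r+b") as d:  # source opened read-only
        while chunk := s.read(CHUNK):
            src_hash.update(chunk)
            d.write(chunk)
            copied += len(chunk)
        d.flush()
        os.fsync(d.fileno())
    img_hash = sha256_of(dest, copied)  # independent re-read of what was written
    return {"bytes": copied, "source_sha256": src_hash.hexdigest(),
            "image_sha256": img_hash, "verified": src_hash.hexdigest() == img_hash}


def demo_acquisition(source_size: int = 3 * CHUNK + 123, dest_size: int = 8 * CHUNK,
                     dirty_dest: bool = False) -> dict:
    """Run an acquisition on temporary files: a pseudo-random 'target drive' and a
    larger destination that is zero-filled (sterile) or, if dirty_dest, not wiped."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "target.bin")
        dst = os.path.join(tmp, "image.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(source_size))
        with open(dst, "wb") as f:
            f.write((b"\xFF" if dirty_dest else b"\x00") * dest_size)
        try:
            return image_media(src, dst)
        except RuntimeError as e:
            return {"error": str(e)}
```

The two digests in the result are what goes into the evidence documentation; a later examiner who restores the image can recompute the image digest and show the chain is unbroken. Note that the verification re-reads the image from disk after fsync rather than trusting the bytes that were handed to write(), so a failing destination shows up as a mismatch instead of a silently corrupt image.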
-
Imaging Software
-
Examination
The Operating System
Services
Applications/processes
Hardware
LOGFILES!
System, Security, and Application
File System
-
Examination Continued
Deleted/Hidden Files/NTFS Streams
Software
Encryption Software
Published Shares/Permissions
Password Files
-
Off-Site Storage
FTP Links
FTP Logs
Shares on internal networks
-
Documentation
Document EVERYTHING
Reason for Examination
The Scene
Utilize screen capture / copy suspected files
All apps used for analysis / apps on the examined system
-
Closing
Forensic techniques are based on the file system of the media to be examined.