Chapter 3: Computer Forensics
Computer Forensics
Computer forensics is the process of applying scientific and analytical techniques to computer operating systems and file structures in order to identify and preserve potential legal evidence.
It is the practice of lawfully establishing evidence and facts: the science of recovering legal evidence found in computers and in digital storage media.
Subdivisions:
- Disk forensics
- Network forensics
- Mobile forensics
Role of the Computer Forensic Investigator
Evidence Collection and Chain of Custody
Who: Who handled the evidence?
What: What procedures were performed on the evidence?
When: When was the evidence collected and/or transferred to another party?
Where: Where was the evidence collected and stored?
How: How was the evidence collected and stored?
Why: For what purpose was the evidence collected?
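A tamper-evident way to record those six questions for every handling step, as an added Python example that is not part of the original slides: each entry is sealed with SHA-256 and carries the seal of the previous entry, so a retroactive edit, insertion or deletion of an earlier entry breaks the chain. The case identifier, names, timestamps, tag number and evidence digest are constructed for illustration.

```python
"""Added example (not from the slide deck): a hash-chained chain-of-custody log.
Every value below (case id, names, times, evidence digest) is constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List

GENESIS = "0" * 64  # link value used by the first entry


@dataclass
class CustodyEntry:
    who: str
    what: str
    when: str              # ISO-8601 timestamp, UTC
    where: str
    how: str
    why: str
    evidence_sha256: str   # digest of the evidence item as handled in this step
    prev_entry_sha256: str = GENESIS
    entry_sha256: str = field(default="", compare=False)

    def payload(self) -> str:
        """Canonical JSON of every field except the seal itself."""
        d = asdict(self)
        d.pop("entry_sha256")
        return json.dumps(d, sort_keys=True)

    def seal(self) -> CustodyEntry:
        self.entry_sha256 = hashlib.sha256(self.payload().encode("utf-8")).hexdigest()
        return self


class CustodyLog:
    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries: List[CustodyEntry] = []

    def add(self, **fields) -> CustodyEntry:
        prev = self.entries[-1].entry_sha256 if self.entries else GENESIS
        entry = CustodyEntry(prev_entry_sha256=prev, **fields).seal()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems: List[str] = []
        prev = GENESIS
        item_hash = None
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if hashlib.sha256(e.payload().encode("utf-8")).hexdigest() != e.entry_sha256:
                problems.append(f"entry {i}: contents modified after sealing")
            if item_hash is None:
                item_hash = e.evidence_sha256
            elif e.evidence_sha256 != item_hash:
                problems.append(f"entry {i}: evidence hash changed while in custody")
            prev = e.entry_sha256
        return problems


def demo() -> dict:
    """Two custody steps for one (constructed) disk image, then a retroactive edit."""
    img = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # placeholder digest
    log = CustodyLog("CASE-001/ITEM-003 (laptop HDD image)")
    log.add(who="Examiner A", what="Bit-stream image acquired behind a write blocker",
            when="2024-05-02T09:14:00Z", where="Suspect office, desk 4",
            how="Hardware write blocker, dd", why="Search warrant 17/2024",
            evidence_sha256=img)
    log.add(who="Examiner A -> Custodian B", what="Transferred to evidence locker",
            when="2024-05-02T13:02:00Z", where="Forensics lab, locker 12",
            how="Sealed bag, tamper-evident tag 55821", why="Secure storage pending analysis",
            evidence_sha256=img)
    intact = log.verify()
    log.entries[0].who = "Examiner Z"   # someone rewrites history without re-sealing
    tampered = log.verify()
    return {"intact": intact, "tampered": tampered, "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The chain only proves internal consistency: if an attacker can re-seal every entry they can regenerate the whole log, so in practice the sealed entries are written to append-only or signed storage, or the latest seal is recorded on the paper custody form.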
Forensics process
Acquire data to be examined
Photographs
Make an image
Review of logical file structure
Review of unallocated space and file slack
Recover deleted data (if any)
Report
Expert testimony
Importance of Evidence
"Evidence" is anything the judge allows a jury to consider in reaching a verdict.
This can include the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts or sample equipment.
Source of Evidence
Slack, Free, Swap, Recycle Bin
Event Logs
Registry
Application files, temp files
Browser history and cache
Types of Forensics
Live Forensics:
- Recovery of volatile data
- Gathering system information
- Gathering USB device history
- System Explorer
- Imaging and cloning
Non-Live Forensics:
- Imaging
- Cloning
Post Acquisition Analysis Technologies:
- Mathematical authentication of data (hash)
- Virtualization
- Malware analysis
- Detection of obscene content
- Image ballistics
- Use of spyware (keyloggers) in investigations
- Digital evidence analysis
Forensic Imaging & Cloning
Select source medium
Select destination for the image file
Post Acquisition Analysis
Mathematical Authentication of Data
Select the algorithm
•The Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.
•It is advised that mathematical authentication of digital evidence be done using either SHA-1 or SHA-2.
•MD5 must not be used, as evidence authenticated with it may be unacceptable in a court of law: practical MD5 collisions have been public since 2004.
•Caveat: a practical SHA-1 collision was also demonstrated in 2017 (SHAttered), so SHA-2 (for example SHA-256) is the safer choice for new acquisitions; many tools record more than one digest so that older reports can still be cross-checked.
Mathematical authentication of digital evidence is achieved by using SHA-2.
Mathematical authentication of data: SHA-1 digests of sample inputs (the same input always gives the same digest; a change of case gives a completely different one)
Input    SHA-1 digest
Apple    476432a3e85a0aa21c23f5abd2975a89b6820d63
apple    d0be2dc421be4fcd0172e5afceea3970e2f3d940
Apple    476432a3e85a0aa21c23f5abd2975a89b6820d63
a        86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
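The imaging steps (select source medium, select destination for the image file) and the hash authentication above are tied together in the following Python example, added here and not part of the original slides. It recomputes the table's SHA-1 digests, then images a constructed temporary file standing in for the source medium while computing an acquisition hash, re-hashes the finished image as the verification hash, and finally flips one bit in the image to show that any later hash no longer matches. File names, the chunk size and the "CASE-001" test pattern are illustrative assumptions; only hashlib and the standard library are used.

```python
"""Added example (not from the slide deck): bit-stream imaging with acquisition
and verification hashes. The 'source medium' is a constructed temporary file."""
import hashlib
import os
import tempfile

# Digests from the slide's table, recomputed below rather than trusted.
SAMPLE_SHA1 = {
    "Apple": "476432a3e85a0aa21c23f5abd2975a89b6820d63",
    "apple": "d0be2dc421be4fcd0172e5afceea3970e2f3d940",
    "a": "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def verify_table() -> dict:
    """True for every table row whose digest recomputes correctly."""
    return {k: sha1_hex(k) == v for k, v in SAMPLE_SHA1.items()}


def hash_file(path: str, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream a file through hashlib so images larger than RAM can be hashed."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(src: str, dst: str, chunk: int = 4096) -> dict:
    """Copy src to dst block by block. The acquisition hash is computed over the
    bytes as they are read; the verification hash is computed by re-reading dst.
    An unreadable block is replaced by zeros and counted (as dd conv=noerror,sync
    does) so that offsets in the image stay aligned with the source."""
    acq = hashlib.sha256()
    bad_blocks = 0
    offset = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            try:
                block = fin.read(chunk)
            except OSError:
                block = b"\x00" * chunk
                bad_blocks += 1
                offset += chunk
                fin.seek(offset)          # skip past the bad block
            else:
                if not block:
                    break
                offset += len(block)
            acq.update(block)
            fout.write(block)
    verification = hash_file(dst, "sha256")
    return {
        "acquisition_sha256": acq.hexdigest(),
        "verification_sha256": verification,
        "bad_blocks": bad_blocks,
        "verified": acq.hexdigest() == verification,
    }


def demo() -> dict:
    """Image a constructed 10005-byte source, verify it, then tamper with the copy."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")          # stands in for /dev/sdX
        dst = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:                   # constructed content, not a real disk
            f.write(bytes(range(256)) * 39 + b"CASE-001 test pattern")
        result = acquire_image(src, dst)
        result["source_sha256"] = hash_file(src)
        with open(dst, "r+b") as f:                  # flip one bit at offset 1000
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0x01]))
        result["tampered_sha256"] = hash_file(dst)
        result["table"] = verify_table()
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both digests are written into the acquisition report; the verification hash is recomputed from the image before every later examination, and a mismatch means the image, not the original medium, has changed since acquisition.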
Mathematical Authentication of Data (online hashing tool: www.crypo.com)
Virtualization
Life Cycle of Computer Evidence
Create -> Capture -> Preserve -> Collect -> Process -> Review -> Produce -> Destroy
Evidence Life Cycle Management (diagram): Document Creation -> Preservation Obligation -> Document Production Request, supported by Enterprise Repositories, Document Management, an Evidence Repository and Electronic Discovery Services
Evidence Rule
Admissible
Reliable
Authentic
Complete (no tunnel vision)
Believable
Types of Evidence
Direct Evidence
Real Evidence
Documentary Evidence
Demonstrative Evidence
Computer Evidence Processing Guidelines
Pull the Plug (caveat: this preserves the disk contents but destroys volatile data such as RAM, running processes, open network connections and the keys of any mounted encrypted volumes; where live forensics is in scope, capture volatile data before powering off)
Document the Hardware Configuration of the System
Transport the Computer System to a Secure Location (Forensics Lab)
Make Bit-Stream Backups of Hard Disks and Floppy Disks
Mathematically Authenticate Data on All Storage Devices (Hash)
Document the System Date and Time
Make a List of Key Search Words
Evaluate the Windows Swap File
Evaluate File Slack
Evaluate Unallocated Space (Erased Files)
Search Files, File Slack and Unallocated Space for Key Words
Document File Names, Dates and Times
Identify File, Program and Storage Anomalies
Evaluate Program Functionality
Document Your Findings
Retain Copies of Software Used
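The steps "Make a List of Key Search Words" and "Search Files, File Slack and Unallocated Space for Key Words" are illustrated by the following Python example, added here and not part of the original slides. It scans a raw image byte by byte rather than through the file system, so hits in slack and unallocated space are reported with their image offsets alongside hits in live files. Because Windows artefacts frequently store text as UTF-16LE, every keyword is searched in both ASCII and UTF-16LE, and the image is read in overlapping chunks so a hit that straddles a chunk boundary is not missed. The 200-byte image, its contents and the keyword list are constructed for illustration; a real run would pass an open image file and a megabyte-scale chunk.

```python
"""Added example (not from the slide deck): keyword search over a raw image,
ASCII and UTF-16LE, with chunk overlap. The image below is constructed."""
import io
import re
from typing import BinaryIO, Iterable, List, Tuple

Hit = Tuple[int, str, str]  # (byte offset in image, keyword, encoding)


def build_patterns(keywords: Iterable[str]):
    """One compiled pattern per keyword per encoding. IGNORECASE on a bytes
    pattern folds ASCII letters only, which is what both encodings need here."""
    pats = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.encode(enc)
            pats.append((kw, enc, len(needle), re.compile(re.escape(needle), re.IGNORECASE)))
    return pats


def search_image(img: BinaryIO, keywords: Iterable[str], chunk: int = 1 << 20) -> List[Hit]:
    """Scan every byte of img. Each window is the tail of the previous window
    (longest needle minus one byte) plus the next chunk, so a match crossing a
    chunk boundary is found; matches ending inside the tail were already reported."""
    pats = build_patterns(keywords)
    overlap = max(n for _, _, n, _ in pats) - 1
    hits: List[Hit] = []
    tail = b""
    base = 0                                  # absolute image offset of window[0]
    while True:
        data = img.read(chunk)
        if not data:
            break
        window = tail + data
        for kw, enc, _, pat in pats:
            for m in pat.finditer(window):
                if m.end() > len(tail):       # new in this window
                    hits.append((base + m.start(), kw, enc))
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def demo() -> List[Hit]:
    """Constructed 200-byte 'image': live-file text at 10 and 100, a UTF-16LE
    string at 60 that straddles the deliberately tiny 64-byte chunk boundary,
    and a word left behind in otherwise zeroed (unallocated) space at 130."""
    image = bytearray(200)
    image[10:22] = b"Invoice 2024"
    u = "payroll".encode("utf-16-le")
    image[60:60 + len(u)] = u
    image[100:112] = b"invoice.docx"
    image[130:136] = b"secret"
    return search_image(io.BytesIO(bytes(image)), ["invoice", "payroll", "secret"], chunk=64)


if __name__ == "__main__":
    for offset, kw, enc in demo():
        print(f"0x{offset:08x}  {kw!r:12} {enc}")
```

Each hit's offset is what goes into the report: the examiner maps it back to a file (or to slack or unallocated clusters) with the file-system layout, and the offset lets a reviewer reproduce the finding on the verified image.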
Incident Response
A sound response to a computer security incident:
Confirms or dispels whether an incident occurred
Promotes accumulation of accurate information
Establishes controls for proper retrieval and handling of evidence
Protects privacy rights established by law and policy
Minimizes disruption to business and network operations
Why forensics?
Allows for criminal or civil action against perpetrators
Provides accurate reports and useful recommendations
Provides rapid detection and containment
Minimizes exposure and compromise of proprietary data
Protects your organization's reputation and assets
Educates senior management
Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)
Cyber Crime Investigation Lifecycle
Incident Awareness / Consultation
Preliminary Analysis
Image Acquisition / Recovery
Detailed Analysis
Containment
Preliminary / Final Report
Presentation: Expert Witness Testimony, Deposition / Affidavit
Prevention: Prevention Technologies, Improved Processes, New Security Policies, Improved Configurations