COS/PSA 413 Day 5

Post on 21-Dec-2015


Page 1: COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 26 @ 3:35 PM Assignment 3 posted –Due September 26 @ 3:35 PM Quiz 1 on September

COS/PSA 413

Day 5


Agenda

• Questions?
• Assignment 2 Redo
  – Due September 26 @ 3:35 PM
• Assignment 3 posted
  – Due September 26 @ 3:35 PM
• Quiz 1 on September 30
  – Chaps 1-5, Open book, Open notes
  – 20 M/C and 5 essays
• Lab 1 corrected
  – 2 B’s, 6 C’s and 1 F
  – RTDQ!
• Lab 2 write-ups due
• Finish discussion: Processing Crime and Incident Scenes
• Lab 3 in N105
  – Hands-on project 5-4 and 5-5
  – Follow instructions in


Lab 1

• 2-1
  – File listing, contents & memo
  – Just the facts >> no bias and no conclusions
• 2-2
  – Memo
  – 25 clusters hits
• 2-3
  – Memo
    • 4 files, 30 clusters for BOOK
    • 1 image file's name and where found
• 2-4
  – File listing
• 2-5
  – ProDiscover report with “deleted and file type”
• 2-6
  – ProDiscover report with proper comments
  – 3 files with the 3 words (one file each)

Guide to Computer Forensics and Investigations 3


Reviewing Background Information for a Case

• Company called Superior Bicycles
  – Specializes in creating new and inventive modes of human-driven transportation

• Two employees, Chris Murphy and Nau Tjeriko, have been missing for several days

• A USB thumb drive has been recovered from Chris’s office with evidence that he had been conducting a side business using company computers


Identifying the Case Requirements

• Identify requirements such as:
  – Nature of the case
  – Suspect’s name
  – Suspect’s activity
  – Suspect’s hardware and software specifications


Planning Your Investigation

• List what you can assume or know
  – Several incidents may or may not be related
  – Suspect’s computer can contain information about the case
  – If someone else has used suspect’s computer

• Make an image of suspect’s computer disk drive

• Analyze forensics copy

• \\Wallagrass\Software for N105 lab\COS413 Software\Chap05\InChap05


Conducting the Investigation: Acquiring Evidence with AccessData FTK

• Functions
  – Extract the image from a bit-stream image file
  – Analyze the image


Conducting the Investigation: Acquiring Evidence with AccessData FTK (continued)


Summary

• Digital evidence is anything stored or transmitted on electronic or optical media

• Private sector
  – Contained and controlled area

• Publish right to inspect computer assets policy

• Private and public sectors follow same computing investigation rules

• Criminal cases
  – Require warrants


Summary (continued)

• Protect your safety and health as well as the integrity of the evidence

• Follow guidelines when processing an incident or crime scene
  – Security perimeter
  – Video recording

• As you collect digital evidence, guard against physically destroying or contaminating it

• Forensic hash values verify that data or storage media have not been altered


Summary (continued)

• To analyze computer forensics data, learn to use more than one vendor tool

• You must handle all evidence the same way every time you handle it

• After you determine that an incident scene has digital evidence, identify the digital information or artifacts that can be used as evidence