Volonino-ComputerForensics

07/02/22 PHIT 2005 1 Computer Forensics & Electronic Evidence Reconstructing what happened

Upload: ankita

Post on 18-Nov-2014

Page 1: Volonino-ComputerForensics

04/08/23 PHIT 2005 1

Computer Forensics & Electronic Evidence Reconstructing what happened

Page 2: Volonino-ComputerForensics

Issues to think about…

What’s Electronic Evidence (e-evidence) …& why is it important?

What’s Computer Forensics …& why is it growing so fast?

Where’s the crime scene?

What’s on your PC, PDA, cell, GPS, camera, …& what could they reveal?

Page 3: Volonino-ComputerForensics

More issues to think about…

Enrollment in comp sci, info systems, & IT

Demand for CF & network intrusion (NI) investigators

Gov’t, accounting, & IT sectors need CF & NI investigators (outsourcing to other countries—no)

Pren-Hall will be offering a full series of books to help launch & support your InfoSec/CF program

Steal back students from digital media program

Page 4: Volonino-ComputerForensics

What’s Electronic Evidence …& why is it important?

Page 5: Volonino-ComputerForensics

1st: Why is Evidence important?

In the legal world, evidence is everything & the only thing.

Evidence is used to establish facts.

Evidence must be admissible in court or legal action.

To be admissible, the investigator must follow proper procedure: document how each item was acquired, preserve the original unchanged, and keep a chain of custody showing who handled it and when.

Page 6: Volonino-ComputerForensics

E-evidence: Today's fingerprint & smoking gun

Zacarias Moussaoui, often called the "20th hijacker" of the 9/11 terrorist attacks against the U.S.: his laptop, 4 computers, and several email accounts ([email protected]) were searched for e-evidence. http://www.cnn.com/2002/LAW/09/04/moussaoui.computer/index.html

FBI discovered that the 19 hijackers used Kinko's computers in various cities to gain access to the Internet to plan 9/11.

Zacarias Moussaoui passing through a London airport. [BBC]

Page 7: Volonino-ComputerForensics

11-digit computer code cracks the case

It was neither a fingerprint nor physical evidence that led authorities to the woman suspected of strangling a mother-to-be & kidnapping her unborn baby. It was IP address 65.150.168.223.

Within hours of the killing of Bobbie Jo Stinnett at her home, investigators searched her PC to find her killer.

Police zeroed in on Lisa Montgomery by searching computer records, examining online message boards and by tracing an IP address to a computer at her home.

The IP address led the FBI to her home. Note that an IP address identifies a subscriber's connection at a given time, not a street address; the trace runs through the ISP's records of who held that address when the messages were sent.

By analyzing e-evidence on the victim’s PC, authorities cracked the case in a matter of hours & rescued the premature baby.

http://www.cnn.com/2004/US/12/18/fetus.found.alive/ http://www.eventhelix.com/RealtimeMantra/Networking/ip_routing.htm

Page 8: Volonino-ComputerForensics

Crime Investigations

Crime investigations are searches for evidence—& e-evidence—to trace & reconstruct what happened.

Digital profiling of crime suspects to trace who did what when.

Data stored on or created by hard-drives, email systems, cellular and handheld devices, or even TiVo reveal a lot about a person and tell a lot about that person’s friends, family, co-workers…

Page 9: Volonino-ComputerForensics

What is CyberCrime?

A crime that involves computers, digital devices, or the Internet. A computer is:

• the target of an attack
• the tool used in an attack
• used to communicate or store data related to criminal activity

Page 10: Volonino-ComputerForensics

Computer Crime

Easy to commit—too many vulnerable systems & gullible people

Crime without punishment—too often

Lots of media sensationalism & public apathy

Leaves digital trails

Page 11: Volonino-ComputerForensics

Types of Cyber Crime

• Unauthorized Access
• Denial of Service
• Extortion
• Theft
• Sabotage
• Espionage
• Computer Fraud
• Embezzlement
• Copyright Violation
• Cyber terrorism
• Forgery and Counterfeiting
• Internet Fraud
• Spoofing or “Imposter Sites”
• SEC Fraud and Stock Manipulation
• Child Pornography
• Stalking & Harassment
• Credit Card Fraud & Skimming
• Identity theft
• Tsunami fraud

Page 12: Volonino-ComputerForensics

Technological progress is like an axe in the hands of a pathological criminal.

Page 13: Volonino-ComputerForensics

Issues to think about…

What’s Computer Forensics …& why is it growing so fast?

Page 14: Volonino-ComputerForensics

What is Computer Forensics?

A process of applying scientific & analytical techniques to computers, networks, digital devices, & files to discover or recover admissible evidence.

Page 15: Volonino-ComputerForensics

Who needs Computer Forensics?

• The Victim!
• Businesses and government
• Financial sector
• Law Enforcement
• Those involved in marital or employment disputes
• Anti-terrorist & National Security agencies
• Insurance Carriers
• Those in need of Data & Disaster Recovery

Page 16: Volonino-ComputerForensics

Issues to think about…

Where’s the crime scene?

Page 17: Volonino-ComputerForensics

Crime scene is where the evidence is

Information: 95% of information created & worked on is only in electronic form.

Communication: Erosion of traditional paper-based communication.

Access: Explosion of mobile, multi-purpose devices with web access.

Page 18: Volonino-ComputerForensics

Types of Computer Forensics

• Disk (data) Forensics
• Network Forensics
• Email Forensics
• Internet Forensics
• Portable Device Forensics (flash cards, PDAs, Blackberries, email, pagers, cell phones, IM devices, etc.)

Page 19: Volonino-ComputerForensics

Disk Forensics

Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media. Includes the recovery of hidden and deleted data. Acquisition means a bit-for-bit image of the media taken through a write blocker and verified by hash; all analysis is done on that copy, never on the original.
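The recovery of deleted data, and the "proper procedure" point from slide 5, as an added example (not code from the original slides). Deleting a file removes its directory entry, not its bytes, so a carver that scans for known file signatures in a raw image finds files the filesystem no longer lists. The image, the PNG and the JPEG below are constructed byte strings, and the hash check stands in for the acquisition hash an examiner records in the case notes.

```python
import hashlib

# Constructed sample "disk image": two files whose directory entries are gone
# but whose bytes still sit in unallocated space. Not a real filesystem image.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_TRAILER = b"IEND\xaeB`\x82"      # IEND chunk type followed by its fixed CRC
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_TRAILER = b"\xff\xd9"

FAKE_PNG = PNG_HEADER + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + PNG_TRAILER
FAKE_JPEG = JPEG_HEADER + b"\xe0" + b"\x00" * 20 + JPEG_TRAILER

SIGNATURES = {
    "png": (PNG_HEADER, PNG_TRAILER),
    "jpeg": (JPEG_HEADER, JPEG_TRAILER),
}


def build_image():
    """Unallocated padding around the two 'deleted' files (constructed data)."""
    return b"\x00" * 64 + FAKE_PNG + b"\x00" * 32 + FAKE_JPEG + b"\x00" * 64


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def carve(image, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Header/trailer carving: every header hit is extended to the next matching
    trailer within max_len bytes. No filesystem metadata is consulted, which is
    why this still works after the file has been deleted. Returns a list of
    (type, byte offset, carved bytes) sorted by offset."""
    found = []
    for kind, (header, trailer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_len)
            if end == -1:
                # Trailer overwritten or outside max_len: skip this hit only.
                start = image.find(header, start + 1)
                continue
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def examine(image):
    """Analyse a working copy and prove it was not modified: hash before and
    after. In practice the image is acquired through a write blocker and both
    hashes go into the case notes (chain of custody)."""
    before = sha256(image)
    carved = carve(image)
    after = sha256(image)
    if before != after:
        raise RuntimeError("working copy changed during analysis")
    return before, carved


if __name__ == "__main__":
    img = build_image()
    digest, files = examine(img)
    print("image sha256:", digest)
    for kind, offset, data in files:
        print(f"{kind:5} at offset {offset:5d}, {len(data):3d} bytes, sha256 {sha256(data)}")
```

Real carvers add per-format validation (chunk lengths, CRCs) because a bare trailer search will happily glue a header to the wrong trailer when fragments of several files are interleaved; the hash-before/hash-after step is what lets the result be defended later.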

Page 20: Volonino-ComputerForensics

Network Forensics

Network forensics is the process of examining network traffic.

After-the-fact analysis of transaction logs

Real-time analysis via network monitoring
• Sniffers
• Real-time tracing
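After-the-fact analysis of transaction logs, as an added example (not from the original slides): parse web-server access log lines, normalize their timestamps to UTC so they can be correlated with other sources, rebuild a per-client timeline, and flag the brute-force-then-success login pattern. The log lines are constructed for the example, with addresses from documentation ranges; the `/login` path and the 401/302 status convention are assumptions about the sample application.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined"-format lines (addresses from documentation ranges,
# not captured from any real server). The last line is deliberately corrupt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2005:14:02:11 -0600] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:14:02:19 -0600] "POST /login HTTP/1.1" 401 212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:14:02:21 -0600] "POST /login HTTP/1.1" 401 212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:14:02:24 -0600] "POST /login HTTP/1.1" 401 212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:14:02:30 -0600] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2005:14:03:02 -0600] "GET /admin/export?all=1 HTTP/1.1" 200 58211 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2005:14:05:40 -0600] "GET /index.html HTTP/1.1" 200 3821 "-" "curl/7.15"
this line is corrupt and must not crash the parser
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(text):
    """Parse log lines into events with UTC timestamps. Returns (events, unparsed)."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)        # report, never silently drop evidence
            continue
        # Logs carry the server's local offset; normalize to UTC before correlating.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"ip": m["ip"], "time": ts, "method": m["method"],
                       "path": m["path"], "status": int(m["status"])})
    events.sort(key=lambda e: e["time"])
    return events, unparsed


def timeline_by_ip(events):
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    return dict(by_ip)


def find_login_compromise(events, window=timedelta(minutes=2), failures=3):
    """Flag an IP that fails POST /login at least `failures` times inside `window`
    and then succeeds: the classic brute-force-then-success pattern. Returns
    (ip, first failure time, success time) per hit."""
    hits = []
    for ip, evs in timeline_by_ip(events).items():
        recent_fail = []
        for e in evs:
            if e["method"] != "POST" or e["path"] != "/login":
                continue
            if e["status"] == 401:
                recent_fail.append(e["time"])
                recent_fail = [t for t in recent_fail if e["time"] - t <= window]
            elif e["status"] in (200, 302) and len(recent_fail) >= failures:
                hits.append((ip, recent_fail[0], e["time"]))
                recent_fail = []
    return hits


def activity_after(events, ip, since):
    """What did that client do after the flagged moment? (Scoping the intrusion.)"""
    return [(e["time"], e["method"], e["path"], e["status"])
            for e in events if e["ip"] == ip and e["time"] > since]


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {len(bad)} unparsed lines")
    for ip, first_fail, success in find_login_compromise(events):
        print(f"{ip}: failures from {first_fail:%Y-%m-%d %H:%M:%S}Z, success at {success:%H:%M:%S}Z")
        for t, method, path, status in activity_after(events, ip, success):
            print(f"   {t:%H:%M:%S}Z {method} {path} -> {status}")
```

Two habits matter more than the detection rule itself: keep a count of lines the parser could not read (a gap in the evidence is itself a finding), and convert every source to UTC before lining it up against firewall, mail or endpoint records.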

Page 21: Volonino-ComputerForensics

Email Forensics

Email forensics is the study of source and content of electronic mail as evidence: identifying the actual sender and recipient of a message, and the date/time it was sent. Often email is very incriminating. The From, To and Date lines are written by the sender and prove nothing on their own; the source is established from the Received headers added by the mail servers, of which only the ones added by servers you control are trustworthy.

Page 22: Volonino-ComputerForensics

Tracking down Email Evidence

Reading Email Headers http://www.stopspam.org/email/headers.html

How to Interpret Email Headers http://help.mindspring.com/docs/006/emailheaders/

How do I get my email program to reveal the full, unmodified email? http://www.spamcop.net/fom-serve/cache/19.html
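The header-reading procedure the two email slides describe, as an added example (not code from the slides or the linked pages): parse a raw message with Python's standard `email` module, read the Received headers bottom-up to recover the relay path and the originating IP, compare the envelope sender (Return-Path) with the displayed From, and check that the hop timestamps run forward. The message below is constructed; its hosts, addresses and IDs are invented, and the Received-header layout it assumes is the common "from X (rdns [ip]) by Y ...; date" form.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message: hosts, addresses and IDs are invented for the example.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Thu, 10 Mar 2005 14:02:11 -0600
Received: from relay.example.net (relay.example.net [198.51.100.5])
\tby mx1.example.org with ESMTP; Thu, 10 Mar 2005 14:02:09 -0600
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.example.net with SMTP; Thu, 10 Mar 2005 14:02:05 -0600
From: "Your Bank" <security@bank.example.com>
To: victim@example.org
Subject: Verify your account
Date: Thu, 10 Mar 2005 14:01:58 -0600
Message-ID: <20050310200158.1234@mailer.example.net>

Please click the link below.
"""

# One Received header: "from <helo> (<rdns> [<ip>]) by <server> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)"
)


def parse_received(value):
    """Split one Received header into its hop fields; None if it is unparseable."""
    flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    when = None
    if ";" in flat:
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "by": m["by"], "time": when}


def trace_path(raw):
    """Each relay prepends its own Received header, so the bottom one is the
    first hop. Reversing gives chronological order: origin first."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def originating_ip(raw):
    """The IP in the earliest hop. Caveat: only hops added by servers you
    control are trustworthy; a sender can forge any header below those."""
    hops = trace_path(raw)
    return hops[0]["ip"] if hops else None


def sender_mismatch(raw):
    """Envelope sender (Return-Path) vs. displayed From domain: a common tell
    that the From line was chosen to deceive the reader."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1]
    hdr = parseaddr(msg.get("From", ""))[1]
    return env.split("@")[-1].lower() != hdr.split("@")[-1].lower(), env, hdr


def clock_anomalies(raw):
    """Hops whose timestamp is earlier than the previous hop's: either clock
    skew on a relay or a header that was not really added in that order."""
    hops = [h for h in trace_path(raw) if h["time"] is not None]
    return [b["by"] for a, b in zip(hops, hops[1:]) if b["time"] < a["time"]]


if __name__ == "__main__":
    for n, hop in enumerate(trace_path(RAW_MESSAGE), 1):
        print(f"hop {n}: {hop['ip']} ({hop['rdns']}) -> {hop['by']} at {hop['time']}")
    print("originating IP:", originating_ip(RAW_MESSAGE))
    print("Return-Path/From domain mismatch:", sender_mismatch(RAW_MESSAGE))
    print("clock anomalies:", clock_anomalies(RAW_MESSAGE))
```

Start from the Received header added by your own mail server and work downward, stopping at the first hop you cannot corroborate with that server's logs; everything below it is the sender's claim, not evidence.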

Page 23: Volonino-ComputerForensics

Internet Forensics

Internet or Web forensics is the process of piecing together where and when a user has been on the Internet. E.g., Scott Peterson, Michael Jackson
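Piecing together where and when a user has been, as an added example (not from the original slides): browser history lives in a SQLite database, and the usual trap is the timestamp format. Chromium-family browsers record visit times as microseconds since 1601-01-01 UTC rather than Unix time, so a naive conversion puts every visit 369 years off. The database below is built in memory with constructed rows; its table and column names follow the Chromium History file but are reduced to the columns used here, which is an assumption of the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium-family browsers store visit times as microseconds since 1601-01-01 UTC
# (the same epoch as Windows FILETIME), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_IN_WEBKIT_US = 11_644_473_600 * 1_000_000   # 1970-01-01 in that scale
SAMPLE_T0 = datetime(2005, 3, 10, 20, 0, 0, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # timedelta // timedelta is exact integer division; float would lose precision here.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory database. Table and column names follow the
    Chromium History file (assumption: reduced to the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER);
    """)
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", [
        (1, "https://search.example.com/?q=rare+coins", "search", 1),
        (2, "https://forum.example.net/thread/4421", "Collectors forum", 1),
        (3, "https://maps.example.com/?q=meeting+point", "Map", 1),
    ])
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, datetime_to_webkit(SAMPLE_T0), 0),
        (2, 2, datetime_to_webkit(SAMPLE_T0 + timedelta(minutes=4)), 1),
        (3, 3, datetime_to_webkit(SAMPLE_T0 + timedelta(minutes=11)), 2),
    ])
    db.commit()
    return db


def timeline(db):
    """Every visit in chronological order, with the human-readable UTC time."""
    rows = db.execute("""
        SELECT v.id, v.visit_time, u.url, u.title, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [{"visit": vid, "time": webkit_to_datetime(ts), "url": url,
             "title": title, "from_visit": fv} for vid, ts, url, title, fv in rows]


def click_chain(db, visit_id):
    """Follow from_visit backwards to reconstruct how the user reached a page."""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:
        seen.add(visit_id)
        row = db.execute("""
            SELECT u.url, v.from_visit FROM visits v JOIN urls u ON u.id = v.url
            WHERE v.id = ?""", (visit_id,)).fetchone()
        if row is None:
            break
        chain.append(row[0])
        visit_id = row[1]
    return list(reversed(chain))


def visits_between(db, start, end):
    """Scope the timeline to the window of interest (both datetimes UTC, inclusive)."""
    rows = db.execute(
        "SELECT v.id FROM visits v WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time",
        (datetime_to_webkit(start), datetime_to_webkit(end))).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for e in timeline(db):
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}Z  visit {e['visit']}  {e['url']}  ({e['title']})")
    print("how the map page was reached:", " -> ".join(click_chain(db, 3)))
```

On a real system the History file is copied from the acquired image (never opened in place, since the browser holds a lock and may rewrite it), and the `from_visit` chain is what turns a list of URLs into a narrative of how the user got from a search to a particular page.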

Page 24: Volonino-ComputerForensics

Source Code Forensics

To determine software ownership or software liability issues. Review of actual source code. Examination of the entire development process, e.g., development procedures, documentation review, and review of source code revisions.

Page 25: Volonino-ComputerForensics

Issues to think about…

What’s on your PC, PDA, cell, GPS, camera, …& what could they reveal?

Page 26: Volonino-ComputerForensics

Self-Evaluation

If your email, cellular devices, voice-mail, digital camera, faxes, or files were subject to search & discovery, do you think there’d be any incriminating evidence that you broke a law?

Page 27: Volonino-ComputerForensics

The Future of Computer Forensics

Computer forensics is now part of criminal investigations.

Crimes & methods to hide crimes are becoming more sophisticated.

Computer forensics will be in demand for as long as there are criminals and misbehaving people.

Will attract students and law professionals who need to update their skills.