Introduction To Computer Forensics
Michael Sonntag
Digital evidence is
Stored in computers: Disks, memory, …
» Not: Printouts, fingerprints on CD-ROMs etc.
Being transmitted between computers: (W)LAN, E-Mails, …
» Not: Voice telephone communication (but …!) etc.
Analogue evidence:
Fingerprints, fibres, body fluids, physically damaged disk, …
Evidence requires interpretation.
What does it mean that this bit is “0”?
An E-Mail header exists: Who added it? What does it mean?
Requires a lot of tools: Are they working correctly?
How many steps of interpretation are necessary?
How reliable is the interpretation?
We will talk only about digital evidence in this course!
Michael Sonntag Introduction to Computer Forensics 8
Legal considerations
Identity theft
Personal information: Name, address, credit card, …
Communication: Especially copies of other persons' communication,
traces of obtaining/buying information online
Software: Generators (names, credit card numbers), imaging
(scanner, photo modification)
Images: Certificates, forms, signatures
Documents: Forms, letters, orders, …
Electronic signatures
Internet activity: Cache, logs, searches
Copyright
Software: P2P, CD/DVD-burning, encryption, recoding, key
generators, cracks
Documents: Serial numbers, authorization information
Internet activity: Cache, logs, searches, cookies
Images: Covers, license forms
Communication information: E-Mail, chat
Accounts: Web-Sites, FTP, shops
Date and time stamps
Methods of documentation
Pen & paper: For non-electronic actions
» Disk is duplicated, computer is unplugged, …
Other “analogue” documentation: Photos, audio commentary
» Might be digital today, but are not the action itself
Electronic log: If possible, e.g. a record of all commands
issued during the investigation
» Depends on the system/software used
Chain of custody: Important for the documentation too!
Pen & paper: Number pages, don’t leave pages partly empty, sign
every page, separate signature for “end of document”
Digital documentation: Photos, audio logs, … should contain
metadata (e.g. time and serial number of camera) if possible
The “script” command (*nix) copies all terminal input and output to a file
Note: Only plain, line-oriented text commands are logged legibly
» E.g. “vi” and other full-screen programs will not be represented correctly (the log then contains raw terminal control sequences)!
End with Ctrl+D (or “exit”)
Example: “script -f log.txt”
Script started on Tue 05 Jul 2011 01:24:13 PM CEST
[root@mail backup]# date
Tue Jul 5 13:24:18 CEST 2011
[root@mail backup]# ls -al
total 36
drwxr-xr-x 3 root root 4096 Jul 5 13:24 .
drwxr-xr-x 25 root root 12288 May 17 21:49 ..
drwxr-xr-x 5 root root 4096 Jul 5 04:06 db
-rw-r--r-- 1 root root 0 Jul 5 13:24 log.txt
[root@mail backup]# exit
exit
Script done on Tue 05 Jul 2011 01:24:32 PM CEST
Don’t forget: Hash value, read-only, store on other disk, …!
Documenting the time/time difference
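Added example, not part of the original slides: a POSIX shell helper for the last steps of the “script” slide above (hash the finished log, store the hash beside it, make both read-only) and for documenting the clock offset of the examined system against a trusted reference clock, which is what this slide is about. The function names (seal_log, verify_log, clock_offset, describe_offset, to_reference_time) are my own; the code assumes a POSIX shell and that one of sha256sum, shasum or openssl is installed. The reference time is something the investigator reads from a trusted clock and types in; here it is passed as Unix epoch seconds.

```sh
#!/bin/sh
# Added example, not from the original slides: seal a finished "script" log
# (hash, hash file, read-only) and document the clock offset of the examined
# system. Assumes a POSIX shell and sha256sum, shasum or openssl on the PATH.

# SHA-256 of a file, using whichever hashing tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Seal a log once "script" has finished: store its SHA-256 and the sealing
# time in <log>.sha256, make both files read-only, and print the hash so it
# can be copied into the pen & paper documentation as well.
seal_log() {
    _log="$1"
    _hash=$(sha256_of "$_log")
    printf '%s  %s\nsealed (UTC): %s\n' "$_hash" "$_log" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$_log.sha256"
    chmod 444 "$_log" "$_log.sha256"
    printf '%s\n' "$_hash"
}

# Re-hash a sealed log and compare against the stored value (exit 0 = intact).
verify_log() {
    _stored=$(head -n 1 "$1.sha256" | cut -d' ' -f1)
    [ -n "$_stored" ] && [ "$_stored" = "$(sha256_of "$1")" ]
}

# Clock offset in seconds: the examined system's clock minus a trusted
# reference clock, both as Unix epoch seconds read at the same moment.
# Positive means the system clock runs ahead of the reference.
clock_offset() {
    echo $(( $1 - $2 ))
}

# Human-readable form of an offset for the written documentation.
describe_offset() {
    if [ "$1" -gt 0 ]; then
        echo "system clock $1 s ahead of reference"
    elif [ "$1" -lt 0 ]; then
        echo "system clock $(( 0 - $1 )) s behind reference"
    else
        echo "system clock in sync with reference"
    fi
}

# Map a timestamp taken from the examined system (epoch seconds) to
# reference time by subtracting the documented offset.
to_reference_time() {
    echo $(( $1 - $2 ))
}

# Usage during an investigation (not executed here):
#   script -f log.txt                # work; end with exit or Ctrl+D
#   off=$(clock_offset "$(date -u +%s)" "$reference_epoch")
#   describe_offset "$off" >> notes.txt
#   seal_log log.txt                 # then copy log.txt and log.txt.sha256
#                                    # to another disk
```

Note that chmod 444 and a hash file on the same disk are a trip wire, not a protection: anyone with write access to the directory can replace both. The hash printed by seal_log therefore also belongs in the signed paper notes, and the log plus its .sha256 file should be copied to a separate medium, as the slide says. Recording the offset once is only a snapshot; for long-running cases take a second measurement later to see whether the clock also drifts.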
© Michael Sonntag 2012