Computer Security Professionals and IT Personnel

This document discusses computer forensics and the EnCase forensic software. It provides information on important factors in forensic investigations such as documentation, chain of custody, and avoiding changing data. It describes common forensic tools including EnCase which can acquire, analyze, examine, and create duplicates of digital evidence while verifying accuracy. The document outlines how EnCase supports various operating systems and devices. It also discusses how to perform searches, bookmark evidence, and view deleted files in EnCase as well as educational and certification requirements to work in computer forensics.

Uploaded by Faim Hasan
Copyright © All Rights Reserved

Computer Security Professionals and IT Personnel
• Network traffic
• Compromised networks
• Insider threats
• Disloyal employees
• Malware
• Breach of contracts
• E-mail Fraud/Spam
• Theft of company documents
Important Factors
• Legal procedures
• Not compromising evidence
• Treat every piece of evidence as if it will be used in court
• Documentation*
• Chain of Custody
• Write blockers
• Imaging
• Bit by bit copy of a piece of electronic media (Hard drive)
What Should be Avoided During an Investigation?
• Changing data
• Changing time or date stamps
• Changing files
• Overwriting unallocated disk space
• This can happen when rebooting
• Verify hash values of images
Computer Forensic Tools
• Parse through the created image
• Built-in system parser
• Rebuilds both active and deleted files
• Open source
• Commercial sources
Common Computer Forensic Software
• ArcSight Logger
• Netwitness Investigator
• Quest Change Auditor
• Cellebrite
• Physical Analyzer
• Lantern
• AccessData’s Forensic Toolkit (FTK)
• EnCase Cybersecurity
• EnCase eDiscovery
• EnCase Portable
• EnCase Forensic*
EnCase Forensic
• Acquisition
• Reporting
• EnScript:
• Scripting facility
• Various APIs for interacting with evidence
• Collect, Analyze and examine data
• Deleted files
• Unallocated space
• File slack
• Duplicates of original data (Imaging)
• Accuracy can be verified by hash and Cyclic Redundancy Check values
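The imaging and verification steps named in the "Important Factors", "What Should be Avoided" and "EnCase Forensic" slides (write blocker, bit-by-bit copy, hash and CRC check of the image) as one worked example. This is added illustration code, not part of the original presentation and not EnCase's own code: the media is a constructed byte string, `WriteBlockedMedia` is a software stand-in for a hardware write blocker, and the hash record is a minimal in-memory stand-in for the acquisition log an examiner would keep with the chain-of-custody paperwork.

```python
import hashlib
import io
import zlib

BLOCK = 4096  # copy in fixed-size blocks, the way an imager walks sectors

# Constructed stand-in for a piece of electronic media (not a real disk layout):
# a boot-record-like header, one live file, a deleted-file remnant in
# unallocated space, and zero-filled free space.
SAMPLE_MEDIA = (
    b"EXAMPLE-BOOT-RECORD\x00" * 4
    + b"[file] invoice_2024.txt: total 4,200 USD\x00"
    + b"[unallocated] deleted: contract draft v2\x00"
    + bytes(512)
)


class WriteBlockedMedia:
    """Software stand-in for a hardware write blocker: reads succeed, writes raise."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)

    def read(self, n=-1):
        return self._buf.read(n)

    def write(self, _chunk):
        raise PermissionError("write blocked: evidence media is read-only")


class RunningHashes:
    """MD5, SHA-256 and CRC32 accumulated over the bytes passed to update()."""

    def __init__(self):
        self.md5 = hashlib.md5()
        self.sha256 = hashlib.sha256()
        self.crc = 0
        self.size = 0

    def update(self, chunk):
        self.md5.update(chunk)
        self.sha256.update(chunk)
        self.crc = zlib.crc32(chunk, self.crc)  # chained CRC equals the CRC of the whole
        self.size += len(chunk)

    def record(self):
        return {
            "size": self.size,
            "md5": self.md5.hexdigest(),
            "sha256": self.sha256.hexdigest(),
            "crc32": f"{self.crc:08x}",
        }


def hash_bytes(data, block=BLOCK):
    """Hash a byte string block by block (used to re-verify an image or the original media)."""
    hashes = RunningHashes()
    for start in range(0, len(data), block):
        hashes.update(data[start:start + block])
    return hashes.record()


def acquire_image(source, block=BLOCK):
    """Bit-by-bit copy of `source` into an in-memory image.

    Hashes are taken from each block as it is copied, so the returned record
    describes exactly the bytes that went into the image. The source is only read.
    """
    image = io.BytesIO()
    hashes = RunningHashes()
    for chunk in iter(lambda: source.read(block), b""):
        image.write(chunk)
        hashes.update(chunk)
    return image.getvalue(), hashes.record()


def verify_image(data, record):
    """True when every stored value (size, MD5, SHA-256, CRC32) matches `data`."""
    return hash_bytes(data) == record


def is_write_blocked(media):
    """Check that an attempt to write to the evidence media is refused."""
    try:
        media.write(b"x")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    media = WriteBlockedMedia(SAMPLE_MEDIA)
    image, record = acquire_image(media)
    print("acquired", record["size"], "bytes; md5", record["md5"])
    print("image verifies:", verify_image(image, record))
    print("original media matches image:", verify_image(SAMPLE_MEDIA, record))
    tampered = bytearray(image)
    tampered[100] ^= 0x01  # flip one bit, as an accidental write would
    print("tampered image verifies:", verify_image(bytes(tampered), record))
```

The hash of the original media and the hash of the image are compared against the same record; a single flipped bit (the kind of change an unblocked reboot can cause) fails all three checks, which is why the record is taken at acquisition time and never recomputed from a later copy.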
EnCase Forensic
• Many operating systems
• Windows
• Linux
• Apple iOS
• Sun/Oracle Solaris
• Supported smartphones
• Recommended to run on the Windows 7 (64-bit) operating system
EnCase Forensic
[Screenshot slides: File Signatures; EnCase Gallery; EnCase Document View]
Perform a Search
• Raw Search
• A keyword search that scans the entire drive for a match
• Slow process on larger drives
• Indexed Search
• A search that requires the drive to be indexed
• Indexing can take a long time
• Searches are instantaneous
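The raw-versus-indexed trade-off from the "Perform a Search" slide as a worked example. This is added illustration code, not part of the original presentation and not EnCase's own search implementation: `DRIVE` is a constructed byte string standing in for a drive image, the index is a plain token-to-offset dictionary, and the tokenizer is an assumption chosen to show the one practical caveat the slide leaves implicit, namely that an index finds whole tokens while a raw search also matches a keyword embedded in other data.

```python
import re
from collections import defaultdict

# Constructed stand-in for a drive image: a few "files", the remnant of a
# deleted document in unallocated space, and a fragment in file slack.
DRIVE = (
    b"[file:report.txt] Quarterly invoice numbers: INV-2291 INV-2292\x00\x00"
    b"[file:notes.txt] meeting with acme about the merger\x00\x00"
    b"[unallocated] deleted draft: secret merger terms\x00\x00"
    b"[slack] partialmergerfragment\x00"
)

TOKEN = re.compile(rb"[A-Za-z0-9-]+")  # assumed tokenizer for the toy index


def raw_search(drive, keyword):
    """Scan every byte of the drive for `keyword` (case-insensitive).

    Work grows with drive size, and the whole scan repeats for every new keyword.
    """
    pattern = re.compile(re.escape(keyword.encode()), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(drive)]


def build_index(drive):
    """One pass over the whole drive: map each lower-cased token to its offsets.

    This is the slow step; afterwards each lookup is a dictionary access.
    """
    index = defaultdict(list)
    for m in TOKEN.finditer(drive):
        index[m.group().lower()].append(m.start())
    return dict(index)


def indexed_search(index, keyword):
    """Instantaneous lookup, but only whole tokens are findable."""
    return index.get(keyword.lower().encode(), [])


def compare(drive, keywords):
    """Hit counts per keyword for both methods, to show where they disagree."""
    index = build_index(drive)
    return {
        k: (len(raw_search(drive, k)), len(indexed_search(index, k)))
        for k in keywords
    }


if __name__ == "__main__":
    for kw, (raw, idx) in compare(DRIVE, ["merger", "INV-2291", "acme"]).items():
        print(f"{kw:10} raw={raw} indexed={idx}")
```

For "merger" the raw scan reports three hits and the index two: the fragment in slack space (`partialmergerfragment`) is a single token, so the index never maps it to "merger". When a keyword may appear inside binary data, file slack or concatenated text, a raw search over the regions of interest is still needed even after indexing.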
Bookmark Specific Evidence
• Bookmark Findings
• Raw Text Bookmarks
• Data Structure Bookmarks
• Notable File Bookmarks
• Multiple Notable File Bookmarks
• Note Bookmarks
• Table Bookmarks
• Transcript Bookmarks
[Screenshot slides: Indexed Search; Bookmark Screen; Deleted Files]
How to get Started
• Step 1: Obtain a degree
• Today a bachelor's degree is favored
• The FBI prefers a different academic degree over one in computer forensics
• Step 2: Get Certified
• EnCase Certified Examiner (EnCE)
• Certified Computer Forensics Examiner (CCFE)
• Certified Computer Examiner (CCE)
• Some states require a Private Investigator License
• Step 3: Find a Job
• Law Enforcement (Local, State, Federal)
• Homeland Security offices, the NSA and the FBI have a growing need for examiners
• Military
• Private Firms
• IT/Security Professions
Conclusion
• Computer Forensics helps determine the WHO, WHAT, WHEN, and WHERE related to a computer-based crime or violation.
• Who uses Computer Forensics
• Situations to use Computer Forensics
• Computer Forensic Software
• Dos and Don’ts of practicing Computer Forensics
• How to get involved in Computer Forensics