Lecture 5: ETHICS privacy

and Computer Forensics

SWE 477
Dr. Sarah Almoaiqel

From: Chap 8 Computer

Basics For Digital
Investigators
The Basics
Central Processing Unit (CPU)
 Processing instruction for every computer
Basic Input and Output System (BIOS)
 Handles basic movement of data in a computer
 Programs use it to communicate with CPU
Power on Self Test (POST)
 A small program that tests basic components of a computer
 Verifies integrity of CPU and Program itself
 Then it checks all others: drives, monitor, RAM and keyboard
 Before POST is complete and after BIOS is activated, some
computers allow you to edit the configuration using Complementary
Metal Oxide Silicon (CMOS)
 Result of POST are checked against CMOS settings
Disk Boot
• An operating system extends the function of the BIOS
and interfaces with the outside world
• Boot sequence looks for location of OS and loads
• The ability to boot up from a disk is important when the
hard disk may contain evidence
Representation of data
• Digital data is a sequence of “0” and “1” called
bits
• Bit Representation
• little-endian Intel based
• Big-endian Sun and Mac based
• Common data representation is Hexadecimal
• Another one is ASCII (table 8.1)
• We need to use tools that display data in
hexadecimal and ASCII
Storage Media
• Hard disks, floppy disk, thumb drives etc.
• Hard disks are the richest in digital evidence
• Integrated Disk Electronics (IDE) or Advanced
Technology Attachment (ATA)
• Higher performance SCSI drives
• Fireware is an adaptation of SCSI standards that
provides high speed access to a chain of devices
• All hard drives contain platters made of light,
righid material such aluminum, ceramic or glass
More on Hard Drives
• Platters have a magnetic coating on both sides and spin
between a pair of read/write heads
• These heads move like a needle on top of the old LP
records but on a cushion of air created by the disk
above the surface
• The heads can align particles of magnetic media called
writing, and can detect how the magnetic particles are
assigned – called reading
• Particles aligned one way are considered “0” and
aligned another way “1”
Storage
Cylinders are the data tracks that the data is
being recorded on
Each track/cylinder is divided into sectors that
contain 512 bytes of information
512*8 bits of information
Location of data can be determined by which
cylinder they are on which head can access them
and which sector contains them or CHS
addressing
Capacity of a hard drive # of C*H*S*512
Limitations
Event Discovery Analysis Decision Investigate

• When the investigation reveals evidence that the

activity falls within reportable crimes;

O
• When the investigation reveals that the trail of

rn
ot
evidence extends beyond the boundaries of your
enterprise network; and
• When you know you’re over your head.
File System Locations
• SKIP SECTION 8.5 for now
Very Brief Intro to Encryption
• Encryption is a process that translated plaintext/digital
object into unreadable format or digital object
• Encryption uses the concept of a key which is a type of
data that when applied using a specific algorithm will
result in unreadable data
• Symmetric Encryption – decryption is simply a
reverse of the encryption (using the same key)
• Asymmetric Encryption – decryption process is
different from encryption and usually done with
different keys
Digital Signatures
• Electronic method to ensure:
• Data is from who it says it is from
• Data has NOT been altered
• Important for e-commerce transactions
• Works whether or not the document itself is encrypted
Digital Signatures
• Sender builds the signature using a private key
• Recipient decodes the signature using the
sender’s public key
• To ensure no changes to data, messages can be
hashed
• Hashing (somewhat akin to CRC) calculates a
unique value for the document
• Receiver re-calculates the hash and compares to
the received hash
The digital signature process.
Ethics
Very hard to define
Certified professionals are held to a high standards
Should be part of an organizational behavior and culture
Generate guidelines for ethics and Net-ethics
(ISC)2 Code of Ethics
Conduct in accordance with highest moral standards
Not be a party of any unlawful or unethical act
Report any unlawful acts
Support and be active in promoting best information
security practices
Provide competent services to their clients, employees &
community
Be professional
Do not misuse information they have access to
CEI 10 Cs of Computer Ethics - Thou
Shall
I. Not use a computer to harm other people
II. Not interfere with other people’s work
III. Not snoop around in other people’s computer files
IV. Use a computer to steal
V. Use a computer to bear false witness
Computer Ethics Institute 10 Cs of
Computer Ethics - Thou Shall
VI. Not copy or use proprietary software for which you
have not paid
VII. Not use other people’s computer resources without
authorization or the proper compensation
VIII. Not appropriate other people’s intellectual output
IX. Think about the social consequences of the program
you are writing for the system you are designing
X. Use a computer in ways that ensure consideration
and respect for your fellow human
Good Internet Conduct
• Unacceptable and unethical activities:
• Seeks to gain unauthorized access to resources of the
internet
• Destroys integrity of computer based information
• Disrupts the use of the internet
• Wastes resources such as people, capacity and
computers via these actions
• Compromises privacy of users
• Involves negligence in the conduct of internet wide
experiments
References (General)
 http://www.dcfl.gov/home.asp
 http://www.porcupine.org/forensics/
 http://www.cftt.nist.gov/
 http://www.computerworld.com/news/special/pages/0,10911,1705,00.html
 http://www.itl.nist.gov/div897/docs/computer_forensics_tools_verification.html
 http://seattletimes.nwsource.com/html/businesstechnology/
134531230_forensics08.html
 http://www.cio.com/archive/030101/autopsy.html
 http://www.csoonline.com/read/030103/machine.html
 http://www.sans.org/rr/incident/
 http://www.saic.com/infosec/computer-incident-management.html
 http://www.ey.com/global/download.nsf/International/Computer_Forensics/$file/
computerforensics.pdf
 http://www.crazytrain.com/
 http://www.htcia.org/
 http://www.cops.org/
 http://www.securityfocus.com/incidents
Class Work
• Research the following tools. Provide at least 5 of each
• Network vulnerability scanning
• OS vulnerability scanning
• Application vulnerability scanning
• Digital Forensics
• Pretty Good Privacy (PGP) software
• For each tool indicate in a table
• Cost, Available for download and evaluation
• Coverage and what are the requirement to be installed
• Description of the tool and why you like it or not like it
• OS flavor it works on
Class Work
• In not more than ½ page or two slides and
describe the ethical questions concerning
handling of digital evidence
• Based on what you have read so far, how can
you improve on the digital evidence process
• List the types of possible sources of digital
evidence and a description of what they may
have that is relevant
• List at least 10 web sites with digital forensics
services and describe their methodology. Not
more than ½ page or one slide