Computer Forensics


Application of data mining to computer forensics
Definition
 What is Computer Forensics?
 Computer forensics involves the preservation,
identification, extraction, documentation, and
interpretation of computer media for
evidentiary and/or root cause analysis.
 Evidence might be required for a wide range of
computer crimes and misuses
 Multiple methods of:
 Discovering data on a computer system
 Recovering deleted, encrypted, or damaged file
information
 Monitoring live activity
 Detecting violations of corporate policy
 Information collected assists in arrests,
prosecution, termination of employment, and
preventing future illegal activity
Definition (cont)
 What Constitutes Digital Evidence?
 Any information, whether or not it was subject to
human intervention, that can be extracted from a
computer.
 Must be in human-readable format or capable of
being interpreted by a person with expertise in
the subject.
 Computer Forensics Examples
 Recovering thousands of deleted emails
 Performing investigation post employment
termination
 Recovering evidence post formatting hard
drive
 Performing investigation after multiple
users had taken over the system
Reasons For Evidence
 Wide range of computer crimes and misuses
 Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes
relating to:
 Theft of trade secrets
 Fraud
 Extortion
 Industrial espionage
 Possession of pornography
 SPAM investigations
 Virus/Trojan distribution
 Homicide investigations
 Intellectual property breaches
 Unauthorized use of personal information
 Forgery
 Perjury
Reasons For Evidence (cont)
 Computer-related crimes and violations
include a range of activities, including:
 Business Environment:
 Theft of or destruction of intellectual property
 Unauthorized activity
 Tracking internet browsing habits
 Reconstructing Events
 Inferring intentions
 Selling company bandwidth
 Wrongful dismissal claims
 Sexual harassment
 Software Piracy
Who Uses Computer
Forensics?
 Criminal Prosecutors
 Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
 Civil Litigations
 Personal and business data discovered on a
computer can be used in fraud, divorce,
harassment, or discrimination cases
 Insurance Companies
 Evidence discovered on a computer can be
used to mitigate costs (fraud, worker's
compensation, arson, etc.)
 Private Corporations
 Evidence obtained from employee computers
can be used as evidence in harassment, fraud, and
embezzlement cases
Who Uses Computer
Forensics? (cont)
 Law Enforcement Officials
 Rely on computer forensics to support search
warrants and post-seizure handling
 Individual/Private Citizens
 Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination
from employment
Handling Evidence
 Admissibility of Evidence
 Legal rules which determine whether potential
evidence can be considered by a court
 Must be obtained in a manner which ensures
the authenticity and validity and that no
tampering had taken place
 No possible evidence is damaged,
destroyed, or otherwise compromised by
the procedures used to search the
computer
 Preventing viruses from being introduced
to a computer during the analysis process
 Extracted / relevant evidence is properly
handled and protected from later mechanical
or electromagnetic damage
Handling Evidence (cont)
 Establishing and maintaining a continuing
chain of custody
 Limiting the amount of time business
operations are affected
 Not divulging, and respecting, any ethically
and legally privileged client-attorney information
that is inadvertently acquired during a
forensic exploration
Initiating An Investigation
 DO NOT begin by exploring files on the system
randomly
 Establish an evidence custodian; start a
detailed journal recording the date and time of
each action and the information discovered
 If possible, designate suspected equipment
as "off-limits" to normal activity. This
includes back-ups, remotely or locally
scheduled house-keeping, and configuration
changes
 Collect email, DNS, and other network
service logs
Initiating An Investigation (cont)
 Capture exhaustive external TCP and UDP
port scans of the host
 Results may be misleading if services are behind
TCP wrappers, which accept and then drop
connections from unauthorized hosts
 Contact security personnel [CERT],
management, Federal and local law
enforcement, as well as affected sites or
persons
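The chain of custody and the custodian's journal called for in the "Handling Evidence" and "Initiating An Investigation" slides above can be kept tamper-evident by hash chaining the journal entries. The following is an added example written for this page, not code from the original deck: each entry carries the SHA-256 of the exhibit and the hash of the previous entry, so a later edit of any entry is detected by `verify()`. The exhibit name `HD-01`, the custodian names and the evidence bytes are constructed for the example.

```python
"""Tamper-evident evidence custodian journal (added example, not from the slides).

Each entry records when an exhibit was handled, by whom and what was done,
together with the SHA-256 of the exhibit at that moment.  Entries are hash
chained: each one includes the hash of the previous entry, so editing,
removing or reordering an entry later breaks the chain and verify() reports
the first bad entry.  Exhibit names, custodians and the evidence bytes
below are constructed for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyJournal:
    def __init__(self):
        self.entries = []

    def record(self, exhibit, custodian, action, evidence, when=None):
        """Append an entry and return its hash. `evidence` is the exhibit's bytes."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "time_utc": when.isoformat(),
            "exhibit": exhibit,
            "custodian": custodian,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        # Canonical JSON (sorted keys) so the hash does not depend on dict order
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev_entry_hash"] != prev or recomputed != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None

    def evidence_unchanged(self, exhibit):
        """True if every entry for the exhibit recorded the same content hash."""
        hashes = {e["evidence_sha256"] for e in self.entries if e["exhibit"] == exhibit}
        return len(hashes) == 1


def run_demo():
    """Build a three-entry journal, tamper with it, and report both verifications."""
    image = b"constructed bit-stream image of exhibit HD-01"  # constructed sample
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    journal = CustodyJournal()
    journal.record("HD-01", "A. Custodian", "seized from workstation 12", image, t0)
    journal.record("HD-01", "A. Custodian", "bit-stream image created", image, t0.replace(hour=11))
    journal.record("HD-01", "B. Examiner", "received for examination", image, t0.replace(hour=14))
    intact, _ = journal.verify()
    unchanged = journal.evidence_unchanged("HD-01")
    # Simulate a later, undocumented edit of the second entry
    journal.entries[1]["custodian"] = "C. Nobody"
    still_intact, bad_index = journal.verify()
    return {"intact": intact, "unchanged": unchanged,
            "after_tamper": still_intact, "bad_index": bad_index}


if __name__ == "__main__":
    print(run_demo())
```

In practice the journal is written to append-only storage and the latest entry hash is also recorded out of band (for example on the signed hand-over receipt), otherwise an attacker who can rewrite the whole file can simply rebuild the chain.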
Incident Response
 Identify, designate, or become evidence
custodian
 Review any existing journal of what has
been done to the system already and/or how the
intrusion was detected
 Begin a new journal or maintain the existing one
 Install monitoring tools (sniffers, port
detectors, etc.)
 Without rebooting or affecting running
processes, image the physical disk
 Capture network information
Incident Response (cont)
 Capture processes and files in use (e.g.
dll, exe)
 Capture config information
 Record receipt and sign-off for all data handed over
Handling Information
 Information and data being sought after
and collected in the investigation must be
properly handled
 Volatile Information
 Network Information
 Communication between system and the network
 Active Processes
 Programs and daemons currently active on the
system
 Logged-on Users
 Users/employees currently using system
 Open Files
 Libraries in use; hidden files; Trojans (rootkit)
loaded in system
Handling Information (cont)
 Non-Volatile Information
 This includes information, configuration
settings, system files and registry settings that
are available after reboot
 Accessed through drive mappings from the system
 This information should be investigated and
reviewed from a backup (forensic) copy, never the original
Computer Forensic
Requirements
 Hardware
 Familiarity with all internal and external
devices/components of a computer
 Thorough understanding of hard drives and
settings
 Understanding motherboards and the various
chipsets used
 Power connections
 Memory
 BIOS
 Understanding how the BIOS works
 Familiarity with the various settings and
limitations of the BIOS
Computer Forensic
Requirements (cont)
 Operating Systems
 Windows 3.1/95/98/ME/NT/2000/2003/XP
 DOS
 UNIX
 LINUX
 VAX/VMS
 Software
 Familiarity with most popular software
packages
such as Office
 Forensic Tools
 Familiarity with computer forensic techniques
and the software packages that could be used
Anti-Forensics
 Software that limits and/or corrupts the
evidence that could be collected by an
investigator
 Performs data hiding and distortion
 Exploits limitations of known and widely used
forensic tools
 Works on both Windows and LINUX based
systems
 May be put in place before or after system acquisition
Evidence Processing
Guidelines
 New Technologies Inc. (NTI) recommends the
following 16 steps for processing evidence
 They offer training on properly handling
each step
 Step 1: Shut down the computer
 Consideration must be given to volatile information,
which is lost at shutdown
 Prevents remote access to the machine and destruction
of evidence (manual or anti-forensic software)
 Step 2: Document the Hardware Configuration
of The System
 Note everything about the computer configuration
prior to re-locating it
Evidence Processing
Guidelines (cont)
 Step 3: Transport the Computer System to A
Secure Location
 Do not leave the computer unattended unless it
is locked in a secure location
 Step 4: Make Bit Stream Backups of Hard Disks
and Floppy Disks
 Step 5: Mathematically Authenticate Data on All
Storage Devices (cryptographic hashes of each device and image)
 Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
 Step 6: Document the System Date and Time
 Step 7: Make a List of Key Search Words
 Step 8: Evaluate the Windows Swap File
Evidence Processing
Guidelines (cont)
 Step 9: Evaluate File Slack
 File slack is a data storage area of which most
computer users are unaware; a source of
significant security leakage.
 Step 10: Evaluate Unallocated Space (Erased
Files)
 Step 11: Search Files, File Slack and Unallocated
Space for Key Words
 Step 12: Document File Names, Dates and Times
 Step 13: Identify File, Program and Storage
Anomalies
 Step 14: Evaluate Program Functionality
 Step 15: Document Your Findings
 Step 16: Retain Copies of Software Used
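Steps 4, 5, 9, 10 and 11 above (bit-stream copy, mathematical authentication, and keyword search of files, file slack and unallocated space) fit together in one small workflow. The block below is an added example written for this page; it is not NTI's software or code from the original deck. It works over a constructed 4 KiB "volume" with 512-byte clusters and a hand-written file table (`FILE_TABLE`, `memo.txt`, the leftover "offshore" note and the deleted UTF-16LE e-mail are all constructed), which is what lets each keyword hit be labelled as allocated content, slack or unallocated space.

```python
"""Bit-stream acquisition, hash authentication and keyword search over a
constructed disk image (added example, not from the slides or from New
Technologies Inc.).

The 4 KiB 'volume' below has 512-byte clusters and a hand-written file
table, so each keyword hit can be classified as allocated file content,
file slack (the tail of the last cluster past the file's logical size) or
unallocated space.  All file names, contents and deleted remnants are
constructed for the example.
"""
import hashlib

CLUSTER = 512          # allocation unit size of the constructed volume
TOTAL_CLUSTERS = 8
# Constructed file table: name -> (first cluster, logical size in bytes).
# Files are contiguous; cluster 0 is reserved metadata.
FILE_TABLE = {"memo.txt": (1, 200)}


def build_sample_image() -> bytes:
    """Return a constructed image with live data, slack and unallocated remnants."""
    img = bytearray(CLUSTER * TOTAL_CLUSTERS)
    start = FILE_TABLE["memo.txt"][0] * CLUSTER
    # Live (allocated) content of memo.txt: exactly 200 bytes
    img[start:start + 200] = b"Quarterly memo: nothing to see here.".ljust(200, b" ")
    # File slack: stale bytes of an earlier, deleted file still sitting in the
    # remainder of memo.txt's last cluster
    leftover = b"...old notes: send payment to offshore account 4471..."
    img[start + 200:start + 200 + len(leftover)] = leftover
    # Unallocated cluster 3: remnant of a deleted e-mail written as UTF-16LE,
    # as a Windows application would store it
    deleted = "Subject: wire transfer approved".encode("utf-16-le")
    img[3 * CLUSTER:3 * CLUSTER + len(deleted)] = deleted
    return bytes(img)


def acquire(source: bytes, block_size: int = CLUSTER):
    """Bit-stream copy every block and hash the source as it is read (Steps 4 and 5)."""
    digest = hashlib.sha256()
    copy = bytearray()
    for off in range(0, len(source), block_size):
        block = source[off:off + block_size]
        digest.update(block)
        copy.extend(block)
    return bytes(copy), digest.hexdigest()


def verify_image(copy: bytes, expected_sha256: str) -> bool:
    """Re-hash the working copy; any later alteration changes the digest."""
    return hashlib.sha256(copy).hexdigest() == expected_sha256


def classify_offset(offset: int) -> str:
    """Label a byte offset as allocated:<file>, slack:<file> or unallocated."""
    cluster = offset // CLUSTER
    for name, (first, size) in FILE_TABLE.items():
        clusters_used = -(-size // CLUSTER)   # ceiling division
        if first <= cluster < first + clusters_used:
            logical_end = first * CLUSTER + size
            return f"allocated:{name}" if offset < logical_end else f"slack:{name}"
    return "unallocated"


def keyword_search(image: bytes, keywords):
    """Find each keyword as ASCII and as UTF-16LE anywhere in the raw image (Step 11).

    Searching the raw bytes rather than the file system is what exposes hits
    in slack and unallocated space.  Matching is case-sensitive here.
    """
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((kw, enc, pos, classify_offset(pos)))
                pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    original = build_sample_image()
    working_copy, image_hash = acquire(original)
    print("image verified:", verify_image(working_copy, image_hash))
    for hit in keyword_search(working_copy, ["memo", "offshore", "wire transfer"]):
        print(hit)
```

Two points the slides make are visible in the output: the "offshore" hit lives in memo.txt's slack, invisible to anyone reading the file through the file system, and the deleted e-mail is only found because the search also tries UTF-16LE, the encoding in which many Windows programs and the swap file hold text. A real examination would use the file system's own allocation structures in place of the hand-written `FILE_TABLE`.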
What is Digital Evidence and How is it Different?
 Information and data of investigative value
that is stored on or transmitted by an
electronic device
 Can transcend borders quickly via the Internet
 Data in computer systems is highly
susceptible to alteration or destruction
 Caution must be exercised when
collecting, transporting, examining and
storing this type of evidence to avoid data
loss
 Special training, skills, equipment, and
software are needed to retrieve evidence
stored within computers and computer
media to avoid alteration or destruction
Digital Evidence at the
Crime Scene -
Considerations
Search Warrant / Consent to Search
 Identifying Evidence to be Collected
 Documentation, Collection, Preservation of Evidence
 Transporting Evidence to the Laboratory
Search Warrant / Consent to Search
 DPS Crime Lab policy is to have a copy of the search warrant or
consent-to-search form before examination can begin
 Specific wording is needed not only to seize the media but also to access
the data stored within the media; there is a difference
 This requirement provides protection at the time of trial, preventing the examiner
of the evidence from conducting an unlawful search of the data contained on the items
submitted. This is an example of how digital evidence differs from other types of
evidence that can be seen "in plain sight". A search warrant to collect possible
evidence of a crime at the scene typically covers the evidence you can walk into
a room and see or touch. It is a more intrusive search to get into a laptop,
remove the hard drive and examine (search) it for evidence of a crime.
 Go-bys (template forms) are available from the DPS Lab
 A common misconception about the search warrant "return" to the
issuing Judge: officers often ask if we can begin examination
within that return time. In fact, the evidence merely needs
to be submitted to the lab within that return deadline to the Judge.
Types of electronic devices or
MEDIA that may contain digital
evidence
 Personal computer, laptop
 External hard drives (USB connection)
 DVD, CD, floppy disks
 Flash drives (thumb, USB)
 Memory sticks
 Digital cameras
 SD Cards
 Personal Data Assistants (PDAs, iPods, Palm)
 Cellular phones
 MP3 Players
 Smart Phones (Blackberry/iPhone/Android)
 iPads, tablets
 Many unusual pieces of media
Other Items of Evidence at Scene
 Computer media relevant to the crime
 Documents surrounding the computer
 Documents in the printer, scanner, trash
 Web camera (usually on top of the monitor)
 PDA, cell phones with charger/data cable
 Related software
 Related cables / power cords / chargers
Reference
 http://www.cca.courts.state.tx.us/tcjiu/ppt/10-Land.pptx
