This preview shows page 1-2-23-24 out of 24 pages.


Digital Forensics

Slide titles: Digital Forensics; Outline; Digital Forensics; Relationship to Intrusion Detection, Firewalls, Honeypots; Computer Crime; Objective and Priority; Accuracy vs Speed; The Job of a Forensics Specialist; Applications: Law Enforcement; Applications: Human Resources; Applications: Other; Services; Data Services; Data Services: Finding Hidden Data; Document and Media Services; Expert Witness Services; Service Options; Other Services; Benefits of using Professional services; Using the Evidence: Criminal and Civil Proceedings; Issues and Problems that could occur; Legal tests; Traditional Forensics vs Computer Forensics; Conclusion

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
November 18, 2009

Outline
- Introduction
- Applications
  - Law enforcement, Human resources, Other
- Services
- Benefits
- Using the evidence
- Conclusion

Digital Forensics
- Digital forensics is about the investigation of crime, including using digital/computer methods
- More formally: “Digital forensics, also known as computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca
- Digital evidence may be used to analyze cyber crime (e.g., worms and viruses), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)

Relationship to Intrusion Detection, Firewalls, Honeypots
- They all work together with digital forensics techniques
- Intrusion detection
  - Techniques to detect network and host intrusions
- Firewalls
  - Monitor traffic going to and from an organization
- Honeypots
  - Set up to attract the hacker or enemy; trap
- Digital forensics
  - Once the attack has occurred or the crime has been committed, need to decide who committed the crime

Computer Crime
- Computers are attacked – Cyber crime
  - Computer virus
- Computers are used to commit a crime
  - E.g., child predators, embezzlement, fraud
- Computers are used to solve a crime
- FBI’s workload: Recent survey
  - 74% of their efforts on white collar crimes such as healthcare fraud, financial fraud etc.
  - Remaining 26% of efforts spread across all other areas such as murder and child pornography
  - Source: 2003 Computer Crime and Security Survey, FBI

Objective and Priority
- Objective of Computer Forensics
  - To recover, analyze and present computer-based material in such a way that it is usable as evidence in a court of law
  - Note that the definition is the following: “computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca
- Priority
  - Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary
  - Therefore accuracy is crucial

Accuracy vs Speed
- Tradeoffs between accuracy and speed
  - E.g., taking 4 courses in a semester vs. 2 courses; more likely to get Bs and not As
  - Writing a report in a hurry means it is likely to be less accurate
- Accuracy: Integrity and security of the evidence is crucial
  - No shortcuts, need to maintain high standards
- Speed may have to be sacrificed for accuracy.
  - But try to do it as fast as you can provided you do not compromise accuracy

The Job of a Forensics Specialist
- Determine the systems from which evidence is collected
- Protect the systems from which evidence is collected
- Discover the files and recover the data
- Get the data ready for analysis
- Carry out an analysis of the data
- Produce a report
- Provide expert consultation and/or testimony?

Applications: Law Enforcement
- Important for the evidence to be handled by a forensic expert; else it may get tainted
- Need to choose an expert carefully
  - What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he/she CISSP certified?
- Forensic expert will be scrutinized/cross-examined by the defense lawyers
- Defense lawyers may have their own possibly highly paid experts?

Applications: Human Resources
- To help the employer
  - What web sites visited?
  - What files downloaded
  - Have attempts been made to conceal the evidence or fabricate the evidence
  - Emails sent/received
- To help the employee
  - Emails sent by employer – harassment
  - Notes on discrimination
  - Deleted files by employer

Applications: Other
- Supporting criminals
  - Gangs using computer forensics to find out about members and subsequently determine their whereabouts
- Support rogue governments and terrorists
  - Terrorists using computer forensics to find out about what we (the good guys) are doing
- We and the law enforcement have to be one step ahead of the bad guys
- Understand the mind of the criminal

Services
- Data Services
  - Seizure, duplication and preservation, recovery
- Document and Media
  - Document searches, media conversion
- Expert witness
- Service options
- Other services

Data Services
- Data Seizure
  - The expert should assist the law enforcement official in collecting the data.
  - Need to identify the disks that contain the data
- Data Duplication and Preservation
  - Data absolutely cannot be contaminated
  - A copy of the data has to be made; work with the copy and keep the original in a safe place
- Data Recovery
  - Once the device is seized (either local or remote), need to use appropriate tools to recover the data

Data Services: Finding Hidden Data
- When files are deleted, usually they can be recovered
- The files are marked as deleted, but they are still residing on the disk until they are overwritten
- Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
- There is research on using statistical methods for file recovery
- http://www.cramsession.com/articles/files/finding-hidden-data---how-9172003-1401.asp
- http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf

Document and Media Services
- Document Searches
  - Efficient search of numerous documents
  - Check for keywords and correlations
- Media Conversion
  - Legacy devices may contain unreadable data. This data has to be converted using appropriate conversion tools
  - Should be placed in appropriate storage for analysis

Expert Witness Services
- Expert should explain computer terms and complicated processes in an easy-to-understand manner to law enforcement, lawyers, judges and jury
  - Computer technologists and lawyers speak different languages
- Expertise
  - Computer knowledge and expertise in computer systems, storage
  - Knowledge on interacting



UTD CS 6V81 - LECTURE NOTES
