Slide index: Digital Forensics; Relationship to Intrusion Detection, Firewalls, Honeypots; Computer Crime; Objective and Priority; Accuracy vs Speed; The Job of a Forensics Specialist; Applications: Law Enforcement; Applications: Human Resources; Applications: Other; Services; Data Services; Data Services: Finding Hidden Data; Document and Media Services; Expert Witness Services; Service Options; Other Services; Benefits of using Professional Services; Using the Evidence: Criminal and Civil Proceedings; Issues and Problems that could occur; Legal tests; Traditional Forensics vs Computer Forensics; Types of Acquisition; Digital Evidence Storage Formats; Acquisition Methods; Compression Methods; Contingency Planning; Storage Area Network Security Systems; Network Disaster Recovery Systems; Using Acquisition Tools; Using Acquisition Tools - 2; Validating Data Acquisition; RAID Acquisition Methods; Remote Network Acquisition Tools; Some Forensics Tools; Processing Crime and Incident Scenes: Chapter 5; Securing Evidence; Gathering Evidence; Analyzing Evidence; Understanding the Rules of Evidence; Private sector incident scenes; Law Enforcement crime scenes; Steps to processing crime and incident scenes; Case Study (Chapter 5); Digital Forensics Analysis; Digital Evidence Examination and Analysis Techniques; Search Techniques; Event Reconstruction; What is Lazarus?; Time Analysis; Conclusion - 1; Conclusion - 2

Data and Applications Security
Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
November 12, 2010

Outline
- Introduction
- Applications: Law enforcement, Human resources, Other
- Services
- Benefits
- Using the evidence
- Conclusion

Digital Forensics
- Digital forensics is about the investigation of crime, including using digital/computer methods
- More formally: "Digital forensics, also known as computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information" (John Vacca)
- Digital evidence may be used to analyze cyber crime (e.g., worms and viruses), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)

Relationship to Intrusion Detection, Firewalls, Honeypots
- They all work together with digital forensics techniques
- Intrusion detection: techniques to detect network and host intrusions
- Firewalls: monitor traffic going to and from an organization
- Honeypots: set up to attract the hacker or enemy; a trap
- Digital forensics: once the attack has occurred or the crime has been committed, need to decide who committed the crime

Computer Crime
- Computers are attacked: cyber crime, e.g., computer virus
- Computers are used to commit a crime: e.g., child predators, embezzlement, fraud
- Computers are used to solve a crime
- FBI's workload: recent survey
  - 74% of their efforts on white collar crimes such as healthcare fraud, financial fraud, etc.
  - Remaining 26% of efforts spread across all other areas such as murder and child pornography
  - Source: 2003 Computer Crime and Security Survey, FBI

Objective and Priority
- Objective of computer forensics
  - To recover, analyze and present computer-based material in such a way that it is usable as evidence in a court of law
  - Note that the definition is the following: "computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information" (John Vacca)
- Priority
  - Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary
  - Therefore accuracy is crucial

Accuracy vs Speed
- Tradeoffs between accuracy and speed
  - E.g., taking 4 courses in a semester vs. 2 courses; more likely to get Bs and not As
  - Writing a report in a hurry means it is likely less accurate
- Accuracy: integrity and security of the evidence is crucial
  - No shortcuts; need to maintain high standards
- Speed may have to be sacrificed for accuracy
  - But try to do it as fast as you can, provided you do not compromise accuracy

The Job of a Forensics Specialist
- Determine the systems from which evidence is collected
- Protect the systems from which evidence is collected
- Discover the files and recover the data
- Get the data ready for analysis
- Carry out an analysis of the data
- Produce a report
- Provide expert consultation and/or testimony

Applications: Law Enforcement
- Important for the evidence to be handled by a forensic expert; else it may get tainted
- Need to choose an expert carefully
  - What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he/she CISSP certified?
- The forensic expert will be scrutinized/cross-examined by the defense lawyers
- Defense lawyers may have their own, possibly highly paid, experts

Applications: Human Resources
- To help the employer
  - What web sites were visited?
  - What files were downloaded?
  - Have attempts been made to conceal the evidence or fabricate evidence?
  - Emails sent/received
- To help the employee
  - Emails sent by employer: harassment
  - Notes on discrimination
  - Files deleted by employer

Applications: Other
- Supporting criminals
  - Gangs using computer forensics to find out about members and subsequently determine their whereabouts
- Supporting rogue governments and terrorists
  - Terrorists using computer forensics to find out about what we (the good guys) are doing
- We and law enforcement have to be one step ahead of the bad guys
- Understand the mind of the criminal

Services
- Data services: seizure, duplication and preservation, recovery
- Document and media: document searches, media conversion
- Expert witness
- Service options
- Other services

Data Services
- Data seizure
  - The expert should assist the law enforcement official in collecting the data
  - Need to identify the disks that contain the data
- Data duplication and preservation
  - Data absolutely cannot be contaminated
  - A copy of the data has to be made; work with the copy and keep the original in a safe place
- Data recovery
  - Once the device is seized (either local or remote), need to use appropriate tools to recover the data

Data Services: Finding Hidden Data
- When files are deleted, usually they can be recovered
- The files are marked as deleted, but they are still residing on the disk until they are overwritten
- Files may also be hidden in different parts of the disk
- The
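As an added example (not from the slides), a small Python simulation of the "work with the copy, never the original" rule and of recovering a deleted-but-not-overwritten file: the toy disk, its flat directory table and the file contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy file system (assumption for this example, not from the slides):
# a flat byte array plus a directory table. Deleting a file only flips a flag in
# the table; the data bytes stay on "disk" until a later write overwrites them.
@dataclass
class Entry:
    name: str
    offset: int
    length: int
    deleted: bool = False

DISK = bytearray(256)
TABLE: list[Entry] = []

def write_file(name: str, data: bytes, offset: int) -> None:
    DISK[offset:offset + len(data)] = data
    TABLE.append(Entry(name, offset, len(data)))

def delete_file(name: str) -> None:
    for e in TABLE:
        if e.name == name:
            e.deleted = True          # only the flag changes; no bytes are wiped

def acquire_image(disk: bytearray) -> tuple[bytes, str]:
    """Bit-for-bit copy of the device plus its SHA-256 taken at seizure time.
    All later work happens on the copy; the original is left untouched."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the working copy; any mismatch means the copy is not usable."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def recover_deleted(image: bytes) -> dict[str, bytes]:
    """Pull back files flagged deleted whose blocks have not been reused."""
    return {e.name: image[e.offset:e.offset + e.length]
            for e in TABLE if e.deleted}

# Sample activity on the device before seizure (constructed data)
write_file("report.txt", b"quarterly numbers look fine", 0)
write_file("memo.txt", b"draft memo, do not circulate", 64)
delete_file("memo.txt")

if __name__ == "__main__":
    image, h = acquire_image(DISK)
    print("copy verified:", verify_image(image, h))
    print("recovered:", recover_deleted(image))
```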