Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #5: Technology and Services
September 9, 2009

Review of Lectures
Part 1 of the Course
- Reference: Part 1 of the Book + Links given in Lectures
- Lecture 1: Introduction to Digital Forensics
- Lecture 2: Background on Cyber Security
- Lecture 3: Data Recovery and Evidence Collection
- Lecture 4: Malicious Code Detection: How do you detect that the problem has occurred?
- Lecture 5: Forensics Technologies and Services
Part 2 of the Course
- Part 2 of the Book
- Lecture 6: Data Acquisition Details (September 14, 2009)

Assignment #1
Text Book
- Hands-on Project 2.1
- Hands-on Project 2.2
- Chapter 2, Pages 68-69
- Due: Wednesday September 23, 2009

Outline
Forensics Technologies
- Forensics Technology: Military, Law Enforcement, Business Forensics
- Forensics Techniques: Finding Hidden Data, Spyware, Encryption, Data Protection, Tracing, Data Mining
- Security Technologies: Wireless, Firewalls, Biometrics
Services
- Cyber crime, Cyber detective, Risk Management, Investigative services, Process improvement

Introduction
Digital forensics includes computer forensics and network forensics
Computer forensics
- Gathers evidence from computer media seized at a crime scene
- Issues involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation
Network forensics
- Analysis of computer network intrusion evidence

Military Forensics
CFX-2000: Computer Forensics Experiment 2000
- Information Directorate (AFRL) partnership with NIJ/NLECTC
- Hypothesis: it is possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework
- Tools included commercial products and research prototypes
- http://www.afrlhorizons.com/Briefs/June01/IF0016.html
- http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf

Law Enforcement Forensics
Commonly examined systems: Windows NT, Windows 2000, XP and 2003
Preserving evidence
- Mirror image backups: SafeBack technology from New Technologies Inc.
Tools to handle
- Trojan Horse programs / file slack
- Data hiding techniques
  - AnaDisk analyzes diskettes
  - COPYQM duplicates diskettes
- E-commerce investigation: Net Threat Analyzer
- Text search: TextSearch Plus tool
- Fuzzy logic / data mining tools to identify unknown text
  - Intelligent Forensics Filter

Business Forensics
Remote monitoring of target computers
- Data Interception by Remote Transmission (DIRT) from Codex Data Systems
Creating trackable electronic documents
Theft recovery software for laptops and PCs
- PC PhoneHome tool
- RFID technology

Forensics Techniques
Techniques for finding, preserving and preparing evidence
Finding evidence is a complex process, as the forensic expert has to determine where the evidence resides
- Evidence may be in files, on disks, or on paper; all types of evidence need to be tracked
Preserving evidence includes ensuring that the evidence is not tampered with
- Involves pre-incident planning and training in incident discovery procedures
  - If the machine is turned on, leave it on; do not run programs on that particular computer
Preparing evidence includes data recovery, documentation, etc.

Finding Hidden Data
When files are deleted, usually they can be recovered
- The files are marked as deleted, but they still reside on the disk until they are overwritten
Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
There is research on using statistical methods for file recovery
- http://www.cramsession.com/articles/files/finding-hidden-data---how-9172003-1401.asp
- http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf

Spyware/Adware
Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
- http://en.wikipedia.org/wiki/Spyware
Spyware is mostly advertising-supported software (adware)
- Shareware authors place ads from a media company and get a piece of the revenue
PC surveillance tools that allow a user to monitor computer activity
- Keystroke capture, snapshots, email logging, chats, etc.
Privacy concerns with spyware

Encryption
Popular encryption techniques
- Public key / private key
  - The owner of the data encrypts with the public key of the receiver; the receiver decrypts with his private key
  - In some cases the owner may encrypt with his private key for multiple receivers; each receiver decrypts with the owner's public key
Merkle hash is a popular method to hash documents; it is a one-way hash function
Challenge is to generate unique keys
Issues: a trusted authority is needed to generate keys and credentials

Internet/Web Tracing
Where has the email come from?
- Check the IP address
- The sender may use a fake address by changing header fields; the sending server may not check this, and so the mail is sent
Tracing web activity
- Who has logged into the system, say from a public web site, and modified accounts and grades?
Web/email tracking tools
- http://www.cryer.co.uk/resources/websitetracking.htm
- http://www.visualware.com/resources/tutorials/email.html

Wireless Technology Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device: http://www.rh-law.com/ediscovery/Blackberry.pdf
- "There are two types of RIM devices within each model class. The Exchange Edition is meant for use in a corporate environment while the Internet Edition works with standard POP email accounts. The Exchange Edition employs Triple-DES encryption to send and receive but the Internet Edition communicates in clear text. Neither employs an encrypted file system"
Relevance of RIM forensics
- "The RIM device shares the same evidentiary value as any other Personal Digital Assistant (PDA). As the investigator may suspect
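The Finding Hidden Data slide notes that a deleted file's bytes stay on the disk until overwritten. The following is an added example (not from the lecture or its referenced tools) of signature-based file carving over a constructed raw image: it ignores the file system entirely and finds a "deleted" JPEG whose directory entry no longer exists. It only handles contiguous files; fragmented files need the reassembly work the slide alludes to.

```python
import hashlib

# Well-known header/footer byte signatures for a few common file types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Scan a raw image for header/footer pairs and return the carved files.

    Each hit is (type, start_offset, data). Because no directory structure is
    consulted, files whose entries were deleted are found as long as their
    bytes have not been overwritten. Only contiguous files are recovered.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end != -1:
                end += len(tail)
                found.append((kind, pos, image[pos:end]))
                pos = image.find(head, end)
            else:
                pos = image.find(head, pos + 1)  # header without footer: skip
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed 'disk image': an allocated PDF, some slack bytes, and a
    JPEG whose directory entry is gone but whose bytes are still present."""
    pdf = b"%PDF-1.4 constructed sample body %%EOF"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
    return b"\x00" * 64 + pdf + b"\x00" * 32 + b"slack" + jpeg + b"\x00" * 64


if __name__ == "__main__":
    # Hash each carved object so the recovered evidence can be documented.
    for kind, off, data in carve(build_sample_image()):
        digest = hashlib.sha256(data).hexdigest()[:16]
        print(f"{kind:5s} offset={off:6d} size={len(data):5d} sha256={digest}...")
```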
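The Encryption slide mentions the Merkle hash as a way to hash documents. As an added example (not code from the lecture), this builds a Merkle tree over fixed-size chunks of a document with SHA-256, produces an inclusion proof for one chunk, and shows that altering a single byte changes the root and breaks verification. Chunk size, the 0x00/0x01 leaf and node prefixes, and the sample document are assumptions of this example.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chunk(document: bytes, size: int = 16):
    return [document[i:i + size] for i in range(0, len(document), size)] or [b""]


def merkle_levels(leaves):
    """All tree levels, leaves first. Leaf and inner hashes use different
    prefixes; an odd node at any level is paired with a copy of itself."""
    level = [h(b"\x00" + leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(document: bytes) -> str:
    return merkle_levels(chunk(document))[-1][0].hex()


def inclusion_proof(document: bytes, index: int):
    """Sibling hashes (with their side) needed to rebuild the root from chunk `index`."""
    proof = []
    for level in merkle_levels(chunk(document))[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append(("right" if sib > index else "left", level[sib]))
        index //= 2
    return proof


def verify_chunk(chunk_data: bytes, proof, root_hex: str) -> bool:
    """Recompute the root from one chunk and its proof; any change to the
    chunk, the proof, or the stored root makes this fail."""
    node = h(b"\x00" + chunk_data)
    for side, sib in proof:
        node = h(b"\x01" + (node + sib if side == "right" else sib + node))
    return node.hex() == root_hex


if __name__ == "__main__":
    doc = b"constructed sample evidence document, chunked into sixteen-byte blocks"
    root = merkle_root(doc)
    print("root:", root)
    print("chunk 1 verifies:", verify_chunk(chunk(doc)[1], inclusion_proof(doc, 1), root))
    tampered = doc[:20] + b"X" + doc[21:]
    print("tampered root differs:", merkle_root(tampered) != root)
```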
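The Internet/Web Tracing slide says to check the IP address because the sender can forge header fields. As an added example (not from the lecture or the linked tutorials), this walks the Received: chain of a constructed message back to its origin and separates what the sender supplied (From:, HELO name) from what each relay recorded itself (the connecting IP and its reverse DNS). The message, host names and RFC 5737 documentation addresses are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message. Each relay prepends its own Received: line,
# so the top line is the last hop and the bottom line is the origin.
RAW_MESSAGE = """\
Received: from mx.univ.example ([198.51.100.7]) by mail.univ.example; Wed, 9 Sep 2009 10:02:11 -0500
Received: from relay.isp.example ([203.0.113.45]) by mx.univ.example; Wed, 9 Sep 2009 10:02:09 -0500
Received: from mail.bank.example (unknown [192.0.2.200]) by relay.isp.example; Wed, 9 Sep 2009 10:02:05 -0500
From: "Account Services" <alerts@bank.example>
To: student@univ.example
Subject: constructed sample

body
"""

# Postfix-style hop: "from HELO (rDNS [ip]) by SERVER"; rDNS may be empty or "unknown".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def trace_hops(raw: str):
    """Return the hops in transit order (origin first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue  # unparsable header: skip rather than guess
        rdns = m.group("rdns").lower()
        hops.append({
            "helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by"),
            # HELO and From: are chosen by the sender; only the IP and its
            # reverse DNS were observed by the relay that wrote this line.
            "verified": rdns not in ("", "unknown") and rdns == m.group("helo").lower(),
        })
    return hops


def origin_check(raw: str):
    """Compare the From: domain with the origin hop's claimed host and report
    whether the first relay could confirm that host through reverse DNS."""
    msg = message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].rstrip(">").lower()
    origin = trace_hops(raw)[0]
    return {"from_domain": from_domain, "origin_ip": origin["ip"],
            "origin_claims": origin["helo"],
            "helo_matches_from": origin["helo"].lower().endswith(from_domain),
            "origin_verified": origin["verified"]}


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(RAW_MESSAGE), 1):
        print(f"hop {i}: {hop['ip']:14s} claims {hop['helo']:20s} -> {hop['by']} verified={hop['verified']}")
    print(origin_check(RAW_MESSAGE))
```

In the sample the claimed host matches the From: domain but the relay could not confirm it, so the originating IP, not the name, is the lead worth following up.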