0% found this document useful (0 votes)
28 views35 pages

6.3 Cyberforensics

Uploaded by

gtavdown
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
28 views35 pages

6.3 Cyberforensics

Uploaded by

gtavdown
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

Cyber Forensics

1
Introduction

2
Computer Forensics

3
Digital Forensic Science
• Digital Forensic Science (DFS):

“The use of scientifically derived and proven methods toward


the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital
evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to
be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.”

Source: (2001). Digital Forensic Research Workshop (DFRWS)

4
Communities
There at least 3 distinct communities within
Digital Forensics
Law Enforcement
Military
Business & Industry
Possibly a 4th – Academia
5
Digital Forensic Science

6
Community Objectives

7
Cyber Forensics

• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis

8
Cyber Forensics

The scientific examination and analysis of


digital evidence in such a way that the
information can be used as evidence in a court
of law.

9
Cyber Forensic Activities
Cyber forensics activities commonly include:
the secure collection of computer data
the identification of suspect data
the examination of suspect data to determine
details such as origin and content
the presentation of computer-based information
to courts of law
the application of a country's laws to computer
practice.
10
The 3 As

The basic methodology consists of the 3


As:
–Acquire the evidence without altering or
damaging the original
–Authenticate the image
–Analyze the data without modifying it
11
Context of Cyber Forensics
•Homeland Security
•Information Security
•Corporate Espionage

Digital
•White Collar Crime
•Child Pornography
Forensics
•Traditional Crime Cyber Forensics
•Incident Response
•Employee Monitoring
•Privacy Issues
•????

12
Cyber Crime
Legislation

1970’s
LE Investigative
Units

1980’s

International LE
Meeting
1990’s

1st International
Conference on CE

IOCE Formed

IOCE & SWGDE


A Brief Timeline

RCFL in USA
2000

COE Convention
on Cyber Crime
2001

DFRWS

ASCLD/LAB-DE
USA
2003

ISO 17025
Journals
Conferences

AAFS
Subsection?
2008
Crime Scenes
Physical Crime Scenes vs. Cyber/Digital Crime
Scenes
Overlapping principals
The basics of criminalistics are constant across
both physical and cyber/digital
Locard’s Principle applies
• “When a person commits a crime something is always left
at the scene of the crime that was not present when the
person arrived”

14
Digital Crime Scene
Digital Evidence
• Digital data that establish that a crime has been
committed, can provide a link between a crime and its
victim, or can provide a link between a crime and the
perpetrator (Carrier & Spafford, 2003)

Digital Crime Scene


• The electronic environment where digital evidence can
potentially exist (Rogers, 2005)
• Primary & Secondary Digital Scene(s) as well

15
Forensic Principles
Digital/ Electronic evidence is extremely volatile!
Once the evidence is contaminated it cannot be de-
contaminated!
The courts acceptance is based on the best evidence
principle
• With computer data, printouts or other output readable by
sight, and bit stream copies adhere to this principle.
Chain of Custody is crucial

16
Cyber Forensic Principles
• The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural
principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that
person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital
evidence must be fully documented, preserved and available for review.
5. An Individual is responsible for all actions taken with respect to digital
evidence whilst the digital evidence is in their possession.
6. Any agency, which is responsible for seizing, accessing, storing or transferring
digital evidence is responsible for compliance with these principles.

17
Process/Phases
Identification
Collection
Bag & Tag
Preservation
Examination
Analysis
Presentation/Report
18
Identification

The first step is identifying evidence


and potential containers of evidence
More difficult than it sounds
Small scale devices
Non-traditional storage media
Multiple possible crime scenes

19
Devices Identification

20
Identification

Context of the investigation is very


important
Do not operate in a vacuum!
Do not overlook non-electronic
sources of evidence
Manuals, papers, printouts, etc.

21
Collection
Care must be taken to minimize
contamination
Collect or seize the system(s)
Create forensic image
Live or Static?
Do you own the system
What does your policy say?
22
23
Collection: Documentation

24
Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – DO NOT
ALTER THE SCENE

25
Collection: Documentation
Make sure to take photos and notes of all
connections to the computer/other devices

26
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work
from the original (if possible)
• A file copy does not recover all data areas of the
device for examination
• Working from a duplicate image
• Preserves the original evidence
• Prevents inadvertent alteration of original evidence
during examination
• Allows recreation of the duplicate image if necessary
27
Collection: Imaging
•Digital evidence can be duplicated with no
degradation from copy to copy
• This is not the case with most other forms of evidence

28
Collection: Imaging
Write blockers
Software
Hardware

Hardware write blockers are becoming the industry


standard
USB, SATA, IDE, SCSI, SIM, Memory Cards
Not BIOS dependent
But still verify prior to usage!

29
Collection: Imaging
Forensic Copies (Bitstream)
Bit for Bit copying captures all the data on the copied media
including hidden and residual data (e.g., slack space, swap,
residue, unused space, deleted files etc.)

Often the “smoking gun” is found in the residual data.


Imaging from a disk (drive) to a file is becoming the norm
Multiple cases stored on same media

No risk of data leakage from underlying media

Remember avoid working for original


Use a write blocker even when examining a copy!
30
Imaging: Authenticity & Integrity
•How do we demonstrate that the image is a true unaltered copy of the
original?
-Hashing (MD5, SHA 256)
•A mathematical algorithm that produces a unique value (128 Bit, 512
Bit)
• Can be performed on various types of data (files, partitions, physical drive)

•The value can be used to demonstrate the integrity of your data


• Changes made to data will result in a different value

•The same process can be used to demonstrate the image has not
changed from time-1 to time-n

31
Examination
Higher level look at the file system representation of the data on
the media

Verify integrity of image


• MD5, SHA1 etc.

Recover deleted files & folders

Determine keyword list


• What are you searching for

Determine time lines


• What is the timezone setting of the suspect system

• What time frame is of importance

• Graphical representation is very useful


32
Examination
Search for relevant
Examine directory evidence types
tree • Hash sets can be useful
• What looks out of place • Graphics
• Stego tools installed • Spreadsheets
• Evidence Scrubbers • Hacking tools

Perform keyword • Etc.


searches
Look for the obvious
• Indexed first

• Slack & unallocated space When is enough


enough??

33
Issues
lack of certification for tools
Lack of standards
lack of certification for professionals
lack of understanding by Judiciary
lack of curriculum accreditation
Rapid changes in technology!
Immature Scientific Discipline
34
Summary

Cyber Forensics is a maturing forensic


Science
AAFS new section Feb 2008
Excellent career opportunities
Proper education & training is paramount!

35

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy