Introduction to Digital Forensics Spring 2009 Lecture 4 Read Chapter 4 - PowerPoint PPT Presentation

1
Introduction to Digital Forensics, Spring 2009: Lecture 4 (Read Chapter 4)
  • Sarah Mocas

2
Goal of an Investigation
  • Uncover the Truth
  • Communicate it to Others
  • Mistakes can have very serious consequences …
  • wrongly accused and/or convicted
  • may allow guilty to escape justice

3
Step 1: Taking Notice of Suspicious Incidents
  • Circumstances that get the process started
  • Self-initiated incidents: look for
    circumstances
  • Directed incidents: respond to calls or alerts
  • What effect will this have on the evidence should
    this turn out to be something?

4
Step 2: Assessment
  • Has a crime occurred?
  • Look for elements of a specific crime
  • Triage limited investigative resources
  • Physical or serious financial injury?
  • Can problem be contained/eliminated quickly?
  • Extenuating circumstances?
  • Continue investigation or stop here?

5
Step 3a: Incident/Crime Scene Protocols - Secure
the Scene
  • Electronic evidence is fragile and easily changed
  • Keep scene from changing on purpose or
    accidentally
  • Technical Working Group for Electronic Crime
    Scene Investigation Guide for First Responders
    www.ncjrs.org/pdffiles1/nij/187736.pdf

6
Step 3b: Incident/Crime Scene Protocols -
Document the Scene
  • Retain and document the state of the scene; this
    needs a standard, documented protocol

7
Electronic Evidence
  • Recognition and identification of the evidence.
  • Documentation of the crime scene.
  • Collection and preservation of the evidence.
  • Packaging and transportation of the evidence.

8
Recognizing Electronic Evidence: User-Created
Files
  • Internet bookmarks or favorites
  • Database files
  • Spreadsheet files
  • Documents or text files
  • Address books
  • E-mail files
  • Audio/video files
  • Image/graphics files
  • Calendars

9
Recognizing Electronic Evidence: Computer-
Created Files
  • Backup files
  • Log files
  • Configuration files
  • Printer spool files
  • Cookies
  • Swap files
  • Hidden files
  • System files
  • History files
  • Temporary files

10
Recognizing Electronic Evidence: Other
Evidentiary Artifacts
  • Bad clusters
  • Computer date, time, and password
  • Deleted files
  • Free space
  • Hidden partitions
  • Lost clusters
  • Metadata
  • Other partitions
  • Reserved areas
  • Slack space
  • Software registration information
  • System areas
  • Unallocated space

11
Recognizing Electronic Evidence: PDAs,
E-Organizers, Mobile Phones
  • Address book
  • Calendars
  • Appointment info
  • Documents
  • E-mail
  • Handwriting
  • Passwords
  • Phone book
  • Text messages
  • Voice messages

12
Recognizing Electronic Evidence: Printers,
Scanners, FAXes and Copiers
  • Tool marks
  • Buffers
  • Network IDs
  • Usage log
  • Proof of capability

13
Recognizing Electronic Evidence: Components
  • Network cards
  • MAC address
  • CPU
  • CPU serial number on newer Intel chips
  • Cables and connectors
  • Missing device?

14
Recognizing Electronic Evidence: Other Devices
to be Concerned With
  • Digital Cameras
  • Images
  • Removable cartridges
  • Sound
  • Time and date stamp
  • Video
  • Memory Cards
  • Smart Cards
  • Dongles
  • Answering machines
  • Caller ID info
  • Deleted messages
  • Last number called
  • Phone numbers and names
  • Tapes

15
Search for Evidence
  • Locard's Principle of Exchange: when any two
    objects come into contact, there is always a
    transfer of material from each object onto
    the other
  • What are you adding to the scene?

16
Step 4: Seizure and Identification
  • Can't seize everything: make informed, reasoned
    decisions about what to seize, normally guided
    by the search warrant
  • Document everything
  • Chain of custody
  • Authenticity
  • Later identification

17
Seizure - 1
  • Identify and remove all persons from the area;
    document their location at the time of entry; do
    not let anyone touch anything!
  • Interview (if possible) owners/users of
    electronic devices; try to get:
  • passwords and user names
  • documentation
  • network topography
  • encryption keys
  • location of offsite storage

18
Seizure - 2
  • Formulate a systematic search plan
  • Document the physical scene (power status, location
    of mouse, keyboard, monitor, etc.); look for
    stickies!
  • Photograph the scene to create a visual record
  • Photograph the monitor screen; this may require
    videotaping
  • Note that peripherals and devices can contain latent
    prints; wear gloves!

19
Seizure - 3
  • Do not alter the condition of an electronic
    device: if it is off, leave it off!
  • Identify cables (phone lines, network lines,
    printers, etc.); document, label and disconnect
    each cable from the wall if possible
  • You need to make a decision about volatile data
    (RAM, cache, etc.)

20
Seizure - 4
  • Transport hardware to the evidence storage facility
    or, alternatively, do the forensic analysis on site
  • Keep computer components away from magnetic items,
    e.g. the radio modem in the back of a patrol car
  • Remember that batteries can fail; make sure new ones
    are inserted as soon as practical

21
Step 5: Preservation
  • Create an exact duplicate of electronic storage
    devices and keep the original safely stored
  • You will have to provide a copy of all exhibits to
    the defense for examination
  • Work on the duplicate in case your examination
    damages the contents
  • What does it mean to have an exact duplicate?
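As an added illustration of the last question (not part of the lecture slides): an exact duplicate is a bit-for-bit image whose cryptographic hash matches the original, so a copy that carries only the allocated files fails the check. The "device" below is a constructed byte string standing in for a real drive.

```python
import hashlib
import io

BLOCK = 4096


def acquire(device, image, block=BLOCK):
    """Copy every byte of `device` into `image` block by block, hashing the
    source as it is read. Returns the acquisition hash (SHA-256 hex)."""
    h = hashlib.sha256()
    device.seek(0)
    for chunk in iter(lambda: device.read(block), b""):
        h.update(chunk)
        image.write(chunk)
    return h.hexdigest()


def digest(stream, block=BLOCK):
    """SHA-256 of the whole stream, read from offset 0."""
    h = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def is_exact_duplicate(device, image):
    """An exact duplicate yields the same hash as the original, which also
    implies the same byte count."""
    return digest(device) == digest(image)


# Constructed stand-in for a small storage device: one allocated file,
# zero-filled free space, and the remnant of a deleted file sitting in
# unallocated space. A file-by-file copy would carry only the first part.
ALLOCATED = b"FILE1:contract.doc\x00" + b"\x00" * 64
DEVICE = ALLOCATED + b"DELETED:plan.txt remnant" + b"\x00" * 32


def demo():
    device = io.BytesIO(DEVICE)
    image = io.BytesIO()
    acq_hash = acquire(device, image)
    # Re-hash the finished image and compare with the hash taken while reading
    exact = is_exact_duplicate(device, image) and digest(image) == acq_hash
    # A logical copy of the allocated files only is not an exact duplicate
    partial = io.BytesIO(ALLOCATED)
    return exact, is_exact_duplicate(device, partial)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recording the acquisition hash in the chain-of-custody notes lets anyone, including the defense, re-verify the image later.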

22
Step 6: Recovery
  • Extract deleted and encrypted files
  • Recover all unavailable data whether or not it is
    related to the case; usually not done manually
  • Especially note what has been deleted and when

23
Step 7: Harvesting
  • Organize the contents of the storage device
  • Gather metadata
  • Catalog what you have
  • Applications, data, images, documents, etc.

24
Step 8: Reduction
  • Separate good from bad: eliminate objects that
    are not related to the investigation
  • Commercial clipart, standard operating system
    DLLs, computer games, etc.
  • Aim for the smallest set of digital information with
    the highest value for proving allegations
  • Beware of deleting exculpatory data!
  • NIST National Software Reference Library
    www.itl.nist.gov/div897/docs/nsrl.html
  • Overview: The National Software Reference Library
    (NSRL) provides a repository of known software,
    file profiles, and file signatures for use by law
    enforcement and other organizations in computer
    forensics investigations; over 38 million file
    signatures

  • A typical desktop computer contains between
    10,000 and 100,000 files
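As an added example of the reduction step (not from the lecture or from NIST): files whose content hash appears in a known-software set are moved out of the working set by hash, never by filename, and the exclusions are recorded rather than deleted so exculpatory material can be recovered. The known-hash set and the inventory are constructed stand-ins, not real NSRL data.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for an NSRL-style known-file hash set. The real RDS
# holds hashes of published software; these are hashes of made-up contents
# so the example runs offline.
KNOWN_CONTENTS = [b"os-dll-v1", b"clipart-pack", b"solitaire-game"]
KNOWN_HASHES = {sha1_hex(c) for c in KNOWN_CONTENTS}

# Constructed inventory from an imaged drive: (path, contents)
INVENTORY = [
    ("C:/Windows/System32/kernel32.dll", b"os-dll-v1"),
    ("C:/Program Files/Office/clipart.pak", b"clipart-pack"),
    ("C:/Temp/readme.txt", b"solitaire-game"),       # known file, renamed
    ("C:/Temp/kernel32.dll", b"not-the-real-dll"),    # unknown, OS-like name
    ("C:/Users/js/Documents/notes.txt", b"meet at 9"),
    ("C:/Users/js/Documents/dentist.txt", b"appointment 2009-02-03"),
]


def reduce_set(inventory, known_hashes):
    """Split the inventory into a working set (unknown files) and an
    excluded list (files matching a known-software hash). Matching is by
    content hash only, never by filename. Nothing is deleted: excluded
    entries keep their path and hash so the decision can be audited and
    reversed, which guards against discarding exculpatory material."""
    working, excluded = [], []
    for path, data in inventory:
        h = sha1_hex(data)
        (excluded if h in known_hashes else working).append((path, h))
    return working, excluded


def demo():
    working, excluded = reduce_set(INVENTORY, KNOWN_HASHES)
    return [p for p, _ in working], [p for p, _ in excluded]


if __name__ == "__main__":
    for label, paths in zip(("working", "excluded"), demo()):
        print(label, paths)
```

Note that the renamed game file is still excluded and the unknown file named like an OS DLL stays in the working set; only content decides.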
25
Step 9: Organization and Search
  • Physically organize the reduced set
  • Make sure every file is indexed so it can be
    found on the original hard drive
  • Inverted links are helpful

26
Step 10: Analysis
  • Review file contents within the context of the
    assertions to be proven
  • Try to refute the assertions as well; look for
    exculpatory evidence
  • Validate your findings

27
Step 11: Reporting
  • What you found
  • How you found it
  • Where it can be found on the original disk
  • Significance of what you found

28
Step 12: Testifying
  • Present your findings to the triers-of-fact
  • Convey technical issues to laypeople in a clear
    manner

29
Chapter 4
  • 4 The Investigative Process
  • 4.1) The Role of Digital Evidence
  • 4.2) Investigative Methodology
  • 4.2.1) Accusation or Incident Alert
  • 4.2.2) Assessment of Worth
  • 4.2.3) Incident/Crime Scene Protocols
  • 4.2.4) Identification or Seizure
  • 4.2.5) Preservation
  • 4.2.6) Recovery
  • 4.2.7) Harvesting
  • 4.2.8) Reduction
  • 4.2.9) Organization and Search
  • 4.2.10) Analysis
  • 4.2.11) Reporting
  • 4.2.12) Persuasion and Testimony

30
Chapter 5
  • For now, skip Chapter 5; we will cover it at the
    end, time permitting
  • Chapter 5 Investigative Reconstruction
  • 5.1) Equivocal Forensic Analysis
  • 5.1.1) Reconstruction
  • 5.1.2) Temporal Analysis
  • 5.1.3) Relational Analysis
  • 5.1.4) Functional Analysis
  • 5.2) Victimology
  • 5.2.1) Victimology
  • 5.3) Crime Scene Characteristics
  • 5.3.1) Method of Approach and Control
  • 5.3.2) Offender Action, Inaction and Reaction
  • 5.4) Evidence Dynamic and Introduction of Error
  • 5.5) Reporting