Computer in Forensics

Published on July 2016 | Categories: Types, Presentations

Computer In Forensics

Definition
• What is Computer Forensics?
– Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
– Evidence might be required for a wide range of computer crimes and misuses.
– Multiple methods of:
• Discovering data on a computer system
• Recovering deleted, encrypted, or damaged file information
• Monitoring live activity
• Detecting violations of corporate policy
– Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.

• What Constitutes Digital Evidence?
– Any information, whether it has been subject to human intervention or not, that can be extracted from a computer.
– It must be in human-readable format or capable of being interpreted by a person with expertise in the subject.

• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing an investigation after employment termination
– Recovering evidence after a hard drive has been formatted
– Performing an investigation after multiple users have taken over the system

Digital Forensic Science

• Content
– Comparison against known data
– Transaction sequencing
– Extraction of data
– Recovering deleted data files
– Format conversion
– Keyword searching
– Decrypting passwords
– Analyzing and comparing limited source code

• Wide range of computer crimes and misuses
– Theft of trade secrets
– Fraud
– Virus/Trojan distribution
– Intellectual property breaches
– Unauthorized use of personal information
– Forgery

Process
• According to many professionals, Computer Forensics is a four (4) step process
– Acquisition
• Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

– Identification
• This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

– Evaluation
• Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

– Presentation
• This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined

Information and data sought after and collected in the investigation must be properly handled.
• Volatile Information
– Network Information: communication between the system and the network
– Active Processes: programs and daemons currently active on the system
– Logged-on Users: users/employees currently using the system
– Open Files: libraries in use; hidden files; Trojans (rootkits) loaded in the system

• Hard Drive/File System manipulation cont…

– Hidden drive space is non-partitioned space in between partitions
• The File Allocation Table (FAT) is modified to remove any reference to the non-partitioned space
• The address of the sectors must be known in order to read/write information to them

– Bad sectors occur when the OS attempts to read information from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from/written to again
• Users can control the flagging of bad sectors
• Flagged sectors can be read from/written to with direct reads and writes using a hex editor
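An added example (not from the slides) of how an examiner can account for the non-partitioned space described above: it builds a constructed MBR sector with two primary partitions that do not cover the whole disk, parses the partition table, and lists every sector range that no partition claims. The disk size and partition layout are made-up values.

```python
import struct

ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(partitions):
    """Constructed 512-byte MBR for the demo: partitions = [(type, lba_start, sectors), ...]."""
    sector = bytearray(512)
    for i, (ptype, start, count) in enumerate(partitions):
        status = 0x80 if i == 0 else 0x00  # mark the first partition bootable
        entry = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
        sector[446 + 16 * i:446 + 16 * (i + 1)] = entry
    sector[510:512] = b"\x55\xaa"  # boot signature
    return bytes(sector)

def parse_mbr(sector):
    """Return the in-use primary partition entries as (type, lba_start, sectors)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0 and count != 0:  # type 0x00 means an empty slot
            parts.append((ptype, start, count))
    return parts

def unallocated_gaps(parts, disk_sectors):
    """Sector ranges (start, length) that no partition entry claims.
    Sectors 1..2047 are normal alignment slack on modern disks but are still worth examining."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for _ptype, start, count in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

if __name__ == "__main__":
    disk_sectors = 1_000_000  # constructed disk size in 512-byte sectors
    parts = parse_mbr(build_mbr([(0x07, 2048, 200_000), (0x83, 400_000, 500_000)]))
    for ptype, start, count in parts:
        print(f"partition type 0x{ptype:02x}: sectors {start}-{start + count - 1}")
    for start, length in unallocated_gaps(parts, disk_sectors):
        print(f"unallocated: sectors {start}-{start + length - 1} ({length * 512} bytes)")
```

On a real image the same parse would be run over the first 512 bytes of the disk, and each reported range would be carved or hashed for the examination record.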

Computer Forensics Fundamentals
• Computer Forensics: Military, Law Enforcement, Private Sector
• Standards & Guidelines: Investigation, Acquisition, Analysis, Examination, Report
• Rules of Evidence
– Criminal: Frye, FRE 702, Daubert/Kumho
– Civil: Federal Rules of Civil Procedure, Sedona, Rowe
• Presentation: Expert Witness, Friend of the Court, Technical Expert

Algorithms (slide titles): Informal definition of an algorithm used in a computer; Three constructs; Flowcharts for three constructs; Selection sort; Example of selection sort; Selection sort algorithm

All math functions can be determined using these 3 primary Boolean logic operators: AND, OR, and NOT.
AND narrows your search,
OR broadens your search, and
NOT is used to exclude concepts.

Nesting

When more than one element is in parentheses, the sequence is left to right. This is called "nesting."
– (foxes OR rabbits) AND pest control
– foxes OR rabbits AND pest control
– (animal pests OR pest animals) NOT rabbits

Parentheses should be used to group terms joined by OR when there is any other operator in the search.
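An added example (not from the slides) that runs the three queries above over a few constructed text lines, the way a keyword search over recovered files would. It assumes the usual search-engine precedence, prefix NOT, then AND (and the binary form a NOT b), then OR, which is why the parenthesised and unparenthesised forms select different documents; the document texts are made up.

```python
import re

# Constructed sample documents standing in for recovered files; not real data.
DOCS = {
    "d1": "Foxes are a pest control problem on farms",
    "d2": "Rabbits need pest control in the orchard",
    "d3": "Rabbits are cute animal pests",
    "d4": "Animal pests such as foxes damage crops",
}

def matches(query, text):
    """Evaluate a Boolean keyword query against one text (case-insensitive). Operators are
    upper-case AND/OR/NOT; adjacent plain words form one term whose words must all occur."""
    tokens = re.findall(r"\(|\)|[^\s()]+", query)
    words = set(re.findall(r"\w+", text.lower()))
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():                      # lowest precedence: a OR b
        val = parse_and()
        while peek() == "OR":
            take(); rhs = parse_and(); val = val or rhs
        return val
    def parse_and():                     # a AND b, and the exclusion form a NOT b
        val = parse_not()
        while peek() in ("AND", "NOT"):
            op = take(); rhs = parse_not()
            val = (val and rhs) if op == "AND" else (val and not rhs)
        return val
    def parse_not():                     # prefix NOT, highest precedence
        if peek() == "NOT":
            take(); return not parse_not()
        return parse_term()
    def parse_term():                    # parenthesised sub-query or a run of plain words
        if peek() == "(":
            take(); val = parse_or()
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            take(); return val
        term = []
        while peek() not in (None, "AND", "OR", "NOT", "(", ")"):
            term.append(take().lower())
        if not term:
            raise ValueError("expected a search term")
        return all(w in words for w in term)
    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return result

def search(query, docs=DOCS):            # IDs of the documents the query selects, sorted
    return sorted(k for k, t in docs.items() if matches(query, t))
```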

Let's use Boolean logic to examine the class.
• Please stand up if you are:
– girl
– AND black hair
– AND left handed

• Please stand up if you are:
– girl
– OR black hair
– OR left handed

• And NOT
• How has the group changed depending on the logical operator used?

Module:
Unit of code that performs one small task
Called a subroutine, procedure, function, or method
Modularization: breaking a large program into modules

Forensic Analysis of Database Tampering
• The basic audit log tamper-detection technique provides exactly one bit of information: has the audit log been tampered with?
• The authors introduce a schematic representation termed a “corruption diagram” for analyzing an intrusion.
• They then consider how additional validation steps provide a sequence of bits that can dramatically narrow down the “when” and “where.”
• They examine the corruption diagram for this initial approach; this diagram is central in all of their further analyses. They characterize the “forensic strength” of this algorithm, defined as the reduction in area of the uncertainty region in the corruption diagram.
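An added, simplified illustration (not code from the paper, and not its actual algorithms) of how periodic validation turns the single tamper-detected bit into a sequence of bits that narrows down the “when”: a hash chain is computed over a constructed audit log, the chain value is notarized every few entries, and validation reports the first notarized interval whose value no longer matches. The log contents, the interval and the helper names are assumptions.

```python
import hashlib

def h(*parts):
    """SHA-256 over the parts, each NUL-terminated so fields cannot run together."""
    m = hashlib.sha256()
    for p in parts:
        m.update(str(p).encode()); m.update(b"\x00")
    return m.hexdigest()

def chain_hashes(log):
    """Cumulative hash chain over (timestamp, data) entries: h_i = H(h_{i-1}, t_i, d_i)."""
    hashes, prev = [], "genesis"
    for t, d in log:
        prev = h(prev, t, d)
        hashes.append(prev)
    return hashes

def notarize(log, interval):
    """Stand-in for the notarizer: keep the chain value at the end of every `interval` entries.
    In a real deployment these values are stored where an intruder cannot rewrite them."""
    hashes = chain_hashes(log)
    return {n: hashes[n - 1] for n in range(interval, len(log) + 1, interval)}

def validate(log, notarized, interval):
    """Recompute the chain and compare it with each notarized value in order. Each comparison
    yields one bit; the first mismatch brackets the corruption (or truncation) to one interval,
    returned as 1-based entry numbers. Returns None when the log is intact."""
    hashes = chain_hashes(log)
    for n in sorted(notarized):
        if n > len(hashes) or hashes[n - 1] != notarized[n]:
            return (n - interval + 1, n)
    return None

def tamper(log, index, new_data):
    """Return a copy of the log with entry `index` (1-based) silently rewritten."""
    t, _ = log[index - 1]
    return log[:index - 1] + [(t, new_data)] + log[index:]

# Constructed audit log: 12 entries, notarized every 4 entries.
LOG = [(f"2016-07-01T00:{i:02d}", f"row {i} updated") for i in range(1, 13)]
NOTARIZED = notarize(LOG, 4)

if __name__ == "__main__":
    print(validate(LOG, NOTARIZED, 4))                            # intact log
    print(validate(tamper(LOG, 6, "row 6 erased"), NOTARIZED, 4))  # interval containing entry 6
```

Shortening the interval shrinks the uncertainty region in time at the cost of more notarizations, which is the trade-off the paper's forensic strength measure captures.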

Common Computer Forensic Software
– ArcSight Logger
– Netwitness Investigator
– Quest Change Auditor
– Cellebrite
– Physical Analyzer
– Lantern
– Access Data’s Forensic Toolkit (FTK)
– EnCase Cybersecurity
– EnCase eDiscovery
– EnCase Portable
– EnCase Forensic*

Forensic Analysis of Database Tampering cont…
• The authors look at the more complex case in which the timestamp of the data item is corrupted, along with the data.
• Such an action by the intruder turns out to greatly decrease the forensic strength. Along the way, they identify some configurations that turn out not to improve the forensic strength, thus helping to cull the most appropriate alternatives.
• They then consider computing and notarizing additional sequences of hash values. For each successively more powerful forensic analysis algorithm, they provide a formal/diagrammatic analysis of its forensic strength.
