1 / 26

By: Ahlesa Stahl

Computer Forensics. By: Ahlesa Stahl. Topics . What is Computer forensics? Reasons for gathering evidence Who uses computer forensics Steps to computer forensics Handling evidence Anti-Forensics Evidence Processing guidelines. What is Computer forensics?.

easter
Download Presentation

By: Ahlesa Stahl

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Computer Forensics By: Ahlesa Stahl

  2. Topics • What is Computer forensics? • Reasons for gathering evidence • Who uses computer forensics • Steps to computer forensics • Handling evidence • Anti-Forensics • Evidence Processing guidelines

  3. What is Computer forensics? • Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. • Evidence might be required for a wide range of computer misuses. • Methods • Discovering data on computer system • Recovering deleted and or damaged file information. • Monitoring live activity. • Detecting any computer violations • The information collected helps in arrests, prosecution, termination of employment, and preventing future illegal activity.

  4. Issues in Computer Forensics • Computer Forensics is a great aid to helping solve computer related issues but participants have to be mindful of their actions because of legal ratifications of their actions.

  5. Why Computer Forensics is Important • Computer Forensics is important to aid in investigations and if you don’t practice computer forensics there is a possiblity of damaging vital information or having the evidence inadmissible in court.

  6. Legal aspects of computer forensics • Before intiating an investigation on a computer system you must have legal authorization. • There are legal ratifications to using security monitoring tools.

  7. Reasons for Evidence • There are wide ranges of computer misuses and crimes. • Non business environment: Evidence is collected by Federal, State, and local authorities for crimes that are related to • Theft or trade secrets • Fraud • Extortion • SPAM Investigations

  8. Reasons for Evidence (continued) • Virus/trojandistrubution. • Homicide investigations. • Unauthorized use of personal information. • Forgery • Perjury.

  9. Who uses computer Forensics • Criminal Prosecutors • They rely on evidence obtained from a computer to gain suspects. • Insurance Companies • The evidence found on the computer can be used to find employee fraud, workers compensation, etc. • Private Corporations • Evidence gained from computers can be used as evidence in harassment, fraud etc.

  10. Steps to computer Forensics • Acquisition • Obtaining the computer physically such as network mappings from the system and storage devices. • Identification • Involves what information could be recovered by using running various computer forensic programs and tools. • Evaluation • Evaluating the information/data recovered to  determine if and how it could be used again the  suspect for employment termination or prosecution  in court

  11. Computer steps (continued) • Presentation • This step involves the presentation of the evidence discovered that can be understood by lawyers.

  12. Handling Evidence • Admissibility of evidence • Legal rules that determine if the potential evidence can be used in court. • Must be obtained in a way that assures the authenticity and that no tampering has been taken place. • No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer. • Preventing viruses from being shown during the analysis process • The evidence extracted is properly handled and protected from any damage.

  13. Handling Evidence (Continued) • Establishing and maintaining a continuing chain of custody • Limiting amount of time business operations are affected. • Not divulging and respecting any ethically [and legally] client-attorney information that is inadvertently acquired during a forensic exploration

  14. Starting an investigation • Do not start off by looking at files on a system randomly. • Start a journal with the date,time and date/ information discovered. • Collect email, DNS, and other service logs • Designate suspected equipment as “off limits” to normal activity. This also includes back ups and configuration changes.

  15. Starting Investigation (continued) • Capture exhaustive external TCP and UDP port scans of the host. • Contact security, Federal and local enforcement, as well as affected sites or people.

  16. Information that will be handeled • Network information • Communication between system and Network. • Active Processes • Programs active on system. • Logged on users • Users currently using system.

  17. Information that will be handeled (continued) • Non-Volatile information • Includes information ,configuration settings,system files and registry settings that are avaible after reboot. • Accessed through drive mappings. • Information should be investigated from a back up copy.

  18. Computer Forensic Requirments. • Hardware • Familiarity with all internal and external devices/ components of a computer • Understanding of hard drives and settings. • Understanding of motherboards • Power connections • Memory

  19. Computer Forensics Requirements(continued) • Bios • Understanding of how BIOs works • Familiarity of the various settings and limitations of BIOs

  20. Computer Forensic Requirements (continued) • Operation Sytems • Windows 3.1/95/98/ME/NT/2000/2003/XP • DOS • UNIX • LINUX • VAX/VMS • Software • Familiar with most popular software packages such as Microsoft Office • Forensic tools • Familiar with computer forensic techniques and software that could be used.M

  21. Anti Forensics • Software that limits/corrupts evidence that could be collected by investigators. • Performs data hiding and distortion. • Exploits limitations of known and used forensic tools. • Works on both Windows and LINUX systems. • In place post or prior to system acquistion.

  22. Guidelines to Evidence Processing • Step 1: Shut down computer • Prevents remote access to machine and destruction of evidence. • Step 2: Document Hardware Configuration of the system. • Note everything about the computer before relocating it.

  23. Guidelines to Evidence Processing (continued) • Step 3: Transport Computer System to A secure location. • Do not leave computer unattended unless locked up in a safe area. • Step 4: Make backups of hard disks and floppy disks • Authenticate the data on all storage devices. • Must prove that any evidence did not alter on computer after it came into your possesion.

  24. Guidelines to Evidence Processing(continued) • Step 6: Document System date and time • Step 7:Make a list of Key search words. • Step 8: Evaluate Windows swap file • Step 9: Evaluate File Slack • File slack is a data storage area of which most computer users are unaware ; a source of security leakage. • Step 10: Evaluate Erased Files.

  25. Guidelines to Evidence Processing (Continued) • Step 11: Search files • Step 12: Document File names, date and times • Step 13: Identify File, Program and storage anomalies. • Step 14:Evaluate how program functions • Step 15: Document any findings. • Step 16: Keep copies of Software used.

More Related