1 / 19

Computer Forensics BACS 371

Computer Forensics BACS 371. Phases of Computer Forensics. Phases of Computer Forensics. The purpose of this slide-set is to provide an overview and introduction to the steps taken in a full forensic investigation.

milla
Download Presentation

Computer Forensics BACS 371

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer ForensicsBACS 371 Phases of Computer Forensics

  2. Phases of Computer Forensics • The purpose of this slide-set is to provide an overview and introduction to the steps taken in a full forensic investigation. • Later material will go into detail concerning specific components of this process.

  3. Phases of Computer Forensics • Collection Phase • Get physical access to computer and related items • Authentication & Preservation • Document initial state of evidence • Make a forensic image copy of all digital information • Examination Phase • Makes evidence visible • Explains origin and significance • Develop initial hypothesis • Analysis Phase • Follow trail of clues • Build evidence set • Revise hypothesis • Reporting Phase • Outline/Review examination process • Discuss pertinent data recovered • Document the validity of procedure

  4. Collection Phase “Collection” in a forensic investigation is a series of steps related to electronic evidence. It is the • Search for… • Recognition of… • Documentation of… • Collection and Preservation of… • Packaging and Transportation of… Electronic evidence.

  5. Methodology for Investigating Computer Crime • Search and Seizure(also involves 4th Amendment issues) • Formulate a plan • Approach and Secure Crime Scene • Document Crime Scene Layout • Search for Evidence • Retrieve Evidence • Log & Secure Evidence • This is followed by… • Information Discovery • Formulate Plan • Search for Evidence • Process Evidence • All this while maintaining Chain of Custody

  6. Digital Evidence Collection Toolkit1 • Documentation Tools • Cable tags • Indelible felt tip markers • Stick-on labels • Disassembly and Removal Tools • Flat-blade and Philips-type screwdrivers • Hex-nut drivers • Needle-nose pliers • Secure-bit drivers • Small tweezers • Specialized screwdrivers • Standard pliers • Star-type nut drivers • Wire cutters • Package and Transport Supplies • Antistatic bags • Antistatic bubble wrap • Cable ties • Evidence bags • Evidence tape • Packing materials • Packing tape • Sturdy boxes of various sizes • Other Items • Gloves • Hand truck • Large rubber bands • List of contact telephone numbers for assistance • Magnifying glass • Printer paper • Seizure disk • Small flashlight • Wiped flash drives 1Electronic Crime Scene Investigation: A guide for First Responders, NIJ Guide, DOJ

  7. Document the Scene1 • Observe and document scene – photos and sketches • Take copious notes • Document condition of computers • Identify related, but not collected, electronics • Make note of unusual computer literature • Photograph scene • Photograph computer (prior to seizure) 1Electronic Crime Scene Investigation: A guide for First Responders, NIJ Guide, DOJ

  8. Evidence Collection While on the crime scene, you need to collect the evidence. This can include… • Non-electronic evidence (papers, photos, …) • Stand-alone/Laptop computers • Removable data storage (flash, disk, CD, DVD,…) • Computers attached via a network • Network servers • Other electronic devices

  9. Collecting Digital Evidence

  10. Examination Phase • In the examination phase you are primarily concerned with finding out what evidence is available and determining how useful it will be in your investigation. • Prior to examination, you must make forensic images of the evidence. • This allows you to safely process the evidence without the danger of accidentally modifying it.

  11. Places to Look for Information There are a number of common places to look for evidence in the imaged data. • Deleted Files and Slack Space • Recycle Bin • System and Registry Files • Unallocated Disk (Free) Space • Unused Disk Space • Erased Information

  12. Ways of Hiding Information There are many ways to hide information. Some are more sophisticated than others. • Rename the File • Rename the File extension • Make the Information Invisible • Use Windows to Hide Files • Protect the File with a Password • Encrypt the File • Use Steganography • Compress the File • Hide the Hardware

  13. Analysis Phase • Once the key information has been uncovered, it is time to put together a “picture” of what happened. • Basically, you are building a hypothesis based on the initial evidence that was uncovered. • This is helpful because it indicates what you need to look for next. • This type of analysis should use the “scientific method.”

  14. Brief Outline of the Scientific Method Successful forensic examinations generally follow the scientific method. • Identify and research a problem • Formulate a hypothesis • Conceptually and empirically test the hypothesis • Evaluate the hypothesis with regards to test results • If hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis

  15. Computer Forensics Analysis Process • Intelligence • Basic understanding of issues surrounding incident • Hypothesis Formulation • Formulated with regard to “5 Ws” • Evidence Recovery • Supporting and non-supporting • Testing • Support or refute hypothesis • Conclusion

  16. Analysis Tools • Analysis of evidence normally involves utilization of a number of forensic tools. • These tools help the analyst uncover and understand the evidence. • It is best to use tools that are recognized by the court. • It is imperative that the analyst document all steps taken so that the evidence collected and findings reached can be defended in court.

  17. Common Analysis Tools • Commercial Tools • EnCase • Forensic Tool Kit (FTK) • e-fence Helix3 • X-Ways Forensics • Open Source Tools • The Sleuthkit • Autopsy browser • DFF • ProDiscovery Basic

  18. Reporting Phase • The deliverable for the entire forensic investigative process is the report. • This details the investigation including: • Collection details • Evidence characteristics • Forensic procedures • Analysis techniques • Findings • It should be written with an eye towards accuracy, conciseness, and professionalism.

  19. Expert Witness Testimony • In addition to a formal written report, the forensic analyst is often required to testify in court as an expert witness. • This is one situation where hearsay evidence is admissible. • The role of the expert witness is to report, as objectively as possible, the findings of the analysis. • Your professional credibility is at stake, so your testimony should be accurate, free from bias, and understandable.

More Related