COEN 252 Computer Forensics Introduction to Computer Forensics Thomas Schwarz, S.J. 2009 w/ T. Scocca

Upload: verity-strickland, 23-Dec-2015

TRANSCRIPT

COEN 252 Computer Forensics

Introduction to Computer Forensics

Thomas Schwarz, S.J. 2009 w/ T. Scocca

Computer Forensics
Digital Investigation

Focuses on a digital device:
  Computer, Router, Switch, Cell-phone, SIM-card, …

Computer Forensics
Digital Investigation

Focuses on a digital device involved in an incident or crime:
  Computer intrusion.
  Generic criminal activity: the perpetrator uses the internet to gather information used in the perpetration of a crime.
  Digital device is an instrument of a crime: the perpetrator uses a cell-phone to set off a bomb.
    Details are sensitive to national security. If you get clearance, I can tell you who to ask.
  Email scams.
  Internet auction fraud.
  Computer is used for intrusion of another system.

Computer Forensics
Digital Investigation

Has different goals:
  Prevention of further intrusions. Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
  Assessment of damage. Goal is to certify the system for safe use.
  Reconstruction of an incident. For criminal proceedings; for organization-internal proceedings.

Computer Forensics
Digital Investigation

Process where we develop and test hypotheses that answer questions about digital events.

We can use an adaptation of the scientific method: establish hypotheses based on findings, then (if possible) test those hypotheses against findings resulting from additional investigations. A hypothesis that no further finding could refute is not worth much; record both the hypothesis and the evidence that was checked against it.

Computer Forensics
Evidence

Procedural notion: that on which our findings are based.

Legal notion: defined by the “rules of evidence”, which differ by legislation. “Hearsay” is procedurally evidence, but excluded (under many circumstances) as legal evidence.

Computer Forensics
Forensics

Forensics: used in the “forum”, especially for judicial proceedings. Definition: legal.

Computer Forensics
Digital Crime Scene Investigation Process

  System Preservation Phase
  Evidence Searching Phase
  Event Reconstruction Phase

Note: these phases are different activities that intermingle. In practice, preservation means acquiring an image whose hash is recorded, and doing all searching and reconstruction on copies of it, so that findings can be reproduced and the original shown to be unaltered.
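The three phases as a worked example, added here and not taken from the slides or from any forensic tool: preservation (hash the acquisition, re-verify after analysis), evidence searching (keyword search in ASCII and UTF-16LE, plus header carving that finds data with no directory entry), and event reconstruction (a timeline used to test, rather than assume, a hypothesis). The "image" is a constructed byte string and the event metadata is hypothetical; a real investigation would parse both from the acquired media.

```python
"""The three phases (preservation, searching, reconstruction) run against a
constructed byte-string "image".  Added example for this page; not code from
the slides or from any forensic tool."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample "disk image" (NOT a real image): a boot marker, an e-mail
# fragment, a UTF-16LE string as Windows would store it, and a JPEG header
# remnant with no directory entry pointing at it.
IMAGE = (
    b"BOOT" + b"\x00" * 12
    + b"From: alice@example.com\r\nSubject: invoice 4711\r\n\r\n"
    + b"Please wire $10,000 today.\r\n"
    + b"\x00" * 8
    + "wire transfer".encode("utf-16-le")
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16
)

# Constructed event metadata (hypothetical; would normally be parsed from
# file-system timestamps and logs on the image).
EVENTS = [
    ("2009-03-02T14:05:00Z", "mail", "invoice 4711 received"),
    ("2009-03-02T14:07:30Z", "fs", "wire_instructions.txt modified"),
    ("2009-03-02T13:59:10Z", "fs", "photo.jpg deleted"),
]


# --- System preservation phase ---------------------------------------------
def preserve(image: bytes) -> str:
    """Hash the acquired image before any analysis; the digest is the
    reference every later finding is checked against."""
    return hashlib.sha256(image).hexdigest()


def verify(image: bytes, recorded: str) -> bool:
    """Re-hash after analysis; a mismatch means the evidence was altered."""
    return hashlib.sha256(image).hexdigest() == recorded


# --- Evidence searching phase ----------------------------------------------
def keyword_search(image: bytes, keyword: str) -> list:
    """Find a keyword as ASCII and as UTF-16LE; return (offset, encoding)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        for m in re.finditer(re.escape(keyword.encode(enc)), image):
            hits.append((m.start(), enc))
    return sorted(hits)


def carve_signatures(image: bytes) -> list:
    """Locate file headers (magic numbers) in raw bytes, which finds data
    whose file-system metadata is gone."""
    signatures = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}
    return sorted((image.find(sig), name) for sig, name in signatures.items()
                  if sig in image)


# --- Event reconstruction phase --------------------------------------------
def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timeline(events: list) -> list:
    """Order events by UTC time so hypotheses can be tested, not assumed."""
    return sorted(events, key=lambda e: parse_ts(e[0]))


def edit_after_mail(events: list) -> bool:
    """Hypothesis: wire_instructions.txt was modified after the invoice
    mail arrived.  True supports it; False would refute it."""
    when = {desc: parse_ts(ts) for ts, _, desc in events}
    return when["wire_instructions.txt modified"] > when["invoice 4711 received"]


def investigate(image: bytes) -> dict:
    """Run the phases in order on a working copy; re-verify the original."""
    recorded = preserve(image)
    working = bytes(image)  # analysis happens on a copy of the acquisition
    return {
        "keyword_hits": keyword_search(working, "wire"),
        "carved": carve_signatures(working),
        "timeline": timeline(EVENTS),
        "edit_after_mail": edit_after_mail(EVENTS),
        "image_intact": verify(image, recorded),
    }


if __name__ == "__main__":
    for key, value in investigate(IMAGE).items():
        print(f"{key}: {value}")
```

Searching both ASCII and UTF-16LE matters on Windows media, where much user data is stored two bytes per character and an ASCII-only search misses it; carving by header finds the JPEG remnant even though nothing in the constructed image refers to it.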

Computer Forensics
Who should know about Computer Forensics

Those involved in legal proceedings that might use digital evidence: Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses.

Those involved in Systems Administration: Systems Administrators, Network Administrators, Information Security Officers.

Those writing procedures: Managers.

Computer Forensics
Computer Forensics presupposes skills in

  Ethics
  Law, especially rules of evidence
  System and network administration
  Digital data presentation: number and character representation
  Systems: OS, especially file systems; hardware, especially disk drives, memory systems, computer architecture, …
  Networking: network protocols, intrusion detection, …
  Information Systems Management
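Number and character representation in practice: an added example (not from the slides) that renders bytes the way a hex editor does and decodes the same four bytes as little-endian and big-endian integers, which gives different values. The 16-byte sample and its layout (a 4-byte magic, a 32-bit little-endian size, a 16-bit big-endian port, a UTF-16LE string) are constructed for illustration and correspond to no real on-disk structure.

```python
"""Reading raw bytes the way a hex editor shows them.  Added example for this
page, not from the slides; SAMPLE is a constructed layout, not a real format."""
import struct

# Constructed 16-byte sample: magic, 32-bit LE size, 16-bit BE port, UTF-16LE "ok".
SAMPLE = (
    b"FRNS"
    + (1048576).to_bytes(4, "little")
    + (443).to_bytes(2, "big")
    + "ok".encode("utf-16-le")
    + b"\x00\x00"
)


def hexdump(data: bytes, width: int = 16) -> list:
    """Return hex-editor style lines: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def read_fields(data: bytes) -> dict:
    """Decode the sample; size_be_misread shows what the wrong byte order yields."""
    return {
        "magic": data[0:4],
        "size_le": struct.unpack_from("<I", data, 4)[0],          # correct
        "size_be_misread": struct.unpack_from(">I", data, 4)[0],  # same bytes, wrong order
        "port": struct.unpack_from(">H", data, 8)[0],
        "text": data[10:14].decode("utf-16-le"),
    }


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(read_fields(SAMPLE))
```

The bytes 00 00 10 00 read as 1048576 little-endian but 4096 big-endian; knowing which order a structure uses (x86 file systems are little-endian, network protocols big-endian) is the difference between a correct and a plausible-looking wrong file size.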

Computer Forensics
Swiss Army Knife for Investigations

Useful in the following areas:
  HR Policy Violations
  Insider Trading Allegations
  Compliance Audits / Validation
  Network Misuse
  Workplace Harassment
  Intellectual Property Protection
  IT Check & Balance
  Ombudsman’s Office
  Whistleblower Allegations
  Internal Fraud
  eDiscovery

COEN 252 Prerequisites

Required:
  Good moral character. Ability and willingness to respect ethical boundaries.
  Familiarity with at least one type of operating system (Windows, Unix/Linux, DOS experience preferred).
  Some programming.
  Access to a computer with a hex editor.

Desired:
  Familiarity with OS theory.
  Familiarity with networking.
  Some knowledge of the U.S. legal system.

COEN 252 Text Books

COHEN, F. Digital Forensic Evidence Examination. 2nd edition. Fred Cohen & Associates, 2010.

(Optional)

COEN 252 Text Books – Optional

NELSON, B., PHILLIPS, A., STEUART, C. Guide to Computer Forensics and Investigations. 2nd edition. Course Technology, 2010.

COEN 252 Text Books – Of Interest

CARRIER, B. File System Forensic Analysis. Addison-Wesley Professional, 2005.

Computer Forensics Software
Commercial

  FTK – Forensic Toolkit  http://www.accessdata.com/
  WinHex  http://www.winhex.com/
  EnCase  http://www.guidancesoftware.com/
  Paraben  http://www.paraben.com/
  NTI  http://www.forensics-intl.com/tools.html
  Maresware  http://www.dmares.com/
  Digital Intelligence  http://www.digitalintel.com/

Computer Forensics Software
Open Source

  Coroner’s Toolkit  http://www.porcupine.org/forensics/tct.html
  Knoppix  http://www.knoppix.com/
  The Sleuth Kit  http://www.sleuthkit.org/sleuthkit/index.php
  Penguin Sleuth Kit  http://www.linux-forensics.com/
  BackTrack  http://www.remote-exploit.org/backtrack.html