Computer Forensics Presentation

Digital Forensics Larry Daniel

Upload: nishit-patel

Post on 10-Apr-2018

TRANSCRIPT

Page 1: Computer Forensics Presentation

8/8/2019 Computer Forensics Presentation

http://slidepdf.com/reader/full/computer-forensics-prsentation 1/51

Digital Forensics

Larry Daniel

Page 2: Computer Forensics Presentation

Introduction

• A research report from The Yankee Group found that 67.6 percent of US households in 2002 contained at least one PC.

• The investigators foresaw three-quarters of all US households containing PCs by 2007.

Page 3: Computer Forensics Presentation

Introduction

• The UCLA study found that surprising numbers of households have more than one PC.

• In cases where more than one PC is present, the home computers are often networked.

• As of December 2005, 71.4% of US households had computers.

Page 4: Computer Forensics Presentation

Some Famous Criminal Cases

• Scott Peterson

 – Internet history showing searches for dump sites.

• Michelle Theer

 – Email and other documents (over 20 thousand documents).

• Michael Jackson

 – Internet history and email.

• BTK Killer

 – Document metadata on a floppy disk was used to trace a letter back to a church computer.

Page 5: Computer Forensics Presentation

Different Sides – Different Roles

• Prosecution Side

 – Sworn Law Enforcement Officer

 • Writes search warrants.

 • Receives evidence computers, etc.

 • Acquires images, analyzes data.

 • Presents findings to prosecutors and detectives.

 • May not be involved again until an arrest is made or the case goes to trial.

Page 6: Computer Forensics Presentation

Different Sides – Different Roles

• Defense Side

 – Private Expert

 • Receives evidence from the law enforcement agency.

 • Consults with the attorney on relevant facts.

 • Active member of the defense team.

 • May review other evidence to enhance the computer analysis.

 • May interview the defendant.

 • May work with other experts.

Page 7: Computer Forensics Presentation

Some Basics

The basic computer looks like these….

Page 8: Computer Forensics Presentation

Common Misteaks

Calling these monitors, CPUs, Hard Drives, etc.

Page 9: Computer Forensics Presentation

Monitors

• Newer LCD on left.

• Older analog CRT on right.

 – Nothing is stored in these. They just make pretty pictures.

Page 10: Computer Forensics Presentation

CPU

• CPU – Central Processing Unit

 – Only performs calculations.

 – Stores nothing that survives power-off (its registers and caches hold data only while it is running).

 – The “brain” of the computer.

Page 11: Computer Forensics Presentation

Inside The Computer

• The Hard Drive stores the evidence…

Page 12: Computer Forensics Presentation

Inside The Computer

• Hard drives can hold thousands of

 – Documents

 – Pictures

 – Music files

 – Movies

 – Passwords

 – Emails

Page 13: Computer Forensics Presentation

Inside The Computer

• RAM – Random Access Memory

 – Only contains data while the computer is turned on.

 – Temporary processing storage, used only while operating the computer.

 – Is cleared when the computer shuts down or restarts.

 – Anything that exists only in RAM (running programs, open network connections, passwords and encryption keys in use) is therefore lost at power-off unless it is captured while the machine is still running.

Page 14: Computer Forensics Presentation

Introduction

• A digital (AKA computer) forensics investigation involves four major areas:

 – Acquisition

 • Obtaining the original evidence.

 – Preservation

 • Protecting the original evidence.

 – Analysis

 • Finding relevant evidence.

 – Presentation

 • Presenting the evidence in court.

Page 15: Computer Forensics Presentation

Forensics Tools

 – EnCase Forensic software

 • Used by NC SBI, FBI, Air Force OSI, Scotland Yard, US Navy, Fayetteville PD.

 • Most widely used forensics software in the world at the time of this presentation.

 – Paraben Email Examiner

 • Specially designed to recover email.

Page 16: Computer Forensics Presentation

Acquisition

 – First contact with the original evidence.

 • Most critical time for protecting the originals.

 • Most likely time for police or others to damage or change evidence.

 • General rules MUST be followed to preserve and protect evidence during this critical first response period.

 • First point in establishing chain of custody.

Page 17: Computer Forensics Presentation

Digital Evidence

• Location not always obvious.

• Easy to conceal.

• Easy to miss.

• Easy to damage.

Page 18: Computer Forensics Presentation

Digital Evidence

CD-ROM, Floppy Disk, Hard Drive

Page 19: Computer Forensics Presentation

Digital Evidence

iPod, BlackBerry, Picture Phones

Page 20: Computer Forensics Presentation

Digital Evidence

SmartMedia, Digital Cameras, USB Drives

Page 21: Computer Forensics Presentation

Acquisition

• First responders should be trained to handle this type of evidence.

• Digital evidence is fragile.

• Digital evidence is easily altered if not handled properly.

• Simply turning a computer on or operating the computer changes and damages evidence.

Page 22: Computer Forensics Presentation

Fragile Nature of Digital Evidence

• "The problem is the uninitiated police officer who will go in and turn on a computer to look to see if it's worthwhile to send the computer in for examination," said Peter Plummer, assistant attorney general in Michigan's high-tech crime unit.

"When you boot up a computer, several hundred files get changed, the date of access, and so on," Plummer said. "Can you say that computer is still exactly as it was when the bad guy had it last?"

Source: AP article from Computers Today, www.technologysu.com – Email Section

Page 23: Computer Forensics Presentation

Fragile Nature of Digital Evidence

• The nature of computer based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator’s job to find the truth.

• The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner.

Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

Page 24: Computer Forensics Presentation

Fragile Nature of Digital Evidence

• Fragile data are those things stored on the hard drive but that can be easily altered, especially by a first responder trying to determine if an incident has occurred.

• These could include access dates on files or temporary files. Once these files have been altered by a first responder, there is no way to recover the original data.

Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

Page 25: Computer Forensics Presentation

Fragile Nature of Digital Evidence

• The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless.

 – Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

• Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file.

 – Computer Forensics: Computer Crime Scene Investigation, 2nd Ed., John R. Vacca

Page 26: Computer Forensics Presentation

Fragile Nature of Digital Evidence

• The next 3 slides demonstrate what happens when you operate a computer.

 – Evidence is modified.

 – Evidence is destroyed.

Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations

Page 27: Computer Forensics Presentation

Files In Original Condition

Page 28: Computer Forensics Presentation

Files After Opening and Viewing

The last accessed date and time changes any time a file is opened and viewed while the computer is in operation. On current systems this is not guaranteed: Windows Vista and later disable last-access updates by default, and many Linux filesystems are mounted with relatime or noatime, so an unchanged access time does not prove that a file was never opened.

Page 29: Computer Forensics Presentation

Files After Saving

The last written date and time changes any time a file is saved or copied while the computer is in operation.
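As an added example that is not part of the original presentation, the script below makes the point of the last three slides (and of the "several hundred files get changed" quote) measurable. It snapshots size, MAC times and a content hash for every file under a directory, "views" one file and "saves" another, then diffs the two snapshots. The directory, file names and contents are constructed here for the demonstration. Expect notes.txt to show changed size, last-written time and hash; whether letter.txt shows a changed access time depends on the system, for the reasons given above.

```python
"""Measure what 'opening and viewing' versus 'saving' does to file evidence.

Added example, not code from the original presentation. It snapshots size,
MAC times and a content hash for every file under a directory, performs the
two actions the slides describe, and diffs the snapshots. The directory,
file names and contents are constructed here for the demonstration.
"""
import hashlib
import os
import tempfile
import time


def sha256_file(path):
    """Content hash, read in chunks; identity of the data independent of metadata."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root):
    """Record size, MAC times (nanoseconds) and SHA-256 for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "atime_ns": st.st_atime_ns,  # last accessed
                "mtime_ns": st.st_mtime_ns,  # last written
                "ctime_ns": st.st_ctime_ns,  # metadata change (creation time on Windows)
                "sha256": sha256_file(path),
            }
    return snap


def diff_snapshots(before, after):
    """Map each changed path to the list of fields that differ; files that
    appeared or vanished are reported as ['added'] / ['removed']."""
    changes = {}
    for rel in before.keys() | after.keys():
        if rel not in after:
            changes[rel] = ["removed"]
        elif rel not in before:
            changes[rel] = ["added"]
        else:
            fields = [k for k in before[rel] if before[rel][k] != after[rel][k]]
            if fields:
                changes[rel] = fields
    return changes


def demo():
    """Create two files, then 'view' one and 'save' the other as a user would."""
    root = tempfile.mkdtemp(prefix="evidence_")
    viewed = os.path.join(root, "letter.txt")
    saved = os.path.join(root, "notes.txt")
    with open(viewed, "w") as f:
        f.write("original letter\n")
    with open(saved, "w") as f:
        f.write("original notes\n")
    before = snapshot_tree(root)

    time.sleep(0.05)  # make sure the clock has moved past the creation timestamps
    with open(viewed, "rb") as f:  # opening and viewing: a read only
        f.read()
    with open(saved, "a") as f:    # saving: a write, so the last-written time moves
        f.write("one more line\n")

    after = snapshot_tree(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for rel, fields in sorted(demo().items()):
        print(f"{rel}: changed {', '.join(fields)}")
```

The same snapshot-and-diff run against a whole system drive before and after a boot is how an examiner would substantiate the "hundreds of files changed" claim on a specific machine; the content hash is what lets the examiner say the data itself was or was not altered, separately from the timestamps.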

Page 30: Computer Forensics Presentation

Seizing Computer Evidence

General Guidelines

Page 31: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• Seizing a Stand-Alone Home Computer in a Residence

• If the computer is “powered off”, DO NOT turn it on.

• If the computer is “powered on”, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that may destroy the evidence. This can be done with one keystroke.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 32: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s), document, videotape and/or photograph the computer system, and write detailed notes about what is on the computer’s screen.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 33: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• Photograph the back of the computer and everything that is connected to it.

• Photograph and label the back of any computer components with existing connections to the computer.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 34: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• If you have a computer specialist on the scene, he will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 35: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. Pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers and computers based on Macintosh, Windows NT, and Unix/Linux operating systems.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 36: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• After shutting the computer down and powering the computer off:

• Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed.

• Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer. This should include sealing the case itself.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 37: Computer Forensics Presentation

General Guidelines for Seizing Computers and Digital Evidence

• Only specially trained and qualified Computer Forensic Investigators working in a laboratory setting should analyze computers and other forms of digital evidence.

• The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless.

• The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel.

Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit

Page 38: Computer Forensics Presentation

Preservation

• Once digital evidence is seized it must be handled carefully to preserve and protect the evidence.

 – Everything should be tagged.

 – No one should operate or preview any evidence on writable media without proper tools and training.

 – Forensically sound copies (bit-for-bit images whose hashes match the original) of all original evidence must be made before analysis.

 – Records must be kept.
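The script below is an added example, not code from the original presentation, of what "forensically sound copy" and "records must be kept" amount to in practice: it streams a source (a device node or an existing image) into a new image file, computes MD5 and SHA-256 while copying, re-reads the written image to confirm the hashes match, and writes an acquisition record beside it that a later verification (or the defense expert's review) can check against. The "evidence drive" is a constructed sample file, and the examiner name and case ID are placeholders. In the field the source would be a block device behind a hardware write blocker; tools such as EnCase or dd/dc3dd do the same work, and MD5 is kept only because older tools and reports use it, with SHA-256 alongside because MD5 collisions are practical.

```python
"""Acquire a bit-for-bit image, hash it while copying, verify the copy, and
keep the record. Added example, not code from the original presentation.
The 'evidence drive' is a constructed sample file; the examiner name and
case ID are placeholders.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads; tune to the media


def hash_stream(path):
    """MD5 and SHA-256 of a file, computed in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source, image_path, examiner, case_id):
    """Copy source -> image_path byte for byte, hashing as we go; then re-read
    the image and confirm it hashes identically. Returns the acquisition record,
    which is also written next to the image as JSON."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    # O_EXCL: never overwrite an existing image; 0o400: the copy is read-only from birth.
    fd = os.open(image_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with open(source, "rb") as src, os.fdopen(fd, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hashes = hash_stream(image_path)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source,
        "image": image_path,
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    with open(image_path + ".json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify_image(image_path):
    """Re-hash an image later (before analysis, or when a copy changes hands)
    and compare against the hashes recorded at acquisition."""
    with open(image_path + ".json") as log:
        record = json.load(log)
    return hash_stream(image_path) == record["source_hashes"]


def demo():
    """Acquire a constructed drive, verify it, then show verification failing
    after a single byte of the image is altered."""
    work = tempfile.mkdtemp(prefix="acq_")
    evidence = os.path.join(work, "suspect_drive.bin")  # stand-in for /dev/sdX
    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))           # not a whole number of chunks
    image = os.path.join(work, "suspect_drive.dd")
    record = acquire(evidence, image, examiner="examiner_placeholder", case_id="CASE-0000")
    ok_before = verify_image(image)
    os.chmod(image, 0o600)              # simulate careless handling with a writable tool
    with open(image, "r+b") as f:
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0xFF]))   # flip one byte
    ok_after = verify_image(image)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The record (examiner, time, source, size, hashes) is the start of the chain-of-custody paperwork the Acquisition slide calls for; every later hand-off re-runs verify_image and logs the result, so a single altered byte anywhere in the image is detectable.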

Page 39: Computer Forensics Presentation

Analysis

• Analysis involves recovering and analyzing evidence for relevance to the case.

 – Accepted tools should be used.

 – Search and analysis must be within the scope of the warrant.

 – Bench notes should be kept by the examiner.

Page 40: Computer Forensics Presentation

What are you looking for?

• E-Mail

• Pictures

• Internet History

• Documents

• Spreadsheets

• Internet Chat Logs

• Financial Data

• PDF Files

• Suspiciously Renamed Files

• Yahoo Messenger, AOL Chat, MSN Messenger, Internet Relay Chat

• Many Others

Page 41: Computer Forensics Presentation

Hiding The Evidence

• Deleting Files

• Deleting Internet History

• Formatting Drives

• Re-Partitioning Drives

• Physically Destroying Hard Drives and Floppies

• Passwords

• Using On-Line E-Mail

 – Hotmail

 – Yahoo Mail

• iPods and personal storage devices that can be overlooked.

Page 42: Computer Forensics Presentation

Recovering The Evidence

• Find Deleted Files

• Un-Format Drives

• Rebuild Partitions

• Recover Passwords

• Find hidden files and folders.

• Re-construct web pages.

• Locate deleted Email
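Two items from these slides, "find deleted files" (when the directory entry is gone and only the data in unallocated space remains) and the "suspiciously renamed files" sought on the earlier "What are you looking for?" slide, rest on the same idea: a file's format announces itself in its first bytes regardless of what it is called or whether the filesystem still points at it. The script below is an added example, not code from the original presentation: it carves files out of a buffer by header/footer signature and flags files whose extension contradicts their magic bytes. The "unallocated space" and the file listing are constructed inline; on a case the same scan runs over the raw image or the unallocated blocks exported by a forensic tool. Caveats a practitioner knows: a header can occur by chance in random data, fragmented files do not carve contiguously, and real carvers (foremost, scalpel, PhotoRec) add format validation this example omits.

```python
"""Signature-based file carving and extension/magic mismatch detection.

Added example, not code from the original presentation. SAMPLE_JPEG and
SAMPLE_PDF are minimal constructed byte strings, not real files, and the
'unallocated space' and file listing below are constructed for the demo.
"""
import re

# (type, header, footer, max_size). footer None => carve up to max_size / end of buffer.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    ("zip", b"PK\x03\x04", None, 100 * 1024 * 1024),  # also docx/xlsx/jar/apk
]
HEADERS = [(t, h) for t, h, _f, _m in SIGNATURES]

# Constructed stand-ins: just enough structure to carry the signatures.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n" + b"1 0 obj\n<< >>\nendobj\n" * 5 + b"%%EOF"


def carve(data):
    """Return [(type, offset, length)] for every header hit, sorted by offset.
    Length runs to the matching footer (inclusive); lacking one, to max_size
    or the end of the buffer."""
    found = []
    for ftype, header, footer, max_size in SIGNATURES:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window_end = min(len(data), start + max_size)
            if footer is not None:
                end = data.find(footer, start + len(header), window_end)
                length = (end + len(footer) - start) if end != -1 else window_end - start
            else:
                length = window_end - start
            found.append((ftype, start, length))
    return sorted(found, key=lambda hit: hit[1])


def identify(data):
    """Type implied by the magic bytes at the start of a file, or None."""
    for ftype, header in HEADERS:
        if data.startswith(header):
            return ftype
    return None


def renamed_suspects(files):
    """files: {name: bytes}. Return (name, claimed, actual) for every file whose
    extension disagrees with its content; unknown content is not reported."""
    aliases = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}
    suspects = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = aliases.get(ext, ext)
        actual = identify(data)
        if actual is not None and actual != ext:
            suspects.append((name, ext or "(none)", actual))
    return suspects


def build_unallocated():
    """Constructed 'unallocated space': text filler (which cannot contain any
    of the signatures above) with a JPEG and a PDF dropped into it."""
    filler = b"deleted file slack " * 250
    return filler[:1000] + SAMPLE_JPEG + filler[1000:2500] + SAMPLE_PDF + filler[2500:]


def sample_files():
    """Constructed directory listing: two honestly named files, two renamed to hide."""
    return {
        "vacation.jpg": SAMPLE_JPEG,
        "report.pdf": SAMPLE_PDF,
        "budget.xls": SAMPLE_JPEG,   # picture renamed to look like a spreadsheet
        "readme.txt": SAMPLE_PDF,    # PDF renamed to a text file
        "notes.txt": b"plain text, no signature",
    }


if __name__ == "__main__":
    for ftype, offset, length in carve(build_unallocated()):
        print(f"carved {ftype} at offset {offset}, {length} bytes")
    for name, claimed, actual in renamed_suspects(sample_files()):
        print(f"{name}: extension says {claimed}, content says {actual}")
```

Each carved hit is written out as its own file and hashed, then examined like any other recovered item; renaming, like deletion, hides a file only from someone who trusts the directory listing instead of the bytes.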

Page 43: Computer Forensics Presentation

Analysis

• Metadata

 – Many types of files contain metadata.

 • Metadata is information embedded in the file itself that describes the file.

 – Microsoft Office Documents

 • Computer name

 • Total edit time

 • Number of editing sessions

 • Where printed

 • Number of times saved

 – Digital camera pictures

 • Make and model of camera

 • Dates and times
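As an added example that is not part of the original presentation, the script below pulls the document properties the slide lists out of an Office Open XML (.docx) file, the current form of the Word documents the presenter had in mind (the older binary .doc keeps the same properties in an OLE SummaryInformation stream, which this example does not parse). OOXML stores them in two XML parts inside the zip container: docProps/core.xml (creator, last saved by, revision count, created/modified/last-printed times) and docProps/app.xml (application, company, cumulative editing time). A minimal .docx is constructed in memory with made-up metadata so the script runs offline; a seized file is opened the same way by path.

```python
"""Extract authoring metadata from a .docx: who created and last saved it,
how many times it was saved, total editing time, when it was created,
modified and last printed, and what application and company produced it.

Added example, not code from the original presentation. The sample .docx is
constructed in memory and its metadata values are invented for the demo.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Which XML element answers which investigative question.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",        # incremented on each save
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}
APP_FIELDS = {
    "application": "ep:Application",
    "company": "ep:Company",
    "total_edit_minutes": "ep:TotalTime",  # cumulative editing time, in minutes
    "template": "ep:Template",
}


def extract_docx_metadata(docx_bytes):
    """Return a flat dict of the properties above; absent ones are None."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())

        def read(part, fields):
            root = ET.fromstring(zf.read(part)) if part in names else None
            for key, tag in fields.items():
                el = root.find(tag, NS) if root is not None else None
                out[key] = el.text if el is not None else None

        read("docProps/core.xml", CORE_FIELDS)
        read("docProps/app.xml", APP_FIELDS)
    return out


def build_sample_docx():
    """Constructed stand-in for a seized document (all values are made up)."""
    core = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>OFFICE-PC\\jdoe</cp:lastModifiedBy>
 <cp:revision>14</cp:revision>
 <cp:lastPrinted>2006-03-02T21:10:00Z</cp:lastPrinted>
 <dcterms:created xsi:type="dcterms:W3CDTF">2006-02-28T14:05:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2006-03-03T09:41:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
    app = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
 <Application>Microsoft Office Word</Application>
 <Company>Example Co.</Company>
 <TotalTime>412</TotalTime>
 <Template>Normal.dotm</Template>
</Properties>""".format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder, not parsed here
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{key:20} {value}")
```

Every value here is self-reported by the authoring application and is trivially editable, so it corroborates rather than proves; it is most useful when it contradicts a defendant's account (a "never printed" document with a lastPrinted time, or a lastModifiedBy naming a machine the defendant denies using).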

Page 44: Computer Forensics Presentation

Document Metadata

Page 45: Computer Forensics Presentation

Picture Metadata

Page 46: Computer Forensics Presentation

Internet History – Before Clearing

Internet History – After Clearing

Page 47: Computer Forensics Presentation

Internet History – After Clearing

Page 48: Computer Forensics Presentation

Presentation

• Court presentation for a jury must be simple and straightforward.

 – Timelines

 – Emails

 – Documents

 – Pictures

Page 49: Computer Forensics Presentation

How Computer Evidence is Used

 – Verify Alibis

 – Establish Relationships Between Defendant and Victim or Accomplices

 – Establish Documentation of Events

 – Establish Mitigating Circumstances

 – Documents for use by Forensic Psychologists

 – Document Time Lines

Page 50: Computer Forensics Presentation

Discovery

• Officer’s/investigator’s notes

• Forensic investigator’s bench notes

• Search warrant

• Forensically sound copies of all imaged media

• Forensics report

Page 51: Computer Forensics Presentation

Questions?