computer/digital forensics

Computer/Digital Forensics Lynn Ackler Office – CSC 222 Office Hours MR 9 – 10 Any time you find me Course CCJ 346 – CRN 2037 TR 10:00 – 12:00

Upload: trynt

Post on 05-Jan-2016


Page 1: Computer/Digital Forensics

Computer/Digital Forensics

● Lynn Ackler
  – Office – CSC 222
  – Office Hours
    – MR 9 – 10
    – Any time you find me
  – Course
    – CCJ 346 – CRN 2037
    – TR 10:00 – 12:00

20/04/23 2

Course

● 2-3 hours of lecture per week
● 1-2 hours of lab per week
● Attendance
  – Your responsibility
● Labs
  – Must be done on Wednesdays, 3 - 4

Course Requirements

● Lab Reports – A bunch
  ● Web History
  ● MD5 Hash and Disk Clone
  ● Evidence Recovery
  ● Seizure
  ● Phishing
● 1 mid-term exam
● 1 Final – comprehensive

Course Description

● Surveys the technologies, techniques, and responsibilities of a criminal or civil investigation involving computers, digital devices, networks, network service providers and electronic evidence.

● Examines rules of evidence and proof and emphasizes maintaining an evidentiary trail through computer data and network activity.

● Reviews the responsibilities of the computer forensics investigator.

● Discusses the fragility of computer evidence and the techniques used to protect evidence.

SOU Course Catalog

Course Objectives

● Find evidence of individual behavior on a computer.

● Seize digital devices.

● Search, preserve and document digital evidence.

● Discuss the many ways that a digital device may be involved in criminal or illegal activities.

● Discuss the legal and ethical aspects of computer forensics.

● Describe the many vulnerabilities to your personal and professional life that computers and computer networks pose.

Acceptable Use

If you violate ethical or legal standards regarding computer/network usage, you are subject to dismissal and/or legal prosecution.

See www.sou.edu/usage.html

Computer Forensics

● As in all endeavors:

“Blame always falls somewhere.”

● Rule:

“Let it not be in your lap.”

Computer Forensics

● Discovery and recovery of digital evidence
  – Usually post facto
  – Sometimes real time
● Types of forensic investigations
  – Liturgical
    ● Going to court
    ● Crimes, etc.
  – Non-Liturgical
    ● Administrative adjudication
    ● Industry

Purpose

● Prove or disprove criminal activity
● Prove or disprove policy violation
● Prove or disprove malicious behavior to or by the computer/user

If the evidence is there, the case is yours to lose with very little effort.

Legal and Ethical Issues

● Computer Forensic Exams are Illegal.
  ● Without the cover of Law
  ● 4th Amendment
● You will learn dual use technology.
  – All tools can be used to commit crime
  – All procedures can be used to hide crime
● It is unethical to breach someone's expectation of privacy.

Responsibilities

● Evidence
  – All of it
  – Emphasis on exculpatory
● Respect for suspect's privacy and rights
● Beware of collateral damage
● Be very very careful if you demonstrate what you can do.

Business Issues

● No interruption of business
● Know the policies of the business
● Sensitive to the business costs during an investigation

Privacy Issues

● Rights of the suspect
● Liabilities of the investigator
● Public versus private storage of information
● Expectation of privacy

Course Outline

Forensics Intro
Web Behavior
Digital Devices and Networks
Computer Laws
“Computer” Seizure
“Computer” Search
Case Development
Internet

The Forensics Experience

CT/CSI

Counter Terrorism / Crime Scene Investigation

2006

Evidence

● Forensics is all about evidence.
● Something that tends to prove or disprove the existence of an alleged fact.
● Federal Rules of Evidence govern proceedings in the courts of the United States.

Evidence

● Admissible – must be legally obtained and relevant
● Reliable – has not been tainted (changed) since acquisition
● Authentic – the real thing, not a replica
● Complete – includes any exculpatory evidence
● Believable – lawyers, judge & jury can understand it

Evidence

● Admissible
  ● Search Warrant, Wire Tap, NSL
● Reliable
  ● Chain of custody, protected, properly handled
  ● Not tainted, not changed, MD5
● Authentic
  ● Computer data is different
● Complete
  ● Must search entire hard disk
● Believable
  ● Impossible for geeks

Definition of Forensics

● Discipline of digital evidence discovery, protection and presentation.

● Technologies, techniques, and responsibilities of a criminal or civil investigation involving computers, networks, network service providers and electronic evidence.

Types of Forensic Exams

● Legal or Liturgical
  – Will go to trial
● Civil
  – Similar to liturgical, probably for negotiation or extortion
● Business
  – Termination or reprimand of an employee
● Disaster Recovery
  – What happened, how to prevent
● Illegal/Surveillance

Read Your Employee’s Handbook

● What can your employer do to you?

● What can they see?

● What can you do?

● What can’t you do?

Areas of Forensics

● Physical
● Digital
● Chemical
● Accounting
● Etc.

Physical

● Ballistics
● Fingerprints
● Artifacts
● etc.

Digital Forensics
Computer Forensics

● Evidence contained in computers
● Evidence contained in digital devices
  ● Phones
  ● Cameras
  ● Memory sticks
  ● Smart cards
● Evidence contained in networks

Chemical

● Blood
● DNA
● Explosives
● Drugs
● Fiber analysis
● Etc.

Accounting

● Fraud
● Multiple sets of books
● Stock manipulation
● Insider trading

Digital Devices
Be careful, be very careful

● Computers, Laptops
● Palm pilots
● Cell phones
● iPods
● Cameras
● Camcorders
● etc.

Digital Evidence

● Records and Logs
● Results of activities
● Statement of intent
● Contraband
● Indication of time line

Skills and Knowledge

● Be aware of the many types of digital devices and their components and potential contents

● Develop a Web behavior profile

● Learn how to seize a computer and other devices

● Proper handling of digital evidence

● How to search a computer for evidence

● Analyze a phishing scam

● Become more knowledgeable about the digital/information world

Conviction

Must Prove:

Actus Reus - The criminal act

Mens Rea - The criminal intent