Effective Discovery Techniques In Computer Crime Cases

Post on 16-Dec-2015

Page 1: Effective Discovery Techniques In Computer Crime Cases

Effective Discovery Techniques In Computer Crime Cases

Page 2

Introduction

Page 3

Storm’s Edge Technologies

IT Consulting Company servicing the Dallas/Fort Worth area. Services:

- PC Support and Custom Built PCs
- Server Support and Custom Built Servers
- Network Support
- Firewall Support
- Web Site Development/Hosting
- Custom Application Development
- Computer Forensics
- Disaster/Data Recovery Services

Page 4

Contact Information

Daniel A. FitzGerald

P.O. Box 8995

Fort Worth, TX 76124

Email: [email protected]

Phone: 817.496.4956

Fax: 817.496.3435

Web: www.stormsedge.com

Page 5

Forensic Process

Page 6

Overview

Page 7

Stage of the Forensic Process

Page 8

Stage of the Forensic Process

Page 9

Stage of the Forensic Process

Page 10

Stage of the Forensic Process

Page 11

Stage of the Forensic Process

Page 12

Forensic Timeline

Page 13

Computers or Spies?

What can we determine from a PC?

- Users
- Passwords
- Web sites viewed
- Documents opened
- Pictures viewed
- Age of PC
- Last reboot time
- What files have been accessed, deleted, modified, etc…

Page 14

Computers or Spies?

What can we determine from a PC?

- Who created the document
- When documents were printed
- What software created the document
- What devices were used
- Who has used the PC
- What software has recently been used
- When the OS was installed

The possibilities are too numerous to list!

Page 15

Integrating the PC

Registry files contain an abundant amount of information, including:

- Usernames/passwords for email, websites, and programs
- Internet sites visited along with date/times
- Search terms used on Google and other search engines
- Recent file activity/access
- List of software installed

Page 16

Integrating the PC

Registry files contain an abundant amount of information, including:

- Screen saver password required or not
- User logon required or not
- Date Windows was installed
- Date each user last logged on
- Etc…

Page 17

Integrating the PC

PC event logs can provide some insight into the use of a PC:

- Change in system time
- Boot/startup times
- Problems with drivers & devices

Because the event logs generally cover a time period of several months, they can provide a good history of activity.

Page 18

Other Files

INI files are used by programs to store information/configuration. They are plain text and safe for export.

LNK (shortcut) files will often provide insight into the user's programs.

The Start Menu will give you a list of the common programs they run/access.
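As an added example (not from the original slides), a small parser for the fixed ShellLinkHeader at the start of every .lnk file: it pulls out the target's creation, access and write times, size and link flags, which is what makes a shortcut useful evidence of what a user opened even after the target file itself is gone. The field layout follows the MS-SHLLINK header; the sample shortcut bytes are constructed inside the block, and nothing beyond the 76-byte header is parsed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 76-byte ShellLinkHeader that starts every .lnk file (MS-SHLLINK)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means 'not recorded'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_lnk_header(data):
    """Return the target's timestamps, size and flags stored in the shortcut header.
    These describe the target file as it was when the shortcut was created or
    updated, so they survive even if the target is later deleted."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (size, clsid, flags, _attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
    }

def build_sample_lnk(created, accessed, modified, size, flags=0x83):
    """Constructed test data: a header-only .lnk (no trailing structures)."""
    return struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)

SAMPLE_LNK = build_sample_lnk(datetime(2015, 12, 10, 8, 0, tzinfo=timezone.utc),
                              datetime(2015, 12, 16, 9, 30, tzinfo=timezone.utc),
                              datetime(2015, 12, 15, 17, 45, tzinfo=timezone.utc), 4096)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

A real shortcut continues past the header with the target ID list, link info and string data; the header alone is enough to answer "when was this target last touched".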

Page 19

Alibi with a PC

Establish who was using the PC:

- UserID/password
- Screen saver with password
- User-specific knowledge, like logging into the MySpace web site

Establish that the PC has the correct time:

- Check BIOS date vs. Windows date
- Check the Event Log for time sync events

Page 20

Alibi with a PC

Determine activity and time:

- File dates (creation, access, modified)
- Web site activity
- Email activity
- Printer activity

Page 21

Classified/Sensitive Data

How to perform a forensic analysis when you cannot possess the data:

- Identify who has secured the evidence
- Determine local policies for providing access
- Process the forensic image files
- Review any sensitive data on-site
- Generate report

Extract non-sensitive files for processing in your own forensic lab.

Request a review and copy of the report to ensure no classified/sensitive data is exported.

Page 22

Extracting Non-Sensitive Files

Files to extract for later processing:

- Registry files
- Event logs
- INI files
- LNK files
- Access database of all files

FTK will create this database as part of its normal processing of the forensic image files.

EnCase will need to export a CSV file.

Page 23

What is …

Slack Space – The area between the end of the file and the end of the cluster.

Free Space – The area available to store data, including areas where files were stored but have been deleted.

Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions.

Swap File – File used to cache memory to the hard drive.

Hibernation File – File used to store memory to the hard drive when hibernating.
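To make the slack space and free space definitions concrete, here is an added example (not from the slides) that builds a small four-cluster volume image with an assumed 512-byte cluster size, writes a new 700-byte file over part of a deleted memo, and then carves the new file's slack and the free clusters for readable remnants. The image contents, file name, cluster chain and sizes are all constructed for the demonstration.

```python
import string

CLUSTER_SIZE = 512  # assumed cluster size of the constructed volume
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def file_slack(image, chain, file_size, cluster_size=CLUSTER_SIZE):
    """Slack space: bytes from end-of-file to the end of the file's last cluster."""
    used_in_last = file_size % cluster_size
    if used_in_last == 0:                       # file ends exactly on a cluster boundary
        return b""
    last = chain[-1]
    return bytes(image[last * cluster_size + used_in_last:(last + 1) * cluster_size])

def free_clusters(image, allocated, cluster_size=CLUSTER_SIZE):
    """Free space: every cluster not owned by a live file, deleted-file remnants included."""
    total = len(image) // cluster_size
    return {n: bytes(image[n * cluster_size:(n + 1) * cluster_size])
            for n in range(total) if n not in allocated}

def carve_strings(data, min_len=8):
    """Recover printable runs, the examiner's first look at slack or free space."""
    found, run = [], ""
    for b in data + b"\x00":                    # trailing sentinel flushes the last run
        ch = chr(b)
        if ch in PRINTABLE:
            run += ch
        else:
            if len(run) >= min_len:
                found.append(run)
            run = ""
    return found

def build_sample_image():
    """Constructed 4-cluster volume: a deleted memo once filled clusters 1-3, then a
    700-byte notes.txt was written into clusters 1-2 over the top of it."""
    image = bytearray(4 * CLUSTER_SIZE)
    memo = b"DELETED MEMO: payroll export scheduled 2015-12-16. "
    image[CLUSTER_SIZE:4 * CLUSTER_SIZE] = (memo * 40)[:3 * CLUSTER_SIZE]
    image[CLUSTER_SIZE:CLUSTER_SIZE + 700] = (b"notes.txt line " * 50)[:700]
    return image, {"notes.txt": {"chain": [1, 2], "size": 700}}

if __name__ == "__main__":
    image, files = build_sample_image()
    meta = files["notes.txt"]
    print("slack remnants:", carve_strings(file_slack(image, meta["chain"], meta["size"])))
    print("free clusters:", sorted(free_clusters(image, {1, 2})))
```

The slack of notes.txt (324 bytes of cluster 2) and the whole of free cluster 3 still hold the deleted memo, which is why both regions are examined rather than only the live file contents.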

Page 24

How Do I?

- Prove a USB key was used on a PC
- Prove an image was viewed
- Recover deleted files
- Determine if a user has opened a file
- Prove a file was copied/moved
- Find out when a file was deleted
- Demonstrate a PC was used remotely
- Show who created a file
- Etc…

Page 25

Open Questions

Page 26

Storm’s Edge Technologies