SUMMER BRIDGE PROGRAM DR. HWAJUNG LEE DR. ASHLEY PODHRADSKY Computer Forensics

Upload: augustine-jacobs

Post on 27-Dec-2015


Page 1: Title

SUMMER BRIDGE PROGRAM
DR. HWAJUNG LEE
DR. ASHLEY PODHRADSKY
Computer Forensics

Page 2: Objectives

- What is computer forensics?
- History of computer forensics
- When is computer forensics used?
- Computer forensics in the news
- Describe how to prepare for computer investigations
- Computer forensics example: AccessData FTK Imager

Source text: Guide to Computer Forensics and Investigations

Page 3: Understanding Computer Forensics

Computer forensics
- Involves obtaining and analyzing digital information
- Investigates data that can be retrieved from a computer's hard disk or other storage media
- The task of recovering data that users have hidden or deleted and using it as evidence
- Evidence can be inculpatory ("incriminating") or exculpatory

Related fields
- Network forensics: yields information about how a perpetrator or an attacker gained access to a network
- Data recovery: recovering information that was deleted by mistake or intentionally; typically you know what you're looking for
- Disaster recovery: uses computer forensics techniques to retrieve information that clients have lost due to natural or man-made disaster

Page 4: A Brief History of Computer Forensics

1970s
- Electronic crimes were increasing, especially in the financial sector
- Most law enforcement officers didn't know enough about computers to ask the right questions or to preserve evidence for trial
- Fraction-of-a-penny crime (Office Space, anyone??)

1980s
- Norton DiskEdit soon followed and became the best tool for finding deleted files
- Apple produced the Mac SE: a Macintosh with an external EasyDrive hard disk with 60 MB of storage

1990s
- Tools for computer forensics were available
- International Association of Computer Investigative Specialists (IACIS): training on software for forensics investigations
- ExpertWitness for the Macintosh: the first commercial GUI software for computer forensics, created by ASR Data

Page 5: Understanding Case Law

- Technology is evolving at an exponential pace; existing laws and statutes can't keep up with the change
- Case law is used when statutes or regulations don't exist
- Case law allows legal counsel to use previous cases similar to the current one, because the laws don't yet exist
- Each case is evaluated on its own merit and issues

Page 6: Preparing for Computer Investigations

- Computer investigations and forensics fall into two distinct categories: public investigations, and private or corporate investigations
- Public investigations involve government agencies responsible for criminal investigations and prosecution
- Organizations must observe legal guidelines
- The law of search and seizure protects the rights of all people, including suspects

Page 7: Preparing for Computer Investigations (continued)

- Private or corporate investigations deal with private companies, non-law-enforcement government agencies, and lawyers
- They aren't governed directly by criminal law or Fourth Amendment issues
- They are governed by internal policies that define expected employee behavior and conduct in the workplace
- Private corporate investigations also involve litigation disputes
- Investigations are usually conducted in civil cases

Page 8: Understanding Corporate Investigations

- Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes
- Corporate computer crimes can involve: e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, industrial espionage

Page 9: Understanding Corporate Investigations (continued)

Establishing company policies
- One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
- Published company policies provide a line of authority for a business to conduct internal investigations
- Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation

Displaying warning banners
- Another way to avoid litigation

Page 10: Maintaining Professional Conduct

- Professional conduct determines your credibility; it includes ethics, morals, and standards of behavior
- Maintaining objectivity means you must form and sustain unbiased opinions of your cases
- Maintain an investigation's credibility by keeping the case confidential; in the corporate environment, confidentiality is critical
- In rare instances, your corporate case might become a criminal case as serious as murder

Page 11: Preparing a Computer Investigation

- The role of the computer forensics professional is to gather evidence
- Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence
- Collect evidence that can be offered in court or at a corporate inquiry
- Investigate the suspect's computer
- Preserve the evidence on a different computer
- Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court

Page 12: Taking a Systematic Approach

Steps for problem solving
1. Make an initial assessment about the type of case you are investigating
2. Determine the resources you need
3. Obtain and copy an evidence disk drive
4. Identify the risks
5. Mitigate or minimize the risks
6. Analyze and recover the digital evidence
7. Investigate the data you recover
8. Complete the case report
9. Critique the case

Page 13: Planning Your Investigation

A basic investigation plan should include the following activities:
1. Acquire the evidence
2. Complete an evidence form and establish a chain of custody
3. Secure evidence in an approved secure container
4. Prepare a forensics workstation
5. Make a forensic copy of the evidence
6. Return the evidence to the secure container
7. Process the copied evidence with computer forensics tools
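Slides 11 and 13 call for an evidence form and a chain of custody that records every hand-off from collection until the case closes. The Python below is an added example, not part of the original slides or of any AccessData tool: the case number, item, handlers, timestamps and drive contents are constructed, and re-hashing the item's contents at every hand-off (so a mismatch against the acquisition hash pinpoints where the chain broke) is this example's own design, not a procedure the slides prescribe.

```python
"""Evidence form with a chain-of-custody log (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601, UTC
    handler: str          # who had the item at this point
    action: str           # what was done with it
    location: str         # where it was
    hash_at_handoff: str  # hash of the item's contents verified at this hand-off


@dataclass
class EvidenceForm:
    case_number: str
    item_number: str
    description: str
    collected_by: str
    acquisition_hash: str  # hash taken when the item was first acquired
    custody: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, location: str,
               contents: bytes, when: datetime) -> CustodyEntry:
        """Append one hand-off; the hash is recomputed from the item's current contents."""
        entry = CustodyEntry(when.isoformat(), handler, action, location, sha256_hex(contents))
        self.custody.append(entry)
        return entry

    def first_mismatch(self) -> Optional[CustodyEntry]:
        """First hand-off whose hash differs from the acquisition hash, or None if intact."""
        for entry in self.custody:
            if entry.hash_at_handoff != self.acquisition_hash:
                return entry
        return None

    def integrity_ok(self) -> bool:
        return self.first_mismatch() is None


def demo() -> dict:
    """Walk one constructed item through collection, storage and imaging."""
    original = b"constructed contents of the seized drive"  # stands in for the disk
    form = EvidenceForm("CASE-2015-001", "ITEM-01", "laptop hard disk (constructed)",
                        "J. Examiner", sha256_hex(original))
    t0 = datetime(2015, 12, 27, 9, 0, tzinfo=timezone.utc)
    form.record("J. Examiner", "collected from suspect workstation", "office 214",
                original, t0)
    form.record("J. Examiner", "sealed in evidence container", "evidence locker A",
                original, t0 + timedelta(hours=1))
    form.record("K. Analyst", "checked out for imaging", "forensics lab",
                original, t0 + timedelta(days=1))
    intact_before = form.integrity_ok()
    # A later hand-off finds the contents changed: the chain is broken and the form shows where.
    altered = original + b"!"
    form.record("K. Analyst", "returned to container", "evidence locker A",
                altered, t0 + timedelta(days=1, hours=3))
    bad = form.first_mismatch()
    return {"intact_before": intact_before,
            "intact_after": form.integrity_ok(),
            "first_bad_action": bad.action if bad else None,
            "entries": len(form.custody)}


if __name__ == "__main__":
    print(demo())
```

On a real case the hash would be computed from the original medium through a write-blocker at acquisition, and every later entry would compare the stored image (or the medium itself, read-only) against that value; the form never replaces the physical evidence tape and sealed container the slides describe, it documents them.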

Page 14: Securing Your Evidence

- Use evidence bags to secure and catalog the evidence
- Use computer-safe products: antistatic bags, antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings (including the power supply electrical cord)
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Page 15: Understanding Data Recovery Workstations and Software

- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- Computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer loaded with additional bays and forensics software
- To avoid altering the evidence, use: a forensics boot disk, write-blocker devices, a network interface card (NIC), extra USB ports, FireWire 400/800 ports, a SCSI card, a disk editor tool, a text editor tool, a graphics viewer program, and other specialized viewing tools

Page 16: Digital Forensic Cases

- BTK Killer: http://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
- Michael Jackson: http://www.dfinews.com/news/michael-jackson-death-trial-showcases-iphone-forensics
- Caylee Anthony: http://www.christianpost.com/news/casey-anthony-trial-computer-expert-unearths-chloroform-internet-searches-50980/

Page 17: Understanding Bit-Stream Copies

Bit-stream copy
- Bit-by-bit copy of the original storage medium
- Exact copy of the original disk
- Different from a simple backup copy: backup software only copies known files, so it cannot copy deleted files or e-mail messages, or recover file fragments

Bit-stream image
- File containing the bit-stream copy of all data on a disk or partition
- Also known as a forensic copy

Page 18: Acquiring an Image of Evidence Media

- First rule of computer forensics: preserve the original evidence
- Conduct your analysis only on a copy of the data
- Use FTK Imager to create a forensic image: www.accessdata.com/support/downloads
- Your job is to recover data from: deleted files, file fragments, complete files
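Slides 17 and 18 contrast a backup with a bit-stream image and insist that analysis happens only on a verified copy. The Python below is an added example, not code from the slides or from FTK Imager: it builds a constructed toy disk whose sector 0 is a directory of live files, deletes a file the way most filesystems do (directory entry dropped, data sectors left in place), and shows that a backup of known files misses the deleted content while a bit-stream image keeps every byte, can be verified by hash, and still yields the deleted record to a signature search. ToyDisk, backup_copy, bit_stream_image and carve are names invented for this example; the sector geometry and file contents are constructed.

```python
"""Backup copy vs. bit-stream image on a constructed toy disk (added example)."""
import hashlib

SECTOR_SIZE = 32
SECTOR_COUNT = 8


class ToyDisk:
    """Minimal medium: sector 0 holds a directory of live files, sectors 1..7 hold data."""

    def __init__(self) -> None:
        self.raw = bytearray(SECTOR_SIZE * SECTOR_COUNT)
        self.directory = {}  # name -> (start_sector, length), mirrored into sector 0

    def _flush_directory(self) -> None:
        entry = ";".join(f"{n}:{s}:{l}" for n, (s, l) in self.directory.items()).encode()
        self.raw[0:SECTOR_SIZE] = entry.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]

    def write_file(self, name: str, data: bytes, start: int) -> None:
        assert 1 <= start < SECTOR_COUNT and len(data) <= SECTOR_SIZE
        off = start * SECTOR_SIZE
        self.raw[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self._flush_directory()

    def delete_file(self, name: str) -> None:
        # As on most filesystems: only the directory entry goes, the data sectors stay.
        del self.directory[name]
        self._flush_directory()

    def read_file(self, name: str) -> bytes:
        start, length = self.directory[name]
        return bytes(self.raw[start * SECTOR_SIZE:start * SECTOR_SIZE + length])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backup_copy(disk: ToyDisk) -> dict:
    """What backup software does: copy only the files the directory knows about."""
    return {name: disk.read_file(name) for name in disk.directory}


def bit_stream_image(disk: ToyDisk):
    """Forensic copy: every byte of the medium, allocated or not, with hashes of source and image.

    On a real drive the source would be read behind a write-blocker; the two hashes
    are what gets recorded on the evidence form to show the image matches the original."""
    source_hash = sha256_hex(bytes(disk.raw))   # hash of the original medium
    image = bytes(disk.raw)                      # the bit-by-bit copy
    return image, source_hash, sha256_hex(image)


def carve(image: bytes, signature: bytes):
    """Recover a record from unallocated space by searching the image for a known marker."""
    start = image.find(signature)
    if start < 0:
        return None
    end = image.find(b"\x00", start)
    return image[start:end if end >= 0 else len(image)]


def demo() -> dict:
    disk = ToyDisk()
    disk.write_file("memo", b"MEMO:budget ok", 1)      # constructed live file
    disk.write_file("plan", b"PLAN:meet at 9pm", 2)    # constructed file, deleted below
    disk.delete_file("plan")
    backup = backup_copy(disk)
    image, source_hash, image_hash = bit_stream_image(disk)
    return {
        "backup_files": sorted(backup),                                  # only "memo"
        "hash_match": source_hash == image_hash,                          # image verified
        "deleted_in_backup": any(b"PLAN:" in v for v in backup.values()),  # False
        "carved": carve(image, b"PLAN:"),                                 # deleted record
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is the slides' own: the backup is correct as a backup (it has every known file) and still useless as evidence, because the deleted record only survives in the bit-stream image, and the matching hashes are what let you work on the image instead of the original.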