BACS 371 Computer Forensics - University of Northern Colorado


BACS 371 Computer Forensics
Jay M. Lightfoot, Ph.D., GCFA
Spring 2015
Welcome!
Welcome to BACS 371—Computer Forensics. This course will likely be one of the most challenging (and interesting) courses of your degree program.
It is a mixture of law enforcement, technical computer science, and psychology.
Computer Forensics…
… involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.[1]
[1] Kruse & Heiser, Computer Forensics: Incident Response Essentials, Lucent Technologies, 2002
Computer Crime in Pop Culture
Course Overview
- Syllabus
- Reading
  - Textbooks
  - Supplementary Articles
- Grading
  - In-Class Assignments
  - Homework (papers, podcast write-ups, forensic problems, …)
  - Labs
  - Quizzes
  - Exams
  - Misc.
In-Class work
- Periodically I will assign relatively small projects that are intended to be done during class.
- These will be due at the beginning of the next class period.
- Often, you won’t finish the project during class, so despite the “in-class” name, you will sometimes need to work on them out of class also.
- To minimize this, I will partially “flip” the class so that some lectures and software demonstrations are recorded. You will need to watch these recordings before class in order to get the full benefit of the exercise.
Homework
- Homework will periodically be assigned.
- Homework problems are more elaborate than in-class work and generally take more time.
- You will generally not be given class time to work on homework.
- It is due at the beginning of the period on the due date.
- Most homework assignments are “individual assignments.”
Lab Projects
- Lab projects are more elaborate than in-class work and normally take several days to complete.
- Most lab projects will be “group projects”.
- A group consists of 2 people. One project is turned in for the group and both members share the same grade.
- It is up to you to make sure that each member understands the project well enough to answer questions on the test.
- Off-hour lab access can be arranged via your Bear Card.
- Some special hardware may be assigned to your group. You are responsible for keeping track of it and making sure that it is put up after use.
- You will each need to have a USB flash drive (8GB or more).
- Optionally, you may also want to purchase a 2.5 inch external drive (80 GB minimum).
Quizzes
- Quizzes are short, unannounced “tests” that are given over recently covered material.
- They are normally given at the beginning of class.
- If you arrive late, you do not have extra time to complete them.
- There are no make-up quizzes (but I do drop the lowest quiz grade).
- They are intended to help you know areas that you need to study prior to the tests.
Examinations
- There are 3 examinations in this course.
- The first 2 are worth 15% of your grade and the 3rd (i.e., the “final”) is worth 25%.
- The final is comprehensive. The first 2 examinations only cover the new material (to the extent possible).
- There are rules that allow you to make up one of the first 2 examinations; but you cannot make up the final. See syllabus for details.
Course Expectations
- This is a new field – help me create content for the semester!
- Work hard, read all assignments, look for alternative sources of information
- Ask Questions!! Be Curious! Be sure you understand as you go.
- Fast pace!
  - Somewhat obscure material! (but it’s also very interesting)
- Learn from your classmates
- When you learn new things, teach the rest of us!
Create a Course Binder*
- Reading
  - Supplementary Articles
  - Notes distributed during class
- Assignments
  - In-Class Activities
  - Labs
  - Homework Assignments
- Presentation Slides
- Class Notes
- Document templates
  - Chain of custody
  - Evidence gathering notes
  - etc.
- Other References
* This is just a suggestion; it is not required.
Internet Crime Complaint Center
2013 Internet Fraud Crime Report (latest available)
- Internet Fraud Complaint Center (IFCC) began operation May 8, 2000
- Partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI)
- Vehicle to receive, develop, and refer criminal complaints in cyber crime
- Renamed Internet Computer Crime Complaint Center (IC3) on December 1, 2003
- http://www.ic3.gov

Data from January 1, 2012 – December 31, 2013
- 262,813 complaints received for $781,841,611 (48.8% $ increase over 2012)
  - 119,457 of these involved a monetary loss
  - Average dollar loss: $6,245
- Top 5 reported loss categories (as of 2011 report):
  - FBI-related scams: 35,764
  - Advanced fee fraud: 27,892
  - Identity theft: 28,915
  - Non-auction, non-delivery of merchandise: 22,404
  - Overpayment fraud: 18,511

Annual IC3 Complaints
[Chart: Total IC3 Complaints per year, 2001–2013; y-axis 0–400,000]
Yearly Dollar Loss Trend
[Chart: Yearly Dollar Loss (in millions), Total $ Loss per year, 2001–2013; y-axis 0–900]
FBI Computer Forensics Lab in Colorado
http://www.rcfl.gov/
http://www.rmrcfl.org/
CENTENNIAL, Colo. (AP) -- A new forensic laboratory will open next month to help law enforcement authorities in Colorado and Wyoming investigate crimes involving technology. Analysts at the Rocky Mountain Regional Computer Forensic Laboratory in Centennial can work with seized computers to dredge up deleted files, see what web sites have been displayed and find e-mail messages.
DENVER (AP) -- The number of incidents involving nurses and other medical professionals stealing drugs meant for patients is growing -- despite technology in narcotics dispensers that makes that increasingly difficult. State officials say there were 76 cases of “diverted drugs” in Colorado’s hospitals this fiscal year -- almost triple the 26 reported in fiscal year 2001.
16 Regional Forensic Labs
http://www.rcfl.gov/
http://www.rmrcfl.org/
RCFL Statistics - 2012
http://www.ic3.gov/default.aspx
Famous Cases with Forensic Links
- Enron
- BTK Serial Killer
- Chandra Levy
- Wikileaks
- Times Square bomber
- Dr. Conrad Murray (Michael Jackson’s physician)
- ...
Laws and Statutes Coverage
Computer forensics deals with laws:
- Regarding Computer Crime
- Regarding Collection of Digital Evidence
- Regarding Handling of Digital Evidence
- Regarding Disposition & Analysis of Digital Evidence
- Regarding Privacy
And many of these laws are “dynamic”
Computer Basics
- Hardware
  - Hard Drive
  - Removable Drives (“thumb drives”)
  - RAM
  - Networking (minimal classroom coverage)
- Software
  - Operating Systems (DOS/Windows/UNIX)
  - File Systems (FAT32/NTFS/EXT3)
  - Applications (MS Word, Adobe, Outlook, …)
Computer Forensic Methods
- Active Data
  - Data intentionally remaining on the computer
  - Data hidden in plain sight
- Latent Data
  - Data unintentionally remaining on the computer
  - Data recoverable by forensic methods
- “Live” vs. “Dead” (aka “static”) analysis
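The active/latent distinction above, as an added example that is not from the course slides: a constructed byte string stands in for a disk image, holding an allocated text file (active data) and the bytes of a deleted JPEG that no directory entry points at any more (latent data). Signature-based carving recovers the latent file from raw bytes, and a SHA-256 hash recorded at acquisition is re-checked afterward as the preservation step; the image contents, file names and hashes are all made up for illustration.

```python
import hashlib

# JPEG start-of-image and end-of-image markers, used as carving signatures.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

def build_sample_image() -> bytes:
    """Constructed 'disk image' (not a real acquisition): an allocated text file
    (active data) followed by unallocated space that still holds the bytes of a
    deleted JPEG (latent data). The directory entry for the JPEG is gone."""
    active_file = b"notes.txt: meeting at 10am" + b"\x00" * 6
    deleted_jpeg = JPEG_SOI + b"\xe0" + b"<constructed JFIF payload>" + JPEG_EOI
    unallocated = b"\x00" * 16 + deleted_jpeg + b"\x00" * 16
    return active_file + unallocated

def sha256_hex(data: bytes) -> str:
    """Hash recorded at acquisition and re-checked after analysis (preservation)."""
    return hashlib.sha256(data).hexdigest()

def carve_jpegs(image: bytes) -> list:
    """Signature-based carving: walk the raw bytes and return every SOI...EOI
    span, ignoring the file system entirely. This is how latent data is found
    when no directory entry points at it any more."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header without trailer: a fragment, not carved here
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found

def examine(image: bytes) -> dict:
    """Carve the image and confirm the working copy's hash did not change."""
    acquisition_hash = sha256_hex(image)
    carved = carve_jpegs(image)
    return {
        "acquisition_hash": acquisition_hash,
        "hash_unchanged": sha256_hex(image) == acquisition_hash,
        "carved": carved,
    }
```

Calling `examine(build_sample_image())` returns one carved JPEG even though only `notes.txt` is visible as an allocated file, which is the practical difference between active and latent data.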
Forensic Tools
- WinHex
- Directory Snoop
- Shadow Explorer
- Partition Manager
- FTK Imager
BACS 371 Will Not Cover
- Network Forensics
- File Systems other than FAT/NTFS
  - E.g.: no Mac, Solaris, DVD, CD, …
- Malware
  - E.g.: Viruses, Trojan Horses, Spyware, …
- Mobile Devices
- Prevention
- Advanced Data Hiding
  - Breaking Password Protection
  - Encrypted Files
  - Steganography
Computer Forensics Certifications
| Certification | Agency | Notes | Website |
| CCE – Certified Computer Examiner | ISFCE – International Society of Forensic Computer Examiners | Pass online exam and hands-on test | http://www.certifiedcomputer-examiner.com/ |
| CFCE – Certified Forensic Computer Examiner | IACIS – International Association of Computer Investigation Specialists | Must be sworn law enforcement officer or govt employee | |
| GCFA – GIAC Certified Forensic Analyst | GIAC – Global Information Assurance Certification, SANS Institute | | http://www.sans.org/ |
| CCCI, CCFT – Certified Computer Crime Investigator, Certified Computer Forensic Technician | HTCN – High Tech Crime Network | | http://www.htcn.org/ |
| Tool Specific Certifications | OSU – Oregon State University | EnCase, as part of the NTI Training Class | |
Careers in Computer Forensics
- Law Enforcement
- Criminal Investigation
- Corporate Computer Security
- DoD/Military/Government
- Information Technology
- Consulting Firms
- Expert Witness
Computer Forensics Job Trends*
* As of January 2015
Computer Forensics Salary Average*
* As of January 2015
Characteristics of a Good Cyber Investigator[1]
- Excellent observation skills
- Good memory
- Organization skills
- Documentation skills
- Objectivity
- Knowledge
- Ability to think like a criminal
- Intellectually controlled constructive imagination
- Curiosity
- Stamina
- Patience
- Love of learning
[1] Scene of the Cybercrime, Shinder & Tittel, p. 136
Plus …[1]
- A basic knowledge of computer science
- An understanding of computer networking protocols
- Knowledge of computer jargon
- An understanding of hacker culture
- Knowledge of computer and networking security issues
- Knowledge of computer file systems (FAT, FAT32, NTFS, Ext2, etc.)
[1] Scene of the Cybercrime, Shinder & Tittel, p. 136
The Perfect Forensics Candidate[1]
- Strong Computer Skills
- Investigative Background
- Understanding of state and federal statutes relating to the collection and preservation of evidentiary data
- Understanding of criminal statutes
- High ethical and moral standards
[1] The Perfect Forensics Candidate, Computerworld, January 14, 2002, http://www.computerworld/com/printthis/2002/0,4814,67228,00.html
BACS 371
So, are you ready to get started?