Computer Forensics BACS 371 - University of Northern Colorado
Computer Forensics
BACS 371
Phases of Computer Forensics
The purpose of this slide-set is to provide an overview and introduction to the steps taken in a full forensic investigation. Later material will go into detail concerning specific components of this process.
Phases of Computer Forensics
Collection Phase
- Get physical access to computer and related items
- Authentication & Preservation
- Document initial state of evidence
- Make a forensic image copy of all digital information
Examination Phase
- Makes evidence visible
- Explains origin and significance
- Develop initial hypothesis
Analysis Phase
- Follow trail of clues
- Build evidence set
- Revise hypothesis
Reporting Phase
- Outline/Review examination process
- Discuss pertinent data recovered
- Document the validity of procedure
Collection Phase
“Collection” in a forensic investigation is a series of steps related to electronic evidence. It is the
- Search for…
- Recognition of…
- Documentation of…
- Collection and Preservation of…
- Packaging and Transportation of…
…electronic evidence.
Methodology for Investigating Computer Crime
Search and Seizure (also involves 4th Amendment issues)
- Formulate a plan
- Approach and Secure Crime Scene
- Document Crime Scene Layout
- Search for Evidence
- Retrieve Evidence
- Log & Secure Evidence
This is followed by…
Information Discovery
- Formulate Plan
- Search for Evidence
- Process Evidence
All this while maintaining Chain of Custody
Digital Evidence Collection Toolkit (1)
Documentation Tools
- Cable tags
- Indelible felt tip markers
- Stick-on labels
Disassembly and Removal Tools
- Flat-blade and Phillips-type screwdrivers
- Hex-nut drivers
- Needle-nose pliers
- Secure-bit drivers
- Small tweezers
- Specialized screwdrivers
- Standard pliers
- Star-type nut drivers
- Wire cutters
Package and Transport Supplies
- Antistatic bags
- Antistatic bubble wrap
- Cable ties
- Evidence bags
- Evidence tape
- Packing materials
- Packing tape
- Sturdy boxes of various sizes
Other Items
- Gloves
- Hand truck
- Large rubber bands
- List of contact telephone numbers for assistance
- Magnifying glass
- Printer paper
- Seizure disk
- Small flashlight
- Wiped flash drives
(1) Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Document the Scene (1)
- Observe and document scene – photos and sketches
- Take copious notes
- Document condition of computers
- Identify related, but not collected, electronics
- Make note of unusual computer literature
- Photograph scene
- Photograph computer (prior to seizure)
Evidence Collection
While on the crime scene, you need to collect the evidence. This can include…
- Non-electronic evidence (papers, photos, …)
- Stand-alone/Laptop computers
- Removable data storage (flash, disk, CD, DVD, …)
- Computers attached via a network
- Network servers
- Other electronic devices
Collecting Digital Evidence
Examination Phase
In the examination phase you are primarily concerned with finding out what evidence is available and determining how useful it will be in your investigation.
Prior to examination, you must make forensic images of the evidence.
This allows you to safely process the evidence without the danger of accidentally modifying it.
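The imaging step above is only defensible if you can later prove the image is an unchanged copy of the original. The following is an added example, not code from the course slides: it hashes constructed stand-in evidence at acquisition, verifies the working image against that hash before examination, and records each step as a chain-of-custody entry (case id and examiner name are placeholders).

```python
"""Added example: hash-based authentication and preservation of a forensic image."""
import hashlib
import datetime

# Constructed stand-in for a seized drive; in practice this is the raw device.
ORIGINAL_EVIDENCE = b"\x00" * 512 + b"secret.docx contents" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Hash in fixed-size chunks, the way a multi-GB image would be streamed."""
    h = hashlib.sha256()
    for i in range(0, len(data), 256):
        h.update(data[i:i + 256])
    return h.hexdigest()


def acquire_image(evidence: bytes) -> tuple:
    """Make the bit-for-bit working copy and record the acquisition hash."""
    image = bytes(evidence)
    return image, sha256_hex(evidence)


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the image; any change since acquisition fails the check."""
    return sha256_hex(image) == acquisition_hash


def custody_entry(case_id: str, examiner: str, action: str, digest: str) -> dict:
    """One chain-of-custody record: who did what to which hash, and when (UTC)."""
    return {"case": case_id, "examiner": examiner, "action": action,
            "sha256": digest,
            "utc": datetime.datetime.now(datetime.timezone.utc).isoformat()}


def preserve_and_check(evidence: bytes, case_id: str = "CASE-0000",
                       examiner: str = "examiner-placeholder") -> list:
    """Acquire, then verify before examination; returns the custody log."""
    image, digest = acquire_image(evidence)
    log = [custody_entry(case_id, examiner, "acquired image", digest)]
    ok = verify_image(image, digest)
    log.append(custody_entry(case_id, examiner,
                             "pre-examination verify: " + ("PASS" if ok else "FAIL"),
                             sha256_hex(image)))
    return log
```

A failed verify means the working copy can no longer be tied to the original and must be re-acquired from the preserved evidence.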
Places to Look for Information
There are a number of common places to look for evidence in the imaged data.
- Deleted Files and Slack Space
- Recycle Bin
- System and Registry Files
- Unallocated Disk (Free) Space
- Unused Disk Space
- Erased Information
Ways of Hiding Information
There are many ways to hide information. Some are more sophisticated than others.
- Rename the File
- Rename the File extension
- Make the Information Invisible
- Use Windows to Hide Files
- Protect the File with a Password
- Encrypt the File
- Use Steganography
- Compress the File
- Hide the Hardware
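The examiner's answer to a renamed file extension is to type files by their leading signature bytes rather than their name. This added example (not from the course slides) compares each file's extension against the file signature at its start and flags mismatches; the signatures are real, the sample files are constructed in memory.

```python
"""Added example: flag files whose extension does not match their file signature."""
from typing import Optional

# Well-known leading bytes ("magic numbers") for a few common formats.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # ZIP container: also .docx/.xlsx/.pptx/.jar
    b"\x7fELF": "elf",
}
# Extensions that legitimately sit on a given signature.
ALIASES = {"zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "jpg": {"jpg", "jpeg"}}


def detect_type(header: bytes) -> Optional[str]:
    """Return the content type implied by the first bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, header: bytes) -> bool:
    """True when the content type is known and the extension does not fit it."""
    kind = detect_type(header)
    if kind is None:
        return False                     # unknown content: nothing to compare
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in ALIASES.get(kind, {kind})


# Constructed sample "files": (name, first bytes) as read from an image.
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("notes.txt", b"\xff\xd8\xff\xe0" + b"\x00" * 12),    # JPEG renamed to .txt
    ("report.docx", b"PK\x03\x04" + b"\x00" * 12),
    ("readme.txt", b"just text\n"),
    ("budget.pdf", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),  # ELF binary named .pdf
]


def suspicious(samples=SAMPLES) -> list:
    """Names of files whose extension disagrees with their signature."""
    return [name for name, head in samples if extension_mismatch(name, head)]
```

Files with no recognised signature are left for other techniques (entropy checks for encrypted or compressed data, string searches) rather than being reported as clean.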
Analysis Phase
Once the key information has been uncovered, it is time to put together a “picture” of what happened.
Basically, you are building a hypothesis based on the initial evidence that was uncovered.
This is helpful because it indicates what you need to look for next.
This type of analysis should use the “scientific method.”
Brief Outline of the Scientific Method
Successful forensic examinations generally follow the scientific method.
1. Identify and research a problem
2. Formulate a hypothesis
3. Conceptually and empirically test the hypothesis
4. Evaluate the hypothesis with regards to test results
5. If hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis
Computer Forensics Analysis Process
1. Intelligence – Basic understanding of issues surrounding incident
2. Hypothesis Formulation – Formulated with regard to “5 Ws”
3. Evidence Recovery – Supporting and non-supporting
4. Testing – Support or refute hypothesis
5. Conclusion
Analysis Tools
Analysis of evidence normally involves utilization of a number of forensic tools.
These tools help the analyst uncover and understand the evidence.
It is best to use tools that are recognized by the court.
It is imperative that the analyst document all steps taken so that the evidence collected and findings reached can be defended in court.
Common Analysis Tools
Commercial Tools
- EnCase
- Forensic Toolkit (FTK)
- e-fense Helix3
- X-Ways Forensics
Open Source Tools
- The Sleuth Kit
- Autopsy browser
- DFF
- ProDiscover Basic
Reporting Phase
The deliverable for the entire forensic investigative process is the report.
This details the investigation including:
- Collection details
- Evidence characteristics
- Forensic procedures
- Analysis techniques
- Findings
It should be written with an eye towards accuracy, conciseness, and professionalism.
Expert Witness Testimony
In addition to a formal written report, the forensic analyst is often required to testify in court as an expert witness.
This is one situation where hearsay evidence is admissible.
The role of the expert witness is to report, as objectively as possible, the findings of the analysis.
Your professional credibility is at stake, so your testimony should be accurate, free from bias, and understandable.