Information Systems 365/765
Lecture 8
Digital Forensics
Digital Forensics
• Also known as Computer Forensics
• A system in your enterprise has been compromised
• You want to track down suspicious activity
• Where do you begin?
Digital Forensics
• Defined: Pertains to legal evidence found in computers and digital storage media.
• Goal: To explain the current state of a “digital artifact.”
• A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
Digital Forensics
• Can be as simple as retrieving a single piece of data
• Can be as complex as piecing together a trail of many digital artifacts
Why Use Digital Forensics?
• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
Why Use Digital Forensics?
• To recover data in the event of a hardware or software failure.
• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
Why Use Digital Forensics?
• To gather evidence against an employee that an organization wishes to terminate.
• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Chain of Custody
• “Chain of Custody” is a fancy way of saying “The ability to demonstrate who has had access to the digital information being used as evidence”
• Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law.
Chain of Custody
• One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court.
5 Steps in Performing Digital Forensics
• Preparation (of the investigator, not the data)
• Collection (the data)
• Examination
• Analysis
• Reporting
Preparation
• The investigator must be properly trained to perform the specific kind of investigation that is at hand.
• Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case.
Collecting Digital Evidence
• Digital evidence can be collected from many obvious sources, such as:
• Computers
• Cell phones
• Digital cameras
• Hard drives
• CD-ROM
• USB storage flash drives
Can You Think of Non-Obvious Sources?
• Non-obvious sources could include:
• Settings of digital thermometers
• Black boxes inside automobiles
• RFID tags
• Web pages (which must be preserved as they are subject to change).
!!BE CAREFUL!!
• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.
Create Proof of Non-Alteration
• For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
Important Data Handling Practices
• Handle the original evidence as little as possible to avoid changing the data.
• Establish and maintain the chain of custody.
• Document everything that has been done.
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
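The two preceding slides describe hashing an evidence file, recording the hash in a notebook kept apart from the evidence, and later proving non-alteration. The script below is an added example (not part of the lecture) that does exactly that for a file-based evidence item: it hashes the file in chunks, appends a chain-of-custody entry (who, what, when, hash) to a separate log, and then re-verifies; the file names, the tab-separated log format and the sample evidence are constructed for illustration.

```python
"""Proof of non-alteration for an evidence file, with a chain-of-custody log.

Added example, not part of the original lecture. It assumes a file-based
evidence item and a plain-text log kept outside the evidence itself
(the "investigator's notebook" of the slides). File names and the log
format are constructed for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read large disk images without loading them whole


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks so multi-GB images work."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_entry(log_path, evidence_path, handler, action, algorithm="sha256"):
    """Append one chain-of-custody line: who did what to which item, and its hash then.

    The log lives outside the evidence, so a later change to the evidence
    file cannot silently rewrite the recorded hash.
    """
    digest = hash_file(evidence_path, algorithm)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = "\t".join([stamp, handler, action, os.path.abspath(evidence_path),
                      algorithm, digest]) + "\n"
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(line)
    return digest


def verify_against_log(log_path, evidence_path, algorithm="sha256"):
    """Recompute the evidence hash and compare it with the latest logged value.

    Returns (unchanged, recorded_digest, current_digest). A mismatch means the
    item was altered after the last custody entry, even when the change is
    not visible from the file's name, size or timestamps.
    """
    wanted = os.path.abspath(evidence_path)
    recorded = None
    with open(log_path, encoding="utf-8") as log:
        for raw in log:
            fields = raw.rstrip("\n").split("\t")
            if len(fields) == 6 and fields[3] == wanted and fields[4] == algorithm:
                recorded = fields[5]  # keep the most recent entry for this item
    current = hash_file(evidence_path, algorithm)
    return (recorded is not None and recorded == current, recorded, current)


def demo():
    """Constructed walk-through: collect, log, verify, tamper, verify again."""
    workdir = tempfile.mkdtemp(prefix="custody-")
    evidence = os.path.join(workdir, "evidence.bin")  # constructed evidence item
    notebook = os.path.join(workdir, "custody.log")   # the separate "notebook"

    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)

    original = record_custody_entry(notebook, evidence, "investigator-1", "collected")
    intact, _, _ = verify_against_log(notebook, evidence)

    # Flip one byte in place: the file's name and size do not reveal this edit,
    # but the recorded hash does.
    with open(evidence, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    still_intact, recorded, current = verify_against_log(notebook, evidence)

    return {"original": original, "intact": intact,
            "tampered_detected": not still_intact,
            "recorded": recorded, "current": current}


if __name__ == "__main__":
    print(demo())
```

Every handling step (imaging, copying, examination) gets its own `record_custody_entry` call, so the log doubles as the "document everything" record and the hash chain shows at which step, if any, the item changed.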
The Personal Interview
• Some of the most valuable information obtained in the course of a forensic examination will come from the computer user:
• System configuration
• Applications
• Encryption keys
Who Performs the Analysis
• Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.
• One should not examine digital information unless one has the legal authority to do so.
Live vs. Dead Analysis
• Traditionally computer forensic investigations were performed on data at rest, for example, the content of hard drives. This can be thought of as a dead analysis.
Live vs. Dead Analysis
• Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
Live vs. Dead Analysis
• In recent years there has increasingly been an emphasis on performing analysis on live systems
• Why? -- Some attacks leave no trace on the hard drive
• Why? -- Cryptographic storage, with keys only stored in memory!
Live Analysis -- Imaging Electronic Media
• The process of creating an exact duplicate of the original evidentiary media is often called imaging.
• Standalone hard-drive duplicators or software imaging tools ensure the entire hard drive is completely duplicated.
Live Analysis -- Imaging Electronic Media
• During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
Collecting Volatile Data
• If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded.
• If information stored solely in RAM is not recovered before powering down it may be lost.
A Great Tool Which YOU Can Impress People With
• Knoppix
• An OS which runs directly from a CD
• Will not alter data on hard disk
• Great for grabbing copies of files from a hard disk!
• Can be loaded from a USB flash drive
Knoppix
• Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield the login/password for recently accessed local email applications including MS Outlook.
Knoppix
Encase
Freezing Memory
• RAM can be analyzed for prior content after power loss
• Freezing the memory to -60 degrees Celsius helps maintain the memory’s charge (state)
• How practical is this?
Analysis
• All digital evidence must be analyzed to determine the type of information that is stored upon it
• FTK
• Encase
• Sleuth Kit
Analysis of Data
• Comprised of:
• Manual review of material on the media
• Reviewing the Windows registry for suspect information
• Discovering and cracking passwords
• Keyword searches for topics related to the crime
• Extracting e-mail and images for review.
Reporting
• Written
• Oral Testimony
• Both
• Subject matter area specialists
Examples of Digital Forensics Cases
• Chandra Levy
• Washington D.C. Intern for Representative Gary Condit
• Vanished April 30, 2001
Examples of Digital Forensics Cases
• She had used the web and e-mail to make travel arrangements and communicate with her parents.
• Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.
Examples of Digital Forensics Cases
• BTK Killer
• Convicted of a string of serial killings that occurred over a period of sixteen years
• Towards the end of this period, the killer sent letters to the police on a floppy disk.
Examples of Digital Forensics Cases
• Metadata is defined as “data about data”
• Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"
• This evidence helped lead to Dennis Rader's arrest.