20-09-2013, 02:21 PM
Computer Forensics and Investigations
Forensics and Investigations.ppt (Size: 740.5 KB / Downloads: 130)
Learning Objectives
At the end of this chapter, you will be able to:
Understand the concept of computer forensics
Describe how to prepare for computer investigations
Explain the difference between law enforcement (public) agency and corporate (private) investigations
Explain the importance of maintaining professional conduct
Introduction to Computers
Computers combined with the Internet have become an important part of the everyday life of the general public.
Nowadays, more and more people are using computers and devices with computing capability.
The combination of the growing computerization of business processes and the growing number of Internet users has created new opportunities for criminals.
According to the EC-Council:
85% of business and government agencies detected security breaches
FBI estimates that the United States loses up to $10 billion a year to cyber crime.
Forensic Science
Forensic science has been around since the dawn of justice.
Francis Galton (1822–1911) made the first recorded study of fingerprints.
Leone Lattes (1887–1954) discovered blood groupings (A, B, AB, and O).
Calvin Goddard (1891–1955) allowed firearms and bullet comparison for solving many pending court cases.
Albert Osborn (1858–1946) developed essential features of document examination.
Hans Gross (1847–1915) made use of scientific study to head criminal investigations.
The FBI (1932) set up a lab to provide forensic services to all field agents and other law authorities across the country.
Evolution of Computer Forensics
1984 - FBI Computer Analysis and Response Team (CART) emerged
1991 - International Law Enforcement meeting was conducted to discuss computer forensics and the need for a standardized approach
1994 - Department of Justice (DOJ) - Federal Guidelines for Searching and Seizing Computers
1997 - FBI - Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards in computer forensics
2001 - USAF - Digital Forensics Research Workshop was held
2003 - Academic - International Journal of Digital Forensics & Incident Response, Elsevier
Definition of Forensics Science
Forensic science is “the application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society” (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
Forensic science is “the application of scientific techniques and principles to provide evidence to legal or related investigations and determinations” (Forensic Science: An Encyclopedia of History, Methods, and Techniques, 2006)
Aim:
determining the evidential value of crime scene and related evidence
Computer Forensics Versus Other Related Disciplines
Computer forensics versus network forensics
Computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court. (DIBS USA, Inc. – a corporation specializing in computer forensics)
Computer forensics investigates data that can be retrieved from a computer’s hard disk or other storage media.
Investigating computers includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice.
Need for Computer Forensics
Need for computer forensics arises from:
Presence of a majority of electronic documents nowadays. According to a University of California study, during 1999:
93% of information was generated in digital form, on computers
7% of information originated in other media, such as paper
Search and identify data in a computer
Increasing trail of activities left on computers by perpetrators.
Digital evidence is delicate in nature; therefore it must be recorded as early as possible to avoid loss of valuable evidence.
Electronic information can be easily planted, created, and stored.
Digital Evidence
What is Digital Evidence?
Information of probative value stored or transmitted in digital form
Probative Value - evidence which is sufficiently useful to prove something important in a trial
Types of Digital Evidence – What to seize?
Storage media (e.g., floppies, CDs, thumb drives)
Computer (CPU)
Laptops (always seize the power supply)
External drives and media
Corresponding devices
e.g., tape/tape drive, Jaz disk/Jaz drive
Unique software and operating manuals
(the software might need to be loaded on the forensic computer to view the files)
Reasons for cyber attacks
Motivation for cyber attacks
Experimentation and a desire for script kiddies to learn
Psychological needs – to leave a mark
Misguided trust in other individuals
Revenge and malicious reasons – disgruntled employee
Desire to embarrass the target
Espionage - corporate and governmental
Paid to gain information
Rules of Computer Forensics
A good forensic investigator should always follow these rules:
Minimize examination of the original evidence
Instead, examine a duplicate of the evidence
Obey the rules of evidence and do not tamper with the evidence
Always prepare a chain of custody, and handle evidence with care
Never exceed your own knowledge base during the forensic investigation
Document any changes to the evidence
Summary
The need for computer forensics has grown to a large extent because the majority of documents are now digital
Computer forensics differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective
A computer can be used as a tool for investigation or as evidence
Minimize examination of the original evidence
The 3 A’s of computer forensics methodology are Acquire, Authenticate, and Analyze
A computer forensic investigator must be aware of the steps involved in the investigative process
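The rules above (examine a duplicate, never tamper with the original, keep a chain of custody, document every change) and the summary's Acquire / Authenticate / Analyze methodology can be shown end to end in a few lines. The following is an added example written for this page, not code from the slides or from EC-Council: the evidence bytes are a constructed stand-in for a disk image, the examiner name and timestamps are made up, and the choice of SHA-256 as the authentication hash is an assumption (the slides do not name an algorithm). Acquisition hashes the original once and makes a bit-for-bit working copy; authentication re-hashes the working copy against the acquisition hash, so any alteration of the copy is detected and logged; analysis only ever reads the copy; every step appends a custody record.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed sample evidence standing in for a small disk image (not real data).
SAMPLE_EVIDENCE = b"MBR\x00" * 16 + b"user document: quarterly report\n"


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: who did what, when, and the hash at that moment."""
    when: str
    who: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    """The untouched original, the acquisition hash, the working copy, and the log."""
    original: bytes
    acquisition_hash: str
    working_copy: bytes
    custody_log: List[CustodyRecord] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    # SHA-256 chosen here as the authentication hash (assumption, not from the slides).
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes, who: str, when: str) -> EvidenceItem:
    """Acquire: hash the original once, take a bit-for-bit copy, record the event."""
    digest = sha256_hex(original)
    item = EvidenceItem(original=original, acquisition_hash=digest,
                        working_copy=bytes(original))
    item.custody_log.append(CustodyRecord(
        when, who, "acquired original; created working copy", digest))
    return item


def authenticate(item: EvidenceItem, who: str, when: str) -> bool:
    """Authenticate: the working copy must still hash to the acquisition hash."""
    digest = sha256_hex(item.working_copy)
    ok = digest == item.acquisition_hash
    action = "verified working copy" if ok else "MISMATCH: working copy altered"
    item.custody_log.append(CustodyRecord(when, who, action, digest))
    return ok


def analyze(item: EvidenceItem, who: str, when: str, keyword: bytes) -> List[int]:
    """Analyze: keyword search on the duplicate only; the original is never read."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = item.working_copy.find(keyword, start)
        if idx == -1:
            break
        offsets.append(idx)
        start = idx + 1
    item.custody_log.append(CustodyRecord(
        when, who, f"searched working copy for {keyword!r}",
        sha256_hex(item.working_copy)))
    return offsets


def custody_report(item: EvidenceItem) -> str:
    """Render the chain of custody as tab-separated lines for the case file."""
    return "\n".join(f"{r.when}\t{r.who}\t{r.action}\tsha256={r.sha256}"
                     for r in item.custody_log)


if __name__ == "__main__":
    case = acquire(SAMPLE_EVIDENCE, "examiner-1", "2013-09-20T14:21:00Z")
    print("authentic before analysis:", authenticate(case, "examiner-1", "2013-09-20T14:25:00Z"))
    print("hits:", analyze(case, "examiner-1", "2013-09-20T14:30:00Z", b"report"))
    # Simulate an accidental edit of the working copy; authentication must now fail.
    case.working_copy = case.working_copy.replace(b"quarterly", b"annual")
    print("authentic after edit:", authenticate(case, "examiner-1", "2013-09-20T14:40:00Z"))
    print(custody_report(case))
```

Note that the original bytes are never passed to `analyze` and are never modified, so even after the working copy is damaged the acquisition hash can be re-verified against the original and a fresh duplicate taken; the custody log is what lets that sequence of events be reconstructed later.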