10-04-2014, 01:45 PM
Digital Forensic
Digital Forensic.pptx (Size: 456.23 KB / Downloads: 15)
Course Objective
Computer crime is here to stay. Computer Forensics Specialists are responsible for determining the root cause of a hacker attack, collecting evidence that is legally admissible in court, and protecting corporate assets and reputation.
Assure business continuity
Disaster recovery
Cyber crime investigation
Data recovery
File system analysis
Different OS analysis
Forensic science
Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.
Digital Forensics
Digital forensics is the preserving, collecting, confirming, identifying, analyzing, recording, and presenting of digital evidence extracted from digital sources in a forensically valid way (i.e., acceptable by a court of law).
Digital Forensics Investigation
What’s possible?
Recovery of deleted data
Discovery of when files were modified, created, deleted, organized
Can determine which storage devices were attached to a specific computer
Which applications were installed, even if they were uninstalled by the user
Which web sites a user visited…
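The timestamp analysis mentioned above (when files were created, modified and accessed) can be illustrated with a small timeline builder. This is an added example, not material from the slide deck: the file paths, timestamps and the FileRecord structure are constructed for the demonstration. It flattens MAC times into a sorted timeline, filters a window of interest, and flags files whose creation time is later than their modification time, which on NTFS is a common sign that a file was copied onto the system rather than authored there (a copy keeps the source's modified time but receives a new created time).

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileRecord:
    # One row of file-system metadata (MAC times) as an examiner would pull
    # from an $MFT parse or a directory listing; the paths are constructed.
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample records: an ordinary document, a downloaded executable,
# and a spreadsheet that was authored elsewhere and copied onto the system.
SAMPLE = [
    FileRecord(r"C:\Users\alice\Documents\notes.txt",
               ts("2014-09-30 09:10"), ts("2014-10-01 17:45"), ts("2014-10-02 08:00")),
    FileRecord(r"C:\Users\alice\Downloads\invoice.exe",
               ts("2014-10-02 10:03"), ts("2014-10-02 10:03"), ts("2014-10-02 10:04")),
    FileRecord(r"D:\transfer\customers.xlsx",
               ts("2014-10-02 10:20"), ts("2014-08-15 14:30"), ts("2014-10-02 10:21")),
]


def build_timeline(records):
    """Flatten every record into (timestamp, event, path) tuples, oldest first."""
    events = []
    for r in records:
        events.append((r.created, "created", r.path))
        events.append((r.modified, "modified", r.path))
        events.append((r.accessed, "accessed", r.path))
    events.sort()
    return events


def events_between(events, start, end):
    """Return the timeline entries that fall inside [start, end]."""
    return [e for e in events if start <= e[0] <= end]


def copied_or_moved(records):
    """Paths whose created time is strictly later than their modified time.

    A file written on this system normally has created <= modified. When
    created > modified the content predates the file's arrival here, which
    points to a copy from another volume or a download of an older file.
    """
    return [r.path for r in records if r.created > r.modified]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE)
    for when, what, path in timeline:
        print(f"{when:%Y-%m-%d %H:%M}  {what:<8}  {path}")
    print("window of interest:",
          events_between(timeline, ts("2014-10-02 10:00"), ts("2014-10-02 10:30")))
    print("likely copied in:", copied_or_moved(SAMPLE))
```

The window filter is the routine step when an incident has a known time of interest; the created-after-modified check is the kind of anomaly that turns a flat listing into a lead worth following.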
Examples of Evidence
Use/abuse of internet
Production of false documents and accounts
Encrypted/password protected materials
Abuse of system
Email contact between suspects/conspirators
Theft of commercial secrets
Unauthorized transmission of information
Malicious attacks on computer systems themselves
Need for Computer Forensics
The majority of documents now exist in electronic form
Searching for and identifying data on a computer
Digital evidence can be easily destroyed, if not handled properly
Recovering deleted, encrypted and corrupted files
Windows Forensics
Locating evidence on Windows systems
Hidden files
Assessing file attributes to find the file signature
The registry
File slack space
Unallocated clusters
Unused partitions
Hidden partitions
Goals
Find information on “what happened” by looking in the network packet flow
Information can be used to:
Reconstruct sessions (e.g., web, ftp, telnet, IM)
Find files (downloaded or accessed through network drives)
Find passwords
Identify remote machines
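Reconstructing a session from a packet flow means grouping segments by connection, putting them back in sequence order, and discarding retransmitted bytes before the application data can be read. The block below is an added example, not from the slide deck: the packets are a constructed capture (out of order, with one retransmission and a second connection to another server), and the private address prefix used to tell local from remote machines is an assumption. It reassembles each TCP direction, pulls the request lines and Host headers out of the HTTP streams, lists the file names that were requested, and enumerates the remote machines contacted.

```python
from collections import defaultdict

LOCAL_PREFIX = "10."   # assumed: the investigated network uses 10.0.0.0/8

# Constructed packets: fields an examiner would read from a pcap. Segments of
# the first connection arrive out of order and one is retransmitted.
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80,
     "seq": 1000, "payload": b"GET /files/report.pdf HTTP/1.1\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80,
     "seq": 1053, "payload": b"User-Agent: test\r\n\r\n"},      # arrives early
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80,
     "seq": 1032, "payload": b"Host: files.example\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80,
     "seq": 1032, "payload": b"Host: files.example\r\n"},        # retransmission
    {"src": "203.0.113.10", "dst": "10.0.0.5", "sport": 80, "dport": 51000,
     "seq": 5000, "payload": b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4"},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51001, "dport": 80,
     "seq": 2000, "payload": b"GET /index.html HTTP/1.1\r\nHost: other.example\r\n\r\n"},
]


def reassemble(packets):
    """Rebuild each unidirectional TCP stream keyed by (src, sport, dst, dport)."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append((p["seq"], p["payload"]))
    streams = {}
    for key, segs in flows.items():
        segs.sort()
        data = b""
        expected = segs[0][0]
        for seq, payload in segs:
            if seq < expected:                 # overlap or retransmission
                payload = payload[expected - seq:]
                if not payload:
                    continue
                seq = expected
            elif seq > expected:               # missing segment in the capture
                data += b"\x00" * (seq - expected)   # keep offsets honest
            data += payload
            expected = seq + len(payload)
        streams[key] = data
    return streams


def http_requests(streams):
    """Extract method/path and Host from every client-to-server HTTP stream."""
    found = []
    for (src, sport, dst, dport), data in streams.items():
        if dport != 80:
            continue
        path = host = None
        for line in data.split(b"\r\n"):
            if line.startswith((b"GET ", b"POST ")):
                path = line.split(b" ")[1].decode()
            elif line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode()
        if path:
            found.append({"client": src, "server": dst, "host": host, "path": path})
    return found


def requested_files(requests):
    """File names from request paths, sorted; directories without a dot are skipped."""
    names = [r["path"].rsplit("/", 1)[-1] for r in requests]
    return sorted(n for n in names if "." in n)


def remote_hosts(packets):
    """Distinct non-local addresses that local machines talked to."""
    return sorted({p["dst"] for p in packets
                   if p["src"].startswith(LOCAL_PREFIX)
                   and not p["dst"].startswith(LOCAL_PREFIX)})


if __name__ == "__main__":
    streams = reassemble(PACKETS)
    reqs = http_requests(streams)
    for r in reqs:
        print(f"{r['client']} -> {r['server']} ({r['host']}) {r['path']}")
    print("files requested:", requested_files(reqs))
    print("remote machines:", remote_hosts(PACKETS))
```

Gaps are filled with zero bytes rather than silently closed up, so that byte offsets in the reconstructed stream still line up with sequence numbers; a real reassembler would also record that the gap exists, since an incomplete capture changes what can be said about the session.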