COEN 152 Computer Forensics - Santa Clara University's


COEN 252 Computer Forensics
Introduction to Computer Forensics
Thomas Schwarz, S.J. 2009 w/ T. Scocca

Computer Forensics
Digital Investigation

- Focuses on a digital device
  - Computer
  - Router
  - Switch
  - Cell-phone
  - SIM-card
  - …

Computer Forensics
Digital Investigation

- Focuses on a digital device involved in an incident or crime
  - Computer intrusion
  - Generic criminal activity
    - Perpetrator uses the internet to gather information used in the perpetration of a crime.
  - Digital device is an instrument of a crime
    - Perpetrator uses a cell-phone to set off a bomb. Details are sensitive to national security. If you get clearance, I can tell you who to ask.
    - Email scams
    - Internet auction fraud
    - Computer is used for intrusion of another system.

Computer Forensics
Digital Investigation

- Has different goals
  - Prevention of further intrusions.
    - Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
  - Assessment of damage.
    - Goal is to certify the system for safe use.
  - Reconstruction of an incident.
    - For criminal proceedings.
    - For organization-internal proceedings.

Computer Forensics
Digital Investigation

- Process where we develop and test hypotheses that answer questions about digital events.
- We can use an adaptation of the scientific method where we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.

Computer Forensics
Evidence

- Procedural notion
  - That on which our findings are based.
- Legal notion
  - Defined by the “rules of evidence”
    - Differ by legislation
    - “Hear-say” is procedurally evidence, but excluded (under many circumstances) as legal evidence.

Computer Forensics
Forensics

- Definition: legal
  - Used in the “forum”, especially for judicial proceedings.

Computer Forensics
Digital Crime Scene Investigation Process

- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

Note: These phases are different activities that intermingle.

Computer Forensics
Who should know about Computer Forensics

- Those involved in legal proceedings that might use digital evidence
  - Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses
- Those involved in Systems Administration
  - Systems Administrators, Network Administrators, Information Security Officers
- Those writing procedures
- Managers

Computer Forensics
Computer Forensics presupposes skills in

- Ethics
- Law, especially rules of evidence
- System and network administration
- Digital data presentation
  - Number and character representation
- Systems
  - OS, especially file systems.
  - Hardware, especially disk drives, memory systems, computer architecture, …
- Networking
  - Network protocols, Intrusion detection, …
- Information Systems Management

Computer Forensics
Swiss Army Knife for Investigations

Useful in the following areas:
- HR Policy Violations
- Insider Trading Allegations
- Compliance Audits / Validation
- Network Misuse
- Workplace Harassment
- Intellectual Property Protection
- IT Check & Balance
- Ombudsman’s Office
- Whistleblower Allegations
- Internal Fraud
- eDiscovery

COEN 252
Prerequisites

Required:
- Good moral character. Ability and willingness to respect ethical boundaries.
- Familiarity with at least one type of operating system. (Windows, Unix/Linux, DOS experience preferred.)
- Some programming.
- Access to a computer with a hex editor.

Desired:
- Familiarity with OS theory.
- Familiarity with networking.
- Some knowledge of the U.S. legal system.

COEN 252
Text Books

- Cohen, F.: Digital Forensic Evidence Examination. 2nd edition. Fred Cohen & Associates, 2010. (Optional)

COEN 252
Text Books – Optional

- Nelson, B., Phillips, A., Steuart, C.: Guide to Computer Forensics and Investigations. 2nd edition. Course Technology, 2010.

COEN 252
Text Books – Of Interest

- Carrier, Brian: File System Forensic Analysis. Addison-Wesley Professional, 2005.

Computer Forensics Software

Commercial:
- FTK – Forensic Toolkit: http://www.accessdata.com/
- WinHex: http://www.winhex.com/
- EnCase: http://www.guidancesoftware.com/
- Paraben: http://www.paraben.com/
- NTI: http://www.forensics-intl.com/tools.html
- Maresware: http://www.dmares.com/
- Digital Intelligence: http://www.digitalintel.com/

Open Source:
- Coroner’s Toolkit: http://www.porcupine.org/forensics/tct.html
- Knoppix: http://www.knoppix.com/
- The Sleuth Kit: http://www.sleuthkit.org/sleuthkit/index.php
- Penguin Sleuth Kit: http://www.linux-forensics.com/
- BackTrack: http://www.remote-exploit.org/backtrack.html