Introduction to Computer Forensics


COEN 152 Computer Forensics
Introduction to Computer Forensics
Thomas Schwarz, S.J., 2006

Computer Forensics

Digital Investigation
- Focuses on a digital device
  - Computer
  - Router
  - Switch
  - Cell-phone
  - SIM-card
  - …
Digital Investigation
- Focuses on a digital device involved in an incident or crime
  - Computer intrusion
    - Computer is used for intrusion of another system.
  - Generic criminal activity
    - Perpetrator uses the internet to gather information used in the perpetration of a crime.
    - Email scams
    - Internet auction fraud
    - Digital device is an instrument of a crime
      - Perpetrator uses a cell-phone to set off a bomb.
        (Details are sensitive to national security. If you get clearance, I can tell you who to ask.)
Digital Investigation
- Has different goals
  - Prevention of further intrusions.
    - Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
  - Assessment of damage.
    - Goal is to certify the system for safe use.
  - Reconstruction of an incident.
    - For criminal proceedings.
    - For organization-internal proceedings.
Digital Investigation
- Process where we develop and test hypotheses that answer questions about digital events.
- We can use an adaptation of the scientific method: we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.
Evidence
- Procedural notion
  - That on which our findings are based.
- Legal notion
  - Defined by the “rules of evidence”
    - Differ by legislation
  - “Hearsay” is procedurally evidence, but excluded (under many circumstances) as legal evidence.
Forensics
- Definition: legal
  - Used in the “forum”, especially for judicial proceedings.
Digital Crime Scene Investigation Process
- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

Note: These phases are different activities that intermingle.
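To make the three phases concrete, here is an added Python sketch (not from the slides or the course material) that runs each phase over a constructed in-memory "disk image" and a constructed list of file-system metadata. Preservation is shown as an acquisition hash with a later integrity check, evidence searching as a raw keyword search that also finds data outside any allocated file, and event reconstruction as a time-ordered timeline from which a window of interest can be queried. The image bytes, file names and timestamps are all invented for illustration.

```python
"""Added example: the three phases of a digital crime scene investigation
applied to a constructed in-memory image. Nothing here is real evidence."""
import hashlib
import re
from datetime import datetime

# Constructed stand-in for an acquired disk image: zero-filled gaps around a
# log-file fragment and a deleted e-mail draft that no file points to anymore.
IMAGE = (
    b"\x00" * 64
    + b"2006-03-14 09:12:05 sshd[2311]: Accepted password for root from 10.0.0.7\n"
    + b"\x00" * 32
    + b"From: alice@example.test\nSubject: wire transfer\n"
    + b"\x00" * 48
)

# Constructed file-system metadata (path, modification time, size in bytes),
# in the form a file-system parser would report it.
FS_ENTRIES = [
    ("/var/log/auth.log", "2006-03-14T09:12:05+00:00", 1204),
    ("/root/.bash_history", "2006-03-14T09:13:40+00:00", 311),
    ("/tmp/.x/backdoor", "2006-03-14T09:13:02+00:00", 48210),
    ("/etc/passwd", "2006-03-14T09:14:11+00:00", 2048),
]


# --- System Preservation Phase --------------------------------------------
def acquisition_hash(image: bytes) -> str:
    """SHA-256 of the image taken at acquisition and recorded in the chain of custody."""
    return hashlib.sha256(image).hexdigest()


def verify_integrity(image: bytes, recorded: str) -> bool:
    """Re-hash the image before and after analysis; any change invalidates the evidence."""
    return hashlib.sha256(image).hexdigest() == recorded


# --- Evidence Searching Phase ---------------------------------------------
def keyword_search(image: bytes, patterns) -> list:
    """Return (offset, matched text) for every hit in the raw image, sorted by
    offset. Searching raw bytes also surfaces deleted or unallocated data."""
    hits = []
    for pat in patterns:
        for m in re.finditer(re.escape(pat), image):
            hits.append((m.start(), m.group(0).decode("ascii", "replace")))
    return sorted(hits)


# --- Event Reconstruction Phase -------------------------------------------
def timeline(entries) -> list:
    """Order file-system events by modification time so a sequence of actions
    can be hypothesised and then tested against further findings."""
    parsed = [(datetime.fromisoformat(ts), name) for name, ts, _size in entries]
    parsed.sort()
    return [(t.isoformat(), name) for t, name in parsed]


def events_between(entries, start: str, end: str) -> list:
    """Paths modified inside a window of interest, e.g. between a logged login
    and the change to a system file, in time order."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [name for ts, name in timeline(entries) if lo <= datetime.fromisoformat(ts) <= hi]


if __name__ == "__main__":
    digest = acquisition_hash(IMAGE)
    print("acquisition hash:", digest)
    print("integrity ok:", verify_integrity(IMAGE, digest))
    for off, text in keyword_search(IMAGE, [b"root", b"wire transfer"]):
        print(f"hit at offset {off:#06x}: {text}")
    for ts, name in timeline(FS_ENTRIES):
        print(ts, name)
    print(events_between(FS_ENTRIES, "2006-03-14T09:13:00+00:00", "2006-03-14T09:14:00+00:00"))
```

The hash is computed once at acquisition and checked again after every step, which is the practical meaning of "preservation"; the search and timeline functions only read the image, never write to it.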
Who should know about Computer Forensics
- Those involved in legal proceedings that might use digital evidence
  - Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses
- Those involved in Systems Administration
  - Systems Administrators, Network Administrators, Security Officers
- Those writing procedures
  - Managers
Computer Forensics presupposes skills in
- Ethics
- Law, especially rules of evidence
- System and network administration
  - Systems
    - OS, especially file systems.
    - Hardware, especially disk drives, memory systems, computer architecture, …
  - Networking
    - Network protocols, Intrusion detection, …
- Digital data presentation
  - Number and character representation
- Information Systems Management
COEN 252

Prerequisites
- Required:
  - Good moral character. Ability and willingness to respect ethical boundaries.
  - Familiarity with at least one type of operating system. (Windows, Unix/Linux, DOS experience preferred.)
  - Some programming.
  - Access to a computer with a hex editor.
- Desired:
  - Familiarity with OS theory.
  - Familiarity with networking.
  - Some knowledge of the U.S. legal system.
Text Books
- SKOUDIS, E., ZELTSER, L.: Malware: Fighting Malicious Code. Prentice Hall Professional Technical Reference, 2004.
  - Second edition about to appear.
- MANDIA, K., PROSISE, C., PEPE, M.: Incident Response & Computer Forensics. 2nd edition. Osborne/McGraw-Hill, 2003.
Grading
- Written Final (20%) (No collaboration.)
- Practical Final (35%, due day of the final) (No collaboration.)
- Ethics Case (5%, due day of the final) (No collaboration.)
- Laboratories & Homework (30%) (Limited collaboration.)
- Class Project (10%) Groups.

This class is subject to the School of Engineering's Honor Code.

Disability Accommodation Policy: To request academic accommodations for a disability, students must contact Disability Resources, located in the Drahmann Center in Benson, Room 214 (Tel.: 554-4111, TTY 554-5445). Students must provide documentation of a disability to Disability Resources prior to receiving accommodations.

You should take the PERL courses offered by the Sun Academic Alliance. You can find instructions at ~tschwarz/Homepage/SunAcademicAllianceInstructions.html