Criminalitate Informatica
Ioana Vasiu
Computer forensics
Cyber forensics: outline
Definitions
Techniques
Importance
Areas
Basic elements and essential steps
Situations, methods, services
Types and details
Resources
Techniques - 1
Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
Techniques - 2
Steganography: one of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. This process is often used to hide pornographic images of children, as well as information that a given criminal does not want discovered. Computer forensics professionals can counter this by computing the hash of the file and comparing it to the hash of the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
Techniques - 3
Deleted files: a common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data.[10] Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
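As an added example (not code from the original slides), a minimal header/trailer carver run over a constructed raw image: the file signatures, the sample files and the image layout are assumptions made here, not taken from the slides.

```python
"""File carving by header/trailer signature (added example, not from the
original slides). Scans a raw image byte-for-byte, so it finds files whose
directory entries were deleted but whose sectors were never overwritten."""

# Signatures used here: JPEG (SOI FF D8 FF ... EOI FF D9) and PNG.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image: bytes, max_size: int = 1 << 20):
    """Return sorted (offset, type, data) tuples for every header that has a
    matching trailer within max_size bytes. Headers without a trailer in
    range are skipped: carving is heuristic and can yield partial files."""
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:                 # truncated or overwritten: move on
                pos = image.find(head, pos + 1)
                continue
            found.append((pos, ftype, image[pos:end + len(tail)]))
            pos = image.find(head, end + len(tail))
    return sorted(found)

# Constructed sample files and a constructed 4 KiB "disk image" in which they
# sit at sector-aligned offsets with zero-filled unallocated space between.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 30
              + b"IEND\xae\x42\x60\x82")

def build_sample_image(sector: int = 512) -> bytes:
    """Place SAMPLE_JPEG at sector 1 and SAMPLE_PNG at sector 4. No file
    system metadata exists, as after a delete that only frees the entry."""
    image = bytearray(8 * sector)
    image[1 * sector:1 * sector + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    image[4 * sector:4 * sector + len(SAMPLE_PNG)] = SAMPLE_PNG
    return bytes(image)

if __name__ == "__main__":
    for off, ftype, data in carve(build_sample_image()):
        print(f"offset {off}: {ftype} ({len(data)} bytes)")
```

On a real image the same loop is run over the whole device, and each carved file is hashed and validated with a format parser before it is treated as evidence.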
Techniques - 4
Live analysis: the examination of computers from within the operating system, using custom forensics tools or existing sysadmin tools to extract evidence. The practice is useful when dealing with encrypting file systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Related to "Evaluation of Source": metadata associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.
Computer forensics - areas
Image capture: the imaging process is fundamental to any computer investigation.
Image processing: the processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image.
Investigation: once the processing has taken place, full searches of all areas of the disk take only seconds.
Acquisition
Acquisition involves creating an exact sector-level duplicate (or "forensic duplicate") of the media, often using a write-blocking device to prevent modification of the original. Both the acquired image and the original media are hashed (using SHA-1 or MD5) and the values compared to verify that the copy is accurate.
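The hash comparison described under both Techniques - 2 and Acquisition, as an added example that is not from the slides: the media contents and sector size are constructed here, and SHA-256 is included beside the slides' MD5 and SHA-1 because both older algorithms have known collision attacks.

```python
"""Hash verification of an acquired image (added example, not the slides'
own tooling). Original media and duplicate are digested in sector-sized
chunks, so media larger than RAM is handled, and every algorithm is computed
in one pass over the data."""
import hashlib
import io

# The slides name SHA-1 or MD5; SHA-256 is added because both older
# algorithms have known collision attacks and many labs now record all three.
ALGORITHMS = ("md5", "sha1", "sha256")
SECTOR = 512

def hash_stream(stream, algorithms=ALGORITHMS, chunk=SECTOR):
    """Read a file-like object once; return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data: bytes):
    return hash_stream(io.BytesIO(data))

def verify_duplicate(original: bytes, image: bytes) -> bool:
    """True only when every digest matches; a single differing byte in the
    image (tampering, or data hidden in it after imaging) fails the check."""
    return hash_bytes(original) == hash_bytes(image)

# Constructed media: 8 sectors of pattern data, an exact acquisition of it,
# and a copy in which one bit was flipped after imaging.
ORIGINAL = bytes(range(256)) * 16            # 4096 bytes = 8 sectors
EXACT_COPY = bytes(ORIGINAL)
_altered = bytearray(ORIGINAL)
_altered[3000] ^= 0x01                       # one-bit change in sector 5
ALTERED = bytes(_altered)

if __name__ == "__main__":
    for name, digest in hash_bytes(ORIGINAL).items():
        print(f"{name:7} {digest}")
    print("exact copy verifies:", verify_duplicate(ORIGINAL, EXACT_COPY))
    print("altered copy verifies:", verify_duplicate(ORIGINAL, ALTERED))
```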
Analysis
The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as in unallocated and slack space), recovering deleted files, and extracting registry information (for example, to list user accounts or attached USB devices).
Computer evidence
...is like any other evidence, it must be:
Computer evidence
Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. The logging, description, storage, and disposition of physical evidence are well understood. Forensic laboratories have detailed plans describing acceptable methods for handling physical evidence. To the extent that computer evidence has a physical component, it does not represent any particular challenge. However, the evidence, while stored in these physical items, is latent and exists only in a metaphysical electronic form.
Computer evidence
The result that is reported from the examination is the recovery of this latent information. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.
Cyber forensics - methods
Valid and reliable methods to recover data from computers seized as evidence in criminal investigations are becoming fundamental for law enforcement agencies worldwide. These methods must be technologically robust to ensure that all probative information is recovered. They must also be legally defensible to ensure that nothing in the original evidence was altered and that no data was added to or deleted from the original.
Investigator PC
Network Forensics
Evidence collected in normal operations: logs, IDS outputs
Network forensics
Methods of surveillance
Active interception: direct, very local interception of an individual at the ISP or on the LAN.
Semi-active interception: targeted on the basis of access to the means of dynamic allocation of IP addresses.
Passive interception: no information from the ISP etc. about the dynamically allocated IP address; requires further information to link a packet to an individual.
Network forensics
Problems of disclosure: specific methods; network topology / configuration.
Problems of using proprietary products: disclosure of method; protection of the commercial interests of the vendor; parity of arms for the defence.
Resources
Ioana Vasiu & Lucian Vasiu, Criminalitatea în cyberspațiu, Ed. Universul Juridic, București, 2011.
RCMP Article on the Forensic Process. http://www.rcmpgrc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pubcgi/fileFingerprints.pl
Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/securityimprovement/implementations/i003.01.html