Lecture 1 - Introduction to Digital Forensics (2013)

MARK LANE

BN104/402
SEPTEMBER 2013
Introduction
Moodle enrolment key: CNF2013
Updated on a weekly basis
Continuous assessment: 100%
Most likely three assignments worth 40%, 30% and 30%
One team effort (pairs), two individual
Lab exam/practical, research, demo, presentation
Introduction
This course on Digital Forensics covers the essentials of hardware and
software computer forensics, network forensics and the role of the computer
forensics examiner.
Topics include:
basic elements of computer and network forensics
concepts
tools
activities
process of finding, collecting and analysing evidence
certification opportunities
Defining Computer Forensics
The application of forensic science techniques to computer-based material.
Oxford English Dictionary:
The use of science and technology to investigate and establish facts in
criminal or civil courts of law.
Computer forensics is often more of an art than a science, but as a
discipline it follows clear, well-defined methodologies and procedures.
However, a degree of flexibility is still required when encountering the
unusual.
Computer forensics is the process of identifying, preserving,
analysing and presenting digital evidence in a manner that
is acceptable in legal proceedings.
Like other areas of forensic science, computer forensics
involves the use of sophisticated tools and procedures that
must be followed to ensure the integrity of the preserved
evidence and the accuracy of the results of computer evidence
processing.
Who is a Forensics Technician?
The computer forensics technician is a cross between the private eye and the
computer scientist,
i.e. investigative intelligence and technical proficiency.
All physical evidence, e.g. computer, peripherals, notepads, documentation, etc.,
including any visual output on the monitor and printed output from a printer or
plotter.
It is important to understand that computer forensics is not solely about computers
but is also about:
rules of evidence,
legal processes,
the integrity and continuity of evidence,
the clear and precise reporting of factual information to a court of law
the provision of expert opinion concerning evidence.
Reasons why we need Computer Forensics
Society relies on computers more and more every day
Electronic information
easy to create
inexpensive to store
and virtually effortless to replicate
Massive growth in electronic data
email messages number in the billions each day
the WWW consists of thousands of terabytes of HTML pages
approx. 550 billion documents
over 80% of corporate data exists in digital form
Other forms of electronic data
internet based electronic commerce, online banking and stock trading
office and corporate activities and communications
online stores and services
Personal Internet use
Mobile data, graphic and voice communications
Computers are ubiquitous (everywhere) and people are dependent on their
cell/smart phones for constant communication or entertainment.
Most disputes, civil or criminal, are between people who know each other
and interact using technology including email, cell phones and text
messaging.
The increase in Internet use and availability has created an increase in
criminal activity such as hacking, cyber-terrorism, identity theft, theft of
intellectual property, fraud, and exploitation.
Significantly, criminals think they are anonymous online and won't be
caught. This has led to increased criminal activity.
An additional explanation for the expansion in the field is that large
companies, particularly those that are publicly traded or store large
amounts of private customer data, fear the large-scale loss of that
intellectual property.
These companies fear the ramifications from regulatory agencies. There
are fines and potential criminal penalties imposed for violations of various
statutes designed to protect individuals and consumers.
Companies go to extreme lengths to protect the integrity of their data,
particularly intellectual property, and learn about how to prevent the
destruction or theft of that information.
Electronic Discovery
eDiscovery refers to the process by which Electronically Stored
Information (ESI) is sought, located, secured and searched with a view
to its use as evidence in a criminal or civil legal dispute.
Can involve a combination of highly skilled technology experts and legal
advisers/lawyers and can involve challenging local and multi-
jurisdictional eDiscovery projects. Electronic Discovery Reference Model
(EDRM) often used as a basis for any electronic discovery project.
Litigation costs for the production of e-discovery can run to
hundreds of thousands of dollars. Added to this is the so-called "CSI Effect":
juries and judges want to see tangible evidence before
they make a decision about who is responsible in a legal dispute.
With advances in technology, computer forensic examiners are often
hired to use highly specialised techniques to retrieve and present that
evidence in court.
Oftentimes this evidence is powerful when properly preserved and
analysed.
Document examiners, lawyers, litigants, forensic examiners and
consultants are all capitalising on this new business.
Dancing pigs
In computer security, the dancing pigs problem
(also known as the dancing bunnies problem) is a
statement on user attitudes to computer security:
users primarily desire features without
considering security, so security must be
designed in without the computer having to ask a
non-technical user.
Bruce Schneier: Secrets and Lies (John Wiley & Sons, 2000; ISBN 0-471-45380-3), p. 262
Bruce Schneier expands on this remark as follows:
"If a random websurfer clicks on a button that promises dancing pigs on
his computer monitor, and instead gets a message describing the
potential dangers of the applet, he's going to choose dancing pigs
over computer security any day.
If the computer prompts him with a warning screen like: 'The applet
DANCING PIGS could contain malicious code that might do permanent
damage to your computer and steal your life's savings,' he'll click OK
without even reading it. Thirty seconds later he won't even remember
that the warning screen even existed."
Computer crime
Corporations and businesses are reporting financial
losses, which include:
theft of proprietary information,
financial fraud,
data and network sabotage
denial of service attacks.
Some examples of computer crime can be seen at www.cybercrime.gov
OWASP Top 10 Web Application Security Threats 2013
https://www.owasp.org/index.php/Top_10_2013-Top_10
Computer crime can be based on direct criminal activity or just the
abuse of company policies, for example:
inappropriate use of email,
non-work related usage of company resources,
theft of information,
violation of security parameters
A computer forensics investigation can also be useful in identifying
shortcomings in company security policies.
Specialist areas are:
1. Law enforcement and criminal investigations (investigation &
prosecution)
2. Corporate incident response activities (detection and prevention)
3. Civil / Private Investigations (investigation and detection)
Criminal
crime has been alleged or committed
violation of local, regional, national or international laws
usually conducted by law enforcement personnel
computer could contain evidence of non-computer related crimes
Corporate
usually violation of a corporate policy or directive
or commission of crime
may turn into a criminal investigation
usually investigated by corporate security division or external team
Law enforcement called in when necessary
Examples: online gaming, gambling, accessing prohibited sites,
harassment, espionage, invasion of privacy, sabotage and so on.
Private / Civil
usually between individuals or part of civil suit.
evidence usually provided to individuals requesting investigation.
private investigators, law firm investigators or security companies
examples: divorce cases, child custody battles, law suits, small claims
http://www.pi-spy4u.com/services.html
Role of Investigator
The investigator must be impartial and skilled.
Impartiality
neutrality/objectivity must be maintained
credibility depends on it
impartiality in analysis and reporting
report evidence of wrong-doing including all the facts
job is to deliver the evidence not judge or convict
Skills set of the Computer Forensics Investigator
Detailed knowledge of computer hardware and software
Investigative and analytical techniques
Skills in use of forensics software toolkits
Knowledge of law and giving evidence in court
Common sense
Steps of a Computer Forensics Methodology
1. Preservation
2. Acquisition
3. Analysis
4. Discovery
5. Documentation
6. Presentation
How to begin a forensics examination
The Incident Response
This is the process of responding to a computer-related
incident (crime or policy violation) and methodically
securing, preserving and documenting digital evidence
using a prescribed methodology.
Forensics and Analysis tasks take place AFTER response.
Response could be carried out by an administrative assistant, network
administrator, manager, investigator or incident response team.
Initial response is critical to entire case.
First person on scene may not be highly trained in security and evidence
preservation.
Skills Sets and Training
Technical skills
basic computer maintenance
familiarisation with multiple operating systems
networking background and experience
working knowledge of computer and networking security
knowledge of law and criminal procedures
understanding of forensics procedures
knowledge of investigative techniques and tools
Presentation Skills
write reports in clear, concise manner
and acceptable format
describe technical subjects in non-technical language
be able to speak on public platform
Professional skills
be credible, i.e. perception is reality
be professional, i.e. recognised qualifications
be impartial
Evidence Control and Documentation
All evidence is properly acquired, controlled and
documented at ALL times
the most important aspect of the investigation
the crime scene is treated with care, i.e. not changed
Chain of custody will make or break the case
who has the evidence, what is happening to it, and the timeline of activity
Every action taken must be documented with times, dates and events
Document all interviews and analysis
Documentation is written up during the case and NOT afterwards
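As an added example that is not part of the lecture, the script below shows the Preservation and Acquisition steps of the methodology together with the evidence-control rules above: the acquired copy is hashed at acquisition time, every hand-over and verification is logged with a UTC timestamp and the actor's name, and a later re-hash detects any alteration of the working copy. All names, the item identifier and the "device contents" are constructed for illustration; nothing here is taken from a real case or from a specific forensic toolkit.

```python
"""Added example (not part of the lecture): a minimal acquisition record and
chain-of-custody log, showing the Preservation and Acquisition steps and the
rule that every action is documented with a date, time and actor.

Everything below runs offline. The 'device contents' are constructed bytes;
in practice the same digests would be taken of the physical device (behind a
write-blocker) and of the image file produced by dd/dcfldd or a similar tool.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class CustodyEntry:
    timestamp: str   # ISO-8601 in UTC, so timelines from different examiners line up
    actor: str
    action: str      # ACQUIRED / TRANSFER / VERIFY
    detail: str


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str
    md5: str
    custody: List[CustodyEntry] = field(default_factory=list)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Two independent digests of the same bytes; 2013-era toolkits reported both."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def _stamp(clock: Optional[datetime] = None) -> str:
    # An injectable clock keeps the log reproducible; the default is 'now' in UTC.
    return (clock or datetime.now(timezone.utc)).isoformat()


def acquire(item_id: str, description: str, source: bytes, actor: str,
            clock: Optional[datetime] = None) -> Tuple[EvidenceItem, bytes]:
    """Take a bit-for-bit copy, hash it at acquisition time and open the custody log."""
    image = bytes(source)                      # stands in for the forensic image file
    digests = hash_bytes(image)
    item = EvidenceItem(item_id, description, digests["sha256"], digests["md5"])
    item.custody.append(CustodyEntry(_stamp(clock), actor, "ACQUIRED",
                                     f"sha256={digests['sha256']}"))
    return item, image


def transfer(item: EvidenceItem, from_actor: str, to_actor: str,
             clock: Optional[datetime] = None) -> None:
    """Record a hand-over; the log must show who held the item at every moment."""
    item.custody.append(CustodyEntry(_stamp(clock), to_actor, "TRANSFER",
                                     f"received from {from_actor}"))


def verify(item: EvidenceItem, image: bytes, actor: str,
           clock: Optional[datetime] = None) -> bool:
    """Re-hash the working copy against the acquisition hash and log the outcome."""
    ok = hash_bytes(image)["sha256"] == item.sha256
    item.custody.append(CustodyEntry(_stamp(clock), actor, "VERIFY",
                                     "MATCH" if ok else "MISMATCH: image altered since acquisition"))
    return ok


def custody_report(item: EvidenceItem) -> str:
    """Plain-text custody record suitable for appending to the case file."""
    lines = [f"Item {item.item_id}: {item.description}",
             f"  SHA-256: {item.sha256}",
             f"  MD5:     {item.md5}"]
    for e in item.custody:
        lines.append(f"  {e.timestamp}  {e.actor:<16} {e.action:<9} {e.detail}")
    return "\n".join(lines)


# Constructed sample data: not a real device image.
SAMPLE_DEVICE = b"FAT32 boot sector | user documents | browser cache | " * 64


def demo() -> Dict[str, bool]:
    """Acquisition, hand-over, a clean verification, then a detected alteration."""
    item, image = acquire("EX-001", "USB stick, seized from desk drawer",
                          SAMPLE_DEVICE, "first responder")
    transfer(item, "first responder", "examiner")
    clean = verify(item, image, "examiner")
    altered = bytearray(image)
    altered[100] ^= 0x01                       # one flipped bit is enough to fail
    tampered = verify(item, bytes(altered), "examiner")
    print(custody_report(item))
    return {"clean_copy_verified": clean, "altered_copy_verified": tampered}


if __name__ == "__main__":
    demo()
```

The log is append-only by design: a failed verification is recorded rather than silently retried, because the record of what happened to the evidence, including mistakes, is what a court will want to see.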
Investigation and Analysis
follows the collection of data and evidence from
the crime scene
can be time consuming and tedious
requires highly technical skills
conducted on site or in forensics lab
can involve time critical work
find evidence of wrong-doing or not
must establish:
what happened
where - location
when - timeline
how - methods, tools, etc.
who and why if possible
document all parts of analysis
Reporting and Testifying
Formal report at the conclusion of the analysis/investigation
Report to the corporate individual or individual who initiated the investigation
Criminal cases can have several reporting requirements:
reports
depositions
testimony
Expert witness may be called to refute another testimony
Some useful terms
Admissible Evidence
Evidence that meets all regulatory and statutory requirements, and has been
properly obtained and handled
Backdoor
A software program that allows access to a system without using
security checks
Best practices
A set of recommended guidelines that outlines a set of good controls
Some useful terms
Computer evidence
Any computer hardware, software or data that can be used to prove one or
more of the 5WH (who, what, when, where, why, how) of a security incident
Forensic Certifications
The following are the most popular computer forensics certifications
Certified Computer Examiner (CCE) http://www.certified-computer-examiner.com
Certified Computer Crime Investigator (CCCI) http://www.htcn.org
Certified Forensic Computer Examiner (CFCE) http://iacis.com
Certified Information Forensics Investigator (CIFI) http://www.iisfa.org
Professional Certified Investigator (PCI) http://www.asisonline.org
The general qualifications of a computer forensics professional who is
involved in any type of computer investigation should include the following:
Certified Computer Forensics Expert
Electronic Data Recovery Expert
Forensic Data Recovery Expert (FDR)
International Association of Computer Investigative Specialists (IACIS) membership
Certified Fraud Examiner (CFE)
Certified Chief Information Security Officer (CSO)
Certified Information Systems Security Professional (CISSP)
Certified Forensic Computer Examiner (CFCE)
http://www.computerforensics1.com/computer-forensic-professional.html
Some Reading Material
Forensic Discovery by Dan Farmer and Wietse Venema
Internet Forensics By Robert Jones
File System Forensic Analysis by Brian Carrier
Windows Forensic Analysis DVD Toolkit, Second Edition by Harlan Carvey
Internet Sites
http://www.forensicfocus.com
http://www.digital-evidence.org/
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://krebsonsecurity.com/2010/03/researchers-map-multi-network-cybercrime-infrastructure/
http://www.ccmostwanted.com/
http://www.symantec.com/norton/cybercrime/index.jsp
http://www.antiphishing.org/crimeware.html
http://dataprotection.ie
http://www.tjmcintyre.com
http://en.wikipedia.org/wiki/Computer_crime
Journals
Journal of Digital Forensics, Security and Law
International Journal of Digital Crime and Forensics
Journal of Digital Investigation
International Journal of Digital Evidence
International Journal of Forensic Computer Science
Journal of Digital Forensic Practice
Cryptologia
Small Scale Digital Device Forensic Journal