Chap 8 EPCF

Ethics, Privacy and Computer Forensics
Chap 8 Computer Basics For
Digital Investigators
The Basics
 Central Processing Unit (CPU)
 Executes the instructions of every program the computer runs
 Basic Input and Output System (BIOS)
 Firmware that handles the basic movement of data between the components of a computer
 Programs (and the boot loader) use it to communicate with the CPU and the hardware
 Power On Self Test (POST)
 A small program in the BIOS that tests the basic components of a computer
 Verifies the integrity of the CPU and of the BIOS code itself
 Then checks all the others: drives, monitor, RAM and keyboard
 While POST is running, after the BIOS has started, most computers let you enter a setup screen and edit the configuration (boot order, date and time, drive settings) stored in battery-backed Complementary Metal Oxide Semiconductor (CMOS) memory
 The results of POST are checked against the CMOS settings
Disk Boot
 An operating system extends the functions of the BIOS and interfaces with the outside world
 The boot sequence looks for the location of the OS and loads it
 The ability to boot from a different disk (a forensic boot CD or USB device) is important when the hard disk may contain evidence: booting the suspect's own OS writes to that disk (timestamps, logs, swap) and alters the evidence
Representation of data
 Digital data is a sequence of "0"s and "1"s called bits
 Byte order (endianness) of multi-byte values
 Little-endian: Intel x86 based systems (least significant byte stored first)
 Big-endian: Sun SPARC and PowerPC-based Mac systems (most significant byte stored first)
 A common data representation is hexadecimal (one hex digit per 4 bits, two per byte)
 Another one is ASCII (Table 8.1)
 We need to use tools that display data in both hexadecimal and ASCII, and that let us pick the byte order when interpreting a value
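The following is an added example, not part of the original slides: a minimal hex/ASCII dump of the kind a forensic viewer shows, plus a helper that interprets the same four bytes in little-endian and big-endian order. The sample bytes are constructed for the example.

```python
"""Hex/ASCII dump and byte-order decoding of raw bytes.

Added example (not from the original slides); the SAMPLE bytes are constructed.
"""
import struct
from typing import List


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Return dump lines: hex offset, hex bytes, and printable ASCII.

    Non-printable bytes are shown as '.' in the ASCII column, as most tools do.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        # pad the hex column so the ASCII column lines up on a short last line
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def read_u32(data: bytes, offset: int, byteorder: str) -> int:
    """Interpret the 4 bytes at offset as an unsigned 32-bit integer.

    byteorder is "little" (x86) or "big" (SPARC, PowerPC); the same bytes give
    different values, which is why the viewer must know the source platform.
    """
    return int.from_bytes(data[offset:offset + 4], byteorder)


# Constructed sample: a 4-byte tag followed by the value 0x12345678 written
# little-endian (as an x86 program would), then two filler bytes.
SAMPLE = b"SIZE" + struct.pack("<I", 0x12345678) + b"\x00\xff"

if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    print(hex(read_u32(SAMPLE, 4, "little")))  # 0x12345678
    print(hex(read_u32(SAMPLE, 4, "big")))     # 0x78563412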
Storage Media
 Hard disks, floppy disks, thumb drives, etc.
 Hard disks are the richest source of digital evidence
 Integrated Drive Electronics (IDE), also called Advanced Technology Attachment (ATA)
 Higher-performance SCSI drives
 FireWire (IEEE 1394) adapts the SCSI command set to provide high-speed access to a chain of devices
 All hard drives contain platters made of a light, rigid material such as aluminum, ceramic or glass
More on Hard Drives
 Platters have a magnetic coating on both sides and spin between pairs of read/write heads
 The heads move like the needle over an old LP record, but float on a cushion of air created by the spinning disk rather than touching the surface
 The heads can align particles of the magnetic media (called writing) and can detect how the magnetic particles are aligned (called reading)
 Particles aligned one way are read as "0", aligned the other way as "1"
Storage
 A track is one concentric ring of data on a platter surface; a cylinder is the set of tracks at the same position on every surface of the drive
 Each track is divided into sectors that traditionally hold 512 bytes of information (newer drives use 4,096-byte sectors)
 512*8 = 4,096 bits of information per sector
 The location of data can be determined by which cylinder it is on, which head can access it and which sector contains it: CHS addressing
 Capacity of a hard drive = # of C * H * S * 512
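The following is an added example, not part of the original slides. It implements the capacity formula above and the conversion between a CHS address and a linear sector number (LBA), which is how tools translate the cylinder/head/sector values found in old partition tables into an offset in a disk image. The geometry 1024 cylinders, 16 heads, 63 sectors is a constructed example; it is also the classic BIOS CHS limit of about 504 MiB.

```python
"""CHS <-> LBA conversion and drive capacity for a given geometry.

Added example (not from the original slides); the geometry values used in the
demo are constructed.
"""
from typing import Tuple

SECTOR_SIZE = 512  # bytes per sector (traditional; newer "4Kn" drives use 4096)


def capacity_bytes(cylinders: int, heads: int, sectors: int) -> int:
    """Capacity = C * H * S * bytes per sector, as on the slide."""
    return cylinders * heads * sectors * SECTOR_SIZE


def chs_to_lba(c: int, h: int, s: int, heads: int, sectors: int) -> int:
    """Convert a CHS address to a linear sector number.

    Cylinders and heads count from 0; sectors count from 1 within a track.
    Raises ValueError if the address lies outside the drive geometry.
    """
    if not (0 <= h < heads and 1 <= s <= sectors):
        raise ValueError("CHS address outside drive geometry")
    return (c * heads + h) * sectors + (s - 1)


def lba_to_chs(lba: int, heads: int, sectors: int) -> Tuple[int, int, int]:
    """Inverse of chs_to_lba: find the cylinder, head and 1-based sector."""
    c, rem = divmod(lba, heads * sectors)
    h, s0 = divmod(rem, sectors)
    return c, h, s0 + 1


def byte_offset(c: int, h: int, s: int, heads: int, sectors: int) -> int:
    """Offset in a raw disk image of the first byte of the given sector."""
    return chs_to_lba(c, h, s, heads, sectors) * SECTOR_SIZE


if __name__ == "__main__":
    C, H, S = 1024, 16, 63  # constructed geometry (classic BIOS CHS limit)
    print(capacity_bytes(C, H, S))        # 528482304 bytes, about 504 MiB
    print(lba_to_chs(123456, H, S))       # (122, 7, 40)
    print(byte_offset(122, 7, 40, H, S))  # 63209472
```

Sectors numbered from 1 rather than 0 is the detail most often got wrong when converting by hand; the round trip in the test checks it.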
Limitations
Investigation flow: Event → Discovery → Analysis → Decision → Investigate or not
 When the investigation reveals evidence that the activity falls within reportable crimes;
 When the investigation reveals that the trail of evidence extends beyond the boundaries of your enterprise network; and
 When you know you're over your head.
File System Locations
 SKIP SECTION 8.5 for now
Very Brief Intro to Encryption
 Encryption is a process that translates plaintext (a readable digital object) into ciphertext, an unreadable digital object
 Encryption uses the concept of a key: a piece of data that, when applied with a specific algorithm, turns the plaintext into unreadable data, and with the matching key turns it back
 Symmetric Encryption: decryption is simply the reverse of encryption, using the same key
 Asymmetric Encryption: the decryption process differs from encryption and uses a different key from the one used to encrypt; the keys come in pairs (a public key and a private key)
Digital Signatures
 Electronic method to ensure:
 Data is from who it says it is from (authentication)
 Data has NOT been altered (integrity)
 Important for e-commerce transactions
 Works whether or not the document itself is encrypted
Digital Signatures
 The sender first hashes the message, then builds the signature from the hash using the sender's private key
 The recipient decodes the signature using the sender's public key, which recovers the hash the sender signed
 Hashing (somewhat akin to a CRC, but designed so that finding two documents with the same value is infeasible) calculates a fixed-size value that identifies the document
 The receiver re-calculates the hash of the received document and compares it to the hash recovered from the signature; a mismatch means the data was altered or the signature was not made with the matching private key
The digital signature process.
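The following is an added example, not part of the original slides, covering both the asymmetric encryption slide and the signature slides above: hash-then-sign and verify, plus encrypt with the public key and decrypt with the private key, using a textbook RSA key pair. The key is built from two fixed Mersenne primes so the block runs offline and deterministically; a 92-bit modulus and unpadded RSA are for illustration only and would be trivially broken in practice, and the sample message is constructed.

```python
"""Hash-then-sign, verify, and asymmetric encrypt/decrypt with textbook RSA.

Added example (not from the original slides). INSECURE DEMO KEY: fixed small
primes and no padding, chosen only so the example is short and deterministic.
"""
import hashlib

# Fixed demo primes 2**31 - 1 and 2**61 - 1; real keys use random primes of
# 1024+ bits each and a padding scheme (e.g. PSS, OAEP).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)

PUBLIC_KEY = (E, N)    # shared with everyone
PRIVATE_KEY = (D, N)   # kept by the signer / recipient of encrypted data


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer below N: the value actually signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then apply the private key to the hash."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: apply the public key to the signature to recover the signed
    hash, re-hash the received message, and compare the two."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(plaintext: int, public_key) -> int:
    """Anyone can encrypt with the public key..."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(plaintext, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """...but only the holder of the private key can decrypt."""
    d, n = private_key
    return pow(ciphertext, d, n)


def demo():
    """Returns (genuine verifies, tampered verifies, encrypt/decrypt round-trips)."""
    msg = b"Transfer 100 to account 42"  # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    genuine_ok = verify(msg, sig, PUBLIC_KEY)
    # Changing one digit changes the hash, so the old signature no longer matches
    tampered_ok = verify(b"Transfer 900 to account 42", sig, PUBLIC_KEY)
    secret = 0xC0FFEE
    round_trip = decrypt(encrypt(secret, PUBLIC_KEY), PRIVATE_KEY) == secret
    return genuine_ok, tampered_ok, round_trip


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Note the direction of the keys: signing uses the private key and verification the public key, while encryption uses the public key and decryption the private key. The message itself is sent in the clear here, which is the point of the "works whether or not the document is encrypted" bullet: the signature protects integrity and origin, not confidentiality.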
Ethics
 Very hard to define
 Certified professionals are held to high standards
 Should be part of organizational behavior and culture
 Generate guidelines for ethics and Net-ethics
(ISC)2 Code of Ethics
 Conduct in accordance with highest moral standards
 Not be a party to any unlawful or unethical act
 Report any unlawful acts
 Support and be active in promoting best information
security practices
 Provide competent services to their clients, employees &
community
 Be professional
 Do not misuse information they have access to
Computer Ethics Institute (CEI) Ten Commandments of Computer Ethics - Thou Shalt
I. Not use a computer to harm other people
II. Not interfere with other people's computer work
III. Not snoop around in other people's computer files
IV. Not use a computer to steal
V. Not use a computer to bear false witness
Computer Ethics Institute Ten Commandments of Computer Ethics - Thou Shalt
VI. Not copy or use proprietary software for which you have not paid
VII. Not use other people's computer resources without authorization or proper compensation
VIII. Not appropriate other people's intellectual output
IX. Think about the social consequences of the program you are writing or the system you are designing
X. Always use a computer in ways that ensure consideration and respect for your fellow humans
Good Internet Conduct
 Unacceptable and unethical activities are any that:
 Seek to gain unauthorized access to the resources of the Internet
 Destroy the integrity of computer-based information
 Disrupt the use of the Internet
 Waste resources such as people, capacity and computers through these actions
 Compromise the privacy of users
 Involve negligence in the conduct of Internet-wide experiments
References (General)
 http://www.dcfl.gov/home.asp
 http://www.porcupine.org/forensics/
 http://www.cftt.nist.gov/
 http://www.computerworld.com/news/special/pages/0,10911,1705,00.html
 http://www.itl.nist.gov/div897/docs/computer_forensics_tools_verification.html
 http://seattletimes.nwsource.com/html/businesstechnology/134531230_forensics08.html
 http://www.cio.com/archive/030101/autopsy.html
 http://www.csoonline.com/read/030103/machine.html
 http://www.sans.org/rr/incident/
 http://www.saic.com/infosec/computer-incident-management.html
 http://www.ey.com/global/download.nsf/International/Computer_Forensics/
$file/computerforensics.pdf
 http://www.crazytrain.com/
 http://www.htcia.org/
 http://www.cops.org/
 http://www.securityfocus.com/incidents
Class Work
 Research tools in the following categories. Provide at least 5 tools for each
 Network vulnerability scanning
 OS vulnerability scanning
 Application vulnerability scanning
 Digital Forensics
 Pretty Good Privacy (PGP) software
 For each tool indicate in a table
 Cost, and whether it is available for download and evaluation
 Coverage and the requirements for installation
 Description of the tool and why you like or do not like it
 OS flavors it works on
Class Work
 In not more than ½ page or two slides, describe the ethical questions concerning the handling of digital evidence
 Based on what you have read so far, how can
you improve on the digital evidence process
 List the types of possible sources of digital
evidence and a description of what they may
have that is relevant
 List at least 10 web sites with digital forensics
services and describe their methodology. Not
more than ½ page or one slide