Easttom PPT 14 Final


Computer Security Fundamentals

by Chuck Easttom

Chapter 14 Introduction to Forensics


Chapter 14 Objectives

• Understand basic forensics principles
• Make a forensic copy of a drive
• Use basic forensics tools

© 2012 Pearson, Inc. Chapter 14 Introduction to Forensics 2


Don’t Touch the Suspect Drive
The first, and perhaps most important, principle is to touch
the system as little as possible. You do not want
to make changes to the system in the process of
examining it. Look at one possible way to make
a forensically valid copy of a drive. Some of this
depends on Linux commands, which you may or
may not be familiar with. Even students with no
Linux experience can use these same commands
and accomplish the task of making a forensic copy
of a drive.
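
The imaging step described on this slide, as an added example that is not from the slides or the book: a POSIX shell script that copies a source bit-for-bit with dd, verifies the copy by SHA-256 and appends a chain-of-custody line. The EXAMINER variable, the make_sample_drive helper and the tab-separated log layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example: forensic copy of a drive with dd, hash verification and a
# chain-of-custody log. Assumes sha256sum, dd, awk and date -u are available.

# forensic_copy SOURCE IMAGE LOG -> 0 if the image hashes the same as SOURCE
forensic_copy() {
    src="$1"; img="$2"; log="$3"
    examiner="${EXAMINER:-unknown}"   # assumption: set EXAMINER in the environment

    # Hash the original first; reading it is the only access we make to it.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    [ -n "$src_hash" ] || return 1

    # Bit-for-bit copy. In a real case SOURCE is the device node (for example
    # /dev/sdb) behind a write blocker. conv=noerror,sync continues past bad
    # sectors and zero-fills them; a sector-sized bs keeps that padding honest.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$img_hash" ] || return 1

    # Document everything: when (UTC), who, source, image and both hashes.
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$examiner" "$src" "$img" "$src_hash" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG -> 0 if IMAGE still hashes to the value recorded in LOG.
# Run this whenever the image changes hands and before analysis begins.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v img="$img" '$4 == img { h = $6 } END { print h }' "$log")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# make_sample_drive PATH -> constructed 4096-byte stand-in for a drive, so the
# functions above can be exercised without real hardware or root privileges.
make_sample_drive() {
    yes 'constructed sector data for the imaging demo' | head -c 4096 > "$1"
}
```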



Document Trail

Beyond not touching the actual drive, the next
issue is documentation. If you have never
worked in any investigative capacity, the level
of documentation may seem onerous to you.
But the rule is simple: Document everything.



Secure the Evidence

First and foremost, the computer must be
taken offline to prevent further tampering.
There are some limited circumstances in
which a machine would be left online to trace
down an active, ongoing attack. But the
general rule is to take it offline immediately.



Using FTK

Widely used tool



Concepts to know

• Chain of Custody
• Locard’s principle



Document Losses
• Labor cost spent in response and recovery. (Multiply the
number of participating staff by their hourly rates.)
• If equipment was damaged, the cost of that equipment.
• If data was lost or stolen, what was the value of that
data? How much did it cost to obtain that data and how
much will it cost to reconstruct it?
• Any lost revenue, including losses due to down time,
having to give customers credit due to inconvenience, or
any other way in which revenue was lost.



Tools

• AccessData FTK
• Guidance EnCase
• OSForensics
• SleuthKit
• Oxygen
• Cellebrite



Finding Evidence in the Browser

The browser can be a source of both direct evidence and
circumstantial or supporting evidence. Obviously in
cases of child pornography, the browser might contain
direct evidence of the specific crime. You may also find
direct evidence in the case of cyber stalking. However, if
you suspect someone of creating a virus that infected a
network, you would probably find only indirect evidence
such as the person having searched virus
creation/programming-related topics.



Finding Evidence in System Logs

• Application logs
• Security logs
• System logs
• E-mail logs
• Printer logs



Windows Utilities

• net sessions
• openfiles
• fc
• netstat
• Windows Registry



Windows Forensics

• The Registry is extremely important
• Specific entries
• Logs
• Recovering Deleted Files



Phone Forensics

• General Cell Phone Concepts
• Specific Phones
  • iOS
  • Android
  • Windows



Legal Issues

• Daubert
• Rule 702



Forensic Certifications

• CCFP
• CHFI
• SANS
• AccessData



Summary

The most important things you have learned
are to first make a forensic copy to work
with, and second, to document everything.
You simply cannot over-document. You have
also learned how to retrieve browser
information and recover deleted files, and you
have learned some commands that may be
useful forensically.
