Chapter 18-Engineering and Computer
Chapter 18
Engineering
Takes fundamental scientific, economic and practical knowledge and applies this understanding to the design and construction of structures, devices, materials, and processes that directly impact human lives.
CHE 113
Forensic Engineering
• In the 19th century, forensic engineering began to inform courts regarding negligent or intentionally fraudulent building and design practices.
• Failure analysis
• Crime scene analysis and reconstruction
Failure Analysis Goals
• Determine who was responsible for the failure in order to bring either criminal charges or levy financial damages against them.
• Modify specific designs or practices in order to prevent similar failures from happening in the future.
Tacoma Narrows Bridge
• Bridge Collapse
Failure Analysis
• Sometimes the catastrophic failure of an engineered system is brought about by the failure of just one or several smaller components that make up the entire system.
Space Shuttle Challenger
O-Ring Failure
Failure Analysis Protocol
• Get background information (e.g., blueprints, maintenance logs, legal requirements and standards, etc.)
• Carry out detailed site investigations and complete computer modeling simulations
• Run multidisciplinary laboratory analyses before a reasonable answer is reached
Tree eats car…
Car in the bush…
Truck in house…
Vehicle Accidents
• Possible causes of single-vehicle accidents
Possible Reasons
1. *Distraction (Phone, Radio, Bugs…)
2. Drunk
3. Excessive speed with loss of control
4. Slick road surface (unsafe speed, unsafe distance, bald tires)
5. Avoidance of animal, person or other vehicle
6. Brake/Accelerator Confusion
7. Equipment malfunction
8. Asleep
Process Scene
• Photograph
• Draw
• Measure
• Interview Witnesses
• Look at vehicle documents
• Document weather/road conditions
Skid Marks
• Evidence of braking before crash
• Friction between road and tire causes burning
• Can determine minimum traveling speed preceding accident, site of incident, evidence of avoidance or lack of avoidance
Skid Marks
Skid Marks w/ collision:
Skid Marks-Min. Speed
Simplistic SKID to STOP formula:
• Assumes final velocity is 0 mph (i.e., gently comes to a stop with no impact)
V = Impact Speed
Vo = max speed for no crush (manufacturer)
K = crush stiffness (manufacturer)
D = Avg. Crush Depth (measured)
Did driver signal lane change or have headlights on?
Brake Lights
Lights
• Brake lights have filament bowed upward
• This means lights were on at crash
• Heat and impact cause the deformed shape
• Means that driver braked before crash
Digital Evidence – SWGDE Definition
Information of probative value (to prove), stored or transmitted in binary form
Sources of Digital Evidence
• Storage media
• Computing devices
• Communications devices
• Network communications
• Applications
• Cloud
Process Map (figure): Investigation → Tasking → Examination Planning → Report → Expert Testimony → Legal Proceedings
Inherent Problems with Data
• Size/volume
– Terabytes of data (~10-20 TB = Y2K Lib. of Congress)
– Computers store 100’s of thousands of files in thousands of file types
– Data is simultaneously in multiple contexts
• Volatility
• Reliability/authentication
• Content
Contexts
Investigative Context
• Who
• What
• When
• Where
• Why
• How
Information Systems Context
• User
• Computer
• Application
• Operating System
• File System
• File
• Storage Media
• Network (inc. NAS)
• Physical Media
The Problem is…
• The questions are not data-centric
• The data is not organized in a thematic, chronological, or topical way
• In short, we are not asking numeric questions of a Grisham novel or medieval manuscript.
The Disconnect
• Investigators
– Ask narrative questions like
• Who
• What
• When
• Where
• Why
• How
• Data Examiners
– Ask data questions
• Data location
• Data type
• Data content
• Metadata
The problem is the data aren’t arranged that way!
Hard drives are huge anthologies containing millions of “short stories”
Forensic Process (figure): Acquisition & Preservation → Examination → Analysis → Presentation (Value)
It starts with the legal right to collect information
• In a governmental setting (LE & Intel), it requires a form of legal authority (search warrant, court order, consent, etc.)
• In the private sector it is part law and part ethics.
• In Electronic Discovery, it is procedural law.
• No data should be collected without clear authority.
How do we actually do Digital Forensics?
• First step: Acquisition
• Collect physical item
• Make a digital duplicate (file)
– Write block
– Software to image
• Calculate hash (map data)
• Document
Hashing – for authentication and reliability
• Suite tools (EnCase, FTK, ProDiscover, etc.) have hashing built in
• Command line tools
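The acquisition steps above (duplicate the media block by block, hash the data, verify the copy) as a runnable illustration. This is an added example, not code from the slides or from any of the suites named; the "device" is a constructed in-memory byte string standing in for a write-blocked drive, and the image is written to a temporary directory.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 4096  # fixed-size blocks, the way a dd-style imager reads a device

def image_and_hash(src, dst, algo="sha256"):
    """Copy a readable source to the image file block by block, hashing the
    stream as it is written. Returns the hex digest of the acquired bytes."""
    h = hashlib.new(algo)
    for block in iter(lambda: src.read(CHUNK), b""):
        dst.write(block)
        h.update(block)
    dst.flush()
    return h.hexdigest()

def hash_file(path, algo="sha256"):
    """Independent re-read of the image on disk: the verification hash."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(device_bytes, image_path):
    """Simulated acquisition. The 'device' is an in-memory read-only stream
    standing in for a write-blocked /dev/sdX (constructed, not real media)."""
    with io.BytesIO(device_bytes) as dev, open(image_path, "wb") as img:
        acquisition_hash = image_and_hash(dev, img)
    verification_hash = hash_file(image_path)
    return acquisition_hash, verification_hash

def demo():
    """Acquire a constructed 10 KiB device, verify, then alter one byte of
    the image and show the documented hash no longer matches."""
    device = b"\x00" * 4000 + b"SECRET-NOTE.txt" + b"\xff" * 6000
    path = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    acq, ver = acquire(device, path)
    with open(path, "r+b") as f:      # simulate post-acquisition tampering
        f.seek(4000)
        f.write(b"X")
    return {"acquisition": acq, "verification": ver,
            "verified": acq == ver,
            "direct": hashlib.sha256(device).hexdigest(),
            "authentic_after_edit": hash_file(path) == acq}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

The acquisition hash is recorded in the notes at imaging time; any later re-hash that disagrees with it means the copy is no longer the copy that was documented.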
Examination Planning
• Review Tasking
• Develop Forensic
Questions
• Write forensic
hypotheses
• Design examination
Examination
• Mount evidence
• Document evidence
• Recover data
– Deleted
– Unallocated
– File fragments – carving
• Search & extract
• Command line or GUI
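Recovering file fragments from unallocated space by carving, as an added example (not code from the slides or from The Sleuthkit/Autopsy): a header/footer carver that scans a constructed blob of "unallocated" bytes for JPEG and PNG signatures and returns each recovered object with its offset. The sample blob, the two image-like objects and the truncated header are all constructed for the demonstration.

```python
# Header and footer signatures for two common carving targets.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB

def carve(blob, signatures=SIGNATURES):
    """Header/footer carving over a raw byte blob (e.g. unallocated space):
    find each known header, then take bytes through the next matching
    footer. Returns a list of (type, start_offset, length, data), sorted
    by offset. A header with no footer in range is skipped (truncated or
    partly overwritten file), which is the usual carving failure mode."""
    found = []
    for ftype, (head, foot) in signatures.items():
        pos = blob.find(head)
        while pos != -1:
            end = blob.find(foot, pos + len(head), pos + MAX_CARVE)
            if end == -1:
                pos = blob.find(head, pos + 1)   # no footer: try next header
                continue
            end += len(foot)
            found.append((ftype, pos, end - pos, blob[pos:end]))
            pos = blob.find(head, end)           # resume after the carved file
    return sorted(found, key=lambda r: r[1])

def fake_jpeg(payload):
    """Constructed minimal JPEG-like object: SOI marker + payload + EOI."""
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"

def fake_png(payload):
    """Constructed minimal PNG-like object: signature + payload + IEND chunk."""
    return SIGNATURES["png"][0] + payload + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"

def build_unallocated():
    """Constructed 'unallocated space': slack, a deleted JPEG, slack, a
    deleted PNG, slack, then a JPEG header whose body was overwritten."""
    return (b"\x00" * 512 + fake_jpeg(b"photo-one") + b"\x00" * 300
            + fake_png(b"screenshot") + b"\xff" * 100
            + b"\xff\xd8\xff\xe1truncated" + b"\x00" * 200)

if __name__ == "__main__":
    for ftype, off, length, _ in carve(build_unallocated()):
        print(f"{ftype} at offset {off} ({length} bytes)")
```

Real carvers add per-format structure checks (chunk lengths, marker parsing) so that a stray footer in unrelated data does not end a file early; signature matching alone is the first pass, not the last.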
Examination Tools
• Command line tools
– Standard UNIX/Linux: dd if=/dev/sda of=evidence.dd
– Sleuthkit – TSK
• GUI Suites
– ProDiscover
– FTK & EnCase
– Autopsy
• Linux Distributions
Analysis
• Analysis is taking the data recovered in the
examination phase and answering
questions:
– Forensic Questions
• Identification
• Classification/individualization
• Association
• Reconstruction
– Investigative Questions
• Who, What, When, Where, Why, and How?
Analysis Continued
• The analysis process is all about critical
thinking
• Selecting pertinent information
– Classifying, refining, evaluating
• Organizing information
– Timelines, narratives, visualization, simulating
• There aren’t really tools for this!
Reporting & Testimony
• Examiners write – A LOT!
– Extensive, contemporaneous Notes
– Reports – vary by organization
– Provide oral briefings
– Testify as expert witnesses
• Teaching on the stand
• Offer opinion and conclusion testimony
And if that wasn’t enough…
• Everything is done under a quality
management system
– Standard Operating Procedures
– Peer Reviews
– Audits
– Proficiency tests
– Certification
– Accreditation
Acquisition Teaching Modalities
• Usually scenario based
– Artificial or reality based
• Evidence can:
– Support scenario or refute it
– Simple or complex (caution: it is always more complex than you think)
• Think, Plan, Do – In that order!
Virtualization
• Dedicated hardware is nice, but not practical
• Using virtual machines is the best and easiest way to ensure that the environment is controlled
• VMware and VirtualBox are the two main packages.
• VMware Player and VirtualBox are free
http://www.vmware.com
https://www.virtualbox.org/
Creating Evidence for Acquisition
• Small, simple media e.g.: SD cards, USB drives
– Start collecting a “stash” of old, small devices
• ALWAYS wipe the media before “planting” the evidence
• Plant using a clean, recently booted computer
• Create an image and a hash
• Test, test, test
Imaging
• Can use various tools
– dd, dcfldd
– FTK Imager/Lite
– Bootable CD/USB
• Verify hash of original matches image file (e.g., evidence.dd)
Examination
• Command line tools
– Mostly Linux-based
• Hex Editor
– WinHex
• Semi-suite
– The Sleuthkit
• Suites
– Autopsy
– FTK
– ProDiscover
• Bootable Linux distros
– Caine
– Deft/Deft Zero
– Santoku
– Sift
– Kali – pen testing focus
Network & Mobile Devices
• Network Forensics is very “techy”
• You MUST use a dedicated, isolated network – NEVER do this on a live network
• Tools like Wireshark are useful
• Only for advanced instructors/students
• Mobile devices, such as smartphones and tablets, are the latest challenge
• Very technical, tricky to set up and potential for “bricking” the device
Analysis
• While suites typically allow “bookmarking”,
it is often better to export data to analyze
with other programs
• Excel is a very powerful tool for this.
• TSK and Autopsy offer timeline analysis
• Good analysis is intellectually challenging
• It’s about Knowledge Management
Reporting
• Writing can serve several purposes
– Notes are contemporaneous and serve both as resource material for report writing and as “learning by writing” – a sort of journaling
– Reports can be used both for presentation and for pedagogy
• By defining a structure that forces a logical approach and completeness, students can become better thinkers and writers
Example Report Format
• Tasking
• Forensic Questions
– Identification
– Classification/individualization
– Association
– Reconstruction
• Steps Taken
• Results
• Conclusions
• Opinions
Books
• Nelson – Guide to Computer Forensics & Investigations
• Altheide – Digital Forensics with Open Source Tools
• Carrier – File System Forensic Analysis
Advanced Cyberforensics Education Consortium – ACE: http://www.cyberace.org
U.S. Digital Forensics Challenge: http://www.usdfc.org/
Cyberpatriot
Software Links
• Forensic Linux Distros
– https://www.kali.org/
– http://www.deftlinux.net/
– http://www.caine-live.net/
– https://santoku-linux.com/
• Sleuthkit & Autopsy – http://www.sleuthkit.org/
Additional Resource links
• Forensic Wiki http://forensicswiki.org
• Virtual Box https://www.virtualbox.org/
• Microsoft Sysinternals
• ProDiscover
• Access Data FTK, Registry Viewer, Imager
• Guidance Software
• FireEye – Mandiant https://www.fireeye.com/services/freeware.html
Thanks for all you do as teachers!
mmpollit@syr.edu