Slide 1
Intrusion Detection
MIS.5213.011
ALTER
0A234
Lecture 12
Slide 2
What is Computer & Cyber Forensics

Computer / cyber forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.
Slide 3
Cyber Forensics

Identifying
This is the process of identifying such things as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies and the tools to be used.
Slide 4
Preserving
This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in a court of law.
Slide 5
Analyzing
This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is that it can be viewed without risk of accidental changes, therefore maintaining the integrity whilst examining the evidence.

Presenting
This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court, the jury, who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original; otherwise all your efforts could be futile.
Slide 6
Incident Investigation
Principles / Rules

Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may later be presented in court. Minimal handling of the original data.

Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she shall also be able to give evidence explaining the relevance and course of their actions.

Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person responsible for the investigation must have overall responsibility for ensuring that the law and the ACPO principles are adhered to.
Slide 7
Incident Investigation - Principles

Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may later be presented in court. Minimal handling of the original data.

This can be regarded as the most important rule in computer forensics. Where possible, make duplicate copies of the evidence and examine the duplicates. In doing this, the copy must be an exact reproduction of the original, and you must also authenticate the copy; otherwise questions can be raised over the integrity of the evidence.
Slide 8
Incident Investigation - Principles

Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may later be presented in court.

In certain circumstances changes to the evidence may be unavoidable. For instance, booting up or shutting down a machine can result in changes to the memory and/or temporary files. Where changes do occur, the nature, extent and reason for the change must be documented.
Slide 9
Incident Investigation - Principles

Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she shall also be able to give evidence explaining the relevance and course of their actions.

Do not proceed with an investigation if it is beyond your level of knowledge and skill. If you find yourself in this situation you should seek assistance from someone more experienced, such as a specialist investigator, or, if time permits, obtain additional training to improve your knowledge and skills. It is advisable not to continue with the examination, as you may damage the outcome of your case.
Slide 10
Incident Investigation - Principles

Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Slide 11
Incident Investigation - Principles

Principle 4: The person responsible for the investigation must have overall responsibility for ensuring that the law and the ACPO principles are adhered to.

The rules of evidence are the rules investigators must follow when handling and examining evidence, to ensure the evidence they collect will be accepted by a court of law.

Five points on rules of evidence:
Admissible
Authentic
Complete
Reliable
Believable
Slide 12
Incident Investigation - Principles

Admissible: This is the most basic rule – the evidence must be able to be used in court or elsewhere. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher.

Authentic: If you can’t tie the evidence positively to the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.
Slide 13
Incident Investigation - Principles

Complete: It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can help prove the attacker’s actions, but for completeness it is also necessary to consider and evaluate all evidence available to the investigators and retain that which may contradict or otherwise diminish the reliability of other potentially incriminating evidence held about the suspect. Similarly, it is vital to collect evidence that eliminates alternative suspects. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and demonstrate why you think they didn’t do it. This is called exculpatory evidence and is an important part of proving a case.
Slide 14
Incident Investigation - Principles

Reliable: Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity.

Believable: The evidence you present should be clear, easy to understand and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted version that can be readily understood by a jury, you must be able to show the relationship to the original binary; otherwise there’s no way for the jury to know whether you’ve faked it.
Slide 15
Cyber Forensics – Process Steps

Obtain authorization to search and seize.
Secure the area.
Document the chain of custody.
Bag, tag, and safely transport the equipment and e-evidence.
Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence.
Keep the original material in a safe, secured location.
Slide 16
Cyber Forensics

Design your review strategy for the e-evidence, including lists of keywords and search terms.
Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy.
Interpret and draw inferences based on facts gathered from the e-evidence. Check your work.
Describe your analysis and findings in an easy-to-understand and clearly written report.
Give testimony under oath in a deposition or courtroom.
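The "acquire a forensic image, authenticate the copy, and keep an audit trail" part of the process above (the Preserving slide, ACPO Principles 1 and 3, and the acquisition steps) can be made concrete in a few dozen lines. The following Python is an added example written for these notes; it is not code from the lecture or from any forensic tool. It images a constructed sample file chunk by chunk while hashing the bytes it reads, independently re-hashes the written image, records every action with a UTC timestamp, and then shows that a single-byte change to the working copy is caught on re-verification. The examiner name, file names and the temporary directory are all constructed placeholders; a real acquisition would read from a device behind a hardware write blocker.

```python
"""
Added example (not from the lecture slides): image a source file chunk by
chunk, hash the source while reading it, hash the written copy independently,
and record every step in a chain-of-custody audit trail. All paths and the
"evidence" are constructed in a temporary directory, not a real device.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks so large images never have to fit in RAM


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class AuditTrail:
    """Append-only list of timestamped actions (ACPO Principle 3)."""

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, **details) -> dict:
        entry = {"time": _now(), "examiner": self.examiner, "action": action, **details}
        self.entries.append(entry)
        return entry

    def write(self, path: str) -> None:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(self.entries, fh, indent=2)


def sha256_of(path: str) -> str:
    """Hash a file in chunks; used for the source and for the finished copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str, trail: AuditTrail) -> dict:
    """Copy source -> image, hashing bytes as they are read. The source is only
    ever opened read-only (Principle 1); in practice a hardware write blocker
    enforces that, this is just the software-side equivalent."""
    trail.record("acquisition_start", source=source, image=image)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached stable storage
    source_hash = h.hexdigest()
    image_hash = sha256_of(image)  # independent re-read of what was written
    result = {"source_sha256": source_hash, "image_sha256": image_hash,
              "verified": source_hash == image_hash}
    trail.record("acquisition_end", **result)
    return result


def verify_image(image: str, expected_sha256: str, trail: AuditTrail) -> bool:
    """Re-hash the working copy later (before analysis, or for court) and log the outcome."""
    actual = sha256_of(image)
    ok = actual == expected_sha256
    trail.record("verification", image=image, expected=expected_sha256, actual=actual, ok=ok)
    return ok


def demo() -> dict:
    """Run the whole flow on a constructed 3 MiB sample 'device' in a temp dir."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    try:
        source = os.path.join(workdir, "suspect-disk.bin")   # constructed evidence
        image = os.path.join(workdir, "suspect-disk.dd")     # working copy
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * CHUNK // 256))
        trail = AuditTrail(examiner="examiner-placeholder")
        result = acquire_image(source, image, trail)
        result["reverified"] = verify_image(image, result["source_sha256"], trail)
        # Simulate an accidental change to the copy: verification must now fail and be logged.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"\xff")
        result["tampered_detected"] = not verify_image(image, result["source_sha256"], trail)
        trail.write(os.path.join(workdir, "chain-of-custody.json"))
        result["audit_entries"] = len(trail.entries)
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here: the source hash is computed from the same bytes that were written rather than from a separate pass, so a later mismatch can only come from the copy, and the verification entries are kept in the same trail as the acquisition so an independent reviewer sees the full sequence in one place.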
Slide 17
Cyber Forensics Memory Dump

Considering modern technology (volume encryption, cloud services, etc.), it becomes vital for an investigation to capture a volatile memory dump first, before triggering the power switch.

Memory dumps routinely contain information that could be essential for an investigation, including binary decryption keys for encrypted volumes (TrueCrypt, BitLocker, PGP WDE), recently viewed pictures, loaded registry keys, recent Facebook communications, emails sent and received via web services such as Gmail or Hotmail, active malware, open remote sessions, and so on.
Slide 18
Cyber Forensics Disk Forensics

Creating a forensic image of the suspect’s hard drive is an essential step and a must-do in any investigation.

You should consider the following when looking at a tool:
Bypass ATA / boot-up passwords – a search on "ATA bypass" will get you started.
You can reset HPA/DCO if present. The device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or the host protected area (HPA), it is not accessible by the BIOS, the OS, or the user.
Cloning and imaging to a file.
Slide 19
Analysis

Once the relevant information has been extracted, the analyst should study and analyze the data to draw conclusions from it.

The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data, or to determine that no conclusion can yet be drawn.

The analysis should include identifying people, places, items, and events, and determining how these elements are related so that a conclusion can be reached.

Often this effort will include correlating data among multiple sources. For instance, a network intrusion detection system (IDS) log may link an event to a host, the host audit logs may link the event to a specific user account, and the host IDS log may indicate what actions that user performed.

Tools such as centralized logging and security event management software can facilitate this process by automatically gathering and correlating the data. Comparing system characteristics to known baselines can identify various types of changes made to the system.
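The network IDS to host to user account to actions chain described above, and the Complete rule's demand to show who else was logged in at the time, can be walked programmatically. The Python below is an added example for these notes, not code from the lecture or from any SIEM product. The three log sources, the host inventory, the host names, user names and addresses are all constructed for the example, and the simple key=value line format is an illustration, not a real product's format. Given a network alert, it maps the source address to a host, reconstructs every account with an open session on that host at the alert time from logon/logoff pairs, and then pulls each of those accounts' host IDS actions within a time window, so that the account with matching actions and the accounts with none are both visible in the result.

```python
"""
Added example (not from the lecture slides): correlate three constructed log
sources to go from a network IDS alert to a host, to the accounts logged in
at that time, to what each account did around the alert.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample logs and inventory. Real formats differ by product.
NETWORK_IDS_LOG = """\
2024-05-03T10:14:02Z alert sig="Suspicious outbound SSH" src=10.0.5.23 dst=203.0.113.9 dpt=22
2024-05-03T10:20:40Z alert sig="Port scan" src=10.0.5.40 dst=10.0.5.1
"""
HOST_INVENTORY = {"10.0.5.23": "ws-finance-07", "10.0.5.40": "ws-lab-02"}  # constructed CMDB data
HOST_AUDIT_LOG = """\
2024-05-03T09:58:11Z host=ws-finance-07 event=logon user=alice session=41
2024-05-03T10:05:30Z host=ws-finance-07 event=logon user=bob session=42
2024-05-03T10:25:00Z host=ws-finance-07 event=logoff user=bob session=42
2024-05-03T10:31:19Z host=ws-finance-07 event=logoff user=alice session=41
"""
HOST_IDS_LOG = """\
2024-05-03T10:13:55Z host=ws-finance-07 user=alice action=exec cmd="ssh -p 22 203.0.113.9"
2024-05-03T10:13:58Z host=ws-finance-07 user=alice action=file_read path=/srv/payroll/q2.xlsx
2024-05-03T10:05:45Z host=ws-finance-07 user=bob action=exec cmd="notepad.exe"
"""


def parse_kv(line: str) -> dict:
    """Parse 'timestamp key=value key="quoted value" ...' into a dict.
    A bare token without '=' (e.g. 'alert') is stored under 'type'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for tok in shlex.split(rest):  # shlex keeps quoted values together
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val
        else:
            rec.setdefault("type", key)
    return rec


def parse_log(text: str) -> list:
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def sessions_open_at(audit: list, host: str, when: datetime) -> list:
    """Accounts with an open session on `host` at `when`, from logon/logoff
    pairs keyed by (user, session id). A session with no logoff is still open."""
    spans = {}
    for rec in audit:
        if rec.get("host") != host:
            continue
        key = (rec["user"], rec["session"])
        if rec["event"] == "logon":
            spans[key] = [rec["ts"], None]
        elif rec["event"] == "logoff" and key in spans:
            spans[key][1] = rec["ts"]
    return sorted({user for (user, _), (start, end) in spans.items()
                   if start <= when and (end is None or when <= end)})


def correlate(alert: dict, audit: list, hids: list, window=timedelta(minutes=2)) -> dict:
    """Alert -> host -> logged-in users -> each user's host IDS actions near the alert."""
    host = HOST_INVENTORY.get(alert.get("src"))
    if host is None:
        return {"alert": alert["sig"], "host": None, "users": [], "actions": {}}
    users = sessions_open_at(audit, host, alert["ts"])
    actions = {u: [r for r in hids
                   if r.get("host") == host and r.get("user") == u
                   and abs(r["ts"] - alert["ts"]) <= window]
               for u in users}
    return {"alert": alert["sig"], "host": host, "users": users, "actions": actions}


def investigate() -> list:
    alerts = parse_log(NETWORK_IDS_LOG)
    audit = parse_log(HOST_AUDIT_LOG)
    hids = parse_log(HOST_IDS_LOG)
    return [correlate(a, audit, hids) for a in alerts]


if __name__ == "__main__":
    for finding in investigate():
        print(finding["alert"], "->", finding["host"], "->", finding["users"])
        for user, acts in finding["actions"].items():
            print("  ", user, [(a["ts"].time().isoformat(), a["action"]) for a in acts])
```

For the first constructed alert the result names both alice and bob as logged in, attributes the ssh execution and the payroll file read to alice within the window, and records an empty action list for bob; that empty list is exactly the exculpatory evidence the Complete rule asks for, and it is worth keeping in the report rather than discarding. The second alert maps to a host with no audit records at all, and the function returns no users rather than guessing, which matches the "determine that no conclusion can yet be drawn" outcome above.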
Slide 20
Reporting

Alternative explanations. If there are many possibilities, then the analyst needs to address each one.

Audience consideration. The report should address the audience: technical, legal, managerial, law enforcement.

Actionable information. Reporting also includes identifying actionable information gained from data that may allow an analyst to collect new sources of information. For example: a list of contacts; identified back doors or other malware.
Slide 21
Additional Resources

https://forensiccontrol.com/resources/free-software/
http://forensicswiki.org/wiki/Tools
http://www.nist.gov/itl/csd/guide_091406.cfm
NIST SP800-86