User:Mcpiggi

Computer Forensics


Outline of Presentation for AMBA 720

1. What is Computer Forensics?

A branch of forensic science that deals in: Preserving, Recovering, Analyzing, and Documenting evidence from electronic media

2. What is it used for?

Evidence against an employee that the company wants to terminate

Recovery & analysis of data after - Hardware or software malfunctions, Computer has been compromised

Evidence in legal proceedings - Cyber crime

3. Growth in Cyber Crime

4. Where do we look?

User’s PC

Other Media devices – CD-ROM, memory cards, backup disks

Shared drives or File servers

PDAs

Mobile Phones – caller ID, address book, call log

Smart cards

Building security system – ID card

5. Types of Data

Active data – user created data (word documents, customer information, program files, photographs)

Metadata – information on files (date stamp, person who created the file)

Residual data - Embedded files/File fragments, Unallocated data

Data from Operating System - Emails sent/received, Temp files – example “Gap-Toothed Bandit”, Cookies

Data through Communications - Routers, ISP (Internet Service Providers), IP Address

Backup Data - Network Backups, Auto Save, Cache Memory

6. Computer Forensics typically recovers:

Damaged or corrupt files

Deleted files

Hidden files

Encrypted and password protected files

Email & web correspondence

Internet browsing history

7. Potential Dangers

Data can be deleted, edited, or corrupted

Improper key commands or procedures

Booby Traps

Even starting a computer changes files

Magnetic fields

Failing to maintain chain of custody – the record that tracks evidence from its source through every person who handles it

8. What to do when an incident occurs?

NOTHING! - wait for the appropriate computer specialists to arrive

Do not delete or change anything

Do not try to restore files from backup

Notify personnel not to perform activities on affected machines or related devices

Do not shut down devices that are already on

Provide Computer Forensics specialist with any relevant information - Sources of digital data, System Configurations, Types of machines and Operating Systems used

9. Imaging

Creates exact duplicate

Preserves original evidence

10. Case example -

“Juvenile Computer Hacker Cuts Off FAA Tower at Regional Airport” March 1998

“Houston Computer Administrator Hacks Former Employer’s Network” July 2009

“Creator and Four Users of Loverspy Spyware Program Indicted” August 2005
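Sections 7 and 9 state that an image must be an exact duplicate and that chain of custody must be maintained. The following is an added example, not part of the original outline: it shows how an examiner proves the duplicate is exact (matching SHA-256 hashes of source and image, computed in chunks as imaging tools do) and records each handling step in a custody log. The byte strings standing in for the drive and the image, the evidence ID and the handler names are all constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "media": in practice these would be the original drive
# and the image file written by the imaging tool; here they are byte strings.
ORIGINAL_MEDIA = b"\x00" * 512 + b"customer list\n" + b"\xff" * 512
FORENSIC_IMAGE = bytes(ORIGINAL_MEDIA)                        # exact duplicate
TAMPERED_IMAGE = ORIGINAL_MEDIA[:600] + b"X" + ORIGINAL_MEDIA[601:]  # one byte changed


def sha256_hex(data: bytes, chunk_size: int = 4096) -> str:
    """Hash the media in fixed-size chunks, as imaging tools do for large drives."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """The image counts as an exact duplicate only if both hashes match."""
    return sha256_hex(original) == sha256_hex(image)


def custody_entry(item_id: str, handler: str, action: str, hash_hex: str) -> dict:
    """One chain-of-custody record: who did what to the item, and its hash at that time."""
    return {"item": item_id, "handler": handler, "action": action,
            "sha256": hash_hex, "time": datetime.now(timezone.utc).isoformat()}


def build_custody_log(original: bytes, image: bytes, item_id: str,
                      imager: str, verifier: str) -> list:
    """Log acquisition, then verification; a mismatching image is logged as a failure."""
    log = [custody_entry(item_id, imager, "acquired", sha256_hex(original))]
    action = "verified" if verify_image(original, image) else "VERIFY_FAILED"
    log.append(custody_entry(item_id, verifier, action, sha256_hex(image)))
    return log


if __name__ == "__main__":
    # Placeholder evidence ID and handler names, constructed for this example.
    for entry in build_custody_log(ORIGINAL_MEDIA, FORENSIC_IMAGE,
                                   "EVID-PLACEHOLDER-001", "imager", "verifier"):
        print(entry)
    for entry in build_custody_log(ORIGINAL_MEDIA, TAMPERED_IMAGE,
                                   "EVID-PLACEHOLDER-001", "imager", "verifier"):
        print(entry)
```

A single changed byte is enough to flip the verification result, which is why the hash recorded at acquisition is the value every later custody entry is checked against.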