Computer Forensic - PowerPoint PPT Presentation

Provided by: chr188
Slides: 23

Transcript and Presenter's Notes

1
Computer Forensic Investigations
Christopher J. Mellen, Director of Professional Services
2
Background
  • 19 years of experience
  • Law Enforcement, Counterintelligence, Corporate
    Investigations
  • 10 years computer crime, cyber counterintelligence
    and corporate investigations
  • BS Criminal Justice, MS Computer Information
    Systems
  • 600 hours of network and computer forensic training

3
What is computer forensics?
  • Emphasis is on data preservation
  • Hard drive data is preserved in image files (bit-for-bit copies); the
    examiner works on the image, never on the original
  • Write-blocking devices are used to prevent changes to evidence
  • Hash values are used as fingerprints or digital DNA: a digest recorded
    at acquisition is recomputed later to prove the image has not changed

4
Computer forensics is a science
  • Discovery must be reproducible: another examiner following the same
    steps on the same image must reach the same result
  • Rules for handling evidence (chain of custody) must be followed
  • Unique in that evidence is not used up; an image can be examined
    repeatedly without consuming the original
  • Care must be taken not to contaminate data
  • Date/time stamps are altered by something as simple as opening a file
    or mounting the media, so they must be protected
  • Contamination can make evidence inadmissible
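
The two slides above describe preservation and reproducibility in terms of imaging and hashing. The following is an added example, not code from the presentation: it copies a constructed in-memory "device" into an image file, records a SHA-256 digest of both, and shows that re-verification succeeds on an untouched image and fails after a single byte is changed. The file names, chunk size and sample contents are assumptions for illustration; in a real acquisition the source sits behind a hardware write blocker.

```python
# Added example (not from the presentation): acquire a disk image, record its
# hash, and verify it later. The "source device" is a constructed byte string
# written to a temp file; real evidence is read through a write blocker.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; real images cannot be held in memory at once


def hash_stream(path: str, algo: str = "sha256") -> str:
    """Hash a file in fixed-size chunks so memory use is constant for any image size."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path: str, image_path: str) -> dict:
    """Bit-for-bit copy of the source into an image file.

    The source is hashed while it is read and the finished image is hashed
    separately, so a copy error shows up as a mismatch between the two.
    """
    h_src = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    return {"source_sha256": h_src.hexdigest(), "image_sha256": hash_stream(image_path)}


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition.

    Any number of runs on an untouched image give the same digest, which is
    what lets a second examiner reproduce the first one's findings.
    """
    return hash_stream(image_path) == expected_sha256


def demo() -> tuple:
    """Acquire, verify, flip one byte in the image, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.dd")
        image = os.path.join(tmp, "evidence.img")
        # Constructed 1 MiB "device" contents; the values do not matter.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)

        digests = acquire(source, image)
        copy_ok = digests["source_sha256"] == digests["image_sha256"]
        clean = verify_image(image, digests["image_sha256"])

        # Simulate a careless write: change a single byte in the middle.
        pos = os.path.getsize(image) // 2
        with open(image, "r+b") as f:
            f.seek(pos)
            b = f.read(1)
            f.seek(pos)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = verify_image(image, digests["image_sha256"])

    return copy_ok, clean, tampered


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The digest pair returned by acquire() is what goes into the acquisition notes; a later verify_image() that returns False means the image, not the findings, is the first thing to question.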

5
Computer forensics has advanced dramatically over
the past 20 years
  • Innovation phase: DOS-based analysis
  • Early adoption: Windows (GUI) analysis
  • Late adoption: Enterprise-based forensics
  • Now: Memory analysis, database analysis and
    distributed computing

6
When forensics began in the mid 80s, tools were
DOS-based
  • Analysts read the command line
  • Amount of data to be analyzed was limited
  • Average hard drives were small (<100 MB)
  • People used floppy disks
  • Little to no formal training existed
    • 1989: FLETC introduced the Computer Investigative
      Specialist training program
    • 1991: International Association of Computer
      Investigative Specialists organized

7
By the early 90s, the industry had taken hold
  • DOS-based tools were optimized for high-speed
    searching and data reconstruction
  • Hard drives were still small (<500 MB)
  • Large cases involved 100,000 files
  • Increased training of law enforcement
    • FBI
    • FLETC
    • IACIS
    • NW3C

8
Case Study: Fraud Investigation
  • Theft from a military exchange/dept. store
  • The perpetrator
    • Hired to install window tint, stereos
    • Would earn commission for merchandise sold
  • What was he actually doing?
    • Stealing stereos
    • Charging customers full price
    • Submitting sales to receive commission
    • Using his girlfriend who worked in accounting

9
How did he get caught?
  • The girlfriend reported him to her manager
  • We seized 5 computers and hundreds of floppy disks
  • A single disk contained a deleted spreadsheet
    containing the actual numbers
  • Over 1 million identified

10
In the late 90s, GUI forensics tools changed the
game
  • Made computer forensics faster and more efficient
  • Increased the use of computer forensics in
    investigations
  • More state and local law enforcement became
    involved and assumed leadership roles

11
Although I think reading binary is fun...
12
...graphical tools are easier to use
13
Case Study: Murder Investigation
  • Cheating spouse
  • Husband kills wife and shoots boyfriend
  • Evidence came from the Windows temporary Internet files
  • Automated tool (graphical) was able to preview the system
    quickly
  • Date stamp analysis showed the SUBJECT had used MapQuest to get
    directions to the victim's residence one week prior
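
The date-stamp analysis in this case study depends on decoding the cache timestamps correctly and then asking a time-bounded question. The following is an added example, not code from the presentation. Windows stores the timestamps in the Temporary Internet Files index (index.dat) as FILETIME values, 100-nanosecond ticks since 1601-01-01 UTC; the example converts them, lists what was accessed in the window before a constructed incident time, and separately flags entries stamped after a constructed seizure time, which would indicate the media was touched after it was collected (the contamination point from slide 4). The incident and seizure times, URLs and records are all assumptions for illustration, not case data.

```python
# Added example (not from the presentation): date-stamp analysis of browser
# cache records stored as Windows FILETIME values. All records, the incident
# time and the seizure time below are constructed, with placeholder hosts.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime; naive datetimes are rejected to avoid local/UTC mixups."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Constructed timeline (assumed values): incident, seizure two days later.
INCIDENT = datetime(2004, 3, 14, 22, 30, tzinfo=timezone.utc)
SEIZED = INCIDENT + timedelta(days=2)
RECORDS = [
    {"url": "http://news.example/front",
     "last_access": to_filetime(INCIDENT - timedelta(days=30))},
    {"url": "http://directions.example/route?from=home&to=victim-street",
     "last_access": to_filetime(INCIDENT - timedelta(days=6, hours=22))},
    {"url": "http://mail.example/inbox",
     "last_access": to_filetime(INCIDENT + timedelta(days=1))},
    {"url": "http://update.example/check",
     "last_access": to_filetime(SEIZED + timedelta(hours=3))},
]


def accessed_in_window(records, incident: datetime, days: int = 14) -> list:
    """(time, url) pairs accessed within `days` before the incident, oldest first.

    Comparisons are done on UTC datetimes; mixing a local-time event with UTC
    cache stamps shifts the window by the zone offset and can move a hit out of it.
    """
    start = incident - timedelta(days=days)
    hits = []
    for rec in records:
        t = from_filetime(rec["last_access"])
        if start <= t <= incident:
            hits.append((t, rec["url"]))
    return sorted(hits)


def post_seizure(records, seized: datetime) -> list:
    """Entries stamped after seizure: the media was used after collection."""
    out = []
    for rec in records:
        t = from_filetime(rec["last_access"])
        if t > seized:
            out.append((t, rec["url"]))
    return sorted(out)


if __name__ == "__main__":
    for t, url in accessed_in_window(RECORDS, INCIDENT):
        print(t.isoformat(), url)
    print("touched after seizure:", post_seizure(RECORDS, SEIZED))
```

A non-empty post_seizure() result is a handling problem to document before any of the other stamps on the same media are relied on.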

14
As computer networks grew, forensics experts
needed more sophisticated ways to retrieve data
that had been shared
15
By 2005, enterprise-based forensics tools were
being used
  • Computer forensics had become mainstream
  • Significant growth in tools, training, education
  • Average hard drive was 40-100 GB
  • Investigations involved multiple computers
    • Standard investigations involved 5 computers
    • Larger investigations involved networks of 50

16
Case Study: Classified Data Spillage
  • Classified document accidentally introduced into
    an unclassified computer
  • E-mailed to several people
  • Using an enterprise-class tool, we were able to
    search for and remediate the document
    • A single examiner
    • Hundreds of machines searched from a single
      location
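
The search-and-remediate step above is, at its core, a content-hash match over every file system the examiner can reach. The following is an added example, not the enterprise tool the presenter used: it hashes the known spilled document, walks a constructed directory tree standing in for several hosts, reports every copy regardless of file name, and removes them. The host and path names are assumptions. Two caveats a practitioner would add: a hash match only finds exact copies (an edited copy, or the document inside a mail store, needs a parser for that container), and unlinking a file only removes its directory entry; a real spillage remediation overwrites or sanitizes the disk area as well.

```python
# Added example (not from the presentation): find every copy of a known
# document by SHA-256 across a directory tree and remediate the hits.
# The tree is constructed in a temp dir; host names and paths are assumed.
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def find_by_hash(root: str, wanted: set) -> list:
    """Sorted paths under root whose SHA-256 is in `wanted`.

    Matching on content rather than name catches renamed copies; it does not
    catch an edited copy or a copy embedded inside another file format.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in wanted:
                    hits.append(path)
            except OSError:
                continue  # unreadable file; in production, log it rather than skip silently
    return sorted(hits)


def remediate(paths: list, dry_run: bool = True) -> list:
    """Unlink the listed copies. Default is a dry run so the hit list is reviewed first.

    os.remove only drops the directory entry; the content stays in unallocated
    space until overwritten, so this is the start of remediation, not the end.
    """
    done = []
    for p in paths:
        if not dry_run:
            os.remove(p)
        done.append(p)
    return done


def demo() -> tuple:
    """Plant a spilled document under several names, find it, remediate, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = b"CLASSIFIED - constructed sample document\n" * 100
        known = os.path.join(tmp, "known", "spill.doc")
        os.makedirs(os.path.dirname(known))
        with open(known, "wb") as f:
            f.write(doc)
        wanted = {sha256_file(known)}

        hosts = os.path.join(tmp, "hosts")  # stands in for many workstations
        copies = ["ws01/Users/a/Desktop/spill.doc",
                  "ws01/Users/a/Mail/attach/renamed.bin",
                  "srv07/share/archive/report.doc"]
        decoys = ["ws01/Users/a/Desktop/notes.txt", "srv07/share/readme.txt"]
        for rel in copies:
            p = os.path.join(hosts, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            shutil.copyfile(known, p)
        for rel in decoys:
            p = os.path.join(hosts, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(b"unclassified " + rel.encode())

        hits = find_by_hash(hosts, wanted)
        remediate(hits, dry_run=False)
        remaining = find_by_hash(hosts, wanted)
    return len(hits), len(remaining)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```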

17
Today, data sources continue to grow
  • Some PCs have a terabyte of data
  • Investigations involve 25 electronic devices
    • PDAs
    • USB thumb drives
    • Digital cameras
  • Removable media stores GBs of data
  • Large cases will involve over 100 million files
  • A single PC will take 5 days to process

18
Increased data storage will be the key issue going
forward
  • How long will it take to process a terabyte on
    one PC?
  • At 10 MB per second, a key-word search of 1 TB
    takes about 100,000 seconds, more than an entire day
  • Processing with a single computer from memory
    will not suffice
  • Flat databases are becoming obsolete

19
Increased use of distributed computing and
database analysis is the future
20
In the future, distributed computing will
automate hard drive processing
  • Forensics tools for the lab will be built on
    relational database technology to process massive
    amounts of data
    • Microsoft SQL
    • Oracle
  • Distributed Computing will be required to process
    the data quickly
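
The throughput figure on slide 18 and the distributed processing on this slide come together in the simplest distributed task: splitting a key-word search over an image into ranges handled by parallel workers. The following is an added example, not any product's code: it carries the 1 TB at 10 MB/s arithmetic, then runs a search over a constructed byte buffer with the ranges overlapping by one byte less than the keyword length, so a keyword that straddles a range boundary is still found. Threads stand in for the separate machines a distributed tool would use; the chunk size, keyword and buffer are assumptions.

```python
# Added example (not from the presentation): sequential throughput estimate
# and a parallel keyword search with overlapping ranges. Threads substitute
# for separate machines; the boundary handling is the same in either case.
from concurrent.futures import ThreadPoolExecutor


def processing_time_hours(size_bytes: int, rate_bytes_per_s: int) -> float:
    """Hours to read size_bytes once, sequentially, at the given rate."""
    return size_bytes / rate_bytes_per_s / 3600


def _search_range(data: bytes, keyword: bytes, start: int, end: int) -> list:
    """Offsets of keyword occurrences lying fully inside data[start:end]."""
    hits = []
    i = data.find(keyword, start, end)
    while i != -1:
        hits.append(i)
        i = data.find(keyword, i + 1, end)
    return hits


def keyword_search(data: bytes, keyword: bytes, chunk_size: int,
                   workers: int = 4, overlap=None) -> list:
    """Parallel keyword search over fixed-size ranges; returns sorted unique offsets.

    Each range is extended by `overlap` bytes (default len(keyword) - 1) so a
    keyword straddling a boundary is seen by the worker on the left; hits are
    de-duplicated because the extension can let two workers see the same one.
    Passing overlap=0 reproduces the naive split that drops straddling hits.
    """
    if overlap is None:
        overlap = len(keyword) - 1
    ranges = [(s, min(len(data), s + chunk_size + overlap))
              for s in range(0, len(data), chunk_size)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda r: _search_range(data, keyword, r[0], r[1]), ranges))
    return sorted({off for hits in results for off in hits})


# Constructed 5,000-byte "image" with the keyword at offset 10, at 995
# (straddling the 1,000-byte chunk boundary) and at 3,000.
KEYWORD = b"smoking gun"
_buf = bytearray(5000)
for _off in (10, 995, 3000):
    _buf[_off:_off + len(KEYWORD)] = KEYWORD
SAMPLE = bytes(_buf)


if __name__ == "__main__":
    print(round(processing_time_hours(10**12, 10 * 10**6), 1))        # 27.8 hours, 1 TB at 10 MB/s
    print(keyword_search(SAMPLE, KEYWORD, chunk_size=1000))             # [10, 995, 3000]
    print(keyword_search(SAMPLE, KEYWORD, chunk_size=1000, overlap=0))  # [10, 3000]
```

Splitting the work cuts wall-clock time only as far as the slowest link allows: if every worker reads from the same image over one disk or one network path, the 10 MB/s figure is the limit again, which is why the distributed tools described here pair parallel workers with their own storage.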

21
Case Study: Computer Forensic Incident Response
  • Seven geographic locations
  • 200 separate domains
  • 100,000 workstations and servers
  • Structured data sources
    • Email (Notes and Exchange)
    • Sharepoint
    • Databases

22
Conclusion
  • Where we were
  • Where we are now
  • How it affects you
  • Expertise
  • Information sharing