Title: Computer Forensic Investigations
1. Computer Forensic Investigations
Christopher J. Mellen, Director of Professional Services
2. Background
- 19 years of experience
- Law enforcement, counterintelligence, corporate investigations
- 10 years computer crime, cyber counterintelligence and corporate investigations
- BS Criminal Justice, MS Computer Information Systems
- 600 hours network and computer forensic training
3. What is computer forensics?
- Emphasis is on data preservation
- Hard drive data is preserved in image files (bit-for-bit copies); analysis is done on the image, not on the original
- Write-blocking devices are used to prevent changes to the evidence while it is acquired
- Hash values (e.g., MD5, SHA-1) computed over the original and over the image are used as fingerprints, or digital DNA: a matching hash shows the copy is identical, a mismatch shows that something changed
4. Computer forensics is a science
- Discovery must be reproducible: another examiner working from the same image should reach the same results
- Rules for handling evidence (chain of custody) must be followed
- Unique in that evidence is not used up: unlike a physical sample, an image can be re-examined any number of times
- Care must be taken not to contaminate data
- Date/time stamps are fragile; simply booting a system or opening a file can update them
- Contamination can make evidence inadmissible
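The hashing and contamination points above, as an added illustration (not code from the original slides): compute a whole-image digest at acquisition, verify a later copy against it, and keep piecewise digests so that a mismatch can be narrowed to the region that changed. The image bytes are constructed, and the 4 KiB piece size is an assumption chosen for the demo; production tools hash in much larger pieces.

```python
"""Hash verification of a drive image, whole and piecewise.

Added example, not code from the original slides. The "image" is a
constructed byte string standing in for a drive image; the 4 KiB piece
size is an assumption (real tools use much larger pieces).
"""
import hashlib
import hmac
from typing import List

PIECE_SIZE = 4096  # assumption: hash in 4 KiB pieces


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hash the whole image in fixed-size reads, as a tool would for a large file."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), PIECE_SIZE):
        h.update(view[start:start + PIECE_SIZE])
    return h.hexdigest()


def piecewise_hashes(data: bytes, algorithm: str = "sha256") -> List[str]:
    """One digest per piece; lets a later mismatch be localised to a region."""
    view = memoryview(data)
    return [hashlib.new(algorithm, view[s:s + PIECE_SIZE]).hexdigest()
            for s in range(0, len(view), PIECE_SIZE)]


def verify_image(data: bytes, acquisition_hash: str, algorithm: str = "sha256") -> bool:
    """True only if the image still matches the digest recorded at acquisition."""
    return hmac.compare_digest(hash_image(data, algorithm), acquisition_hash)


def changed_pieces(acquired: List[str], current: List[str]) -> List[int]:
    """Indices of pieces whose digest differs; a length change flags the tail."""
    diff = [i for i, (a, b) in enumerate(zip(acquired, current)) if a != b]
    if len(acquired) != len(current):
        diff.extend(range(min(len(acquired), len(current)),
                          max(len(acquired), len(current))))
    return diff


def sample_image() -> bytes:
    """Constructed 64 KiB stand-in for an acquired drive image (16 pieces)."""
    return bytes((i * 7) & 0xFF for i in range(16 * PIECE_SIZE))


def contaminated_copy(image: bytes, piece: int = 9) -> bytes:
    """Flip one bit inside a piece, e.g. a timestamp touched by mounting the drive."""
    copy = bytearray(image)
    copy[piece * PIECE_SIZE + 100] ^= 0x01
    return bytes(copy)


if __name__ == "__main__":
    image = sample_image()
    recorded = hash_image(image)              # goes on the chain-of-custody form
    recorded_pieces = piecewise_hashes(image)
    tampered = contaminated_copy(image)
    print("pristine verifies:", verify_image(image, recorded))
    print("contaminated verifies:", verify_image(tampered, recorded))
    print("differing pieces:", changed_pieces(recorded_pieces, piecewise_hashes(tampered)))
```

A single flipped bit fails the whole-image check, and the piecewise list points at the one piece that moved; that is what lets an examiner argue that a timestamp was touched rather than that the image was substituted. Examination tools typically record both an MD5 and a SHA-family digest at acquisition; the `algorithm` parameter covers both.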
5. Computer forensics has advanced dramatically over the past 20 years
- Innovation phase: DOS-based analysis
- Early adoption: Windows (GUI) analysis
- Late adoption: enterprise-based forensics
- Now: memory analysis, database-backed analysis and distributed computing
6. When forensics began in the mid 80s, tools were DOS-based
- Analysts read command line output
- Amount of data to be analyzed was limited
- Average hard drives were small (<100 MB)
- People used floppy disks
- Little to no formal training existed
- 1989: FLETC introduced the Computer Investigative Specialist training program
- 1991: International Association of Computer Investigative Specialists (IACIS) organized
7. By the early 90s, the industry had taken hold
- DOS-based tools were optimized for high-speed searching and data reconstruction
- Hard drives were still small (<500 MB)
- Large cases involved 100,000 files
- Increased training of law enforcement
  - FBI
  - FLETC
  - IACIS
  - NW3C
8. Case Study: Fraud Investigation
- Theft from a military exchange/department store
- The perpetrator
  - Hired to install window tint and stereos
  - Would earn commission for merchandise sold
- What was he actually doing?
  - Stealing stereos
  - Charging customers full price
  - Submitting sales to receive commission
  - Using his girlfriend, who worked in accounting
9. How did he get caught?
- The girlfriend reported him to her manager
- We seized 5 computers and 100s of floppy disks
- A single disk contained a deleted spreadsheet containing the actual numbers
- Over 1 million identified
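Recovering the deleted spreadsheet in this case study means finding file content whose directory entry is gone. As an added example, not code from the original slides, the Python below carves files out of unallocated space by scanning sector-aligned offsets for known header signatures (the OLE2 magic used by Excel 97-2003 .xls and Word .doc, JPEG, PDF) and cutting each one out up to its footer or the next header. The 16-sector image and the spreadsheet contents are constructed for the demo; the signature bytes are the real ones.

```python
"""Signature-based carving of deleted files from unallocated space.

Added example, not code from the original slides. The image bytes and the
spreadsheet content are constructed; the 512-byte sector alignment and the
signature table are standard choices.
"""
from typing import Dict, List

SECTOR = 512

# header magic -> (description, optional footer). OLE2 is the container for
# Excel 97-2003 .xls and Word .doc; it has no footer, so the carve runs to
# the next header or the end of the region.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("OLE2 compound file (.xls/.doc)", None),
    b"\xff\xd8\xff": ("JPEG image", b"\xff\xd9"),
    b"%PDF-": ("PDF document", b"%%EOF"),
}


def find_headers(image: bytes) -> List[Dict]:
    """Scan only sector-aligned offsets: files start on cluster boundaries, and
    skipping unaligned positions avoids false hits on signatures embedded in
    other files' bodies (the same heuristic as foremost's quick mode)."""
    hits = []
    for offset in range(0, len(image), SECTOR):
        for magic, (kind, footer) in SIGNATURES.items():
            if image.startswith(magic, offset):
                hits.append({"offset": offset, "type": kind, "footer": footer})
                break
    return hits


def carve(image: bytes) -> List[Dict]:
    """Cut each candidate out, ending at its footer when the format has one,
    otherwise at the next header or end of image with zero padding stripped."""
    hits = find_headers(image)
    carved = []
    for i, hit in enumerate(hits):
        start = hit["offset"]
        limit = hits[i + 1]["offset"] if i + 1 < len(hits) else len(image)
        end = -1
        if hit["footer"]:
            pos = image.find(hit["footer"], start, limit)
            if pos != -1:
                end = pos + len(hit["footer"])
        if end == -1:
            data = image[start:limit].rstrip(b"\x00")  # heuristic length
        else:
            data = image[start:end]
        carved.append({"offset": start, "type": hit["type"], "data": data})
    return carved


def sample_image() -> bytes:
    """Constructed 16-sector image: the spreadsheet's directory entry is gone
    (file 'deleted') but its clusters are intact in unallocated space."""
    image = bytearray(16 * SECTOR)
    xls = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 +
           b"Actual,Reported\r\n1250000,420000\r\n" +
           b"ole" + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")  # unaligned magic in the body
    image[4 * SECTOR:4 * SECTOR + len(xls)] = xls
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 40 + b"\xff\xd9" + b"\x00" * 10
    image[9 * SECTOR:9 * SECTOR + len(jpg)] = jpg
    return bytes(image)


if __name__ == "__main__":
    for item in carve(sample_image()):
        print(hex(item["offset"]), item["type"], len(item["data"]), "bytes")
```

The sector-aligned scan deliberately ignores the second OLE2 magic planted inside the spreadsheet body, which a byte-by-byte scan would report as a second file. The carver assumes contiguous clusters; a fragmented file needs the file system's own structures (or a format-aware carver) to reassemble.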
10. In the late 90s, GUI forensics tools changed the game
- Made computer forensics faster and more efficient
- Increased use of computer forensics in investigations
- More state and local law enforcement became involved and assumed leadership roles
11. Although I think reading binary is fun...
12. ...graphical tools are easier to use
13. Case Study: Murder Investigation
- Cheating spouse
- Husband kills wife and shoots boyfriend
- Windows temporary Internet files
- Automated (graphical) tool able to preview the system quickly
- Date stamp analysis showed the SUBJECT had looked up MapQuest directions to the victim's residence one week prior
14. As computer networks grew, forensics experts needed more sophisticated ways to retrieve data that had been shared
15. By 2005, enterprise-based forensics tools were being used
- Computer forensics had become mainstream
- Significant growth in tools, training, education
- Average hard drive was 40-100 GB
- Investigations involved multiple computers
  - Standard investigations involved 5 computers
  - Larger investigations involved networks of 50
16. Case Study: Classified Data Spillage
- Classified document accidentally introduced onto an unclassified computer
- E-mailed to several people
- Using an enterprise-class tool, we were able to search for and remediate the document
  - A single examiner
  - Hundreds of machines searched from a single location
17. Today, data sources continue to grow
- Some PCs have a terabyte of data
- Investigations involve 25 electronic devices
  - PDAs
  - USB thumb drives
  - Digital cameras
- Removable media stores GBs of data
- Large cases will involve over 100 million files
- A single PC will take 5 days to process
18. Increased data storage will be the key issue going forward
- How long will it take to process a terabyte on one PC?
- At 10 MB per second, one key-word search pass over 1 TB is about 100,000 seconds, roughly 28 hours: an entire day
- Processing on a single computer, working from memory, will not suffice
- Flat databases are becoming obsolete
19. Increased use of distributed computing and database analysis is the future
20. In the future, distributed computing will automate hard drive processing
- Forensics tools for the lab will be built on relational database technology to process massive amounts of data
  - Microsoft SQL Server
  - Oracle
- Distributed computing will be required to process the data quickly
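Slides 18 and 20 argue that a terabyte cannot be keyword-searched serially on one machine and that the work has to be split up. As an added example, not code from the original slides, the Python below shows the part of that split that is easy to get wrong: the image is cut into chunks that can be farmed out to workers, each chunk is extended by an overlap so a keyword straddling a chunk boundary is still found, and hits beginning inside the overlap are left to the next chunk so nothing is counted twice. Each keyword is also searched in UTF-16LE, the encoding in which Windows stores much of its text. The 4 KiB image, 1 KiB chunk size and planted keywords are constructed for the demo; a thread pool stands in for the process or machine pool a lab tool would use.

```python
"""Chunked, parallel keyword search over a drive image.

Added example, not code from the original slides. Image and chunk sizes are
scaled down for the demo; the image and the planted keywords are constructed.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

Hit = Tuple[int, str, str]  # (absolute offset, keyword, encoding)


def patterns_for(keywords: List[str]) -> Dict[bytes, Tuple[str, str]]:
    """Windows artefacts (registry, .lnk files, many documents) hold text as
    UTF-16LE, so each keyword is searched in 8-bit and UTF-16LE form."""
    pats: Dict[bytes, Tuple[str, str]] = {}
    for kw in keywords:
        pats[kw.encode("ascii")] = (kw, "ascii")
        pats[kw.encode("utf-16-le")] = (kw, "utf-16-le")
    return pats


def search_chunk(image: bytes, start: int, chunk_size: int,
                 pats: Dict[bytes, Tuple[str, str]]) -> List[Hit]:
    """Search one chunk plus an overlap of (longest pattern - 1) bytes so a
    keyword crossing the boundary is found; hits that begin inside the
    overlap belong to the next chunk and are dropped here."""
    overlap = max(len(p) for p in pats) - 1
    region = image[start:start + chunk_size + overlap]
    hits: List[Hit] = []
    for pat, (kw, enc) in pats.items():
        pos = region.find(pat)
        while pos != -1 and pos < chunk_size:
            hits.append((start + pos, kw, enc))
            pos = region.find(pat, pos + 1)
    return hits


def keyword_search(image: bytes, keywords: List[str], chunk_size: int,
                   workers: int = 4) -> List[Hit]:
    """Fan the chunks out to a worker pool and merge the hits in offset order."""
    pats = patterns_for(keywords)
    starts = range(0, len(image), chunk_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda s: search_chunk(image, s, chunk_size, pats), starts))
    return sorted(h for chunk_hits in results for h in chunk_hits)


def sample_image() -> bytes:
    """Constructed 4 KiB image: space filler with three planted keywords, one
    deliberately straddling the 1 KiB chunk boundary at offset 1024."""
    image = bytearray(b"\x20" * 4096)
    image[100:108] = b"Q1 sales"
    image[1020:1027] = b"invoice"               # bytes 1020..1026 cross the boundary
    u16 = "invoice".encode("utf-16-le")         # 14 bytes
    image[2500:2500 + len(u16)] = u16
    return bytes(image)


if __name__ == "__main__":
    for hit in keyword_search(sample_image(), ["invoice", "Q1 sales"], chunk_size=1024):
        print(hit)
```

Without the overlap the `invoice` at offset 1020 would be missed by both neighbouring chunks; without the `pos < chunk_size` guard it would be reported twice. The same chunking is what lets the work be spread across cores or machines, and the per-chunk results can be written straight into the relational store the slide describes instead of being merged in memory.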
21. Case Study: Computer Forensic Incident Response
- Seven geographic locations
- 200 separate domains
- 100,000 workstations and servers
- Structured data sources
  - Email (Notes and Exchange)
  - SharePoint
  - Databases
22. Conclusion
- Where we were
- Where we are now
- How it affects you
  - Expertise
  - Information sharing