Chapter 14: Computer and Network Forensics - PowerPoint PPT Presentation

About This Presentation
Title: Chapter 14: Computer and Network Forensics
Description: Investigation into these crimes often ... an all-purpose set of data collection and analysis tools ... and interpretation of computer media for evidentiary and/or ... – PowerPoint PPT presentation
Slides: 17
Provided by: Jki
Learn more at: https://www.utc.edu

Transcript and Presenter's Notes

1
Chapter 14 Computer and Network Forensics
  • Guide to Computer Network Security

2
Computer Forensics
  • Computer forensics involves the preservation,
    identification, extraction, documentation, and
    interpretation of computer media for evidentiary
    and/or root cause analysis.
  • Arose as a result of the growing problem of
    computer crimes.
  • Computer crimes fall into two categories:
  • The computer is a tool used in a crime. Because of
    the role of computers and networks in modern
    communications, it is inevitable that computers
    are used in crimes. Investigation into these
    crimes often involves searching computers
    suspected to be involved.
  • The computer itself is the victim of a crime. This
    is commonly referred to as incident response; it
    refers to the examination of systems that have
    been remotely attacked.
  • Forensics experts follow clear, well-defined
    methodologies and procedures.

3
  • History Of Computer Forensics
  • Computer forensics started a few years ago, when
    it was simple to collect evidence from a
    computer.
  • While basic forensic methodologies remain the
    same, technology itself is rapidly changing,
    which poses a challenge to forensic specialists.

4
  • Basic forensic methodology consists of:
  • Acquire the evidence without altering or damaging
    the original
  • Look for evidence
  • Recover evidence
  • Handle evidence with care
  • Preserve evidence
  • Authenticate that your recovered evidence is the
    same as the originally seized data
  • Analyze the data without modifying it.

5
Acquire the Evidence
  • Keep in mind that every case is different.
  • Do not disconnect the computers: evidence may
    exist only in RAM, so collect information from the
    live system.
  • Consider the following issues:
  • Handling the evidence: if you do not take care of
    the evidence, the rest of the investigation will
    be compromised.
  • Chain of custody: the goal of maintaining a good
    chain of custody is to ensure evidence integrity
    and prevent tampering with evidence. The chain
    should answer:
  • Who collected it?
  • How and where?
  • Who took possession of it?
  • How was it stored and protected in storage?
  • Who took it out of storage and why?

6
Storage Media
  • Hard Drives
  • Make an image copy and then restore the image to
    a freshly wiped hard drive for analysis.
  • Remount the copy and start to analyze it.
  • Before opening it, get information on its
    configuration.
  • Use tools to generate a report listing the
    disk's contents (PartitionMagic).
  • View operating system logs.

7
Handle Evidence With Care
  • Collection
  • You want the evidence to be so pure that it
    supports your case.
  • Identification
  • Methodically identify every single item that
    comes out of the suspect's/victim's location and
    label it.
  • Transportation
  • Evidence is not supposed to be moved, so when you
    must move it, be extremely careful.
  • Storage
  • Keep the evidence in a cool, dry, and appropriate
    place for electronic evidence.
  • Documenting the investigation
  • Most difficult for computer professionals because
    technical people are not good at writing down
    details of the procedures.

8
Authenticating evidence
  • Authenticating evidence is difficult because:
  • Crime scenes change
  • Evidence is routinely damaged by environmental
    conditions
  • Computer devices slowly deteriorate
  • Keep proof of integrity and timestamp the
    evidence by computing cryptographic hashes of
    the data files.
  • Two algorithms (MD5 and SHA-1) are in common use
    today.

9
Analysis
  • Use any well-known analysis tools.
  • Make two backups

10
Data Hiding
  • There are several techniques by which intruders
    may hide data:
  • Obfuscating data through encryption and
    compression.
  • Hiding through codes, steganography, deleted
    files, slack space, and bad sectors.
  • Blinding investigators by changing the behavior
    of system commands and modifying operating
    systems.
  • Use commonly known tools to overcome these.
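Two of the hiding places named on this slide, slack space and deleted files, can be illustrated with a small signature carver. The following is an added example and not part of the original slides: the raw image, its 512-byte cluster size and its file table are all constructed in the code, and the signature list is a short selection of well-known magic bytes. On a real case the image would be the verified dd copy described later in the deck.

```python
"""Find data hidden in slack space and in unallocated clusters of a raw image.

Added example, not from the slides. The image, cluster size and file table
below are constructed so the script runs offline.
"""

CLUSTER = 512  # constructed: one cluster = one 512-byte sector

# Well-known file signatures ("magic bytes") a carver scans for.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "gif": b"GIF8",
}


def carve_signatures(image):
    """Return sorted (offset, type) pairs for every signature hit in the image,
    regardless of whether the file system still lists a file there."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def classify_hits(image, file_table):
    """Split carve hits into those inside allocated files and those in
    unallocated space (candidates for deleted files).
    file_table: {name: (start_offset, length_in_bytes)}"""
    allocated, unallocated = [], []
    for off, kind in carve_signatures(image):
        inside = any(s <= off < s + n for s, n in file_table.values())
        (allocated if inside else unallocated).append((off, kind))
    return allocated, unallocated


def slack_bytes(image, file_table):
    """Return {name: bytes} of non-zero data between each file's logical end
    and the end of its last cluster, i.e. the file's slack space."""
    found = {}
    for name, (start, length) in file_table.items():
        logical_end = start + length
        cluster_end = start + -(-length // CLUSTER) * CLUSTER  # round up
        slack = image[logical_end:cluster_end].rstrip(b"\x00")
        if slack:
            found[name] = slack
    return found


def build_sample_image():
    """Constructed 4-cluster image: file report.txt fills part of cluster 0
    with a note written into its slack; clusters 1-2 are unallocated but still
    hold a deleted PNG header; cluster 3 holds an allocated ZIP."""
    image = bytearray(4 * CLUSTER)
    report = b"quarterly report, constructed sample text\n"
    image[0:len(report)] = report
    hidden = b"HIDDEN: meeting notes written into slack"
    image[len(report):len(report) + len(hidden)] = hidden
    # "deleted" file: its directory entry is gone, its content is still on disk
    image[CLUSTER:CLUSTER + 8] = SIGNATURES["png"]
    image[3 * CLUSTER:3 * CLUSTER + 4] = SIGNATURES["zip"]
    file_table = {"report.txt": (0, len(report)), "archive.zip": (3 * CLUSTER, 4)}
    return bytes(image), file_table


if __name__ == "__main__":
    img, table = build_sample_image()
    alloc, unalloc = classify_hits(img, table)
    print("allocated hits:  ", alloc)
    print("unallocated hits:", unalloc)
    print("slack content:   ", slack_bytes(img, table))
```

The carver only finds headers; recovering a whole deleted file still requires following the format's own length fields or footer, and a hit inside an allocated file is expected rather than suspicious, which is why the allocated and unallocated lists are kept apart.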

11
Network Forensics
  • Unlike computer forensics, which retrieves
    information from the computer's disks, network
    forensics in addition retrieves information on
    which network ports were used to access the
    network.
  • There are several differences that separate the
    two, including the following:
  • In computer forensics the investigator and the
    person being investigated, in many cases the
    criminal, are on two different levels, with the
    investigator supposedly having the higher level
    of knowledge of the system. The network
    investigator and the adversary are at the same
    skill level.
  • In many cases, the investigator and the adversary
    use the same tools, one to cause the incident,
    the other to investigate the incident. In fact,
    many of the network security tools on the market
    today, including NetScanTools Pro, Traceroute,
    and Port Probe, used to gain information on
    network configurations, can be used by both the
    investigator and the criminal.
  • Computer forensics deals with extraction,
    preservation, identification, documentation, and
    analysis, and it follows well-defined procedures
    springing from law enforcement for acquiring
    evidence, providing chain of custody,
    authenticating, and interpreting. Network
    forensics, on the other hand, has nothing to
    investigate unless steps were in place (like
    packet filters, firewalls, and intrusion
    detection systems) prior to the incident.

12
Network Forensics Intrusion Analysis
  • Network intrusions can be difficult to detect,
    let alone analyze. A port scan can take place
    without quick detection, and more seriously a
    stealthy attack on a crucial system resource may
    be hidden behind a simple, innocent-looking port
    scan.
  • So the purpose of intrusion analysis is to seek
    answers to the following questions:
  • Who gained entry?
  • Where did they go?
  • How did they do it?
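The three questions above can only be answered from records that existed before the incident, which is the point the previous slide makes about packet filters and firewalls. As an added example, not part of the original slides, the script below reads constructed firewall log lines, flags a source that touches many distinct ports in a short window (the port scan this slide describes) and reports which of that source's connections the filter let through. The log format, the threshold of 10 ports in 60 seconds and the addresses (documentation ranges) are all assumptions made for the example.

```python
"""Port-scan triage over constructed firewall log lines.

Added example, not from the slides. The log format (timestamp, src, dst,
dport, action), the thresholds and the addresses are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag sources that touch >= `threshold` distinct ports within `window`.

    For each flagged source the result answers the slide's questions:
    first_seen (when), distinct_ports (how wide the probing was) and
    accepted_ports (where they actually got in: ports the filter allowed).
    """
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # dport -> hits inside the sliding window
        left = 0
        for ev in events:
            in_window[ev["dport"]] += 1
            # advance the left edge until all counted events fit the window
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                findings[src] = {
                    "first_seen": events[0]["ts"].isoformat(),
                    "distinct_ports": len({e["dport"] for e in events}),
                    "accepted_ports": sorted(
                        {e["dport"] for e in events if e["action"] == "ACCEPT"}
                    ),
                }
                break
    return findings


def build_sample_log():
    """Constructed sample: one source sweeps 15 ports in 15 seconds and then
    has one connection accepted; a second source is ordinary HTTPS traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(21, 36)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=198.51.100.7 dst=192.0.2.10 dport={port} action=DROP")
    ts = (base + timedelta(seconds=20)).isoformat()
    lines.append(f"{ts} src=198.51.100.7 dst=192.0.2.10 dport=3389 action=ACCEPT")
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 dst=192.0.2.10 dport=443 action=ACCEPT")
    lines.append("garbled line the parser must skip")
    return lines


if __name__ == "__main__":
    for src, info in detect_scans(build_sample_log()).items():
        print(src, info)
```

The sliding window matters: a slow scan spread over hours will not trip a fixed 60-second threshold, so the window and threshold should be tuned to the environment and complemented by the distinct-port total, which the report also carries.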

13
Damage Analysis
  • It is difficult to effectively assess damage
    caused by system attacks.
  • Damage analysis provides a trove of badly needed information
    showing how widespread the damage was, who was
    affected and to what extent.

14
  • To achieve a detailed report of an intrusion,
    the investigator must carry out a post mortem of
    the system by analyzing and examining the
    following:
  • System registry, memory, and caches. To achieve
    this, the investigator can use dd on Linux and
    Unix systems.
  • Network state, to assess network accesses and
    connections. Here netstat can be used.
  • Currently running processes, to assess the number
    of active processes. Use ps on both Unix and
    Linux.
  • Data acquisition of all unencrypted data. This
    can be done using MD5 and SHA-1 on all files and
    directories. Then store this data in a secure
    place.
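The last bullet, and the authentication slide earlier in the deck (MD5 and SHA-1 as proof of integrity with a timestamp), both come down to the same procedure: hash every file once at acquisition, record who did it and when, and re-hash later to prove nothing changed. The script below is an added example, not from the slides or any named toolkit. It builds a constructed evidence tree in a temporary directory, computes MD5 and SHA-1 because the slides name them, and adds SHA-256 because MD5 and SHA-1 are no longer collision resistant and a modern report should carry a stronger digest alongside them. The examiner name is a placeholder.

```python
"""Hash manifest for an evidence tree, then re-verify it later.

Added example, not from the slides. Standard library only; the evidence
tree is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read in 1 MiB chunks so large images do not need to fit in RAM


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root, examiner):
    """Walk `root` and record who hashed what, when, and every digest."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order for the record
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"size": os.path.getsize(full), **hash_file(full)}
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(root, manifest):
    """Return sorted relative paths that changed, vanished, or appeared."""
    problems = []
    recorded = manifest["files"]
    for rel, expected in recorded.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            problems.append(rel)
            continue
        actual = hash_file(full)
        if any(actual[a] != expected[a] for a in ALGORITHMS):
            problems.append(rel)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in recorded:
                problems.append(rel)  # a file that appeared after acquisition
    return sorted(problems)


def demo():
    """Constructed scenario: hash a tree, confirm it, then detect tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "logs", "auth.log"), "w") as fh:
            fh.write("constructed sample log line\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("constructed sample notes\n")
        manifest = build_manifest(root, examiner="Examiner A (placeholder)")
        clean = verify_manifest(root, manifest)  # nothing changed yet
        with open(os.path.join(root, "notes.txt"), "a") as fh:
            fh.write("one appended line changes every digest\n")
        tampered = verify_manifest(root, manifest)  # notes.txt now differs
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("clean verify:   ", clean)
    print("after tampering:", tampered)
```

Store the manifest separately from the evidence (the slide's "secure place"), since a manifest kept on the same media as the files it describes proves nothing if that media is altered.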

15
Forensic Electronic Toolkit
  • Computer and network forensics involves and
    requires:
  • Identification
  • Extraction
  • Preservation
  • Documentation
  • A lot of tools are needed for thorough work.
  • The forensically sound method is never to
    conduct any examination on the original media.
  • Before you use any forensic software, make sure
    you know how to use it, and also that it works.
  • Tools
  • Hard Drive: use partitioning and viewing tools
    (Partinfo and PartitionMagic).
  • File Viewers: to thumb through stacks of data
    and images looking for incriminating or relevant
    evidence (QuickView Plus, Conversion Plus,
    DataViz, ThumbsPlus).

16
More tools (cont.)
  • Unerase: if the files are no longer in the
    recycle bin or you are dealing with old systems
    without recycle bins.
  • CD-R/W: examine them as carefully as possible.
    Use CD-R Diagnostics.
  • Text: because text data can be huge, use fast
    scan tools like dtSearch.
  • Other kits
  • Forensic Toolkit: command-line utilities used
    to reconstruct access activities in NT file
    systems.
  • Coroner's Toolkit: to investigate a hacked Unix
    host.
  • ForensiX: an all-purpose set of data collection
    and analysis tools that run primarily on Linux.
  • New Technologies Incorporated (NTI)
  • EnCase
  • Hardware: Forensic-computers.com