Originated in Medicine



Yüklə 491 b.
tarix08.10.2017
ölçüsü491 b.
#4028



Originated in Medicine

  • Originated in Medicine

  • Expanded … Arson, Chemistry, … and Digital Evidence.

  • Forensic Sciences is “a broad spectrum of sciences to answer questions of interest to a legal system.” (Wikipedia)

  • Computer Forensics -

    • use of analytical and investigative techniques …
    • to identify, collect, examine and preserve information …
    • magnetically stored or encoded …
    • to provide digital evidence of a specific or general activity.” (Computer Forensics World)


Investigations of computer attacks, hacker intrusion, fraud and abuses:

  • Investigations of computer attacks, hacker intrusion, fraud and abuses:

    • Salami attack
    • Data Diddling
  • Excessive (elevation of) privileges

  • Password sniffing on a network

  • IP spoofing

  • Eavesdropping

    • Emanation
    • Wiretapping


International principles

  • International principles

    • Recognition of evidence
    • Handling in various courts consistently in the same manner.
  • The common evidence for such investigation include:

    • Violations of Information Security
    • Penetration of Computer Access Control
    • Breaching Information Accountability
    • Penetration of Network Security
    • Cryptanalysis
    • Penetration of Operational Security of Computer Systems
    • Penetration of Application and Database Security
    • Hacking
    • Illegal Internet and Web Activities, and other






Phases:

  • Phases:

    • Identification
    • Preservation
    • Collection
    • Examination
    • Analysis
    • Presentation
    • Decision
  • Computer forensics software collects data into evidence files



Forensic investigation

  • Forensic investigation

    • Traditional – physical access to a target machine
    • Remote – across network access - new technique
  • EnCase Enterprise Edition supports remote investigation

    • Enables covert examination


Keep system resource usage down

  • Keep system resource usage down

  • Disguise the remote investigative agent software

  • Make sure that a personal firewalls active on the target machine is open for inbound connections

  • Keep Log file free from recoding any forensic activities

  • Start an agent on the target machine systematically when the machine starts

  • Do forensics during the non-business hours or when a large hard drive activity is expected (e.g., antivirus scans)

  • Be extra careful targeting laptop for investigation: a prolong hard drive activity can be suspicious

  • High-speed network connection is better than slow WAN.



Review Task Manager periodically - increased and persistent hard drive activity at odd times

  • Review Task Manager periodically - increased and persistent hard drive activity at odd times

    • Identify and stop the remote agent’s system process
  • Enable blocking the inbound connection in a personal firewall (to block the agent’s tool).

  • Be alert to performance degradation noticeable while copying a large file over network.

  • Use VPN connection whenever possible.



EnCase Certified Examiner (EnCE)

  • EnCase Certified Examiner (EnCE)

  • Certified Computer Forensic Technician (CCFT)

  • Certified Computer Forensic Examiner (CFCE)

  • GIAC Certified Forensics Analyst (GCFA)

  • AccessData Certified Examiner (ACE)

  • Certified Computer Examiner (CCE)

  • others



Computer Forensics and Investigation as a Profession

  • Computer Forensics and Investigation as a Profession

  • Understanding Computing Investigations

  • The Investigator's Office and Laboratory

  • Processing Crime and Incident Scenes

  • Computer Forensics Tools Concepts

  • Computer Forensics Analysis and Validation

  • Acquiring Digital Evidence

  • Searching for and Bookmarking Data

  • File Signature and Hash Analysis

  • Creating Reports for High-Tech Investigations

  • Expert Testimony in High-Tech Investigations

  • Ethics for the Expert Witness



Students must have senior standing

  • Students must have senior standing

  • Pre-requisite courses by majors include:

    • Computer Information Systems - information architecture, common business applications, and organizational context of computer-based information systems.
    • Criminal Justice - methodologies and techniques appropriate for application in criminal justice environments
    • Accounting - Accounting Information Systems including internal controls and tools.
  • Pre-requisite focus - understanding of types of digital evidence and how computers work

    • Large disparity in this knowledge among students


EnCase® Forensic - makes an image of a hard drive in a forensically-prudent EnCase evidence file format

  • EnCase® Forensic - makes an image of a hard drive in a forensically-prudent EnCase evidence file format

    • de facto standard application for computer forensics
    • Used in the proposed course
  • EnCase® Enterprise – for remote investigation of internal and external threats from a central console

  • EnCase Data Audit & Policy Enforcement - search for information on the laptops, desktops, file servers, and email servers … from a central location

  • EnCase Cybersecurity - for national information security policy (identifying/responding to threats, remediating malware).

  • EnCase® eDiscovery - a pocket-sized kit to search and collect electronically stored information across the network.





Hands-on Practicum with EnCase

  • Hands-on Practicum with EnCase

  • Understanding of Case Management, EnCase Forensics software, and evidence file structure

  • Team project

  • Depending on major, emphasis on different phases

    • Information systems - emphasis on identification, preservation, and collection of data of various types from various devices.
    • Accounting - emphasis on data collection, examination, and analysis.
    • Criminal Justice - emphasis on data analysis, presentation, and decision.
  • Computer Forensics case study in the context of a specific major



Viewing FAT Entries

  • Viewing FAT Entries

  • Navigating EnCase

  • Maintaining Data Integrity

  • Searching for Data; Bookmarking the Results

  • File Signature Analysis

  • Windows Artifacts Recovery

  • Partition Recovery

  • Email and Registry Examination



Dedicated Computer Forensics Lab with support of technical assistants (desirable, not required)

  • Dedicated Computer Forensics Lab with support of technical assistants (desirable, not required)

  • Online remote dedicated Computer Forensics Lab (goal)

  • Common-use Open Access Labs on campus (sufficient)

    • Computers are shared between forensics studies and other courses and applications that use internal disk drives
    • Information Assurance and privacy concerns
    • Evidence files are isolated on student’s CDs and USB drives
    • Limit EnCase access to a student’s CD, USB only


E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.

  • E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.

    • American InterContinental University - Bachelor of Information Technology (BIT) with a concentration in Computer Forensics.
    • Champlain College - BS in Computer and Digital Forensics
    • Other major online universities
      • University of Phoenix, Liberty University, DeVry University's Keller Graduate School of Management, Strayer University Online. Etc.
  • A limited demo version of EnCase Forensic is included in some professional training books

    • Works only with the evidence file included on the CD; prevented from accessing any other media
    • Opens two opportunities: practicing EnCase at home and shifting some of the sessions into online mode of teaching.


TrueCrypt (http://www.truecrypt.org/)

  • TrueCrypt (http://www.truecrypt.org/)

    • Powerful open-source encryption software
    • Windows Vista/XP, Mac OS X, and Linux
    • Encrypts a partition or the entire storage – hard disk
    • Mobile data protection - USB flash drive
    • Plausible deniability for a user using a hidden volume
      • Presence cannot be easily detected
      • Data cannot be distinguished from random residual data
  • Used to secure information transmitted in Online studies

  • Password/encryption cracking to reveal intentionally hidden information (with EnCase)

    • Student can originate an attack on a computer; typical methods are dictionary based attack, key based attack, or simply the brute force attack.


Emphasis on skills using Computer Forensics software

  • Emphasis on skills using Computer Forensics software

  • Online instructions for Computer Forensics skills are well suited

  • Extensive Online EnCase tutorials to reduce the need for F2F instructions

  • Hybrid learning - best option

  • Teamwork vs. Individual work

  • Future - more forensic investigation online



Instructional technical challenges

  • Instructional technical challenges

    • Responding to students’ creativity
    • Inappropriate use of the software by students
  • Multi-disciplinary audience

  • Dissemination of controlled knowledge and software

  • Risks of privacy and information security violations

  • Risks of instructor’s liability

    • Is the target computer permitted for computer investigation?
    • Do online participants impersonate a legitimate student?
  • Compliance with Laws and Regulations

    • InfoSec Laws, campus regulations, and ethics.




Yüklə 491 b.

Dostları ilə paylaş:




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©genderi.org 2024
rəhbərliyinə müraciət

    Ana səhifə