Forensic Sciences originated in medicine and expanded to arson, chemistry, … and digital evidence. Forensic Sciences is "a broad spectrum of sciences to answer questions of interest to a legal system." (Wikipedia)
Computer Forensics - "use of analytical and investigative techniques …
- to identify, collect, examine and preserve information …
- magnetically stored or encoded …
- to provide digital evidence of a specific or general activity." (Computer Forensics World)
Investigations of computer attacks, hacker intrusion, fraud and abuses:
- Salami attack
- Data Diddling
- Excessive (elevation of) privileges
- Password sniffing on a network
- IP spoofing
- Eavesdropping
International principles
- Recognition of evidence
- Handling in various courts consistently in the same manner.
The common evidence for such investigations includes:
- Violations of Information Security
- Penetration of Computer Access Control
- Breaching Information Accountability
- Penetration of Network Security
- Cryptanalysis
- Penetration of Operational Security of Computer Systems
- Penetration of Application and Database Security
- Hacking
- Illegal Internet and Web Activities, and other
Phases:
- Identification
- Preservation
- Collection
- Examination
- Analysis
- Presentation
- Decision
Computer forensics software collects data into evidence files
Forensic investigation
- Traditional – physical access to a target machine
- Remote – across network access - new technique
EnCase Enterprise Edition supports remote investigation
- Enables covert examination
Keep system resource usage down
- Disguise the remote investigative agent software
- Make sure that a personal firewall active on the target machine is open for inbound connections
- Keep the log file free from recording any forensic activities
- Start an agent on the target machine systematically when the machine starts
- Do forensics during non-business hours or when heavy hard drive activity is expected (e.g., antivirus scans)
- Be extra careful when targeting a laptop for investigation: prolonged hard drive activity can be suspicious
- A high-speed network connection is better than a slow WAN.
Review Task Manager periodically - increased and persistent hard drive activity at odd times
- Identify and stop the remote agent's system process
- Enable blocking of inbound connections in a personal firewall (to block the agent's tool).
- Be alert to performance degradation noticeable while copying a large file over the network.
- Use a VPN connection whenever possible.
- EnCase Certified Examiner (EnCE)
- Certified Computer Forensic Technician (CCFT)
- Certified Computer Forensic Examiner (CFCE)
- GIAC Certified Forensics Analyst (GCFA)
- AccessData Certified Examiner (ACE)
- Certified Computer Examiner (CCE)
- others
- Computer Forensics and Investigation as a Profession
- The Investigator's Office and Laboratory
- Processing Crime and Incident Scenes
- Computer Forensics Tools Concepts
- Computer Forensics Analysis and Validation
- Acquiring Digital Evidence
- Searching for and Bookmarking Data
- File Signature and Hash Analysis
- Creating Reports for High-Tech Investigations
- Expert Testimony in High-Tech Investigations
- Ethics for the Expert Witness
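As an added illustration of the "File Signature and Hash Analysis" topic above (example code written for this page, not EnCase's or the course's own material), the following Python script checks whether each file's leading bytes agree with its extension and records a SHA-256 value that can be recomputed later to confirm the evidence is unchanged. The signature table and the sample files are constructed for the demo.

```python
import hashlib

# Constructed table of well-known file headers (magic bytes) and the
# extensions normally paired with them; a small subset for the demo.
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"MZ": {"exe", "dll"},
}

def identify(data):
    """Return the extension set whose header matches the leading bytes, else None."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def signature_analysis(files):
    """Map file name -> (status, sha256), status in match/mismatch/unknown.
    'mismatch' = known header but an extension not normally used for that type,
    which is the condition an examiner bookmarks for closer review."""
    results = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        exts = identify(data)
        if exts is None:
            status = "unknown"
        elif ext in exts:
            status = "match"
        else:
            status = "mismatch"
        results[name] = (status, hashlib.sha256(data).hexdigest())
    return results

def verify_integrity(files, acquisition_hashes):
    """Recompute SHA-256 per file and compare with the hash recorded at acquisition."""
    return {name: hashlib.sha256(data).hexdigest() == acquisition_hashes.get(name)
            for name, data in files.items()}

# Constructed sample evidence: short byte strings standing in for files.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 8,
    "notes.txt": b"PK\x03\x04" + b"\x00" * 8,   # zip header behind a .txt name
    "report.pdf": b"%PDF-1.4\n" + b"\x00" * 8,
    "readme": b"plain text with no known header",
}
```

Running `signature_analysis(SAMPLE_FILES)` flags `notes.txt` as a mismatch; re-running `verify_integrity` with the recorded hashes detects any later change to a file.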
Students must have senior standing
Pre-requisite courses by major include:
- Computer Information Systems - information architecture, common business applications, and organizational context of computer-based information systems.
- Criminal Justice - methodologies and techniques appropriate for application in criminal justice environments
- Accounting - Accounting Information Systems including internal controls and tools.
Pre-requisite focus - understanding of types of digital evidence and how computers work
- Large disparity in this knowledge among students
EnCase® Forensic - makes an image of a hard drive in a forensically prudent EnCase evidence file format
- de facto standard application for computer forensics
- Used in the proposed course
EnCase® Enterprise – for remote investigation of internal and external threats from a central console
EnCase Data Audit & Policy Enforcement - search for information on the laptops, desktops, file servers, and email servers … from a central location
EnCase Cybersecurity - for national information security policy (identifying/responding to threats, remediating malware).
EnCase® eDiscovery - a pocket-sized kit to search and collect electronically stored information across the network.
Hands-on Practicum with EnCase
- Understanding of Case Management, EnCase Forensics software, and evidence file structure
- Team project
- Depending on major, emphasis on different phases:
- Information Systems - emphasis on identification, preservation, and collection of data of various types from various devices.
- Accounting - emphasis on data collection, examination, and analysis.
- Criminal Justice - emphasis on data analysis, presentation, and decision.
Computer Forensics case study in the context of a specific major
- Viewing FAT Entries
- Navigating EnCase
- Maintaining Data Integrity
- Searching for Data; Bookmarking the Results
- File Signature Analysis
- Windows Artifacts Recovery
- Partition Recovery
- Email and Registry Examination
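To illustrate the "Viewing FAT Entries" and recovery topics above, here is an added Python example (written for this page, not course or EnCase material) that decodes 8.3 directory entries from a constructed FAT directory cluster and shows why a deleted file's entry, size and first cluster remain readable. The helper make_entry and the sample cluster are constructed for the demo; timestamps are not decoded.

```python
import struct

def parse_dir_entry(raw):
    """Decode one 32-byte FAT short-name (8.3) directory entry into a dict.
    A first byte of 0xE5 marks a deleted entry: its first name character is lost ('?')."""
    deleted = raw[0] == 0xE5
    base = raw[1:8] if deleted else raw[0:8]
    stem = ("?" if deleted else "") + base.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi, = struct.unpack_from("<H", raw, 20)     # FAT32 high 16 bits of cluster
    lo, = struct.unpack_from("<H", raw, 26)     # low 16 bits of first cluster
    size, = struct.unpack_from("<I", raw, 28)   # file size in bytes
    return {
        "name": f"{stem}.{ext}" if ext else stem,
        "attrs": raw[11],                       # 0x10 directory, 0x20 archive
        "first_cluster": (hi << 16) | lo,
        "size": size,
        "deleted": deleted,
    }

def walk_directory(cluster):
    """Return short-name entries of a directory cluster, deleted ones included.
    Stops at the 0x00 end marker; long-file-name fragments (attrs 0x0F) are skipped."""
    entries = []
    for off in range(0, len(cluster) - 31, 32):
        raw = cluster[off:off + 32]
        if raw[0] == 0x00:
            break
        if raw[11] & 0x0F == 0x0F:
            continue
        entries.append(parse_dir_entry(raw))
    return entries

def make_entry(name8, ext3, attrs, cluster, size, deleted=False):
    """Build a constructed entry for the sample cluster below (not real disk data)."""
    raw = bytearray(32)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = attrs
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)

SAMPLE_CLUSTER = (make_entry("BUDGET", "XLS", 0x20, 0x12345, 40960)  # constructed
                  + make_entry("SECRET", "DOC", 0x20, 0x2A, 2048, deleted=True)
                  + bytes(32))                                        # end marker
```

`walk_directory(SAMPLE_CLUSTER)` returns both entries; the deleted one still points at cluster 0x2A with its 2048-byte size, which is what a recovery tool follows.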
Dedicated Computer Forensics Lab with support of technical assistants (desirable, not required)
Online remote dedicated Computer Forensics Lab (goal)
Common-use Open Access Labs on campus (sufficient)
- Computers are shared between forensics studies and other courses and applications that use internal disk drives
- Information Assurance and privacy concerns
- Evidence files are isolated on students' CDs and USB drives
- Limit EnCase access to a student's CD and USB only
E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.
- American InterContinental University - Bachelor of Information Technology (BIT) with a concentration in Computer Forensics.
- Champlain College - BS in Computer and Digital Forensics
- Other major online universities - University of Phoenix, Liberty University, DeVry University's Keller Graduate School of Management, Strayer University Online, etc.
A limited demo version of EnCase Forensic is included in some professional training books
- Works only with the evidence file included on the CD; prevented from accessing any other media
- Opens two opportunities: practicing EnCase at home and shifting some of the sessions into an online mode of teaching.
TrueCrypt (http://www.truecrypt.org/)
- Powerful open-source encryption software
- Windows Vista/XP, Mac OS X, and Linux
- Encrypts a partition or the entire storage – hard disk
- Mobile data protection - USB flash drive
- Plausible deniability for a user using a hidden volume
- Presence cannot be easily detected
- Data cannot be distinguished from random residual data
Used to secure information transmitted in online studies
Password/encryption cracking to reveal intentionally hidden information (with EnCase)
- Students can originate an attack on a computer; typical methods are a dictionary-based attack, a key-based attack, or simply a brute-force attack.
Emphasis on skills using Computer Forensics software
- Online instruction for Computer Forensics skills is well suited
- Extensive online EnCase tutorials reduce the need for F2F instruction
- Hybrid learning - best option
- Teamwork vs. individual work
- Future - more forensic investigation online
Instructional technical challenges
- Responding to students' creativity
- Inappropriate use of the software by students
- Multi-disciplinary audience
- Dissemination of controlled knowledge and software
- Risks of privacy and information security violations
- Risks of instructor's liability:
- Is the target computer permitted for computer investigation?
- Do online participants impersonate a legitimate student?
Compliance with Laws and Regulations - InfoSec Laws, campus regulations, and ethics.