4 Myths about Computer Forensics
It is Instantaneous
It is the same as computer security
It is just about computers
It is only cyber crimes
Computer Security is _________, Computer forensics is __________
proactive, reactive
What are four main computer forensic disciplines?
Traditional/Dead Box
Live/Network Investigations
Mobile
E-Discovery
What are other specializations in computer forensics?
Photography/Video Forensics
Mac Forensics
Linux Forensics
Servers
Large Datasets
Malware Analysis
What is Traditional Forensics/Dead Box?
Analysis is done in a post-mortem state (after the system has lost power).
What are the two Basic Rules of traditional forensics?
Harm Nothing, Preserve Everything
What is a Writeblocker?
Preserves the integrity of the original evidence - never work on original evidence
What is Live Forensics/Network Investigations?
It is a growing field in which investigations are done while the system is still powered on.
Why would Live/Network Forensics be used?
Volatile data (held in RAM) is preserved, and it is only good as long as the power is on.
Why is the rule “harm almost nothing” used for Live/Network Forensics?
Because working on a live system always makes changes, so we use trusted tools to create forensic images and document all actions taken.
What is mobile forensics?
It includes smartphones, tablets, and ultraportable laptops, and it is constantly changing because hundreds of new devices and updates reach the market each year.
What is e-discovery?
It does not bring stuff from the dark to the light - only analyzes what’s in the light. Not an Investigation tool - used mainly by legal departments. It assists with document view and preparation for trial.
What do you do in e-discovery?
Keyword searching; processing raw data without the need for additional software programs; and tag, organize, and produce subsets of data.
What is the BIG PICTURE in Forensics?
to use all data collected and re-create the chain of events that tie everything together in support of the overall investigation.
What is the GOAL of Forensics?
Control the data, determine ownership of the data, determine the intent of the user, and recreate the chain of events.
What CAN Computer forensics do?
Email recovery and analysis, document and file recovery, develop new investigative leads, corroborate other evidence, assist in showing patterns of events, connect computers and people, and extract data that may be hidden, deleted, or otherwise not directly available.
What CAN’T Computer Forensics do?
Create evidence, tie the suspect to the incident, prove innocence or guilt, be instantaneous.
What are some types of forensic evidence?
Hard drives, IDE, SATA, ZIF, SSD, RAM, RAID, External Hard Drives, SD cards, CDs, Magnetic Tapes, Firewalls
What is an SCSI?
Small Computer System Interface, vendor neutral, uses jumpers
What is an IDE?
Integrated Drive Electronics, up to two drives can be connected to a single IDE ribbon, uses jumpers
What is a SATA?
Serial ATA, replaced IDE, one-to-one connection
What is a ZIF?
A very specialized adapter with a special ribbon cable, typically used for hard disks in small or mobile devices.
What is an SSD?
Solid State, stored on memory chips, no moving parts
What are the disadvantages of an SSD?
Wear-leveling, longevity, lack of firmware continuity between manufacturers
What is RAM?
Random Access Memory, volatile, used for running applications
What is RAID?
Redundant Array of Independent Disks
What are the most common formats of a RAID?
0 - Striping (no safety net), 1 - Mirror (ultimate safety net), 5 - Parity (one-drive fault tolerance)
What are external hard drives?
USB, FireWire, Thunderbolt. Large drives usually require separate power along with a data connection
What is an SD Card?
Secure Digital Card, primarily used for portable electronics (SD, Mini, Micro)
What are types of CDs?
CD
CD-R
DVD
DVD-R, DVD + R
Blu-ray
What are Magnetic tapes?
Used to backup data from servers, format depends upon software program, data must be read in a linear fashion
What are firewalls?
Can be software or hardware, based on a set of defined rules to determine what is allowed through
What is a Black List and White List?
Black List determines what doesn’t go through.
White List determines what can go through.
What are some types of recovered forensic evidence?
Email, Images, Video, Web History, Log Files, Deleted Files, Documents, Databases
How does EMAIL help an investigation when the parties involved are KNOWN?
Helps determine who knew what and when; whether someone directed an action; whether someone asked for something; provides first-hand impressions or experiences
How does EMAIL help an investigation when the parties involved are UNKNOWN?
Helps determine geographic location and the means by which an email was sent
How do IMAGES help an investigation?
Can be used to document locations of items, actions taken by someone, how the picture was created (EXIF data), and scanned items.
What is EXIF Data?
Data stored within the photo (model number, version number, make and model of camera, geotagging)
How do LOG FILES help an investigation?
Only as useful as what they are designed to log: event logs, IIS logs, firewall logs, application-specific logs
What happens when someone “deletes” a file?
The pointer to the file is deleted, the file name is changed, and the physical location of the data on the hard drive is marked as available. To truly delete a file, the physical location on the hard drive must be overwritten with new data.
What kinds of DOCUMENTS help an investigation?
Microsoft Office, Adobe PDFs, Scans, Downloads, Text Files
What are some Cyber Investigator Skills?
Help Desk, Computer Science, Mathematics, Writing, Criminal Justice/Law.
How does Help Desk teach Cyber Investigative Skills?
Build computers
Fix software and hardware issues
Virus clean-up
Create/administer networks
How does Computer Science teach Cyber Investigative Skills?
Knowledge of operating systems and their associated file systems
Knowledge of where files are stored and how to determine their value to prosecutors in a criminal case
An understanding of how hardware and software interact
File Systems: How files are structured and stored and tracked on drives
Ability to code or understand code
How does Mathematics teach Cyber Investigative Skills?
Encryption, Problem Solving/Analytical Thinking
How does Writing teach Cyber Investigative Skills?
Documenting the investigative process and findings, creating reports to help outsiders understand the investigation
How does Criminal Justice/Law teach Cyber Investigative Skills?
Be knowledgeable about applicable laws, analyze a set of facts, and make decisions accordingly
What are some trainings and certifications for computer forensics?
Academia, vendor specific, vendor agnostic, government/law enforcement/military
What constitutional laws are important in cyber investigations?
First, Fourth, Fifth, Sixth Amendments
What does the First Amendment Protect?
Freedom of religion, speech, and the press - Cannot post a message that could incite a disturbance or violence
What does the Fourth Amendment Protect?
Unreasonable searches and seizures - Reasonable expectation of privacy of PEOPLE, NOT PLACES
What does the Fifth Amendment Protect?
Life, Liberty, and Property - Cannot force someone to speak
What does the Sixth Amendment Protect?
Accused persons in criminal cases
What is the “exclusionary rule”?
evidence seized and examined without a warrant or in violation of constitutional rights will often be inadmissible in court in a criminal case
What is a search warrant?
A court order issued by a judge or magistrate authorizing law enforcement to search a person, place, or thing as well as seize items or information within the parameters of the warrant.
What is needed for a Search Warrant?
Probable Cause
What is the “Plain View Doctrine”?
Right to be, right to see
Allows a government agent to seize evidence without a warrant when the officer can clearly observe the contraband without further intrusion
What are important Statutory Laws in Cyber Investigations?
Fraud and related activity in connection with computers
Any type of protected computer (firewall, password, etc.)
Does not have to be successful - the mere attempt at degrading, attacking, or other abuse is covered
Beyond authorized use
Interception and disclosure of wire, oral, or electronic communications prohibited
Cannot intercept communications in real-time without a specialized warrant