Flashcards generated from lecture notes on Computer Forensics
Computer Forensics
A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding
Objectives of Computer Forensics
Identify, gather, and preserve evidence of cybercrime; Gather evidence of cyber crimes in a forensically sound manner; Estimate the potential impact of malicious activity; Minimize losses to the organization; Protect the organization from similar incidents; Support the prosecution of the perpetrator
Need for Computer Forensics
To ensure the integrity of IT systems; To track down perpetrators; To process factual evidence for court; To protect financial resources and time
Cybercrime Definition
Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications
Internal/Insider Attack
An attack performed on a corporate network by an entrusted person (insider) who has authorized access to the network
External Attack
An attack that occurs when an attacker from outside the organization tries to gain unauthorized access to computing systems
Examples of Cybercrimes
Examples include Espionage, Intellectual Property Theft, Data Manipulation, Trojan Horse Attack, SQL Attack, Brute-force Attack, Phishing/Spoofing, Privilege Escalation Attacks, Denial of Service Attack, Cyber Defamation, Cyberterrorism, Cyberwarfare
Impact of Cybercrimes at the Organizational Level
Loss of confidentiality, integrity and availability of information; Theft of sensitive data; Disruption of business activities; Loss of customer trust; Reputational damage; Financial losses; Penalties for non-compliance
Digital evidence
Any information of probative value that is either stored or transmitted in a digital form
Volatile Data
Data that are lost as soon as the device is powered off
Non-volatile Data
Permanent data stored on secondary storage devices such as hard disks and memory cards
User-Created Files
Address books, database files, media files, documents, Internet bookmarks
User-Protected Files
Compressed files, encrypted files, password-protected files, hidden files
Computer-Created Files
Backup files, log files, configuration files, printer spool files, cookies, swap files, system files, history files, temporary files
Understandable Evidence
Evidence must be clear and understandable
Admissible Evidence
Evidence must be related to the fact being proved
Authentic Evidence
Evidence must be real and appropriately related to the incident
Reliable Evidence
There must be no doubt about the authenticity or veracity of the evidence
Complete Evidence
The evidence must prove the attacker's actions or innocence
Best Evidence Rule
The court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy
SWGDE Principle 1
Law enforcement and forensic organizations must establish and maintain an effective quality system
ACPO Principles of Digital Evidence
No action should change data which may subsequently be relied upon in court; Persons accessing original data must be competent; An audit trail of processes should be created and preserved; The case officer has overall responsibility
Forensic Readiness
An organization's ability to optimally use digital evidence in a limited period of time and with minimal investigation costs
Forensics Readiness Planning
Identify potential evidence; Determine sources of evidence; Define a policy to legally extract electronic evidence; Establish a policy to handle and store evidence; Identify if the incident requires full investigation; Create a process for documenting the procedure; Establish a legal advisory board; Keep an incident response team
Need for a Forensic Investigator
Helps organizations and law enforcement investigate and prosecute cybercrimes; Sound Evidence Handling; Incident Handling and Response
Roles and Responsibilities of a Forensics Investigator
Determines the extent of damage; Recovers data of investigative value; Creates an image of the original evidence; Guides officials; Prepares analysis reports; Updates the organization about attack methods; Addresses the issue in court
What Makes a Good Computer Forensics Investigator?
Interviewing skills; Excellent writing skills; Strong analytical skills; Excellent communication skills; Updated knowledge; Knowledge of computer platforms; Knowledge of various technologies; Contact with professionals; Knowledge of relevant laws
Legal compliance in computer forensics
Ensures that any evidence collected and analyzed is admissible in a court of law
Examples of legal acts relevant to Computer Forensics
Gramm-Leach-Bliley Act (GLBA), Federal Information Security Modernization Act of 2014 (FISMA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Electronic Communications Privacy Act, General Data Protection Regulation (GDPR), Data Protection Act 2018, Sarbanes-Oxley Act of 2002
NIST Framework for Digital Forensics
Framework for conducting digital forensic investigations, focusing on evidence integrity, repeatability, and accuracy.
Phishing Attack Investigation Reporting
Summarize Collection, Examination, Analysis, and Reporting key findings.
Cyber Crime
Type of crime that involves a computer, networked device, or a network, often used to commit fraud, steal information, or disrupt services.
First recorded cybercrime internationally: Morris Worm in 1988
Caused significant disruption and highlighted the vulnerabilities of networked systems.
Robert Tappan Morris was prosecuted for his role in creating the Morris Worm.
Convicted under the U.S. Computer Fraud and Abuse Act
Yahoo Inc. v. Akash Arora case in 1999
Highlighted the need for legal measures to address domain name disputes in India.
State of Tamil Nadu v. Suhas Katti (2004)
First case in India where a conviction was secured under the Information Technology Act for cyberstalking and harassment.
Key Points of Evidence and Proceedings
Police tracked the IP addresses used by the accused to send the messages.