SlideShare a Scribd company logo

Computer_forensics_ppt.ppt

Download as PPT, PDF
G
Gnanavi2

This document provides an overview of computer forensics and discusses: - The key components of computer forensics including acquisition, analysis and examination of digital evidence (the "3 As") within a criminal investigation process. - How computer forensics fits within the broader fields of digital forensic science and criminalistics, which applies scientific methods to criminal law enforcement. - The challenges faced by computer forensics professionals including issues around its status and acceptance as a scientific discipline, legal challenges around evidence admissibility, and technical challenges posed by new storage technologies and network environments.

Science
1 of 41
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
1 Computer Forensics: Basics Lecture1 The Context of Computer Forensics Adapted from a lecture by Mark Rogers Purdue University 2004
2 Debate  Is digital forensics a “real” scientific discipline? – What is digital forensics – How do you define a scientific discipline? – Does it really matter?
3 Learning Objectives  At the end of this section you will be able to: – Describe the science of digital forensics. – Categorize the different communities and areas within digital forensics. – Explain where computer forensics fits into DFS – Describe criminalistics as it relates to the investigative process – Discuss the 3 A’s of the computer forensics methodology – Critically analyze the emerging area of cyber- criminalistics – Explain the holistic approach to cyber-forensics
4 Computer Forensics Fundamentals Military Acquisition Analysis Examination Report Investigation Criminal FRYE FRE 702 Daubert/Kumho Civil Federal Rules of Civil Procedure Sedona Rowe Rules of Evidence Expert Witness Friend of the Court Technical Expert Presentation Standards & Guidelines Law Enforcement Private Sector Computer Forensics
5 Concept Map Context/Domain Legal Technical Standards & Guidelines Data Hiding Profili ng & Issues Criminal Civil Disks Structures Filesystem Bag/tag Acquire Analysis Examine
6 Criminalistics
7 Criminalistics  Fancy term for Forensic Science  Forensic Science – The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system (Saferstein, 2004)  Think Sherlock Holmes!!
8 History & Development  Francis Galton (1822-1911) – First definitive study of fingerprints  Sir Arthur Conan Doyle (1887) – Sherlock Holmes mysteries  Leone Lattes (1887-1954) – Discovered blood groupings (A,B,AB, & 0)  Calvin Goddard (1891-1955) – Firearms and bullet comparison  Albert Osborn (1858-1946) – Developed principles of document examination  Hans Gross (1847-1915) – First treatise on using scientific disciplines in criminal investigations.
9 History & Development  Edmond Locard (1877-1966) – Principle of Exchange  “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” – The purpose of an investigation is to locate identify and preserve evidence-data on which a judgment or conclusion can be based.  FBI (1932) – National Lab to provide forensic services to all law enforcement agencies in the country
10 Crime Lab  Basic services provided – Physical Science Unit  Chemistry, physics, geology – Biology Unit  DNA, blood, hair & fiber, body fluids, botanical – Firearms Unit – Document Examination – Photography Unit
11 Crime Lab  Optional Services – Toxicology Unit – Latent Fingerprint Unit – Polygraph Unit – Voice Print Analysis Unit – Evidence Collection Unit (Rather new)
12 Other Forensic Science Services  Forensic Pathology – Sudden unnatural or violent deaths  Forensic Anthropology – Identification of human skeletal remains  Forensic Entomology – Insects  Forensic Psychiatry  Forensic Psychology  Forensic Odontology – Dental  Forensic Engineering  ***Digital Forensics***
13 Digital Forensic Science  Digital Forensic Science (DFS): “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Source: (2001). Digital Forensic Research Workshop (DFRWS)
14 Communities  There at least 3 distinct communities within Digital Forensics – Law Enforcement – Military – Business & Industry  Possibly a 4th – Academia
15 Digital Forensic Science
16 Community Objectives
17 The Process  The primary activities of DFS are investigative in nature.  The investigative process encompasses – Identification – Preservation – Collection – Examination – Analysis – Presentation – Decision
18 Investigative Process
19 Subcategories of DFS  There is a consensus that there are at least 3 distinct types of DFS analysis – Media Analysis  Examining physical media for evidence – Code Analysis  Review of software for malicious signatures – Network Analysis  Scrutinize network traffic and logs to identify and locate
20 Media Analysis  May often be referred to as computer forensics.  More accurate to call it media analysis as the focus is on the various storage medium (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.)  Excludes network analysis.
21 Computer Forensics  Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
22 Computer Forensic Activities  Computer forensics activities commonly include: – the secure collection of computer data – the identification of suspect data – the examination of suspect data to determine details such as origin and content – the presentation of computer-based information to courts of law – the application of a country's laws to computer practice.
23 The 3 As  The basic methodology consists of the 3 As: – Acquire the evidence without altering or damaging the original – Authenticate the image – Analyze the data without modifying it
24 Computer Forensics - History  1984 FBI Computer Analysis and Response Team (CART)  1991 International Law Enforcement meeting to discuss computer forensics & the need for standardized approach  1997 Scientific Working Group on Digital Evidence (SWGDE) established to develop standards  2001 Digital Forensic Research Workshop (DFRWS) development of research roadmap  2003 Still no standards developed or corpus of knowledge (CK)
25 Context of Computer Forensics •Homeland Security •Information Security •Corporate Espionage •White Collar Crime •Child Pornography •Traditional Crime •Incident Response •Employee Monitoring •Privacy Issues •???? Digital Forensics Computer Forensics
26 Fit with Information Assurance  Computer Forensics is part of the incident response (IR) capability  Forensic “friendly” procedures & processes  Proper evidence management and handling  IR is an integral part of IA
27 Incident Response Methodology (PDCAERF) Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back Digital Forensics/Evidence Management
28 (PDCAERF)  Preparation – Being ready to respond – Procedures & policies – Resources & CSIRT creation – Current vulnerabilities & counter-measures  Detection/Notification – Determining if an incident or attempt has been made – IDS – Initial actions/reactions – Determining the scope – Reporting process
29 (PDCAERF)  Containment – Limit the extent of an attack – Mitigate the potential damage & loss – Containment strategies  Analysis & Tracking – How the incident occurred – More in-depth analysis of the event – Tracing the incident back to its source
30 (PDCAERF)  Eradication/ Repair-Recovery – Recovering systems – Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.) – Hardening systems – Dealing with patches
31 (PDCAERF)  Follow-up – Review the incident and how it was handled – Postmortem analysis – Lessons learned – Follow-up reporting
32 Challenges  Eric Holder, Deputy Attorney General of the United States Subcommittee on Crime of the House Committee on the Judiciary and the Subcommittee on Criminal Oversight of the Senate Committee on the Judiciary:  Technical challenges that hinder law enforcement’s ability to find and prosecute criminals operating online;  Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, social changes; and  Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.
33 Challenges  NIJ 2001 Study  There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes.  Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.  Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
34 General Challenges  Computer forensics is in its infancy  Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector  No real basic theoretical background upon which to conduct empirical hypothesis testing  No true professional designations  Proper training  At least 3 different “communities” with different demands  Still more of a “folk art” than a true science
35 Legal Challenges  Status as scientific evidence??  Criteria for admissibility of novel scientific evidence (Daubert v. Merrell) – Whether the theory or technique has been reliably tested; – Whether the theory or technique has been subject to peer review and publication; – What is the known or potential rate of error of the method used; and – Whether the theory or method has been generally accepted by the scientific community.  Kumho Tire extended the criteria to technical knowledge
36 Specific Challenges  No International Definitions of Computer Crime  No International agreements on extraditions  Multitude of OS platforms and filesystems  Incredibly large storage capacity – 100 Gig Plus – Terabytes – SANs
37 Specific Challenges  Small footprint storage devices – Compact flash – Memory sticks – Thumb drives – Secure digital  Networked environments  RAID systems  Grid computing  Embedded processors  Other??
38 Specific Challenges  Where is the “crime scene?” Perpetrator’s System Victim’s System Electronic Crime Scene Cyberspace
39 Specific Challenges  What constitutes evidence??  What are we looking for??
40 Summary  DFS is a sub-discipline of criminalistics  DFS is a relatively new science  3 Communities – Legal, Military, Private Sector/Academic  DFS is primarily investigative in nature  DFS is made up of – Media Analysis – Code Analysis – Network Analysis
41 Summary  Computer Forensics is a sub-discipline within DFS  Computer Forensics is part of an IR capability  3 A’s of the Computer Forensic Methodology  There are many general and specific challenges  There is a lack of basic research in this area  Both DFS and Computer Forensics are immature emerging areas

More Related Content

PPT
Fundamentals of cryptography
Hossain Md Shakhawat
 
PPTX
User authentication
CAS
 
PPT
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
PDF
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
PPTX
Chapter5 slideshare
manirajan12
 
PPTX
Steganography
Mayank Saxena
 
PDF
I.BEST FIRST SEARCH IN AI
vikas dhakane
 
PPTX
Password craking techniques
أحلام انصارى
 
Fundamentals of cryptography
Hossain Md Shakhawat
 
User authentication
CAS
 
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Chapter5 slideshare
manirajan12
 
Steganography
Mayank Saxena
 
I.BEST FIRST SEARCH IN AI
vikas dhakane
 
Password craking techniques
أحلام انصارى
 

What's hot (20)

PPT
Symmetric & Asymmetric Cryptography
chauhankapil
 
PPTX
3170725_Unit-1.pptx
YashPatel132112
 
PPTX
Information Security Lecture #1 ppt
vasanthimuniasamy
 
PPTX
Network Forensics
primeteacher32
 
PPTX
Digital forensics
Roberto Ellis
 
PPTX
Unified process Model
University of Haripur
 
DOCX
Social and legal issues in i
Hassan Nasir
 
PPTX
The adversary playbook - the tools, techniques and procedures used by threat ...
Jisc
 
PPTX
Cryptography
Sidharth Mohapatra
 
PDF
Information Security Lecture Notes
FellowBuddy.com
 
PDF
02 Types of Computer Forensics Technology - Notes
Kranthi
 
PPTX
Risk assessment
kajal kumari
 
PDF
01 Computer Forensics Fundamentals - Notes
Kranthi
 
PPT
Access control matrix
Aravindharamanan S
 
PPTX
Role-of-lexical-analysis
Dattatray Gandhmal
 
PDF
Chapter 8 software testing
despicable me
 
PPTX
3 d display-methods-in-computer-graphics(For DIU)
Rajon rdx
 
PPT
12 symmetric key cryptography
drewz lin
 
PPTX
Malware ppt final.pptx
LakshayNRReddy
 
PPTX
A* Algorithm
Dr. C.V. Suresh Babu
 
Symmetric & Asymmetric Cryptography
chauhankapil
 
3170725_Unit-1.pptx
YashPatel132112
 
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Network Forensics
primeteacher32
 
Digital forensics
Roberto Ellis
 
Unified process Model
University of Haripur
 
Social and legal issues in i
Hassan Nasir
 
The adversary playbook - the tools, techniques and procedures used by threat ...
Jisc
 
Cryptography
Sidharth Mohapatra
 
Information Security Lecture Notes
FellowBuddy.com
 
02 Types of Computer Forensics Technology - Notes
Kranthi
 
Risk assessment
kajal kumari
 
01 Computer Forensics Fundamentals - Notes
Kranthi
 
Access control matrix
Aravindharamanan S
 
Role-of-lexical-analysis
Dattatray Gandhmal
 
Chapter 8 software testing
despicable me
 
3 d display-methods-in-computer-graphics(For DIU)
Rajon rdx
 
12 symmetric key cryptography
drewz lin
 
Malware ppt final.pptx
LakshayNRReddy
 
A* Algorithm
Dr. C.V. Suresh Babu
 
Ad

Similar to Computer_forensics_ppt.ppt (20)

PPT
sakshi Computer_forensics_ppt.ppt
SakshiAlex
 
PPT
Computer forensics and cyber security powerpoint presentation
bhargavi804095
 
PPT
01 computer%20 forensics%20in%20todays%20world
Aqib Memon
 
PPTX
3170725_Unit-1.pptx
BhagyasriPatel2
 
PPTX
Cyber forensics 02 mit-2014
Muzzammil Wani
 
PDF
Digital forensic science and its scope manesh t
Manesh T
 
PPTX
Business Intelligence (BI) Tools For Computer Forensic
Dhiren Gala
 
PDF
Computer forencis
Teja Bheemanapally
 
PPT
L11 - Intro to Computer Forensics.ppt
RebeccaMunasheChimhe
 
PPTX
cyber law and forensics,biometrics systems
Mayank Diwakar
 
PPT
Chapter 1 - Computer Forensics and Investigations as a Profession.ppt
kong100
 
PPTX
Computer forensic
Shashi Mishra
 
PDF
Computer forensic
ibraheem ogundele
 
PPTX
Digital&computforensic
Rahul Badekar
 
PPTX
computer-forensics-8727-OHvDvOm.pptx
ssuser2bf502
 
PPTX
computer-forensics-8727-OHvDvOm.pptx
DaniyaHuzaifa
 
PPTX
Unit 4 -Digital Forensic Chapter for MSBTE engineering students
gboy4529248
 
PPTX
ppt for Module 5 cybersecuirty_023501.pptx
MayuraD1
 
PPT
Ch 3C Processing Crime and Incident Scenes.ppt
whbwi21Basri
 
PPTX
Computer forensics toolkit
Milap Oza
 
sakshi Computer_forensics_ppt.ppt
SakshiAlex
 
Computer forensics and cyber security powerpoint presentation
bhargavi804095
 
01 computer%20 forensics%20in%20todays%20world
Aqib Memon
 
3170725_Unit-1.pptx
BhagyasriPatel2
 
Cyber forensics 02 mit-2014
Muzzammil Wani
 
Digital forensic science and its scope manesh t
Manesh T
 
Business Intelligence (BI) Tools For Computer Forensic
Dhiren Gala
 
Computer forencis
Teja Bheemanapally
 
L11 - Intro to Computer Forensics.ppt
RebeccaMunasheChimhe
 
cyber law and forensics,biometrics systems
Mayank Diwakar
 
Chapter 1 - Computer Forensics and Investigations as a Profession.ppt
kong100
 
Computer forensic
Shashi Mishra
 
Computer forensic
ibraheem ogundele
 
Digital&computforensic
Rahul Badekar
 
computer-forensics-8727-OHvDvOm.pptx
ssuser2bf502
 
computer-forensics-8727-OHvDvOm.pptx
DaniyaHuzaifa
 
Unit 4 -Digital Forensic Chapter for MSBTE engineering students
gboy4529248
 
ppt for Module 5 cybersecuirty_023501.pptx
MayuraD1
 
Ch 3C Processing Crime and Incident Scenes.ppt
whbwi21Basri
 
Computer forensics toolkit
Milap Oza
 
Ad

More from Gnanavi2 (6)

PDF
PPT_on_Cache_Partitioning_Techniques.pdf
Gnanavi2
 
PDF
computerforensicsppt-111006063922-phpapp01.pdf
Gnanavi2
 
PDF
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
PDF
computerforensics-140212060522-phpapp02.pdf
Gnanavi2
 
PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PDF
computerforensicppt-160201192341.pdf
Gnanavi2
 
PPT_on_Cache_Partitioning_Techniques.pdf
Gnanavi2
 
computerforensicsppt-111006063922-phpapp01.pdf
Gnanavi2
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
Gnanavi2
 
computerforensics-140212060522-phpapp02.pdf
Gnanavi2
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
computerforensicppt-160201192341.pdf
Gnanavi2
 

Recently uploaded (20)

PPTX
neck nodes and dissection types and lymph nodes levels
DipuSarma
 
PPTX
G5Q1W8 PPT SCIENCE.pptx 2025-2026 GRADE 5
Rodel Gordzkie
 
DOCX
Q1_LE_Mathematics 8_Lesson 5_Week 5.docx
marcusaviso1101
 
PPT
protein biochemistry.ppt for university classes
bayewodajo27
 
PDF
IFIT3 RNA-binding activity primores influenza A viruz infection and translati...
saracelre
 
PPTX
TOTAL hIP ARTHROPLASTY Presentation.pptx
hararghemssc
 
PPTX
The KM-GBF monitoring framework – status & key messages.pptx
pensoftservices
 
PDF
The scientific heritage No 166 (166) (2025)
The scientific heritage
 
PPTX
7. General Toxicologyfor clinical phrmacy.pptx
faysalphr
 
PDF
SEHH2274 Organic Chemistry Notes 1 Structure and Bonding.pdf
ivan1108lau
 
PDF
ELS_Q1_Module-11_Formation-of-Rock-Layers_v2.pdf
savannaesar07
 
PPT
The World of Physical Science, • Labs: Safety Simulation, Measurement Practice
joybejerano
 
PPTX
Vitamins & Minerals: Complete Guide to Functions, Food Sources, Deficiency Si...
Muhammad Sajid Afridi
 
PPTX
2. Earth - The Living Planet Module 2ELS
markjustinebarolobau
 
PPTX
INTRODUCTION TO EVS | Concept of sustainability
manumaddy15198
 
PDF
Biophysics 2.pdffffffffffffffffffffffffff
MiraMusleh
 
PPTX
Microbiology with diagram medical studies .pptx
mohammedabbusiddiq
 
PPT
Chemical bonding and molecular structure
karthikeyan
 
PDF
An interstellar mission to test astrophysical black holes
Sérgio Sacani
 
PDF
Unveiling a 36 billion solar mass black hole at the centre of the Cosmic Hors...
Sérgio Sacani
 
neck nodes and dissection types and lymph nodes levels
DipuSarma
 
G5Q1W8 PPT SCIENCE.pptx 2025-2026 GRADE 5
Rodel Gordzkie
 
Q1_LE_Mathematics 8_Lesson 5_Week 5.docx
marcusaviso1101
 
protein biochemistry.ppt for university classes
bayewodajo27
 
IFIT3 RNA-binding activity primores influenza A viruz infection and translati...
saracelre
 
TOTAL hIP ARTHROPLASTY Presentation.pptx
hararghemssc
 
The KM-GBF monitoring framework – status & key messages.pptx
pensoftservices
 
The scientific heritage No 166 (166) (2025)
The scientific heritage
 
7. General Toxicologyfor clinical phrmacy.pptx
faysalphr
 
SEHH2274 Organic Chemistry Notes 1 Structure and Bonding.pdf
ivan1108lau
 
ELS_Q1_Module-11_Formation-of-Rock-Layers_v2.pdf
savannaesar07
 
The World of Physical Science, • Labs: Safety Simulation, Measurement Practice
joybejerano
 
Vitamins & Minerals: Complete Guide to Functions, Food Sources, Deficiency Si...
Muhammad Sajid Afridi
 
2. Earth - The Living Planet Module 2ELS
markjustinebarolobau
 
INTRODUCTION TO EVS | Concept of sustainability
manumaddy15198
 
Biophysics 2.pdffffffffffffffffffffffffff
MiraMusleh
 
Microbiology with diagram medical studies .pptx
mohammedabbusiddiq
 
Chemical bonding and molecular structure
karthikeyan
 
An interstellar mission to test astrophysical black holes
Sérgio Sacani
 
Unveiling a 36 billion solar mass black hole at the centre of the Cosmic Hors...
Sérgio Sacani
 

Computer_forensics_ppt.ppt

  • 1. 1 Computer Forensics: Basics Lecture1 The Context of Computer Forensics Adapted from a lecture by Mark Rogers Purdue University 2004
  • 2. 2 Debate  Is digital forensics a “real” scientific discipline? – What is digital forensics – How do you define a scientific discipline? – Does it really matter?
  • 3. 3 Learning Objectives  At the end of this section you will be able to: – Describe the science of digital forensics. – Categorize the different communities and areas within digital forensics. – Explain where computer forensics fits into DFS – Describe criminalistics as it relates to the investigative process – Discuss the 3 A’s of the computer forensics methodology – Critically analyze the emerging area of cyber- criminalistics – Explain the holistic approach to cyber-forensics
  • 4. 4 Computer Forensics Fundamentals Military Acquisition Analysis Examination Report Investigation Criminal FRYE FRE 702 Daubert/Kumho Civil Federal Rules of Civil Procedure Sedona Rowe Rules of Evidence Expert Witness Friend of the Court Technical Expert Presentation Standards & Guidelines Law Enforcement Private Sector Computer Forensics
  • 5. 5 Concept Map Context/Domain Legal Technical Standards & Guidelines Data Hiding Profili ng & Issues Criminal Civil Disks Structures Filesystem Bag/tag Acquire Analysis Examine
  • 7. 7 Criminalistics  Fancy term for Forensic Science  Forensic Science – The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system (Saferstein, 2004)  Think Sherlock Holmes!!
  • 8. 8 History & Development  Francis Galton (1822-1911) – First definitive study of fingerprints  Sir Arthur Conan Doyle (1887) – Sherlock Holmes mysteries  Leone Lattes (1887-1954) – Discovered blood groupings (A,B,AB, & 0)  Calvin Goddard (1891-1955) – Firearms and bullet comparison  Albert Osborn (1858-1946) – Developed principles of document examination  Hans Gross (1847-1915) – First treatise on using scientific disciplines in criminal investigations.
  • 9. 9 History & Development  Edmond Locard (1877-1966) – Principle of Exchange  “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” – The purpose of an investigation is to locate identify and preserve evidence-data on which a judgment or conclusion can be based.  FBI (1932) – National Lab to provide forensic services to all law enforcement agencies in the country
  • 10. 10 Crime Lab  Basic services provided – Physical Science Unit  Chemistry, physics, geology – Biology Unit  DNA, blood, hair & fiber, body fluids, botanical – Firearms Unit – Document Examination – Photography Unit
  • 11. 11 Crime Lab  Optional Services – Toxicology Unit – Latent Fingerprint Unit – Polygraph Unit – Voice Print Analysis Unit – Evidence Collection Unit (Rather new)
  • 12. 12 Other Forensic Science Services  Forensic Pathology – Sudden unnatural or violent deaths  Forensic Anthropology – Identification of human skeletal remains  Forensic Entomology – Insects  Forensic Psychiatry  Forensic Psychology  Forensic Odontology – Dental  Forensic Engineering  ***Digital Forensics***
  • 13. 13 Digital Forensic Science  Digital Forensic Science (DFS): “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Source: (2001). Digital Forensic Research Workshop (DFRWS)
  • 14. 14 Communities  There at least 3 distinct communities within Digital Forensics – Law Enforcement – Military – Business & Industry  Possibly a 4th – Academia
  • 17. 17 The Process  The primary activities of DFS are investigative in nature.  The investigative process encompasses – Identification – Preservation – Collection – Examination – Analysis – Presentation – Decision
  • 19. 19 Subcategories of DFS  There is a consensus that there are at least 3 distinct types of DFS analysis – Media Analysis  Examining physical media for evidence – Code Analysis  Review of software for malicious signatures – Network Analysis  Scrutinize network traffic and logs to identify and locate
  • 20. 20 Media Analysis  May often be referred to as computer forensics.  More accurate to call it media analysis as the focus is on the various storage medium (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.)  Excludes network analysis.
  • 21. 21 Computer Forensics  Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
  • 22. 22 Computer Forensic Activities  Computer forensics activities commonly include: – the secure collection of computer data – the identification of suspect data – the examination of suspect data to determine details such as origin and content – the presentation of computer-based information to courts of law – the application of a country's laws to computer practice.
  • 23. 23 The 3 As  The basic methodology consists of the 3 As: – Acquire the evidence without altering or damaging the original – Authenticate the image – Analyze the data without modifying it
  • 24. 24 Computer Forensics - History  1984 FBI Computer Analysis and Response Team (CART)  1991 International Law Enforcement meeting to discuss computer forensics & the need for standardized approach  1997 Scientific Working Group on Digital Evidence (SWGDE) established to develop standards  2001 Digital Forensic Research Workshop (DFRWS) development of research roadmap  2003 Still no standards developed or corpus of knowledge (CK)
  • 25. 25 Context of Computer Forensics •Homeland Security •Information Security •Corporate Espionage •White Collar Crime •Child Pornography •Traditional Crime •Incident Response •Employee Monitoring •Privacy Issues •???? Digital Forensics Computer Forensics
  • 26. 26 Fit with Information Assurance  Computer Forensics is part of the incident response (IR) capability  Forensic “friendly” procedures & processes  Proper evidence management and handling  IR is an integral part of IA
  • 27. 27 Incident Response Methodology (PDCAERF) Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back Digital Forensics/Evidence Management
  • 28. 28 (PDCAERF)  Preparation – Being ready to respond – Procedures & policies – Resources & CSIRT creation – Current vulnerabilities & counter-measures  Detection/Notification – Determining if an incident or attempt has been made – IDS – Initial actions/reactions – Determining the scope – Reporting process
  • 29. 29 (PDCAERF)  Containment – Limit the extent of an attack – Mitigate the potential damage & loss – Containment strategies  Analysis & Tracking – How the incident occurred – More in-depth analysis of the event – Tracing the incident back to its source
  • 30. 30 (PDCAERF)  Eradication/ Repair-Recovery – Recovering systems – Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.) – Hardening systems – Dealing with patches
  • 31. 31 (PDCAERF)  Follow-up – Review the incident and how it was handled – Postmortem analysis – Lessons learned – Follow-up reporting
  • 32. 32 Challenges  Eric Holder, Deputy Attorney General of the United States Subcommittee on Crime of the House Committee on the Judiciary and the Subcommittee on Criminal Oversight of the Senate Committee on the Judiciary:  Technical challenges that hinder law enforcement’s ability to find and prosecute criminals operating online;  Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, social changes; and  Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.
  • 33. 33 Challenges  NIJ 2001 Study  There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes.  Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.  Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
  • 34. 34 General Challenges  Computer forensics is in its infancy  Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector  No real basic theoretical background upon which to conduct empirical hypothesis testing  No true professional designations  Proper training  At least 3 different “communities” with different demands  Still more of a “folk art” than a true science
  • 35. 35 Legal Challenges  Status as scientific evidence??  Criteria for admissibility of novel scientific evidence (Daubert v. Merrell) – Whether the theory or technique has been reliably tested; – Whether the theory or technique has been subject to peer review and publication; – What is the known or potential rate of error of the method used; and – Whether the theory or method has been generally accepted by the scientific community.  Kumho Tire extended the criteria to technical knowledge
  • 36. 36 Specific Challenges  No International Definitions of Computer Crime  No International agreements on extraditions  Multitude of OS platforms and filesystems  Incredibly large storage capacity – 100 Gig Plus – Terabytes – SANs
  • 37. 37 Specific Challenges  Small footprint storage devices – Compact flash – Memory sticks – Thumb drives – Secure digital  Networked environments  RAID systems  Grid computing  Embedded processors  Other??
  • 38. 38 Specific Challenges  Where is the “crime scene?” Perpetrator’s System Victim’s System Electronic Crime Scene Cyberspace
  • 39. 39 Specific Challenges  What constitutes evidence??  What are we looking for??
  • 40. 40 Summary  DFS is a sub-discipline of criminalistics  DFS is a relatively new science  3 Communities – Legal, Military, Private Sector/Academic  DFS is primarily investigative in nature  DFS is made up of – Media Analysis – Code Analysis – Network Analysis
  • 41. 41 Summary  Computer Forensics is a sub-discipline within DFS  Computer Forensics is part of an IR capability  3 A’s of the Computer Forensic Methodology  There are many general and specific challenges  There is a lack of basic research in this area  Both DFS and Computer Forensics are immature emerging areas