CUIT420:
CYBER SECURITY
MS CHIMHENO
rchimheno@cut.ac.zw
Office: E-12
L11 - INTRO TO COMPUTER FORENSICS
2
DIGITAL FORENSIC SCIENCE
• Digital Forensic Science (DFS):
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
Source: Digital Forensic Research Workshop (DFRWS), 2001
3
COMMUNITIES
• There are at least 3 distinct communities within Digital Forensics:
  - Law Enforcement
  - Military
  - Business & Industry
  - Possibly a 4th – Academia
4
DIGITAL FORENSIC SCIENCE
5
COMMUNITY OBJECTIVES
6
CYBER FORENSICS
• Includes:
  - Networks (Network Forensics)
  - Small Scale Digital Devices
  - Storage Media (Computer forensics)
  - Code Analysis
7
CYBER FORENSICS
• The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.
8
CYBER FORENSIC ACTIVITIES
• Cyber forensics activities commonly include:
  - the secure collection of computer data
  - the identification of suspect data
  - the examination of suspect data to determine details such as origin and content
  - the presentation of computer-based information to courts of law
  - the application of a country's laws to computer practice.
9
THE 3 AS
• The basic methodology consists of the 3 As:
  - Acquire the evidence without altering or damaging the original
  - Authenticate the image
  - Analyze the data without modifying it
10
CONTEXT OF CYBER FORENSICS
• Homeland Security
• Information Security
• Corporate Espionage
• White Collar Crime
• Child Pornography
• Traditional Crime
• Incident Response
• Employee Monitoring
• Privacy Issues
• ????
(Diagram labels: Digital Forensics, Cyber Forensics)
11
CRIME SCENES
- Physical Crime Scenes vs. Cyber/Digital Crime Scenes
- Overlapping principles
- The basics of criminalistics are constant across both physical and cyber/digital
- Locard’s Principle applies: “When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived”
12
DIGITAL CRIME SCENE
Digital Evidence: digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)
Digital Crime Scene: the electronic environment where digital evidence can potentially exist (Rogers, 2005)
Primary & Secondary Digital Scene(s) as well
13
FORENSIC PRINCIPLES
- Digital/electronic evidence is extremely volatile!
- Once the evidence is contaminated it cannot be de-contaminated!
- The court's acceptance is based on the best evidence principle. With computer data, printouts or other output readable by sight, and bit stream copies, adhere to this principle.
- Chain of Custody is crucial
14
CYBER FORENSIC PRINCIPLES
The 6 Principles are:
• When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
• Upon seizing digital evidence, actions taken should not change that evidence.
• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
• All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
• An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
• Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
15
PROCESS/PHASES
Identification
Collection
Bag & Tag
Preservation
Examination
Analysis
Presentation/Report
16
IDENTIFICATION
The first step is identifying evidence and potential containers of evidence.
More difficult than it sounds:
- Small scale devices
- Non-traditional storage media
- Multiple possible crime scenes
17
DEVICES IDENTIFICATION
18
IDENTIFICATION
- Context of the investigation is very important
- Do not operate in a vacuum!
- Do not overlook non-electronic sources of evidence: manuals, papers, printouts, etc.
19
COLLECTION
- Care must be taken to minimize contamination
- Collect or seize the system(s)
- Create forensic image
  Live or Static?
  Do you own the system?
  What does your policy say?
20
21
COLLECTION: DOCUMENTATION
22
COLLECTION: DOCUMENTATION
Take detailed photos and notes of the computer / monitor.
If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE
23
COLLECTION: DOCUMENTATION
Make sure to take photos and notes of all connections to the computer/other devices
24
COLLECTION: IMAGING
• Rule of Thumb: make 2 copies and don’t work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  - Preserves the original evidence
  - Prevents inadvertent alteration of original evidence during examination
  - Allows recreation of the duplicate image if necessary
25
COLLECTION: IMAGING
• Digital evidence can be duplicated with no degradation from copy to copy
  - This is not the case with most other forms of evidence
26
COLLECTION: IMAGING
• Write blockers
  - Software
  - Hardware
• Hardware write blockers are becoming the industry standard
  - USB, SATA, IDE, SCSI, SIM, Memory Cards
  - Not BIOS dependent
  - But still verify prior to usage!
27
COLLECTION: IMAGING
• Forensic Copies (Bitstream)
  - Bit for Bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
    - Often the “smoking gun” is found in the residual data.
• Imaging from a disk (drive) to a file is becoming the norm
  - Multiple cases stored on same media
  - No risk of data leakage from underlying media
• Remember: avoid working from the original
28
IMAGING: AUTHENTICITY & INTEGRITY
• How do we demonstrate that the image is a true unaltered copy of the original?
  - Hashing (MD5, SHA-256)
    - A mathematical algorithm that produces a unique value (128 Bit, 512 Bit)
  - Can be performed on various types of data (files, partitions, physical drive)
• The value can be used to demonstrate the integrity of your data
  - Changes made to data will result in a different value
• The same process can be used to demonstrate the image has not changed from time-1 to time-n
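As an added example (not part of the slides or the lecturer's material), the following Python script walks through the hashing workflow these bullets and Editor's Note #29 describe: record MD5 and SHA-256 digests of an image at time-1, re-verify them at time-n, and hash only a sector range the way the note hashes the "Data Area". The image file, its 512-byte sector size and the altered byte are all constructed here and stand in for real evidence.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed image


def hash_bytes(data, algo="sha256"):
    """Digest of an in-memory byte string (small checks and the test below)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algos=("md5", "sha256"), chunk=1 << 20):
    """Hash a whole image file in fixed-size chunks, so a multi-GB image
    never has to fit in memory; all requested digests are computed in one pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_sectors(path, first, last, algo="sha256", sector=SECTOR):
    """Hash an inclusive sector range of an image, the way Editor's Note #29
    hashes only the 'Data Area' (sectors 3246-1648013) rather than the whole drive."""
    h = hashlib.new(algo)
    remaining = (last - first + 1) * sector
    with open(path, "rb") as f:
        f.seek(first * sector)
        while remaining > 0:
            block = f.read(min(remaining, 1 << 20))
            if not block:  # image shorter than the requested range
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def verify_image(path, recorded):
    """Time-n check: re-hash and compare with the digests recorded at time-1.
    Returns one True/False per algorithm so a mismatch names the failing digest."""
    current = hash_file(path, algos=tuple(recorded))
    return {a: current[a] == recorded[a] for a in recorded}


def demo():
    """Acquire -> record digests -> verify, then show one altered byte breaks it."""
    # Constructed sample 'image': 64 sectors of deterministic bytes, not real evidence.
    image = bytes((i * 7 + 3) % 256 for i in range(64 * SECTOR))
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        record = hash_file(path)            # time-1: these go into the case notes
        ok_before = verify_image(path, record)
        # Simulated contamination: one byte in sector 10 changes (e.g. the
        # device was mounted without a write blocker). XOR guarantees a change.
        off = 10 * SECTOR + 5
        with open(path, "r+b") as f:
            f.seek(off)
            f.write(bytes([image[off] ^ 0xFF]))
        ok_after = verify_image(path, record)
        # A region hash over sectors 20-40 still matches, which localises the damage.
        region_ok = hash_sectors(path, 20, 40) == hash_bytes(image[20 * SECTOR:41 * SECTOR])
        return ok_before, ok_after, region_ok
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Both digests are recorded because, as the Examination slide notes, the image is re-verified before analysis and an examiner should not rely on a single algorithm.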
29
EXAMINATION
• Higher level look at the file system representation of the data on the media
• Verify integrity of image
  - MD5, SHA1 etc.
• Recover deleted files & folders
• Determine keyword list
  - What are you searching for?
• Determine time lines
  - What is the timezone setting of the suspect system?
  - What time frame is of importance?
  - Graphical representation is very useful
30
EXAMINATION
• Examine directory tree
  - What looks out of place?
  - Stego tools installed
  - Evidence Scrubbers
• Perform keyword searches
  - Indexed
  - Slack & unallocated
• Search for relevant evidence types
  - Hash sets can be useful
  - Graphics
  - Spreadsheets
  - Hacking tools
  - Etc.
• Look for the obvious first
• When is enough enough??
ISSUES
• Lack of certification for tools
• Lack of standards
• Lack of certification for professionals
• Lack of understanding by Judiciary
• Lack of curriculum accreditation
• Rapid changes in technology!
• Immature Scientific Discipline
31
CAREERS
• One of the fastest growing job markets!
32
PATHS TO CAREERS IN CF
• Certifications
• Associate Degree
• Bachelor Degree
• Post Grad Certificate
• Masters
• Doctorate
33
JOB FUNCTIONS
• CF Technician
• CF Investigator
• CF Analyst/Examiner (lab)
• CF Lab Director
• CF Scientist
34
PROFESSIONAL OPPORTUNITIES
• Law Enforcement
• Private Sector
• Intelligence Community
• Military
• Academia
35

Editor's Notes

  • #3: On board: preservation, collection, validation, identification, analysis, interpretation, documentation and presentation
  • #4: List on the board.
  • #8: What are the important components?
  • #9: Application of laws very NB. Discuss this.
  • #10: Why are these so important?
  • #25: Never do anything that might inadvertently cause something to be written to the suspect’s original media.
  • #26: Whether analyzed on site or taken to the lab, it is essential to protect the integrity of the data. A duplicate image, also known as a bit-copy, image, or clone, is an exact, bit-for-bit copy of the source media. A duplicate image of a physical device will be a true, digital copy of the entire physical device, including partition tables, reserved areas, partitions and unused areas of the device. A duplicate image of a logical drive will be a bit-for-bit copy of the original logical drive, including Boot Record, FATs, Root Directory, Data Area, and Partition Slack.
  • #29: Developed in 1994, MD5 is a one-way hash algorithm that takes any length of data and produces a 128 bit value, that is a “fingerprint” or “message digest”. This value is “non-reversible”; it is “computationally infeasible” to determine the data based on the value. This means someone cannot figure out your data based on its MD5 value. Here is an example of a MD5 output for the data area:
    Processing Data Area: sectors 3246-1648013
    MD5 Checksum for: Data Area = 945df74c54de310690e17487d6203876
    The actual value is 945df74c54de310690e17487d6203876. A mathematical algorithm was applied to the "Data area" to produce the value (to learn the mathematical details about the algorithm, check out RFC 1321 at http://www.cis.ohio-state.edu/rfc/rfc1321.txt). Every time an MD5 hash is performed on the data area, it should result in the exact same value. If a different value is obtained, then the data area has been altered. Source: www.enteract.com/~lspitz/md5.html
    Definitions:
    Hash — A hash value (or simply hash) is a number generated from a string of data. The hash is substantially smaller than the data itself, and is generated by a formula in such a way that it is extremely unlikely that some other data will produce the same hash value.
    One-way hash function — An algorithm that turns data into a fixed string of digits, usually for security or data management purposes. The "one way" means that it's nearly impossible to derive the original data from the string.
    Message Digest (MD) — The representation of data in the form of a single string of digits, created using a formula called a one-way hash function.
    Algorithm — A formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point.