About the Presentations
• opening of each chapter.
• All chapter objectives are listed in the beginning of each presentation.
• You may customize the presentations to fit your class needs.
• Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
Computer Forensics: Investigation Procedures and Response, Second Edition
Chapter 1 Computer Forensics in Today’s World
© Cengage Learning 2017
Objectives
After completing this chapter, you should be able to:
• Understand computer forensics
• Understand the need for computer forensics
• Understand the objectives of computer forensics
• Understand the benefits of forensic readiness
• Understand forensic readiness planning
• Understand cyber crime
• Understand the types of computer crimes
Objectives
After completing this chapter, you should be able to (cont’d):
• Understand the key steps in forensic investigations
• Understand the need for forensic investigators
• Understand the enterprise theory of investigation (ETI)
• Understand legal issues involved in computer forensics
• Understand how to report the results of forensic investigations
Introduction to Computer Forensics in Today’s World
• This chapter
– Focuses on computer forensics in today’s world
– Discusses some of the most important problems and concerns that forensic investigators face today
– Presents the evolution of computer forensics and explains forensic science and computer forensics
– Discusses the need for computer forensics and the objectives and methodologies used therein
– Covers aspects of organizational security, forensic readiness, and cyber crime
– Explains cyber crime investigations
Evolution of Computer Forensics
• 1888: Francis Galton made the first-ever recorded study of fingerprints to catch potential criminals
• 1915: Leone Lattes was the first person to use blood groupings to connect criminals to a crime
• 1925: Calvin Goddard became first person to make use of firearms and bullet comparisons
• 1932: The FBI set up a laboratory to provide forensic services to all field agents
• 1984: The Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices searching for computer evidence
Evolution of Computer Forensics
• 1998: Directors of the Federal Crime Laboratory agreed to form the Scientific Working Group on Digital Evidence (SWGDE)
• 2000: The first FBI Regional Computer Forensic Laboratory (RCFL) was established for the examination of digital evidence in support of criminal investigations
• 2003: The American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) approved digital evidence as part of its accreditation process
Evolution of Computer Forensics
• 2006: The SWGDE released version 2.1 of its “Best Practices” on July 19
• 2012: FBI Computer Analysis and Response Team (CART) caseload exceeds 13,300 digital examinations
• 2014: SP 800-101 Rev. 1, Guidelines for Mobile Device Forensics, was released
Forensic Science
• Forensic science
– The application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters, to the end that injustice shall not be done to any member of society
• Main aim of any forensic investigation
– To determine the evidential value of the crime scene and the related evidence
Forensic Science
• Forensic scientists:
– Properly analyze the physical evidence
– Provide expert testimony in court
– Furnish training in the proper recognition, collection, and preservation of physical evidence
Computer Forensics
• Computer forensics is:
– The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found
Computer Forensics
• Need for computer forensics – benefits:
– Ensures the overall integrity and continued existence of an organization’s computer systems
– Helps the organization capture important information if its computer systems are compromised
– Extracts, processes, and interprets the actual evidence in order to prove the attacker’s actions
– Efficiently tracks down cyber criminals and terrorists
– Saves the organization money and valuable time
– Tracks complicated cases such as child pornography and e-mail spamming
Computer Forensics
• Objectives of computer forensics
– To recover, analyze, and preserve the computer and related materials suitable as evidence in a court of law
– To identify the evidence in a short amount of time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
Computer Forensics
• Computer forensic methodologies
– Preservation
– Identification
– Extraction
– Interpretation
– Documentation
Computer Forensics
• Broad tests for evidence
– After the evidence is collected, investigators perform general tests on the evidence to determine:
• Authenticity – must establish the source of the evidence, i.e. that it is what it purports to be and came from where it is claimed to have come
• Reliability – must establish that the evidence is dependable and free from defects, i.e. that it has not been altered or corrupted since collection
Computer Forensics
• Security incidents
– An increase in Internet IT activities brings with it an increase in cyber crime activities
Figure 1-1 The number of companies that reported a security breach according to a 2015 survey
Aspects of Organizational Security
• IT security
– Application security
– Computing security
– Data security
– Information security
– Network security
• Physical security
– Facilities security
– Human security
Aspects of Organizational Security
• Financial security
– Security from fraud
• Legal security
– National security
– Public security
Forensic Readiness
• Forensic readiness
– Involves an organization having specific incident response procedures in place, with designated trained personnel assigned to handle any investigation
– Enables an organization to collect and preserve digital evidence in a quick and efficient manner
– Combined with an enforceable security policy, helps to mitigate the risk of threats from employees
Forensic Readiness
• Benefits of having an incident response team
– Evidence can be accumulated to act in the company’s defense
– Comprehensive evidence collection can be used as a deterrent to insider threat
– In the event of a major incident, a fast and efficient investigation can be conducted with minimal disruption to day-to-day business activity
– A fixed and structured approach to storage of all digital information can reduce the costs of court-ordered disclosure
Forensic Readiness
• Benefits of having an incident response team (cont’d)
– Demonstrates due diligence and good corporate governance of information assets
– Can demonstrate that regulatory requirements have been met
– Can improve upon and make the interface to law enforcement easier
– Can improve the prospects of successful legal action
– Can provide evidence to resolve commercial or privacy disputes
Goals of Forensic Readiness
• Collect critical evidence in a forensically sound manner without interfering with normal business
• Gather evidence demonstrating possible criminal activity or disputes
• Allow an investigation to proceed while keeping cost proportional to the cost of the incident
• Ensure that any evidence collected can have a positive effect on the outcome of any legal proceeding
Forensic Readiness Planning
• Define the business scenarios that might require the collection of digital evidence
• Identify the potential available evidence
• Determine the evidence collection requirement
• Designate procedures for securely collecting evidence that meets the defined requirement in a forensically acceptable manner
• Establish a policy for securely handling and storing the collected evidence
Forensic Readiness Planning
• Ensure that the monitoring process is designed to detect and prevent unexpected or adverse incidents
• Ensure investigative staff members are properly trained and capable of completing any task related to evidence collection and preservation
• Create step-by-step documentation of all activities performed and their impact
• Ensure authorized review to facilitate action in response to the incident
Cyber Crime
• Cyber crime
– Any illegal act that involves a computer, its systems, or its applications
• Cyber crimes are generally categorized by:
– Tools of the crime
– Target of the crime
• Cyber crimes include:
– Crimes directed against a computer
– Crimes in which the computer contains evidence
– Crimes in which the computer is used in the crime
Computer-Facilitated Crimes
• Computers can facilitate crimes such as:
– Spamming
– Corporate espionage
– Identity theft
– Writing or spreading computer viruses and worms
– Denial-of-service attacks
– Distribution of pornography
Modes of Attacks
• Insider attacks
– Occur when there is a breach of trust by employees within the organization
– Can be extremely difficult to detect or to protect against
• External attacks
– Originate from outside the organization
– Often succeed because of poor information security policies and procedures
Modes of Attacks
Figure 1-2 Insider attacks occur when there is a breach of trust by employees within the organization
Modes of Attacks
Figure 1-3 External attacks originate from outside the organization
Examples of Cyber Crime
• Fraud achieved through the manipulation of computer records
• Spamming where outlawed completely or where regulations controlling it are violated
• Deliberate circumvention of computer security systems
• Unauthorized access to or modification of software programs
• Intellectual property theft
• Industrial espionage by access to or theft of computer materials
Examples of Cyber Crime
• Identity theft accomplished through the use of fraudulent computer transactions
• Writing or spreading computer viruses or worms
• “Salami slicing,” which is the practice of stealing money repeatedly in small quantities
• Denial-of-service attacks
• Making and digitally distributing child pornography
Types of Computer Crimes
• Identity theft
• Hacking
• Computer viruses and worms
• Cyber stalking
• Cyber bullying
• Drug trafficking
• Program manipulation fraud
• Credit card fraud
• Financial fraud
Types of Computer Crimes
• Online auction fraud
• E-mail bombing and spamming
• Theft of intellectual property
• Denial-of-service (DoS) attacks
• Debt elimination
• Webjacking
• Internet extortion
• Investment fraud
• Escrow services fraud
Types of Computer Crimes
• Cyber defamation
• Software piracy
• Counterfeit cashier’s checks
• Damage to company service networks
• Embezzlement
• Copyright piracy
• Child pornography
• Password trafficking
• Hacker system penetrations
• Telecommunications crime
Cyber Crime Investigations
• Investigation of any crime involves the collection of clues and forensic evidence with an attention to detail
• Cyber crime investigation
– Requires extensive research and highly specialized skills
– Follows a series of investigation phases and analysis techniques
• Attention to the details of the method of attack and identification of the appropriate evidence are of critical importance
Key Steps in a Forensic Investigation
• Investigation is initiated the moment the computer crime is suspected
• Immediate response is to collect preliminary evidence
• Court warrant for seizure (if required) is obtained
• First responder procedures are performed
• Evidence is seized at the crime scene
• Evidence is securely transported to the forensic laboratory
• Two bit-stream copies of the evidence are created
Key Steps in a Forensic Investigation
• An MD5 checksum is generated on the images and compared with the checksum of the original
– Because MD5 collisions are practical today, current practice records a collision-resistant hash such as SHA-256 alongside (or instead of) MD5
• Chain of custody is prepared
• Original evidence is stored in a secure location
• Image copy is analyzed for evidence
• Forensic report is prepared
• Report is submitted to the client
• If required, the investigator may attend court and testify as an expert witness
Rules of Forensic Investigations
• Rules of computer forensics must be followed while handling and analyzing evidence to ensure integrity
– The forensic examiner must make duplicate copies of the original evidence and perform the analysis on a copy, never on the original
– The extent of and reason for any modification to the evidence must be recorded
– Computer forensic examiners must not continue with the investigation if it is going to be beyond their knowledge or skill level
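The following is an added example, not code from the textbook or its publisher, that carries out the acquisition steps from the two preceding "Key Steps" slides and the rules above on a file: hash the original, produce two bit-stream copies, verify each copy against the original's hashes, write-protect the original, and open a chain-of-custody record. It records SHA-256 next to MD5, as the caveat above recommends. The evidence bytes, file names and examiner name are constructed for the demonstration, and the copies are file-to-file rather than device-level `dd` images.

```python
"""Added example (not from the textbook): acquire two bit-stream copies of an
evidence file, hash original and copies, and start a chain-of-custody record.
Evidence bytes, file names and the examiner name below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 is kept for compatibility with older procedures; SHA-256 is the one to rely on.
HASHES = ("md5", "sha256")


def hash_file(path, chunk=1 << 20):
    """Return {algorithm: hexdigest} for the file, streamed so large images fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as f:
        while block := f.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(src, dst, chunk=1 << 20):
    """Byte-for-byte copy: the file-level analogue of imaging a drive with dd."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while block := fin.read(chunk):
            fout.write(block)
    return dst


def acquire(original, workdir, examiner):
    """Hash the original, make two verified bit-stream copies, write-protect the
    original and return the chain-of-custody record (also written to custody.json)."""
    reference = hash_file(original)
    copies = []
    for n in (1, 2):
        dst = os.path.join(workdir, f"image{n}.dd")
        bitstream_copy(original, dst)
        digests = hash_file(dst)
        if digests != reference:  # a copy that does not hash identically is not evidence
            raise RuntimeError(f"{dst}: hash mismatch, copy is not a faithful image")
        copies.append({"path": dst, "hashes": digests})
    os.chmod(original, 0o444)  # original goes to secure storage; analysis uses a copy
    record = {
        "item": os.path.basename(original),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # constructed name
        "original_hashes": reference,
        "copies": copies,
        "notes": "image1.dd is the working master; analysis is performed on image2.dd",
    }
    with open(os.path.join(workdir, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_integrity(path, expected):
    """Re-hash an image later (e.g. before testimony); True only if nothing changed."""
    return hash_file(path) == expected


def demo():
    """Run the procedure on a constructed evidence file, then tamper with one copy
    to show that re-verification catches a silent modification."""
    workdir = tempfile.mkdtemp(prefix="case-")
    original = os.path.join(workdir, "suspect_disk.bin")
    with open(original, "wb") as f:  # constructed sample evidence, not real data
        f.write(b"MBR\x00" * 512 + b"deleted_invoice.xlsx\x00" + os.urandom(4096))
    record = acquire(original, workdir, examiner="J. Doe")
    with open(record["copies"][0]["path"], "r+b") as f:  # simulate a modified copy
        f.seek(10)
        f.write(b"X")
    return {
        "record": record,
        "copy1_intact": verify_integrity(record["copies"][0]["path"], record["original_hashes"]),
        "copy2_intact": verify_integrity(record["copies"][1]["path"], record["original_hashes"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash comparison is the "authenticity" and "reliability" test from the Broad Tests slide in executable form: the record ties each image to the original by digest, and any later re-verification that fails means the image can no longer be presented as a faithful copy.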
Need for Forensic Investigators
• A forensic investigator helps organizations and law enforcement agencies investigate and prosecute the perpetrators of cyber crimes
• Some tasks they may perform:
– Determine the extent of any damage done during the crime
– Recover data of investigative value from computers
– Gather evidence in a forensically sound manner
– Ensure the evidence is not damaged in any way
– Create an image of the original evidence without tampering
– Guide officials in carrying out the investigation
– Reconstruct damaged disks or other storage devices
Accessing Computer Forensic Resources
• The Internet has many sites that help computer forensic investigators stay in touch with the growing technical world
• User groups can be helpful when information is needed about unknown OSs encountered during a computer forensic investigation
• Examples of associations:
– International Society of Forensic Computer Examiners (ISFCE)
– High Technology Crime Investigation Association (HTCIA)
– American Society of Digital Forensics & eDiscovery (ASDFED)
Role of Digital Evidence
• When intruders bypass the security settings of a victim’s computer or network, they often leave evidence that can serve as clues to document the attack
• Activities that can leave evidence include:
– Use/abuse of the Internet
– Production of false documents and accounts
– Encrypted or password-protected material
– Abuse of the systems
– E-mail contact between suspects/conspirators
– Theft of commercial secrets
Understanding Corporate Investigations
• Private investigations involve private companies and attorneys addressing a company’s policy violations and litigation disputes
• One of the most common corporate crimes is embezzlement
• Another common crime is corporate sabotage
• Others include:
– E-mail harassment, falsification of information, and fraud
Enterprise Theory of Investigation (ETI)
• Methodology of investigating criminal activity that uses a holistic approach to look at any criminal activity as a piece of a criminal operation rather than as a single criminal act
• By combining ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment
– Rather than having to pursue each criminal act one at a time
Legal Issues
• The expert should be able to consider all possible conclusions of investigations in order to be free from bias
• Forensic experts must do the following:
– Adhere to the chain of custody
– Be thoroughly equipped with the knowledge of law
– Present evidence that is:
• Authentic, accurate, whole, acceptable, and admissible
Reporting the Results
• All investigation efforts will be in vain if the final report is either incomplete or incomprehensible
• A good investigation report contains:
– Methods of investigation
– Adequate supporting data
– Description of data collection techniques
– Calculations used
– Error analysis
– Results and comments
– Graphs and statistics explaining the results
Reporting the Results
• A good investigation report contains (cont’d):
– References
– Appendices
– Acknowledgments
– Litigation support reports
Summary
• Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence
• The need for computer forensics has increased because computer crimes are increasing
• The overall objective of all computer forensic phases is to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law
• IT systems and information security must be used to protect organizations from cyber crime activities
Summary
• Forensic readiness supports an organization’s prerequisite need to protect and use digital evidence
• Cyber crime is any illegal act involving a computer, its systems, or its applications
• Cyber crime investigations require extensive research, highly specialized skills, and follow a series of investigation phases and analysis techniques
Summary
• A forensic results report may be used as evidence if properly documented and supported by the testimony of a trained forensic investigator