SURVEY OF
CYBER
FORENSICS
AND CYBER
SECURITY
IRA WILSKER
July 17, 2014
Be sure to follow
the Justice
Department
Guidelines
published in
“Searching and
Seizing
Computers and
Obtaining
Electronic
Evidence in
Criminal
Investigations”
which can be
found online
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf
WARRANTS
If the equipment is seized
pursuant to a criminal
investigation, be absolutely
sure that a search warrant
has been issued prior to
any type of analysis unless
exigent circumstances,
consent, or other legal
requirements are met
Failure to have a proper and
timely issued warrant or
other exception may likely
render the computer and
anything found in it
inadmissible as evidence.
Follow proper protocols.
IF THE COMPUTER IS TURNED ON
WHEN ENCOUNTERED, DO NOT
TURN IT OFF OR UNPLUG IT.
FOLLOW ESTABLISHED PROTCOLS
FOR SAVING ANY DATA THAT MAY
BE STORED IN VOLATILE RAM
PRIOR TO ANY SHUT DOWN
IF THE COMPUTER IS OFF WHEN
ENCOUNTERED, DO NOT TURN IT
ON – FOLLOW APPROPRIATE
PROTOCOLS FOR A SECURITY
CHECK AND POSSIBLE REMOVAL
OF ANY FORMS OF HARD DRIVE,
SSD, FLASH MEMORY, OR OTHER
STORAGE DEVICE
BEWARE!
Suspect Computers May Be BOOBY-TRAPPED
with either destructive software that will significantly wipe
and destroy any data on the hard drive, or with EXPLOSIVES.
There are many documented cases of both.
It is COMMON for organized groups of PEDOPHILES and
CHILD PORNOGRAPHERS to have software “bombs” that will
automatically initiate a high grade wipe utility. These wipe
utilities my be initiated with a single keystroke, an icon, a
voice command, speech recognition, or other form of input.
There is serious debate in the forensics community as to
whether the power should be shut off at the time of a raid in
order to prevent the hard drive from being wiped; but this
may lead to the loss of volatile RAM. Many pedophiles use a
UPS to prevent the computer from being externally shut
down if the power is lost, thus allowing data destruction to
continue.
It is not unusual for drug dealers and terrorists to plant
EXPLOSIVES inside or in close proximity of the computer
case which can detonate if the case is moved, opened, hard
drive removed, or other common investigative processes
occur.
SOURCES:
http://cleaninternetcharity.com/2013/03/21/how-pedophiles-booby-trap-their-computers
http://www.jurispro.com/uploadArticles/Pelton-Destroyed.pdf
LEADING COMMERCIAL FORENSIC SOFTWARE PRODUCTS
UNIVERSALLY ACCEPTED AS VALID IN COURT
ENCASE
https://www.guidancesoftware.com
FORENSIC TOOLKIT (FTK)
http://www.accessdata.com/solutions/digital-forensics/ftk
OPEN SOURCE FORENSIC SOFTWARE
FREE, BUT NOT ALWAYS ACCEPTED IN COURT
AUTOPSY and THE SLEUTH KIT
http://www.sleuthkit.org
Digital Forensics Framework
http://www.digital-forensic.org
SOURCE:
http://www.justice.gov/criminal/cybercrime/docs/forensics_chart.pdf
THERE IS AN ORDERLY SEQUENCE WHICH MUST (SHOULD ) BE
FOLLOWED IN ORDER TO PROPERLY MEET THE LEGAL AND
TECHNICAL REQUIREMENTS FOR A PROPER CYBER FORENSIC
INVESTIGATION
TECHNOLOGY, LEGISLATION, and COURT RULINGS
ARE DYNAMIC AND EVER CHANGING
There is a necessity that cyber forensic investigators stay informed of
factors that can impact or influence their activities. Several resources are
available that should be frequently monitored for these changes.
http://www.swgde.org
THERE ARE ALSO SEVERAL OTHER EXCELLENT
RESOURCES THAT THE INVESTIGATOR SHOULD
UTILIZE IN ORDER TO BE AWARE OF CHANGES AND
TO STAY CURRENT WITH LEGAL AND OTHER ISSUES
http://www.hightechcrimecops.org
OTHER ONLINE RESOURCES WITH INFORMATION ON
CYBER FORENSIC TRENDS
http://publicintelligence.net
http://www.justice.gov/criminal/cybercrime
http://nc4.net/cybercop.php
https://cybercop.esportals.com
http://www.justnet.org/ect_coe/Pages/Home.aspx
http://www.htcia.org
http://www.infragard.net
CONTACT:
IRA WILSKER ira.wilsker@lit.edu