introduction to computer forensics

Computer Forensics: CCF2010/KFR20403
Chapter 1: Introduction to Computer Forensics
Introduction

Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes.

Computer forensics:
• uses computers to analyze complex data (for example, connections between individuals by examination of telephone logs or bank account transactions).
• employs computers in the court, in the form of computer graphics, to clarify a complex situation such as a fraud or as a replacement for large volumes of paper-based exhibits and statements.

So, what actually is computer forensics?
• Computer forensics is about evidence from computers that is sufficiently reliable to stand up in court and be convincing.
• Computer forensics, also referred to as computer forensic analysis, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user.
• Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
• The continuing technological revolution in communications and information exchange has created an entirely new form of crime, which is computer crime.
• Computer crime has forced the computer and law enforcement professions to develop new areas of expertise and avenues of collecting and analyzing evidence.
• Computer crime has developed the science of computer forensics.

Roles of a Computer in a Crime

The computer can play one of three roles in a computer crime:
• It can be the target of the crime.
• It can be the instrument of the crime.
• It can serve as evidence of the crime.

The computer can have multiple roles. For example, a hacker may use the computer as the tool to break into another computer and steal files, then store them on the computer.
The computer can also serve as a file cabinet storing critical evidence.
When investigating a case, it is important to know what roles the computer played in the crime.
The Computer Forensic Objective

The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law.

The Computer Forensic Priority

Specifically:
• Its primary concern is with forensic procedures, rules of evidence, and legal processes.
• Its secondary concern is with computers.
Generally:
• Its primary concern is accuracy.
• Its secondary concern is speed.
The Computer Forensics Specialist

• The person responsible for doing computer forensics.
• Will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system.

What are the duties of the Computer Forensics Specialist?
1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of the discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk.
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
8. Provide expert consultation and/or testimony, as required.
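Duties 1, 2, 3 and 6 above in miniature, as an added example that is not part of the original slides: a signature scan ("carving") over a constructed raw disk image recovers a photo whose directory entry was deleted, and the image copy is hashed before and after the examination to document that the examiner altered nothing. The image layout, file names and marker handling are simplifying assumptions; a real carver validates the file structure rather than stopping at the first end marker.

```python
import hashlib

# Constructed sample "disk image" (hypothetical layout, not a real file system):
# a small directory area whose entry for the photo has been blanked out
# ("deleted"), followed by a data area where the photo bytes still remain.
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker

def build_sample_image() -> bytes:
    directory = b"ENTRY:notes.txt\x00" + b"\x00" * 16      # second entry deleted
    deleted_photo = (JPEG_SOI + b"\xe0\x00\x10JFIF\x00"
                     + b"<pixels of a deleted photo>" + JPEG_EOI)
    notes = b"meeting notes: nothing unusual"
    return directory + notes + b"\x00" * 8 + deleted_photo + b"\x00" * 8

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def carve_jpegs(image: bytes) -> list:
    """Recover JPEG files by signature: the directory is ignored entirely,
    so deleted-but-still-present files are found as well as live ones."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found

def examine(image: bytes) -> dict:
    """Hash the working copy before and after examination (duty 1): matching
    hashes document that the examination itself changed nothing."""
    before = sha256_hex(image)
    recovered = carve_jpegs(image)
    after = sha256_hex(image)
    return {"hash_before": before, "hash_after": after,
            "unchanged": before == after, "recovered": recovered}
```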
Who Can Use Computer Forensic Evidence?

• Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: financial fraud, and embezzlement record-keeping.
• Civil litigations can make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
• Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misuse of trade secrets.
• Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
• Individuals hire computer forensics specialists in support of possible claims of illegal termination, sexual harassment, or discrimination.
Computer Evidence Properties and Problems

Computer Evidence Properties:
• Authentic
• Accurate
• Complete
• Convincing to juries
• Allowable

Computer Evidence Problems:
• Computer data changes moment by moment.
• Computer data is invisible to the human eye; it can only be viewed indirectly after appropriate procedures.
• The process of collecting computer data may change it in significant ways.
• Computer and telecommunications technologies are always changing, so that forensic processes can seldom be fixed for very long.
The Nature of Forensics Evidence

Digital Evidence: any data stored or transmitted using a computer that supports or disproves a theory of how an offence occurred or addresses critical elements of the offence.
Digital evidence usually involves the following areas:
• Computer intrusions
• Fraud
• Identity theft
• Intellectual property theft
• Sexual harassment
• Violent crimes
• And so on …
Fraud occurs when someone obtains something of value, usually money or property, from a victim by knowingly making a misrepresentation of a matter of fact. Fraud commonly occurs in the buying or selling of property, particularly real estate and stocks, or in falsifying reports such as taxes and Medicare claims made to obtain benefits from the state or federal government.
Overview of systems security

• Cybercrime is possible because computers and networks are not properly secured.
• Often, applying these simple security measures costs nothing.
• System security is not a thing, it's a process: the process of building a barrier between the network and those who would do harm.
• The key is to make your wall more difficult to cross than someone else's.
• If an attacker specifically wants to breach your security perimeter, given enough time, he or she will be able to do so.
System security is NOT only about:
• keeping out malicious users
• preventing attacks.

It is about:
• maintaining and providing access to resources for authorized users.
• maintaining the integrity of the data and the infrastructure.
Risk-reducing strategies to improve the security of your computer:
1. Deploying Antivirus Software
2. Defining Strong User Passwords
3. Setting Access Permissions
4. Disabling File and Print Sharing
5. Using Network Address Translation (NAT)
6. Deploying a Firewall
7. Disabling Unneeded Services
8. Configuring System Auditing
Deploying Antivirus Software

• Antivirus software is deployed to prevent unauthorized access and to support authorized access.
• When selecting antivirus software, look for the following:
  • The product should originate from a well-known, reputable company.
  • The product should automatically update its virus definitions.
  • The product should scan stored files, memory (RAM), removable media, e-mail, and Web-transmitted data.
  • The product should clean or quarantine any infected files it detects.
Defining Strong User Passwords

Two elements are needed to gain access to a computer:
• Username: most usernames are obvious or very easy to guess.
• Password: passwords must be very strong and kept secure to maintain control over access.

1. Password length and complexity
   • minimum required length (eight characters)
2. Who creates the password?
   • Users creating their own passwords is usually the best option.
3. Forced changing of passwords
   • Administrators can use operating system features to make users change their passwords.
Setting Access Permissions

• Controlling access is an important element in maintaining system security.
• The most secure environments follow the "least privilege" principle.
• This principle states that users are granted the least amount of access possible that still enables them to complete their required work tasks.
• Expansions to that access are carefully considered before being implemented.

Disabling File and Print Sharing

• On most networks where security is important, this service is disabled on all clients.
• This action forces all shared resources to be stored on network servers, which typically have better security and access controls than end-user client systems.

Using Network Address Translation (NAT)

• NAT is a feature of many firewalls, proxies, and routing-capable systems.
• NAT has several benefits:
  • the ability to hide the IP address and network design of the internal network.
  • NAT enables internal clients to use non-routable IP addresses, such as the private IP addresses.
  • NAT restricts traffic flow so that only traffic requested or started by an internal client can cross the NAT system from external networks.
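The three NAT benefits above, shown with a small simulation that is an added example and not code from the original slides: a gateway with one public address rewrites outbound packets from a private client, remembers the session in its translation table, and forwards an inbound packet only when it answers a session an internal client started. The port-mapping model, the class names and the addresses (RFC 5737 documentation ranges and a private 192.168.0.0/16 client) are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatGateway:
    """Minimal port-based NAT (assumed model, not any vendor's implementation).
    The translation table maps a public port to the internal client and the
    external peer that the client contacted."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """An internal client starts a conversation: record a mapping and
        rewrite the source so the private address never leaves the network."""
        session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, existing in self.table.items():
            if existing == session:               # reuse the existing mapping
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = session
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """A packet from the external network is forwarded only if it answers a
        session an internal client started; anything else is dropped (None)."""
        session = self.table.get(pkt.dst_port)
        if session is None or session[2:] != (pkt.src_ip, pkt.src_port):
            return None
        internal_ip, internal_port = session[:2]
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
```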
Deploying a Firewall

• A firewall is a device or a software product whose primary purpose is to filter traffic crossing the boundaries of a network.
• That boundary can be a broadband connection, a dial-up link, or some type of LAN or WAN connection.
• There are several types of firewalls or filtering mechanisms available to handle this job:
  • packet filters
  • stateful inspection systems
  • proxy systems
  • circuit-level filtering
Disabling Unneeded Services

• One of the primary tenets for maintaining physical security in a residence or business property is to reduce the number of pathways an impostor can take to gain access to it.
• Administrators should apply the same perspective in regard to the electronic pathways into the network.
• Any means by which valid data can reach the network or computer is also a potential path for a malicious intruder or attack.
• Systems linked to the Internet should have any unneeded protocols, applications, and services either disabled or completely removed or uninstalled.
Configuring System Auditing

• The only way to know when your system has been breached or when an unsuccessful attempt to enter your security has occurred is to monitor or audit for unusual or abnormal activity.
• Most OSs include native auditing capabilities.
• Windows servers and business-oriented client operating systems such as NT Workstation and Windows 2000/XP Professional provide for security auditing that is tracked through a security log available to administrators through the Event Viewer administrative tool.
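What "auditing for unusual activity" looks like in practice, as an added example that is not part of the original slides: a scan over constructed logon records that flags a burst of failed logons for one user and source inside a short window, and a success that follows such a burst. The record format is a simplified stand-in for a security log, not real Event Viewer output, and the threshold and window are assumed values an administrator would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified logon records (not real Event Viewer output):
# "<date> <time> <FAILURE|SUCCESS> user=<name> from=<source address>"
SAMPLE_LOG = """\
2024-03-01 09:00:01 FAILURE user=alice from=192.168.1.20
2024-03-01 09:00:03 FAILURE user=alice from=192.168.1.20
2024-03-01 09:00:04 FAILURE user=alice from=192.168.1.20
2024-03-01 09:00:06 FAILURE user=alice from=192.168.1.20
2024-03-01 09:00:07 FAILURE user=alice from=192.168.1.20
2024-03-01 09:00:09 SUCCESS user=alice from=192.168.1.20
2024-03-01 09:30:00 FAILURE user=bob from=192.168.1.31
2024-03-01 10:15:00 SUCCESS user=bob from=192.168.1.31
"""

def parse_record(line: str) -> dict:
    date, time_, outcome, user_kv, from_kv = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time_}"),
            "outcome": outcome,
            "user": user_kv.split("=", 1)[1],
            "source": from_kv.split("=", 1)[1]}

def find_suspicious_logons(log_text: str, threshold: int = 5,
                           window: timedelta = timedelta(minutes=1)) -> list:
    """Flag a burst of failed logons for one user/source inside the window,
    and a success that follows such a burst (an unsuccessful attempt that
    may have turned into a breach)."""
    recent_failures = defaultdict(list)   # (user, source) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_record(line)
        key = (ev["user"], ev["source"])
        # keep only failures that fall inside the sliding window
        recent_failures[key] = [t for t in recent_failures[key]
                                if ev["ts"] - t <= window]
        if ev["outcome"] == "FAILURE":
            recent_failures[key].append(ev["ts"])
            if len(recent_failures[key]) == threshold:     # alert once per burst
                alerts.append(("failed_logon_burst", ev["user"], ev["source"], ev["ts"]))
        elif len(recent_failures[key]) >= threshold:
            alerts.append(("success_after_burst", ev["user"], ev["source"], ev["ts"]))
    return alerts
```

A single mistyped password (bob) produces no alert; only the rapid run of failures followed by a success (alice) does.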
THE END