The ABC's of Computer Forensics
Annual Toronto Fraud Forum
Scott Weissent, Forensic Technology Services Practice Leader, Grant Thornton LLP Canada
September 25, 2013

Introduction
• Defining computer forensics
• Common sources & types of evidence
• Top 10 locations for evidence
• Case examples
• Steps of computer forensics
• Computer forensics tools

Definition
• Computer forensics involves:
– Identification
– Preservation
– Extraction
– Documentation
– Interpretation and
– Presentation
of electronically stored information (ESI) in such a way that it can be legally admissible.

What forensics is not . . .
• Pro-active (security) – but reactive to an event or request.
• About finding the bad guy/criminal – but finding evidence of value.
• Something you do for fun – expertise is needed.
• Quick – 2 TB drives are easily available; OS X 10.4 supports 8 exabytes, or 8 million TB.

Reasons for evidence
• Child porn
• Breach of computer security
• Fraud/theft
• Copyright violations
• Identity theft
• Narcotics investigations
• Threats
• Burglary
• Suicide
• Obscenity
• Homicide
• Administrative investigations
• Sexual assault
• Stalking

Common types of Electronically Stored Information (ESI)
• Word processing files
• Spreadsheets
• E-mail messages
• Web pages
• O/S system files
• Database records
• Photographs

Common sources of ESI
• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup tapes
• E-mail archives
• Cell phones/PDAs
• Thumb drives
• Memory cards
• External storage devices
• Cameras
• Printers
• GPS devices

Common locations of evidence
1. Internet history files
2. Temporary Internet files
3. Slack/unallocated space
4. Buddy lists, personal chat room records, P2P, others' saved areas
5. News groups/club lists/postings
6. Settings, folder structure, file names
7. File storage dates
8. Software/hardware added
9. File sharing ability
10. E-mails

Case examples
• File dates
• Bullying/defamation
• Theft of intellectual property

Steps of computer forensics
• Identification
• Preservation
• Extraction
• Documentation, interpretation and presentation

Steps of computer forensics: Identification
– Identify evidence
– Identify the type of information available
– Determine how best to retrieve it

Steps of computer forensics: Preservation
– Preserve evidence with the least amount of change possible
– Must be able to account for any change
– Chain of custody

Steps of computer forensics: Analysis
– Extract
– Process
– Interpret

Side note on evidence
• Types of evidence
1. Inculpatory evidence: supports a given theory
2. Exculpatory evidence: contradicts a given theory
3. Evidence of tampering: shows that the system was tampered with to avoid identification

Steps of computer forensics: Documentation, interpretation and presentation
– Evidence will be accepted in court based on:
• Manner of presentation
• Qualifications of the presenter
• Credibility of the processes used to preserve and analyze evidence
• Whether the process can be duplicated

Software tools
• Encase Forensic
• Forensic Toolkit (FTK)
• Paraben
• F-Response
• BlackBag Technologies
• Passware Forensic Toolkit

Hardware tools
• Forensic disk duplicator
• Forensic write blockers
• Forensic drive wiper
• Forensic workstation
• Lots of hard drives

Commercial vs. open-source tools
• Some advantages commercial tools have over open-source tools:
– Better documentation
– Commercial-level support
– Slick GUI (graphical user interface), user-friendly
– In some cases, complete report generation that is accepted in a court of law
• However, for anything a commercial forensics application can do, there are open-source applications that can do the same thing.

Common mistakes
• Using internal IT staff to conduct a computer forensics investigation
• Waiting until the last minute to perform a computer forensics exam
• Too narrowly limiting the scope of computer forensics
• Not being prepared to preserve electronic evidence
• Not selecting a qualified computer forensics team

Conclusions
• As technology advances, so too does crime.
• Digital crime is an emerging field, and as it develops and picks up speed, there will be an increased need for trained, experienced computer forensic professionals.
• Conventional crimes are becoming underpinned and improved by digital crime.
• Training, education, and awareness are key.

Always remember . . .
Computers operate in a binary world (it's a 1 or 0, it's on or off). The challenge with computer forensics is not the computer itself but the human who interfaces with it. Be objective, open-minded, curious, and don't overlook the human element.

Questions?
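The preservation step earlier in the deck (least change possible, account for any change, chain of custody) and the court's question of whether the process can be duplicated both come down to hashing the evidence at acquisition and re-checking it at every hand-off. The Python below is an added illustration, not material from the deck or from any of the listed tools; the image bytes, examiner names and log layout are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 4096 + b"MBR-like sample data" + b"\xff" * 512

def hash_image(data: bytes) -> dict:
    """Compute MD5 and SHA-256 of an image. Both are commonly recorded so the
    acquisition can be re-verified with whatever tool the other side uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def record_custody_event(log: list, data: bytes, actor: str, action: str, note: str = "") -> dict:
    """Append one chain-of-custody entry: who did what, when, and the hashes at that moment."""
    entry = {
        "seq": len(log) + 1,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "note": note,
        "hashes": hash_image(data),
    }
    log.append(entry)
    return entry

def verify_image(log: list, data: bytes) -> tuple[bool, str]:
    """Re-hash the image and compare with the acquisition hashes in entry 1.
    A mismatch is a change that the custody log must be able to account for."""
    if not log:
        return False, "no acquisition record"
    baseline = log[0]["hashes"]
    current = hash_image(data)
    if current == baseline:
        return True, "image unchanged since acquisition"
    return False, f"sha256 differs: {baseline['sha256'][:12]}... vs {current['sha256'][:12]}..."

if __name__ == "__main__":
    custody = []
    record_custody_event(custody, SAMPLE_IMAGE, "examiner A", "acquired", "write blocker used")
    record_custody_event(custody, SAMPLE_IMAGE, "examiner B", "received", "evidence bag seal intact")
    print(json.dumps(custody, indent=2))
    print(verify_image(custody, SAMPLE_IMAGE))
    # Simulate an unaccounted-for modification (e.g. image mounted read-write): one byte flipped.
    altered = bytearray(SAMPLE_IMAGE)
    altered[0] ^= 0x01
    print(verify_image(custody, bytes(altered)))
```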