Chfi V3 Module 01 Computer Forensics In Todays World
- 1. Computer Hacking Forensics Investigator
Version 3
Module I
Computer Forensics in Today’s World
- 2. Scenario
Jacob, a senior management official of a software giant, is accused by his junior staff of sexual harassment.
Rachel, the complainant, has accused Jacob of sending email asking for sexual favors in return for her annual performance hike.
Ross, a computer forensics investigator, is hired by the software giant to investigate the case.
If found guilty, Jacob stands to lose his job and may face imprisonment of up to three years, along with a fine of $15,000.
Copyright © by EC-Council
EC-Council All rights reserved. Reproduction is strictly prohibited
- 3. Forensic News
Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html
- 4. Module Objective
This module will familiarize you with the following:
• Computer forensics
• History of computer forensics
• Objective of computer forensics
• Computer facilitated crimes
• Reasons for cyber attacks
• Computer forensics flaws and risks
• Modes of attacks
• Stages of forensic investigation in tracking cyber criminals
• Rules of computer forensics
• Digital forensics
• Approach the crime scene
• Where and when do you use computer forensics
• Legal issues
- 5. Module Flow
Introduction → History → Objective of forensics → Computer forensics flaws and risks → Computer facilitated crimes → Reasons for cyber attacks → Stages of forensic investigation → Rules of computer forensics → Digital forensics → Where and when to use computer forensics → Approach to the crime scene → Legal issues
- 6. Introduction
Cyber activity has become an important part of our daily lives
Importance of computer forensics:
• 85% of business and government agencies detected security breaches
• The FBI estimates that the United States loses up to $10 billion a year to cyber crime
- 7. History of Forensics
Francis Galton (1822-1911)
• Made the first recorded study of fingerprints.
Leone Lattes (1887-1954)
• Discovered blood groupings (A, B, AB, & O).
Calvin Goddard (1891-1955)
• Allowed firearms and bullet comparison for solving many pending court cases.
Albert Osborn (1858-1946)
• Developed essential features of document examination.
Hans Gross (1847-1915)
• Made use of scientific study to head criminal investigations.
FBI (1932)
• A lab was set up to provide forensic services to all field agents and other law authorities across the country.
- 8. Definition of Forensic Science
Definition:
• “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.”
(Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
Aim:
• To determine the evidential value of a crime scene and related evidence.
- 9. Definition of Computer Forensics
Definition:
“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.”
- Dr. H.B. Wolfe
- 10. What is Computer Forensics?
“The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
“Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
- 11. Need for Computer Forensics
“Computer forensics is equivalent of surveying a crime scene or performing an autopsy on a victim.”
– (Source: James Borek 2001)
Presence of a majority of electronic documents
Search and identify data in a computer
Digital evidence can be easily destroyed, if not handled properly
For recovering:
• Deleted files
• Encrypted files
• Corrupted files
- 12. Ways of Forensic Data Collection
Forensic data collection can be categorized:
• Background: Data gathered and stored for normal business reasons
• Foreground: Data specifically gathered to detect crime, or to identify criminals
Issues related to collecting evidence:
• Proper documentation
• Duplicating media
• Preserving evidence
• Tests should be repeatable
- 13. Objectives of Computer Forensics
To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law
To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
- 14. Benefits of Forensic Readiness
Evidence can be gathered to act in the company's
defense if subject to a lawsuit
In the event of a major incident, a fast and efficient
investigation can be conducted and corresponding
actions can be followed with minimal disruption to
the business
Forensic readiness can extend the target of
information security to the wider threat from cyber
crime, such as intellectual property protection, fraud,
or extortion
- 15. Categories of Forensics Data
Computer forensics focuses on
three categories of data:
• Active Data
• Latent Data
• Archival Data
- 16. Computer Forensics Flaws and Risks
Computer forensics is in its development stage
It differs from other forensic sciences, as digital evidence is examined
There is little theoretical knowledge upon which empirical hypothesis testing is carried out
There is a lack of proper training
There is no standardization of tools
It is still more of an “Art” than a “Science”
- 17. Computer Facilitated Crimes
Dependency on computers has given way to new crimes
Computers are used as tools for committing crimes
Computer crimes pose new challenges for investigators due to their:
• Speed
• Anonymity
• Fleeting nature of evidence
- 18. Type of Computer Crimes
Fraud by computer manipulation
Damage to or modifications of computer data or programs
Unauthorized access to computer and programs/applications
Unauthorized reproduction of computer programs
Financial crimes – identity theft, fraud, forgery, theft of funds
committed by electronic means
Counterfeiting – use of computers and laser printers to print checks,
money orders, negotiable securities, store coupons
- 19. Cyber Crime
Cyber crime is defined as
“Any illegal act involving a computer, its systems, or its applications.”
• Crime directed against a computer
• Crime where the computer contains evidence
• Crime where the computer is used as a tool to commit the crime
“Cyber Crime is a term used broadly to describe criminal activity in which
computers or networks are a tool, a target, or a place of criminal activity
These categories are not exclusive and many activities can be characterized
as falling in one or more categories.”
A cyber crime is intentional and not accidental
- 20. Modes of Attacks
Cyber crime can be categorized into two categories, depending on the way the attack takes place:
• Insider Attacks: Breach of trust from employees within the organization
• External Attacks: Hackers either hired by an insider or by an external entity with the aim to destroy a competitor’s reputation
- 21. Examples of Cyber Crime
A few examples of cyber crime include:
• Theft of Intellectual Property
• Damage of company service networks
• Embezzlement
• Copyright piracy (software, movie, sound recording)
• Child Pornography
• Planting of viruses and worms
• Password trafficking
• Email bombing & SPAM
- 22. Examples of Cyber Crime (cont’d)
The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail
This is more so in these days of ‘white collar’ crime, where documentary evidence plays a crucial role
With an increasing number of households and businesses using computers, coupled with easy Internet access, it is inevitable that there will be at least one electronic device found during the course of an investigation
This may be a computer, but could also be a printer, mobile phone, or personal organizer
This electronic device may be central to the investigation
No matter which, the information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law
- 23. Examples of Evidence
Examples of how evidence found in a computer may assist in the prosecution or defense of a case are manifold.
A few of these examples are:
• Use/abuse of the Internet
• Production of false documents and accounts
• Encrypted/password protected material
• Abuse of systems
• Email contact between suspects/conspirators
• Theft of commercial secrets
• Unauthorized transmission of information
• Records of movements
• Malicious attacks on the computer systems themselves
• Names and addresses of contacts
- 24. Stages of Forensic Investigation in Tracking Cyber Criminals
1. An incident occurs in which the company’s server is compromised
2. The client contacts the company’s advocate for legal advice
3. The advocate contracts an external forensic investigator
4. The forensic investigator (FI) prepares first response procedures (FRP)
5. The FI seizes the evidence at the crime scene and transports it to the forensics lab
6. The FI prepares bit-stream images of the files
7. The FI creates MD5 hashes of the files
8. The FI examines the evidence files for proof of a crime
9. The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs
10. The FI hands the sensitive report to the client in a secure manner
11. The advocate studies the report and might press charges against the offender in the court of law
12. The forensic investigator usually destroys all the evidence
- 25. Key Steps in Forensic Investigations
Step 1: Computer crime is suspected
Step 2: Collect preliminary evidence
Step 3: Obtain court warrant for seizure (if required)
Step 4: Perform first responder procedures
Step 5: Seize evidence at the crime scene
Step 6: Transport them to the forensic laboratory
Step 7: Create 2 bit-stream copies of the evidence
Step 8: Generate MD5 checksum on the images
Step 9: Prepare chain of custody
Step 10: Store the original evidence in a secure location
Step 11: Analyze the image copy for evidence
Step 12: Prepare a forensic report
Step 13: Submit the report to the client
Step 14: If required, attend the court and testify as expert witness
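Steps 7 to 9 (two bit-stream copies, checksums on the images, chain of custody) as an added, runnable example that is not part of the module: it images a constructed sample evidence file twice, hashes the original and each copy (MD5 as the module states, plus SHA-256, because MD5 collisions are practical today and a second algorithm makes the record harder to dispute), writes a chain-of-custody JSON record, and re-verifies a copy later, reporting a mismatch when the copy has been altered. The examiner name, file names and sample data are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so an image larger than RAM can still be hashed


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in a single pass; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(source, dest):
    """Byte-for-byte copy of source to dest (the module's 'bit-stream image')."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)


def acquire(source, image_paths, examiner):
    """Steps 7-9: image the source, hash original and copies, build the custody record."""
    original = hash_file(source)
    record = {"source": source, "examiner": examiner,
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "original_hashes": original, "images": [], "verified": True}
    for path in image_paths:
        bitstream_copy(source, path)
        digest = hash_file(path)
        record["images"].append({"path": path, "hashes": digest})
        # Any copy whose digests differ from the original fails the acquisition.
        record["verified"] = record["verified"] and digest == original
    return record


def verify_image(image_path, record):
    """Re-hash a copy later (before analysis or testimony) against the recorded values."""
    return hash_file(image_path) == record["original_hashes"]


def demo():
    # Constructed sample evidence: a small file standing in for a seized drive.
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    images = [os.path.join(workdir, f"image{i}.dd") for i in (1, 2)]
    record = acquire(source, images, examiner="Ross (hypothetical examiner)")
    with open(os.path.join(workdir, "chain_of_custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    # Flip the first byte of the second copy: verification must now report tampering.
    with open(images[1], "r+b") as f:
        f.write(b"X")
    return record["verified"], verify_image(images[0], record), verify_image(images[1], record)
```

`demo()` returns `(True, True, False)`: both copies matched at acquisition, the untouched copy still verifies, and the altered copy does not.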
- 26. Rules of Computer Forensics
• Minimize the option of examining the original evidence
• Follow rules of evidence
• Document any change in evidence
• Never exceed the knowledge base
• Do not tamper with the evidence
• Handle evidence with care
• Always prepare chain of custody
- 27. Rule for Forensic Investigator
Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law
- 28. Accessing Computer Forensics Resources
You can obtain resources by joining various discussion groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association
Joining a network of computer forensic experts and other professionals
News services devoted to computer forensics can also be a powerful resource
Other resources:
• Journals of forensic investigators
• Actual case studies
- 29. Maintaining Professional Conduct
Professional conduct determines the credibility of a forensic investigator
Always dress professionally – wear a tie and a coat
Investigators must display the highest level of ethics and moral integrity, as well as confidentiality
Discuss the case at hand only with the person who has the right to know
- 30. Understanding Corporate Investigations
Involve private companies who address company policy violations and litigation disputes
Company procedures should continue without any interruption from the investigation
After the investigation the company should minimize or eliminate similar litigations
Industrial espionage is the foremost crime in corporate investigations
- 31. Digital Forensics
The use of scientifically unexpressed and proven methods towards preserving, collecting, confirming, identifying, analyzing, recording and presenting digital evidence extracted from digital sources
- 32. Case Study: # 1
Password Recovery Services
A pharmaceutical manufacturer had password protected accounting software files as part of normal security practices to safeguard confidential information.
After the bookkeeper’s employment was terminated for poor performance, the Director of Human Resources attempted to open the accounting file and found the file password protected, as expected.
The HR Director obtained a copy of the current password that had been stored in an envelope in the department safe (as directed by the company’s security policy).
When she attempted to use the password to open the file, she was unsuccessful.
Apparently, the former bookkeeper had changed the password and not followed the company policy of placing a copy of the password in the safe.
The HR Director emailed the password protected accounting file to TRC.
We were able to recover the password within a few hours and email it back to her all in the same afternoon.
- 33. Case Study: #2
Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing stock shares, an employer suspected embezzlement and requested the defendant’s laptop computer for examination.
The employer specifically told the defendant not to delete anything from the hard drive.
A computer forensic analysis revealed the defendant attempted to overwrite files on the computer by running “Evidence Eliminator,” a software wiping program, at least five times the night before he turned over the computer.
The defendant was convicted of embezzlement and ordered to pay restitution, including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent on the forensic analysis.
On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination.
The appellate court rejected this argument and affirmed the district court’s award, noting the defendant “purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years.
As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on.”
- 34. When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
• Any liabilities from the incident and how they can be managed
• Finding and prosecuting/punishing (internal versus external culprits)
• Legal and regulatory constraints on what action can be taken
• Reputation protection and PR issues
• When/if to advise partners, customers, and investors
• How to deal with employees
• Resolving commercial disputes
• Any additional measures required
- 35. Enterprise Theory of Investigation (ETI)
“Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself. In other words, individuals commit criminal acts solely to benefit their criminal enterprise.”
“By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.”
Source: FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely
- 36. Where and When Do You Use Computer Forensics
Where?
• To provide real evidence, such as reading bar codes and magnetic tapes.
• To identify the occurrence of electronic transactions.
• To reconstruct an incident with its sequence of events.
When?
• If a breach of contract occurs.
• If copyright and intellectual property theft/misuse happens.
• Employee disputes.
• Damage to resources.
- 37. Legal Issues
It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics
Ex: The issues related to authenticity, reliability, completeness and convincing
The approach of investigation diverges with change in technology
Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws
- 38. Reporting the Results
Report should consist of summary of conclusions, observations and all appropriate recommendations.
Report is based on:
• Who has access to the data?
• How could it be made available to an investigation?
• To what business processes does it relate?
- 39. Summary
Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
The need for computer forensics has increased due to the presence of a majority of digital documents.
Computer forensics focuses on three categories of data: active data, latent data and archival data.
Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
Forensics results report should consist of summary of conclusions, observations and all appropriate recommendations.